
Who is affected? The NIS2 requirements and affected companies in detail.
When do you fall under NIS2?
Whether a company is in scope usually comes down to two factors: its sector and its size. As a rule, a company falls under NIS 2 if it:
- Is active in one of the 18 sectors the directive lists as highly critical (Annex I) or otherwise critical (Annex II), e.g. energy, transport, banking, health and digital infrastructure, but also waste management and food.
- Has at least 50 employees, or an annual turnover or annual balance sheet total of more than EUR 10 million (the so-called "size-cap" rule).
Who is affected by the NIS 2 Directive?
The directive distinguishes two categories:
- Essential entities: large companies from the sectors of high criticality (e.g. electricity suppliers). They are subject to proactive (ex ante) supervision, i.e. audits and inspections can take place without any prior incident.
- Important entities: medium-sized and large companies from sectors such as postal services, chemicals or manufacturing. Supervision here is usually reactive (ex post), i.e. triggered by evidence of an incident or of non-compliance.
Important for SMEs in Austria: even if you do not meet the size thresholds yourself, you may be indirectly affected if you act as a supplier to a regulated company, because that company has to assess the security of its supply chain.
Which companies are affected by NIS2?
Besides traditional infrastructure operators, the list now also includes:
- Providers of public electronic communications networks or services.
- Managed service providers (MSPs) and providers of data centre services.
- Manufacturers of certain critical products (e.g. pharmaceuticals or IT equipment).
- Online marketplaces and search engines.
What will change with NIS2?
The NISG 2026 will above all change liability and documentation obligations:
- Management responsibility: the management body must approve and oversee the cybersecurity risk-management measures, must complete training, and can be held personally liable for cybersecurity failures.
- Supply chain security: companies must assess the security of their suppliers and service providers, including the quality of those partners' own cybersecurity practices.
- Reporting obligations: a significant security incident must be reported in stages: an early warning within 24 hours of becoming aware of it, a detailed incident notification within 72 hours, and a final report within one month.
We explain what NIS2 means in concrete terms and when the directive applies in Austria in the article "NIS 2 in Austria - The ultimate guide to the new cyber security law".
What are NIS2 requirements?
The NIS 2 requirements call for holistic risk management. Among other things, this includes:
- Policies on risk analysis and information system security.
- Incident handling (incident management).
- Business continuity management (backup strategies, emergency plans, crisis management).
- Cryptography and encryption.
- Human resources security and access control (e.g. multi-factor authentication).
Implementing the NISG 2026 is not a one-off project but an ongoing process. Companies that act now not only protect themselves legally, but also strengthen the trust of their customers and partners in an increasingly digital market.