
    NIS2 in Austria

    A guide to NIS2 implementation and compliance in Austria.

    Austria is implementing the EU's strengthened cybersecurity framework through national legislation aligned with the NIS2 Directive. This guide provides a structured overview of scope, obligations, enforcement, and governance under Austria's national regime, tailored for SME decision-makers working through NIS2 compliance requirements in Austria.

    1. Quick SME Applicability Snapshot in Austria

    Does NIS2 apply to SMEs in Austria?

    Yes — depending on sector and size.

    • Automatic applicability to medium-sized entities (≥50 employees and ≥€10 million turnover or balance sheet total) operating in covered sectors.
    • Small or micro entities are included only if formally designated or operating in high-criticality sectors.
    • Applies to entities established in Austria and, in certain cases, foreign digital providers serving the Austrian market.

    SMEs in regulated sectors should assess qualification early under Austria's national cybersecurity regime.

    2. Overview of NIS2 Implementation in Austria

    Austria is transposing NIS2 through the NIS-Gesetz 2024 (NISG 2024), which replaces and expands the prior cybersecurity framework under the Network and Information Systems Security Act.

    The legislation was adopted in 2024 to align with Directive (EU) 2022/2555 and establishes updated obligations for both Essential and Important Entities. Entry into force is tied to Austria's formal implementation schedule and EU notification process.

    Austria's NIS2 implementation largely reflects the Directive baseline. Where sector-specific clarifications are introduced, they align with Austria's existing regulatory structure and supervisory authorities.

    3. Scope of Application in Austria

    Austria does not materially expand sector scope beyond the Directive minimum at this stage.

    4. Size Thresholds and SME Applicability in Austria

    The baseline thresholds apply:

    • ≥50 employees, and
    • ≥€10 million annual turnover or balance sheet total.

    Entities meeting both criteria in covered sectors are automatically within scope unless exempted.

    Small and micro entities may still fall under NIS2 requirements in Austria if designated by authorities due to critical importance or systemic relevance.

    Austria retains authority to designate entities where justified by risk exposure, national security considerations, or cross-border relevance.

    5. Entity Classification Framework in Austria

    Austria classifies in-scope entities as:

    • Essential Entities — Subject to stricter supervisory oversight, including proactive inspections.
    • Important Entities — Subject primarily to reactive supervision unless risk indicators warrant intervention.

    Classification is automatic based on sector and size but may be adjusted by competent authorities. Austrian regulators may reclassify entities where operational impact justifies enhanced oversight.

    6. Cybersecurity Risk Management Requirements in Austria

    Austria's national regime aligns closely with the Directive baseline. In-scope entities must implement proportionate technical and organizational measures addressing:

    • Risk analysis and system security
    • Incident handling procedures
    • Business continuity and crisis management
    • Supply chain risk controls
    • Secure system acquisition and development
    • Access control mechanisms
    • Encryption and cryptography policies
    • Vulnerability management and disclosure
    • Staff cybersecurity training

    Measures must reflect state-of-the-art standards and risk exposure. Alignment with ISO/IEC 27001 and recognized Austrian cybersecurity frameworks is encouraged.

    7. Management Liability and Governance in Austria

    Management bodies must approve cybersecurity risk management measures and oversee their implementation.

    Under Austria's framework:

    • Boards are responsible for ensuring compliance.
    • Senior management must receive cybersecurity training.
    • Authorities may impose administrative sanctions for non-compliance.
    • Temporary suspension of managerial functions is possible under Directive-aligned enforcement mechanisms.

    Austria's NIS2 management liability standards emphasize board-level accountability rather than purely technical responsibility.

    8. Incident Reporting Obligations in Austria

    Definition of a Significant Incident

    An incident qualifies if it causes:

    • Severe operational disruption
    • Significant financial loss
    • Substantial societal impact
    • Cross-border effects

    Reporting Timeline

    Reporting Stage         Deadline    Authority
    Early Warning           24 hours    Federal Ministry of the Interior (BMI)
    Incident Notification   72 hours    Federal Ministry of the Interior (BMI)
    Final Report            1 month     Federal Ministry of the Interior (BMI)

    9. Supervisory Authorities and Enforcement Model in Austria

    Primary authority: Federal Ministry of the Interior (BMI).

    Austria operates a centralized coordination model, supported by sectoral regulators where relevant.

    Supervisory powers include:

    • Information requests
    • Security audits
    • On-site inspections
    • Binding compliance instructions
    • Participation in EU-level cooperation mechanisms

    The enforcement structure integrates with EU cybersecurity coordination frameworks.

    10. NIS2 Fines and Sanctions in Austria

    Austria applies Directive-aligned administrative penalties.

    Essential Entities

    Up to €10 million or 2% of total global annual turnover (whichever is higher)

    Important Entities

    Up to €7 million or 1.4% of total global annual turnover (whichever is higher)

    Beyond fines, NIS2 enforcement in Austria may also include:

    • Binding remediation orders
    • Public identification of non-compliant entities
    • Suspension of certification or authorization
    • Managerial suspension powers

    11. NIS2 Supply Chain and Vendor Security in Austria

    Entities must manage third-party cyber risk through:

    • Supplier due diligence
    • Contractual security obligations
    • Ongoing vendor monitoring
    • ICT service provider scrutiny
    • Concentration risk assessment
    • Incident propagation analysis

    Austria's national framework aligns with the Directive baseline in this area, emphasizing proportionate supply chain oversight.

    12. Registration and Self-Identification Duties in Austria

    Entities falling within scope must:

    • Register with competent authorities
    • Provide entity identification details
    • Disclose sector classification
    • Maintain updated contact information

    Deadlines and procedural mechanics follow Austria's implementing regulation. As of the current transposition status, Austria follows the NIS2 Directive baseline framework. National implementing details may refine specific obligations.

    Self-identification is mandatory where entities meet statutory thresholds.

    13. Interaction With GDPR and Other Laws in Austria

    The General Data Protection Regulation continues to apply in parallel.

    Overlap areas include data breach notification, security measure requirements, and supervisory coordination. NIS2 and GDPR obligations are complementary but distinct.

    14. Cross-Border Applicability

    Entities with their main establishment in Austria are supervised by Austrian authorities for cross-border services.

    Foreign digital providers offering services in Austria may be subject to local obligations depending on establishment structure.

    Representation requirements follow Directive standards for non-EU providers serving the Austrian market.

    15. Implementation Timeline in Austria

    • Directive adoption: 2022
    • National legislation adoption: 2024
    • Entry into force: Upon national publication schedule
    • Commission notification: Pending/ongoing alignment
    • Compliance milestone: Aligned with Directive deadlines

    Austria's NIS2 implementation reflects the EU transposition timeline without announced extended grace periods.

    16. Key Takeaways for SMEs in Austria

    • Medium-sized entities in covered sectors are automatically in scope.
    • Small entities may be designated if operationally critical.
    • Governance accountability sits at board level.
    • Incident reporting follows a 24-hour / 72-hour / 1-month structure.
    • Financial penalties can reach €10 million or 2% of global turnover.
    • Vendor and ICT risk oversight is mandatory.
    • Early compliance planning reduces regulatory exposure.

    FAQ: NIS2 Austria SME Guide

    Does NIS2 apply to small companies in Austria?

    Small companies are generally excluded unless designated or operating in highly critical sectors. Medium-sized entities meeting size thresholds are automatically covered.

    What are the NIS2 fines in Austria?

    Essential Entities face penalties up to €10 million or 2% of global annual turnover. Important Entities face up to €7 million or 1.4% of global annual turnover.

    When does NIS2 take effect in Austria?

    Austria adopted implementing legislation in 2024. Entry into force aligns with national publication and EU notification processes.

    Who enforces NIS2 in Austria?

    The Federal Ministry of the Interior (BMI) serves as the primary supervisory authority, coordinating with sector regulators where applicable.

    Can directors be personally liable under NIS2 in Austria?

    Management bodies must approve and oversee cybersecurity measures. Authorities may impose administrative consequences, including suspension powers in serious cases.

    How does NIS2 differ from GDPR in Austria?

    NIS2 governs cybersecurity risk management and operational resilience. GDPR focuses on personal data protection. Both may apply simultaneously following a cyber incident.

    What qualifies as a significant incident under NIS2 in Austria?

    An incident that causes severe disruption, substantial financial loss, societal impact, or cross-border effects typically meets the reporting threshold.