
    NIS2 in Austria

    A guide to NIS2 implementation and compliance in Austria.

    Austria is implementing the EU's strengthened cybersecurity framework through national legislation aligned with the NIS2 Directive. This guide provides a structured overview of scope, obligations, enforcement, and governance under Austria's national regime, tailored for SME decision-makers navigating NIS2 compliance requirements in Austria.

    1. Quick SME Applicability Snapshot in Austria

    Does NIS2 apply to SMEs in Austria?

    Yes — depending on sector and size.

    • Automatic applicability to entities of at least medium size (50 or more employees, or both annual turnover and annual balance sheet total above €10 million) operating in covered sectors.
    • Small and micro entities are included only if they belong to a category the Directive covers regardless of size (for example DNS service providers, TLD name registries, qualified trust service providers and providers of public electronic communications networks) or if the competent authority formally designates them.
    • Applies to entities established in Austria and, in certain cases, foreign digital providers serving the Austrian market.

    SMEs in regulated sectors should assess qualification early under Austria's national cybersecurity regime.

    2. Overview of NIS2 Implementation in Austria

    Austria has transposed NIS2 through the Netz- und Informationssystemsicherheitsgesetz 2026 (NISG 2026), which replaces and expands the prior cybersecurity framework under the original NIS Act.

    The NISG 2026 was adopted by the Austrian National Council on 12 December 2025 and promulgated on 23 December 2025 (Federal Law Gazette I No. 135/2025). An earlier draft, the NISG 2024, failed to secure the required two-thirds majority and was rejected by the National Council in July 2024. The NISG 2026 enters into force on 1 October 2026, aligning Austria with Directive (EU) 2022/2555.

    Austria's NIS2 implementation largely reflects the Directive baseline. Where sector-specific clarifications are introduced, they align with Austria's existing regulatory structure and supervisory authorities.

    3. Scope of Application in Austria

    Austria does not materially expand sector scope beyond the Directive minimum at this stage. Covered sectors are therefore those listed in Annex I of the Directive (sectors of high criticality, such as energy, transport, banking, health, drinking water and digital infrastructure) and Annex II (other critical sectors, such as postal services, waste management, manufacturing and digital providers).

    4. Size Thresholds and SME Applicability in Austria

    The Directive's size-cap rule applies. An entity is at least medium-sized, and therefore within the general scope, if it has:

    • 50 or more employees, or
    • both an annual turnover and an annual balance sheet total above €10 million.

    Entities meeting either criterion in covered sectors are automatically within scope unless exempted. A single financial figure above €10 million is not sufficient on its own: with fewer than 50 employees, both turnover and balance sheet total must exceed the threshold. Headcount and financial figures are assessed as under Commission Recommendation 2003/361/EC, which also takes partner and linked enterprises into account.

    Small and micro entities may still fall under Austria's NIS2 requirements if designated by the competent authority due to critical importance or systemic relevance.

    Austria retains authority to designate entities where justified by risk exposure, national security considerations, or cross-border relevance.

    5. Entity Classification Framework in Austria

    Austria classifies in-scope entities as:

    • Essential Entities — Large entities (250 or more employees, or turnover above €50 million and balance sheet total above €43 million) in Annex I sectors, plus certain entity types regardless of size (qualified trust service providers, TLD name registries and DNS service providers). Subject to stricter supervisory oversight, including proactive inspections.
    • Important Entities — All other in-scope entities in Annex I or Annex II sectors. Subject primarily to reactive (ex post) supervision unless risk indicators warrant intervention.

    Classification follows automatically from sector and size but may be adjusted by the competent authority, which may designate further entities as essential or important where operational impact justifies enhanced oversight.
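    The scope and classification rules in sections 4 and 5 are easy to get wrong in compliance tooling because of where the "and" and "or" sit in the size test. The following Python function is an added example written for this guide, not code from the page's author or from any Austrian authority; it encodes the Directive's general rule (Article 2(1), Article 3(1)(a)/(b) and 3(2), with the size classes of Recommendation 2003/361/EC) and deliberately omits what can only widen the scope: partner/linked-enterprise consolidation, the special rules for public electronic communications providers and public administration, sole-provider inclusion, and national designation decisions. The entity names and figures in it are constructed samples. Check the NISG 2026 text for any Austrian deviation before relying on the result.

```python
from dataclasses import dataclass
from enum import Enum


class Annex(Enum):
    """Which Directive annex (if any) lists the entity's sector."""
    NONE = "not listed"
    I = "Annex I (sectors of high criticality)"
    II = "Annex II (other critical sectors)"


class Classification(Enum):
    OUT_OF_SCOPE = "out of scope unless designated by the authority"
    IMPORTANT = "important entity"
    ESSENTIAL = "essential entity"


@dataclass(frozen=True)
class Entity:
    employees: int            # headcount (annual work units)
    turnover_eur: float       # annual turnover
    balance_sheet_eur: float  # annual balance sheet total
    annex: Annex
    # Entity types that are essential regardless of size under Art. 3(1)(b):
    # qualified trust service providers, TLD name registries, DNS service providers.
    essential_regardless_of_size: bool = False


def is_at_least_medium(e: Entity) -> bool:
    """Size-cap rule of Art. 2(1) via Recommendation 2003/361/EC.

    A 'small' enterprise has fewer than 50 staff AND a turnover or balance sheet
    total of at most EUR 10 million.  Anything that is not small is at least
    medium-sized: 50 or more staff, OR both turnover and balance sheet above
    EUR 10 million.  One financial figure above the ceiling is not enough when
    the headcount is below 50.
    """
    return e.employees >= 50 or (
        e.turnover_eur > 10_000_000 and e.balance_sheet_eur > 10_000_000
    )


def exceeds_medium_ceiling(e: Entity) -> bool:
    """A 'medium' enterprise has fewer than 250 staff AND (turnover of at most
    EUR 50 million OR balance sheet total of at most EUR 43 million).  Exceeding
    that ceiling makes the entity 'large'."""
    return e.employees >= 250 or (
        e.turnover_eur > 50_000_000 and e.balance_sheet_eur > 43_000_000
    )


def classify(e: Entity) -> Classification:
    """General rule only (see the docstring caveats above): size-independent
    types are essential; otherwise the entity must be in an annex and at least
    medium-sized, and only large Annex I entities are essential."""
    if e.essential_regardless_of_size:
        return Classification.ESSENTIAL
    if e.annex is Annex.NONE or not is_at_least_medium(e):
        return Classification.OUT_OF_SCOPE
    if e.annex is Annex.I and exceeds_medium_ceiling(e):
        return Classification.ESSENTIAL
    # Medium-sized Annex I entities and all Annex II entities of at least
    # medium size are important entities (Art. 3(2)).
    return Classification.IMPORTANT


if __name__ == "__main__":
    # Constructed sample entities, not real companies.
    samples = {
        "49 staff, EUR 9m / EUR 9m, Annex I": Entity(49, 9e6, 9e6, Annex.I),
        "49 staff, EUR 12m / EUR 9m, Annex I": Entity(49, 12e6, 9e6, Annex.I),
        "49 staff, EUR 12m / EUR 12m, Annex II": Entity(49, 12e6, 12e6, Annex.II),
        "50 staff, EUR 1m / EUR 1m, Annex I": Entity(50, 1e6, 1e6, Annex.I),
        "249 staff, EUR 60m / EUR 40m, Annex I": Entity(249, 60e6, 40e6, Annex.I),
        "250 staff, EUR 1m / EUR 1m, Annex I": Entity(250, 1e6, 1e6, Annex.I),
        "250 staff, EUR 1m / EUR 1m, Annex II": Entity(250, 1e6, 1e6, Annex.II),
        "5-person DNS service provider": Entity(5, 1e5, 1e5, Annex.I, True),
    }
    for label, ent in samples.items():
        print(f"{label:42s} -> {classify(ent).value}")
```

    The second and fifth samples are the ones worth studying: a 49-person entity with €12 million turnover but a €9 million balance sheet stays small, and a 249-person Annex I entity with €60 million turnover but a €40 million balance sheet stays medium-sized and is therefore important rather than essential.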

    6. Cybersecurity Risk Management Requirements in Austria

    Austria's national regime aligns closely with the Directive baseline. In-scope entities must implement proportionate technical and organizational measures addressing:

    • Risk analysis and information system security policies
    • Incident handling procedures
    • Business continuity, backup management, disaster recovery and crisis management
    • Supply chain security, including the security of relationships with direct suppliers and service providers
    • Security in system acquisition, development and maintenance, including vulnerability handling and disclosure
    • Policies and procedures to assess the effectiveness of the risk management measures
    • Basic cyber hygiene practices and staff cybersecurity training
    • Policies on the use of cryptography and, where appropriate, encryption
    • Human resources security, access control policies and asset management
    • Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems where appropriate

    Measures must reflect the state of the art and the entity's actual risk exposure, following an all-hazards approach. Alignment with ISO/IEC 27001 and recognized Austrian cybersecurity frameworks is encouraged.

    7. Management Liability and Governance in Austria

    Management bodies must approve cybersecurity risk management measures and oversee their implementation.

    • Boards are accountable for compliance oversight.
    • Senior management must ensure adequate cybersecurity expertise.
    • Administrative sanctions may address governance failures.
    • Temporary suspension of managerial functions may be available under Directive-aligned mechanisms.

    Austria's NIS2 management liability rules emphasize board-level accountability rather than purely technical responsibility.

    8. Incident Reporting Obligations in Austria

    Definition of a Significant Incident

    Under the Directive, an incident is significant if it:

    • has caused or is capable of causing severe operational disruption of the entity's services or financial loss for the entity, or
    • has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

    The potential for such impact is enough; the harm does not have to have materialized. Cross-border impact is not a threshold criterion in itself, but the early warning must state whether the incident could have a cross-border impact.

    Reporting Timeline

    Reporting stage         Deadline                                              Recipient
    Early warning           within 24 hours of becoming aware of the incident     Bundesamt für Cybersicherheit (Federal Office for Cybersecurity)
    Incident notification   within 72 hours of becoming aware of the incident     Bundesamt für Cybersicherheit (Federal Office for Cybersecurity)
    Final report            within one month of the incident notification         Bundesamt für Cybersicherheit (Federal Office for Cybersecurity)

    The early warning must indicate whether the incident is suspected to have been caused by unlawful or malicious acts and whether it could have a cross-border impact. The 72-hour notification updates it with an initial assessment of severity and impact and, where available, indicators of compromise. An intermediate status report must be provided on request, and if the incident is still ongoing when the final report falls due, a progress report is submitted instead, with the final report due within one month of the incident being handled.

    9. Supervisory Authorities and Enforcement Model in Austria

    Primary authority: Bundesamt für Cybersicherheit (Federal Office for Cybersecurity), established by the NISG 2026 as a dedicated supervisory body operating under the Federal Ministry of the Interior (BMI). Operational from 1 October 2026.

    Austria operates a centralized supervision model through the newly established Bundesamt für Cybersicherheit, supported by sectoral regulators where relevant.

    Supervisory powers include:

    • Information requests
    • Security audits
    • On-site inspections
    • Binding compliance instructions
    • Participation in EU cybersecurity coordination
    • Public identification of non-compliant entities (naming and shaming)

    The enforcement structure integrates with EU cybersecurity coordination frameworks.

    10. NIS2 Fines and Sanctions in Austria

    Austria applies Directive-aligned administrative penalties.

    Essential Entities

    Up to €10 million or 2% of total global annual turnover (whichever is higher)

    Important Entities

    Up to €7 million or 1.4% of total global annual turnover (whichever is higher)

    Enforcement in Austria may also include:

    • Binding remediation orders
    • Public identification of non-compliant entities
    • Suspension of certification or authorization
    • Managerial suspension powers

    11. NIS2 Supply Chain and Vendor Security in Austria

    Entities must manage third-party cyber risk through:

    • Supplier due diligence
    • Contractual security obligations
    • Ongoing vendor monitoring
    • ICT service provider scrutiny
    • Concentration risk assessment
    • Incident propagation analysis

    Austria's national framework aligns with the Directive baseline in this area, emphasizing proportionate supply chain oversight.

    12. Registration and Self-Identification Duties in Austria

    Entities within scope must:

    • Register with the Bundesamt für Cybersicherheit by 1 January 2027
    • Provide corporate identification details
    • Disclose sector classification
    • Maintain updated contact information

    Entities must submit a self-declaration to the Bundesamt für Cybersicherheit within 12 months of the NISG 2026 entering into force, with the deadline falling on 30 September 2027.

    Self-identification is mandatory — entities must determine their own status under the NISG 2026. Authorities will not proactively notify entities of their obligations.

    13. Interaction With GDPR and Other Laws in Austria

    The General Data Protection Regulation continues to apply concurrently.

    Overlap considerations include:

    • 72-hour personal data breach notification
    • Supervisory authority coordination
    • Parallel cybersecurity and data protection investigations
    • Sector-specific Austrian cybersecurity legislation

    A cyber incident may trigger reporting obligations under both regimes.

    14. Cross-Border Applicability

    For the digital-type entities to which the Directive's main-establishment rule applies (DNS service providers, TLD name registries, domain name registration services, cloud computing, data centre, content delivery network, managed service and managed security service providers, online marketplaces, online search engines and social networking platforms), an entity with its main establishment in Austria is supervised by Austrian authorities for its services across the EU. Other entities are supervised by each Member State in which they are established.

    Foreign digital providers offering services in Austria may be subject to local obligations depending on their establishment structure.

    Non-EU providers of the services listed above that operate in the EU without an establishment must designate a representative in one of the Member States in which they offer services; if that is Austria, Austrian authorities supervise them.

    15. Implementation Timeline in Austria

    • Directive adoption: 14 December 2022 (Directive (EU) 2022/2555), with a transposition deadline of 17 October 2024
    • National legislation adoption: 12 December 2025 — NISG 2026 adopted by the National Council (an earlier draft, the NISG 2024, was rejected in July 2024)
    • NISG 2026 promulgated: 23 December 2025 (Federal Law Gazette I No. 135/2025)
    • Entry into force: 1 October 2026
    • Commission infringement action: the European Commission issued a reasoned opinion in May 2025 regarding Austria's delayed transposition; the Commission's assessment of Austria's notification following adoption of the NISG 2026 is pending
    • Registration deadline: 1 January 2027 — entities must register with the Bundesamt für Cybersicherheit
    • Self-declaration deadline: 30 September 2027 — entities must submit their self-declaration

    The NISG 2026 enters into force on 1 October 2026, following promulgation in December 2025.

    16. Key Takeaways for SMEs in Austria

    • Entities of medium size or larger in covered sectors are automatically in scope.
    • Small entities are in scope only for size-independent categories or if designated as operationally critical.
    • Board-level governance oversight is mandatory.
    • Incident reporting follows 24h / 72h / 1 month deadlines.
    • Financial penalties can reach €10 million or 2% of global turnover.
    • Vendor risk management is a core obligation.
    • Early compliance planning reduces enforcement exposure.

    FAQ: NIS2 Austria SME Guide

    Does NIS2 apply to small companies in Austria?

    Small and micro companies are generally excluded unless they belong to a category the Directive covers regardless of size (for example DNS service providers, TLD name registries or qualified trust service providers) or are designated by the competent authority. Entities of medium size or larger in covered sectors are automatically covered.

    What are the NIS2 fines in Austria?

    Essential Entities face penalties up to €10 million or 2% of global annual turnover. Important Entities face up to €7 million or 1.4% of global annual turnover.

    When does NIS2 take effect in Austria?

    Austria enacted the NISG 2026 in December 2025. The law enters into full force on 1 October 2026. Entities must register by 1 January 2027 and submit self-declarations by 30 September 2027.

    Who enforces NIS2 in Austria?

    The Bundesamt für Cybersicherheit (Federal Office for Cybersecurity), established under the NISG 2026, serves as the primary supervisory authority, coordinating with sector regulators where applicable.

    Can directors be personally liable under NIS2 in Austria?

    Management bodies must approve and oversee cybersecurity measures. Authorities may impose administrative consequences, including suspension powers in serious cases.

    How does NIS2 differ from GDPR in Austria?

    NIS2 governs cybersecurity risk management and operational resilience. GDPR focuses on personal data protection. Both may apply simultaneously following a cyber incident.

    What qualifies as a significant incident under NIS2 in Austria?

    An incident that has caused, or is capable of causing, severe operational disruption or financial loss for the entity, or considerable material or non-material damage to other persons, meets the reporting threshold. A possible cross-border impact does not itself trigger the duty but must be flagged in the early warning.