AT transposition

NIS 2 status in Austria

Austria transposes the NIS 2 Directive through an amendment to the Network and Information System Security Act (NISG). The EU layer applies in parallel and is what your obligations ultimately track to.

Simon OrzelSimon Orzel·

What changes in Austria

The starting point is European. Directive (EU) 2022/2555 (NIS 2) sets the obligations. Commission Implementing Regulation (EU) 2024/2690 makes the technical and methodological requirements for digital infrastructure, ICT service management and digital providers directly applicable in every member state, without national transposition.

Austria implements the directive by amending its existing Network and Information System Security Act (Netz- und Informationssystemsicherheitsgesetz, NISG). The original NISG (BGBl I Nr. 111/2018) transposed NIS 1. The amended version is the vehicle for NIS 2.

Like most EU member states, Austria did not meet the 17 October 2024 transposition deadline. The legislative process for the NISG amendment is ongoing. Until the amended NISG enters into force, the directive itself and the implementing regulation already shape what supervisors and auditors look at.

The three legal layers
Austrian companies sit under three layers of law at once. Read them in this order.

EU directive

Member States shall adopt and publish, by 17 October 2024, the measures necessary to comply with this Directive.

Directive (EU) 2022/2555, Article 41. The directive defines scope, governance duties, risk management measures and incident reporting. Member states had to transpose by 17 October 2024.

EU implementing regulation

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024. It defines the technical and methodological requirements for the entity types listed in Annex I points 8 (digital infrastructure), 6 (ICT service management, B2B) and Annex II point 6 (digital providers). It applies directly without Austrian transposition.

Austrian transposition

Bundesgesetz, mit dem ein Netz- und Informationssystemsicherheitsgesetz erlassen wird (NISG).

Austria transposes the directive by amending the existing NISG. The original NISG (BGBl I Nr. 111/2018) transposed NIS 1. The amended NISG carries NIS 2 obligations into Austrian law.

What the Austrian framework consists of
Three building blocks define how NIS 2 lands in Austria.
Law

Amended NISG

The NISG amendment translates the directive into Austrian law. It defines entity categories, supervisory powers, registration obligations, fines and the relationship to sector specific laws.

Supervisor

Bundesministerium für Inneres (BMI)

Under the existing NISG, the Federal Ministry of the Interior is the central supervisory authority for operators of essential services. The amended NISG continues this role for essential and important entities. Sector specific authorities like E-Control (energy) and FMA (financial market) keep their roles.

Deadlines

EU deadline already passed

The directive deadline was 17 October 2024. The Austrian amendment is in the legislative process. Once the amended NISG enters into force, registration windows and reporting obligations start running. The EU implementing regulation already applies directly to in scope entity types.

Two principles to remember
These two ideas explain almost every question companies have about the Austrian status.

Local detail follows EU minimum

The directive is a floor. Austria can be stricter but cannot be looser. If the amended NISG is silent on something the directive requires, the directive still governs interpretation. The implementing regulation applies regardless of national text.

Sector laws remain in force

Sector regimes for finance, energy and telecommunications continue to apply. Financial entities follow DORA (Regulation (EU) 2022/2554) as lex specialis for risk management and incident reporting, but stay in scope of NIS 2 Article 27 registration obligations through their member state mechanism.

Who does what at national level
Three institutions you will encounter in Austrian practice.
AT

Bundesministerium für Inneres

The Federal Ministry of the Interior is the central NIS supervisor. It registers entities, exercises supervisory powers, issues directions and imposes fines. Under the existing NISG this role sat with BMI; the amended NISG retains the central supervisory function at BMI.

AT

GovCERT.AT and CERT.at

Austria operates two national CSIRTs. GovCERT.AT, hosted at the Federal Chancellery, serves the public sector. CERT.at, operated by nic.at, serves the private sector and the general internet community. Together they cover the national CSIRT functions required by the directive.

EU

ENISA

The European Union Agency for Cybersecurity does not supervise. It publishes guidance, the EU Cybersecurity Index and the technical mappings between NIS 2 and ISO 27001, NIST CSF 2.0 and other frameworks. Austrian supervisors and auditors use ENISA material as a reference.

Three traps when reading the Austrian status
Each of these comes up in real conversations with Austrian operators.
  • The old NISG still applies, so nothing changes

    The original NISG covers NIS 1 only. NIS 2 widens scope drastically: 18 sectors, size based scoping, registration obligations, governance duties for management. Even before the amended NISG is in force, in scope entity types under the implementing regulation already face directly applicable rules.

  • Only large companies are in scope

    The directive sets the floor at medium sized entities under Recommendation 2003/361/EC (50+ employees or more than 10 million EUR turnover and balance sheet total) in listed sectors. Size cap off rules in Article 2 catch smaller entities in specific cases (sole providers, criticality, public administration). Austria can be stricter than this floor, not looser.

  • Only critical infrastructure operators are affected

    Austria's NIS 1 model centered on operators of essential services and digital service providers. NIS 2 replaces that with essential entities and important entities across 18 sectors. A medium sized waste management firm, a manufacturer of medical devices or a food production company can be in scope without ever being labelled critical infrastructure.

Practitioner view

Most Austrian small and medium operators ask the same first question: is the amended NISG already in force. The honest answer in mid 2026 is that the legislative process is ongoing and the EU deadline has already passed. That does not pause your work. The directive and the implementing regulation set the substance. Once the amended NISG arrives it confirms the supervisory mechanics.

Treat the NIS 2 obligation set as your reference document. Run the applicability check against directive Annex I and II plus the size thresholds, not against the older NISG list of essential services. When the amended NISG enters into force, the registration window starts running; companies that have already mapped scope and assets are ready on day one.

How nisd2.eu helps an Austrian company

Our applicability check uses the directive and the implementing regulation as primary sources. The Austrian layer is added where it matters: the NISG, BMI as supervisor, the CSIRT contacts. The platform does not depend on the amended NISG being in force to produce a working obligation register.

The compliance pipeline (assets, risks, suppliers, incidents, training, sign offs) is the same across member states. Country specific rules appear as additional questions and references, never as a separate workflow.

Sources
  • Directive (EU) 2022/2555 of 14 December 2022 (NIS 2 Directive)
  • Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024
  • Netz- und Informationssystemsicherheitsgesetz (NISG), BGBl I Nr. 111/2018 (original NIS 1 transposition)
  • Austrian Parliament: legislative process page for the NISG amendment (parlament.gv.at)
  • Bundesministerium für Inneres (BMI), nis.gv.at
  • GovCERT.AT (govcert.gv.at) and CERT.at (cert.at)
  • ENISA NIS 2 implementation guidance and reference mappings
Check your Austrian status now
Five minutes against the directive and the implementing regulation, with the Austrian supervisor and CSIRT references built in.