NIS2 Austria Compliance Guide: NISG 2026 Requirements, BMI Authority and DACH Region Framework for 2026

Complete guide to NIS2 compliance in Austria. Covers the NISG 2026 (Network and Information Systems Security Act), BMI/Bundesamt für Cybersicherheit authority, entity classification, sector requirements, CERT.at incident reporting, penalties up to €10M, and the 1 October 2026 entry into force deadline.

Austria’s journey to NIS2 compliance has been one of the most dramatic in the EU. The initial NISG 2024 was rejected by Parliament in July 2024 over constitutional federal-state competency issues — a rare failure that pushed Austria past the EU’s 17 October 2024 transposition deadline. The European Commission issued a formal reasoned opinion on 7 May 2025. A revised NISG 2026 (Netz- und Informationssystemsicherheitsgesetz 2026 — Network and Information Systems Security Act 2026) was finally passed on 12 December 2025 and will enter into force on 1 October 2026.

For Austrian organizations — and the cyber insurance professionals who underwrite them — this guide covers everything you need to know: the legal framework under NISG 2026, the new Bundesamt für Cybersicherheit (Federal Office for Cybersecurity) being established, entity classification, sector-specific obligations, penalties including personal management liability, and the critical compliance deadlines stretching to 2030.

NISG 2026 — The Network and Information Systems Security Act

Austria transposed NIS2 through the NISG 2026 (BGBl. I Nr. 94/2025), which was promulgated on 23 December 2025 after parliamentary approval on 12 December 2025. The act enters into force on 1 October 2026, replacing the prior NISG 2018 that covered only approximately 100 Austrian entities.

Key features of NISG 2026:

  • Expands scope from ~100 to ~4,000 Austrian organizations under NIS2 obligations
  • Establishes a new Bundesamt für Cybersicherheit (Federal Office for Cybersecurity) under the Federal Ministry of the Interior (BMI)
  • Adopts the EU NIS2 two-tier classification: Essential (wesentliche Einrichtungen) and Important (wichtige Einrichtungen) entities
  • Introduces personal liability for management bodies of essential entities
  • Mandates registration by 31 December 2026 and self-declaration by 1 October 2027

The Failed NISG 2024 and Recovery

The original transposition attempt, NISG 2024, was rejected on 3 July 2024 when it failed to achieve the required two-thirds parliamentary majority. The rejection stemmed from constitutional disputes over federal versus state competency in cybersecurity regulation — not from opposition to NIS2 itself. The Council of Ministers approved a revised draft on 20 November 2025, which resolved the competency issues and secured passage.

Key Differences from NISG 2018

Aspect | NISG 2018 (previous) | NISG 2026 (current)
Scope | ~100 entities (OES + DSPs) | ~4,000 entities (essential + important)
Entity types | Operators of Essential Services (OES) + Digital Service Providers (DSPs) | Essential + important entities
Authority | Federal Chancellery (BKA) for DSPs; sector authorities for OES | BMI / Bundesamt für Cybersicherheit (centralized)
Management liability | None | Personal liability + possible disqualification
Maximum fines | €100,000 | Up to €10,000,000 or 2% of global turnover, whichever is higher
Supply chain | Limited | Comprehensive third-party risk management required

Competent Authorities

BMI and the New Bundesamt für Cybersicherheit

The BMI (Bundesministerium für Inneres / Federal Ministry of the Interior) serves as the central cybersecurity competent authority and EU Single Point of Contact under NIS2. NISG 2026 establishes a new Bundesamt für Cybersicherheit (Federal Office for Cybersecurity) as a monocratic authority under the BMI, which will become the primary enforcement body once operational.

Contact: Herrengasse 7, 1010 Vienna | post@nis.gv.at | +43 59133 989480

CSIRT Network

CSIRT | Scope
CERT.at | National CSIRT for essential and important entities; 24/7 NIS reporting portal at nis.cert.at
GovCERT Austria | Public administration entities
Austrian Energy CERT (AEC) | Energy sector operators

Sectoral Cooperation

A formal Memorandum of Understanding between BMI, FMA (Financial Market Authority), and OeNB (National Bank) was signed on 12 December 2025, establishing inter-authority cooperation for financial sector cybersecurity oversight as mandated by NIS2 Article 13.

Entity Classification

Size Thresholds

An entity in an Annex 1 or Annex 2 sector is in scope when it is at least medium-sized under the EU SME definition (Recommendation 2003/361/EC, referenced by NIS2 Article 2(1)). Note the logic carefully: the headcount test and the financial test are alternatives, not cumulative conditions, and both financial figures must be exceeded for the financial test alone to put an entity in a size class. (The size-independent categories listed under Essential Entities below apply regardless of these thresholds.)

Category | Headcount test | Financial test (applies if the headcount test is not met)
Medium enterprise | ≥ 50 employees, or | annual turnover > €10M AND balance sheet total > €10M
Large enterprise | ≥ 250 employees, or | annual turnover > €50M AND balance sheet total > €43M

For example, a company with 49 employees, €12M turnover and a €12M balance sheet total is medium-sized and in scope, whereas one with 49 employees, €12M turnover and a €9M balance sheet total remains small and out of scope.

Consolidation of figures within corporate groups does not apply if organizational, technical, and operational independence exists.

Essential Entities (Wesentliche Einrichtungen)

Entities classified as essential include:

  • Size-independent: Qualified trust service providers, TLD name registries, DNS service providers
  • Size-dependent (large enterprises): Entities in Annex 1 sectors (energy, transport, banking, health, water, digital infrastructure, public administration, space)
  • Medium-sized: Public electronic communications network/service providers
  • Supervision: Proactive, ex ante — regular audits expected

Important Entities (Wichtige Einrichtungen)

  • Public electronic communications networks/services (unless already essential)
  • State administration entities
  • Large or medium-sized enterprises in Annex 1 and Annex 2 sectors not classified as essential
  • Supervision: Reactive, ex post, triggered when the authority receives evidence or indications that the entity is not complying (NIS2 Article 33), rather than through scheduled audits

Manual Designation Power

The Cybersecurity Authority can designate an entity as essential or important regardless of its size where the criticality conditions of NIS2 Article 2(2) apply: the entity is the sole national provider of a service essential to critical societal or economic activities, a disruption of its service could significantly affect public safety, security or health, could create significant systemic risk, or the entity is critical because of its importance to a sector at national or regional level. Falling below the size thresholds therefore does not settle the question for operators of critical services.

Sectors Covered

Essential Entity Sectors (Annex 1)

Sector | Scope
Energy | Electricity, district heating/cooling, oil, gas, hydrogen
Transport | Air, rail, water, road transport operators
Banking | Credit institutions (DORA-regulated entities have separate requirements)
Financial market infrastructure | Trading venues, central counterparties
Health | Hospitals, healthcare providers, EU reference labs, pharma/medical device manufacturers
Drinking water | Supply and distribution
Wastewater | Collection, disposal, treatment
Digital infrastructure | IXPs, DNS providers, TLD registries, cloud services, data centres, CDNs, trust service providers
ICT service management (B2B) | MSPs, MSSPs
Public administration | Central government entities
Space | Ground-based infrastructure operators

Important Entity Sectors (Annex 2)

  • Postal and courier services
  • Waste management
  • Chemical manufacturing, production, and distribution
  • Food production, processing, and wholesale distribution
  • Manufacturing (medical devices, computers/electronics, electrical equipment, machinery, motor vehicles)
  • Digital providers (online marketplaces, search engines, social networking platforms)
  • Research organizations

Key Compliance Requirements

Security Measures (Article 21 Equivalent)

All essential and important entities must implement appropriate and proportionate technical, operational, and organizational measures to manage cybersecurity risks. These must be based on an all-hazards approach and include:

  • Risk analysis and information system security policies
  • Incident handling — detection, response, and recovery procedures
  • Supply chain security — risk assessments of suppliers and service providers
  • Network security — segregation, access control, encryption
  • Business continuity — crisis communication and disaster recovery plans
  • Training — mandatory cybersecurity training for all staff and management
  • Vulnerability handling and disclosure policies
  • Multi-factor authentication and secure communication channels

Incident Reporting via CERT.at

All significant incidents must be reported to CERT.at through the 24/7 NIS reporting portal (nis.cert.at):

Report type | Deadline | Minimum content
Early warning | Within 24 hours of becoming aware of the incident | Whether the incident is suspected to be caused by unlawful or malicious acts, and whether it could have cross-border impact
Incident notification | Within 72 hours of becoming aware of the incident | Update of the early warning, initial assessment of severity and impact, and indicators of compromise where available
Final report | Within 1 month of submitting the incident notification | Detailed description of the incident, type of threat or root cause, mitigation measures applied or ongoing, and any cross-border impact

The staged content and deadlines follow NIS2 Article 23, which NISG 2026 transposes. Two practical points: both short clocks start when the entity becomes aware of the incident, not when the incident began, so detection timestamps should be recorded; and if the incident is still ongoing when the final report falls due, a progress report is submitted instead, with the final report following within one month of the incident being handled. The authority may also request intermediate status updates in between.

Supply Chain Risk Management

NISG 2026 places particular emphasis on supply chain security — entities must assess and manage cybersecurity risks from direct suppliers and service providers. This is especially relevant for Austrian manufacturing and industrial sectors with complex DACH-region supply chains.

Registration and Compliance Timeline

Date | Milestone
1 October 2026 | NISG 2026 enters into force; NISG 2018 replaced; risk management obligations apply in full
31 December 2026 | Registration deadline: all essential and important entities must register with the Cybersecurity Authority
1 October 2027 | Self-declaration deadline: entities must submit risk management descriptions and risk analysis results
October 2028 | Earliest date for the authority to request evidence of compliance from essential entities
Within 2 months of the request | Essential entities must submit the requested compliance evidence
30 September 2030 | Proof of effectiveness required via signed audit report

Registration Process

  1. Identify your entity classification (essential or important) based on sector, size, and activities
  2. Register with the Cybersecurity Authority (BMI / Bundesamt für Cybersicherheit) by 31 December 2026
  3. Implement risk management measures and document security policies
  4. Submit self-declaration by 1 October 2027 describing risk management measures and risk analysis
  5. Prepare evidence for potential compliance audit (earliest October 2028)
  6. Obtain audit report by 30 September 2030

Penalties and Enforcement

Financial Penalties

Entity type | Maximum fine | Turnover cap
Essential entities | Up to €10,000,000 | or 2% of global annual turnover, whichever is higher
Important entities | Up to €7,000,000 | or 1.4% of global annual turnover, whichever is higher
Public authorities | No fines | Subject to naming and shaming instead

Additional Sanctions

Violation | Penalty
Registration failure (1st offence) | Up to €50,000
Registration failure (repeat offence) | Up to €100,000
Naming and shaming | BMI may publicly disclose inadequate cybersecurity measures
Management disqualification | Management of an essential entity may be temporarily prohibited from exercising management functions for serious breaches

Key Targeted Breaches

  • Failure to provide mandatory cybersecurity training to staff and management
  • Inadequate risk management measures
  • Non-reporting of significant incidents to CERT.at
  • Failure to register with the Cybersecurity Authority
  • Insufficient supply chain security assessments

Important: an infringement that has already been fined under the GDPR is not fined a second time under NISG 2026 for the same facts. This mirrors NIS2 Article 35(2), under which the NIS competent authority does not impose a fine where the data protection supervisory authority has done so for the same infringement; Austria applies this proportionality rule rather than cumulating the two penalties.

Cyber Insurance Implications for Austrian Entities

NISG 2026 creates significant new liability exposure for Austrian organizations. The combination of personal management liability, fines up to €10M, and supply chain risk obligations makes cyber insurance a critical risk transfer mechanism.

Key Underwriting Considerations

  1. Management liability coverage — NISG 2026’s personal liability provisions for management bodies of essential entities create demand for D&O and management liability insurance that specifically covers cybersecurity governance failures
  2. NIS2 compliance gap — insurers will assess whether organizations have begun their NISG 2026 compliance journey; non-compliance may affect coverage terms
  3. Supply chain cascading risks — Austrian manufacturing and industrial sectors face elevated exposure from interconnected DACH supply chains
  4. Incident reporting compliance — failure to report to CERT.at within required timelines could jeopardize both regulatory standing and insurance claims
  5. Cross-border DACH exposure — Austrian entities with operations in Germany and Switzerland face overlapping regimes: Germany's own NIS2 transposition (the NIS2UmsuCG, which amends the BSIG and is enforced by the BSI), and in Switzerland, which is outside the EU and not bound by NIS2, the separate cyber-incident reporting obligations under the Swiss Information Security Act

For a detailed analysis of how NIS2 compliance affects cyber insurance premiums, see our guide on how NIS2 compliance lowers cyber insurance premiums.

Summary

Austria’s NISG 2026 represents a 40x expansion of cybersecurity regulation — from ~100 entities under NISG 2018 to approximately 4,000 organizations under the new framework. The law enters into force on 1 October 2026, with registration required by year-end and self-declaration by October 2027.

For Austrian organizations, the roadmap is clear: classify your entity, register with the Cybersecurity Authority, implement NIS2-compliant risk management measures, establish CERT.at incident reporting procedures, and address supply chain security. Management personal liability means this is not just an IT project — it’s a board-level governance issue.

For a broader NIS2 compliance framework applicable across all EU Member States, start with our NIS2 Compliance Guide and IT Manager Action Plan. For supply chain risk management obligations, see our NIS2 Supply Chain Security Guide. For gap analysis methodology, see our NIS2 Gap Analysis Guide.

Resiliently provides cyber insurance intelligence for EU risk professionals.