
Austria's NISG 2026 Is Live: What EU Suppliers Need to Know

By NIS2Certify
Tags: nis2, austria, nisg-2026, compliance, supply-chain

Austria published the NISG 2026 in the Federal Law Gazette on 23 December 2025. It enters into force on 1 October 2026. The number of in-scope organisations jumps from roughly 100 under the old regime to an estimated 4,000.

If you advise Austrian clients — or run a business anywhere in the EU that supplies one — that date is now a hard line in your project plan. After 1 October, registration is mandatory, the management board is personally on the hook, and the supply-chain clauses pull in vendors that aren't even directly regulated.

Here's what changed, who it catches, and what you should be doing in the next three months.

The NISG 2026 replaces a law that covered almost nobody

Austria's original NIS Act applied to about 100 operators of essential services. That was the whole point of NIS2 across the EU: the first directive was too narrow, so the second one widened the net dramatically.

The NISG 2026 is the result. It transposes Directive (EU) 2022/2555 and mirrors its structure exactly — Annex I for essential-entity sectors, Annex II for important-entity sectors. Telecoms, financial services, energy, transport, health, digital infrastructure, public administration, and even licensed gambling operators are now in scope.

The size threshold is the standard EU medium-enterprise test: 50 or more employees, or annual turnover and balance-sheet total both above EUR 10 million. Meet either the headcount test or the financial test and you are presumptively covered. Some entities, public electronic communications network providers for example, are caught regardless of size.

That's how you get from 100 to 4,000.

Essential versus important decides how hard the authority hits you

The classification isn't cosmetic. It changes your penalty ceiling and how closely the regulator watches you.

Essential entities (Annex I) face administrative fines up to EUR 10 million or 2% of global annual turnover, whichever is higher. They're subject to proactive supervision — the authority can audit you without waiting for an incident.

Important entities (Annex II) face fines up to EUR 7 million or 1.4% of global turnover, and supervision is reactive — the authority steps in after something goes wrong or a complaint lands.

Most consultants' clients will land in the important-entity bucket. That's not a reason to relax. The obligations are nearly identical; only the enforcement posture and the fine ceiling differ.

Does NIS2 Apply to Your Organisation? (scope check)

1. Does your organisation operate in an essential or important sector (energy, transport, health, digital infrastructure, etc.)?
2. Does your organisation have 50 or more employees, or an annual turnover exceeding EUR 10 million?
3. Is your organisation a critical infrastructure provider or a qualified trust service provider?

Possible outcomes: NIS2 applies to your organisation as an Essential or Important Entity; NIS2 may apply (seek legal advice to confirm your status); NIS2 does not directly apply to your organisation.

Registration closes on 31 December 2026 — and it's the easy part

Once the law enters into force on 1 October, covered entities have three months to register with the NIS Anlaufstelle, the national contact point run under the Federal Ministry of the Interior. That puts the hard deadline at 31 December 2026.

Miss it and the fine is up to EUR 50,000 for a first offence, rising to EUR 100,000 for repeat failures. Those numbers are small next to the multi-million-euro ceilings for substantive breaches, but registration is also the moment you put yourself on the regulator's radar. Late or missing registration is the easiest possible thing for an authority to spot and penalise.

Treat registration as a deadline, not a project. The real work is everything the registration commits you to: the risk-management measures under Article 21, incident reporting, and supply-chain controls.

The board carries the obligation — not the IT department

This is the part Austrian executives keep underestimating. Under the NISG 2026, responsibility for implementing and monitoring cybersecurity risk-management measures sits explicitly with the management board or executive directors.

You cannot delegate this to the CISO and walk away. The board must approve the measures, oversee them, and — under the directive's logic — can be held personally liable for failures. Management is also required to undergo cybersecurity training.

For consultants, this is your opening. The conversation that gets you in the door isn't "your firewall needs work." It's "your directors are now personally accountable for a control framework they've never seen." Brief the board first. The budget follows.

Article 21 — the 10 NIS2 Cybersecurity Measures

Listed in the order of Article 21(2)(a) to (j), with the grouping used in this guide in brackets:

1. Risk analysis and information system security policies [Governance & Strategy]
2. Incident handling and notification [Incident & Continuity]
3. Business continuity, backup management, disaster recovery and crisis management [Incident & Continuity]
4. Supply chain security [Supply Chain & Systems]
5. Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure [Supply Chain & Systems]
6. Policies and procedures to assess the effectiveness of security measures [Governance & Strategy]
7. Basic cyber hygiene practices and cybersecurity training [People & Assets]
8. Policies on cryptography and encryption [Technical Controls]
9. Human resources security, access control policies and asset management [People & Assets]
10. Multi-factor or continuous authentication and secured voice, video, text and emergency communications [Technical Controls]

The supply-chain clause catches companies that aren't even in scope

Here's the provision with the longest reach. The NISG 2026 requires covered entities to assess and contractually secure the cybersecurity of their direct suppliers and service providers.

That means a regulated Austrian entity will push security requirements down its contracts. Even a company that falls below the size thresholds — and is therefore not directly regulated — can be required to provide security evidence as a condition of staying in the supply chain.

If your client sells to a hospital, a bank, an energy operator, or a telecoms firm in Austria, expect security questionnaires, contractual clauses, and audit rights to start appearing in renewal negotiations. The regulated buyer has a legal obligation to demand them.

This is the mechanism that makes NIS2 a market force, not just a compliance line item. A small MSP in Vienna with zero direct obligation can still lose a contract for failing a customer's vendor assessment. For the deeper mechanics of how this works in practice, see our guide on NIS2 supply-chain security and the detail on supplier contracts under Article 21.

NIS2 Penalty Escalation — Beyond the Fine

Trigger event: non-compliance is detected or an incident occurs. A supervisory authority identifies a compliance gap, or an organisation fails to meet NIS2 requirements.

Non-monetary penalties the authority can impose:
1. Compliance orders with binding deadlines
2. Mandatory security audits at your expense
3. Public disclosure of violations
4. Binding instructions on specific security measures

Escalation to operational and personal consequences:
1. Suspension of certifications or operating licences
2. Temporary ban on management functions for individuals
3. Public naming of responsible natural persons

Note that under the directive the suspension and management-ban powers (Article 32(5)) are reserved for essential entities; the other measures are available against both categories.

Austria joins a fast-closing group of transposed states

Austria isn't an outlier any more. As of early 2026, 21 of 27 member states had transposed NIS2, and the European Commission referred the laggards to the Court of Justice. Germany flipped its switch, Belgium's audit regime is running, and France, Portugal, and Poland are all live.

For a consultant or MSP working across borders, the practical takeaway is that the patchwork is hardening into a baseline. A client operating in Austria, Germany, and Belgium can't run three different compliance postures. The smart move is to build one Article 21-aligned control set and map it to each national flavour.

The national variations matter at the edges — registration portals, exact deadlines, fine ceilings — but the core risk-management obligations are the same directive underneath. Get the core right once and the per-country work shrinks to paperwork.

NIS2 Implementation Status by Country (2025–2026)

Fully in force (6): Belgium, Croatia, Hungary, Lithuania, Latvia, Italy
Adopted, late 2025 (3): Germany, Czech Republic, Finland
In progress, expected 2026 (7): Netherlands, France, Spain, Poland, Austria (adopted December 2025, in force 1 October 2026), Sweden, Ireland

What to do before 1 October 2026

The window is short and the sequence matters. If you're advising an Austrian client, work it in this order.

First, confirm scope. Run the size threshold and sector check now, before October, so the client knows whether they're essential, important, or out. Don't assume — the gambling and digital-infrastructure inclusions catch organisations that never thought of themselves as critical.

Second, brief the board. Get the personal-liability and training obligations in front of the management directors early. This is what unlocks budget and authority.

Third, run a gap analysis against Article 21. The ten measures are the substance of compliance, and most organisations have three or four of them half-implemented at best. Our step-by-step gap-analysis guide walks through the process.

Fourth, register before 31 December 2026. Once scope is confirmed, registration is administrative — but don't let it slip past the deadline.

Fifth, fix the supply chain. Map your client's critical suppliers and start the contractual work now. This is the slowest item because it depends on counterparties, so begin early.

If you want to know where a specific organisation stands today, the fastest starting point is a structured readiness assessment that scores them against every Article 21 measure and flags the gaps. Run the NIS2 quick scan and you'll have a prioritised picture in minutes — exactly the kind of evidence the board, and an Austrian supplier's customers, will want to see.

The NISG 2026 has been law since December. The clock to 1 October is already running.
