Austria NISG 2026: €10M Fine Caps, Public Naming for State Entities, and Director Liability — Enforcement Details Most EU Guides Skip
Austria took longer than most EU member states to transpose the NIS2 Directive — and the delay tells you something about the complexity of what the law requires. Parliament rejected the first attempt, NISG 2024, in July 2024. The revised law — NISG 2026 (Federal Law Gazette I No. 94/2025) — passed both chambers in December 2025 and enters full force on 1 October 2026 [1]. Austrian organisations that were waiting out the political process now have a compressed window: register by December 2026, demonstrate risk-management compliance by September 2027, and face a supervisory authority with significant audit and fine powers from day one.
Most guidance reproduces the headline figures — €10 million for essential entities, €7 million for important ones — and stops there. That framing misses three mechanisms specific to Austria’s implementation: a proactive versus reactive supervision split that determines when each fine cap applies, a fixed-ceiling registration breach ladder (€50,000 for first failures, €100,000 for repeats) that sits separately from the main penalty tiers, and a naming-and-shaming procedure reserved for public sector entities as a direct substitute for monetary fines. This last mechanism is almost entirely absent from EU-level commentary on Austria NIS2 penalties.
This article explains all three mechanisms, plus the management disqualification rule and the enforcement authority structure. For a broader cross-country view, the NIS2 penalties overview provides context on how Austria’s approach sits within the EU enforcement landscape.
Austria’s Enforcement Landscape: One Law, Three Authorities
The NISG 2026 establishes the Bundesamt für Cybersicherheit — Austria’s new federal cybersecurity office — as the primary NIS2 supervisory authority. Operating directly under the Federal Ministry of the Interior (BMI), it replaces the fragmented structure inherited from NISG 2018, where the Bundeskanzleramt held strategic oversight while incident reporting was distributed across three separate sector-specific platforms.
The Bundesamt does not enforce alone. Three existing sectoral regulators retain NIS2 jurisdiction over their industries:
| Sector | Supervisory authority |
|---|---|
| Telecommunications and digital infrastructure | RTR (Rundfunk und Telekom Regulierungs-GmbH) |
| Financial services | FMA (Finanzmarktaufsicht) |
| Health | AGES (Agentur für Gesundheit und Ernährungssicherheit) |
| All other covered sectors | Bundesamt für Cybersicherheit |
Entities in telecoms, financial services, or health report to their sectoral regulator for NIS2 supervision — not to the Bundesamt. For all others — energy, transport, manufacturing, public administration, digital services, and the remaining sectors in NIS2 Annex I and Annex II — the Bundesamt is the competent authority. This matters practically: organisations already regulated by RTR, FMA, or AGES will likely find NIS2 supervision integrated into existing regulatory cycles. Entities under the Bundesamt are building a new supervisory relationship from scratch [4][6].
One Austria-specific element most guides overlook: a two-year moratorium on the Bundesamt’s first formal audit requests, running from the December 2025 enactment date. This places the first proactive audit cycle for essential entities no earlier than late 2027. The moratorium covers scheduled proactive audits — it does not suspend reactive investigations triggered by complaints or incidents, which can begin from 1 October 2026.
The Fine Structure: €10M vs €7M and the Proactive/Reactive Supervision Split
Austria’s penalty tiers align exactly with NIS2 Directive Articles 34.4 and 34.5 — the maximum fine levels set at EU level. Austrian legislators did not increase or reduce these caps. What Austria’s implementation adds is a proactive/reactive supervision architecture that determines which cap applies in practice, depending on entity type.
Essential entities face proactive oversight. The Bundesamt für Cybersicherheit can initiate audits and on-site inspections without a prior incident or complaint — it does not need a trigger. Article 34.4 of the NIS2 Directive sets the maximum fine for essential entity breaches of Articles 21 (security measures) or 23 (reporting obligations) at €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher [2]. A company with €600 million in global revenue faces a maximum fine of €12 million — the percentage-based cap exceeds the absolute floor once turnover clears the €500 million mark.
Important entities fall under reactive supervision. The Bundesamt and sectoral regulators intervene only after a complaint, a reported incident, or evidence of non-compliance surfacing through other means. Article 34.5 sets the ceiling for important entity breaches at €7 million or 1.4% of worldwide annual turnover, whichever is higher [2].
| Entity type | Supervision mode | Max fine (absolute) | Max fine (turnover) | Directive basis |
|---|---|---|---|---|
| Essential | Proactive — audits without prior incident | €10 million | 2% global annual turnover | Article 34.4 |
| Important | Reactive — complaints and incidents only | €7 million | 1.4% global annual turnover | Article 34.5 |
Both figures are maximums, not fixed amounts. The Bundesamt applies proportionality criteria drawn from Article 32(7) of the NIS2 Directive: the entity’s size, the severity and duration of the infringement, actual damage caused, and degree of cooperation with the authority all factor into the determination [2]. First-time enforcement actions for procedural failures typically produce fines well below the cap. Systemic failure to implement required security measures, or repeated non-reporting of significant incidents, are the scenarios where higher-tier fines become realistic.
Austria also permits periodic penalty payments: coercive daily fines imposed to compel an entity to stop an ongoing infringement following a prior authority decision — grounded in Article 34.6 of the NIS2 Directive [2]. These stack on top of the headline fine; they are an additional enforcement tool, not a substitute.
The Registration Breach Ladder: €50,000 and €100,000
The NISG 2026 introduces a separate fine tier for administrative compliance failures, distinct from the Article 21/23 security-obligation penalties. Where the main penalty regime targets substantive failures of risk management and incident reporting, the registration breach ladder targets administrative defaults: failure to register, failure to meet reporting obligations, and failure to comply with domain registry requirements [3].
The structure is a two-rung ladder:
- Initial failure to register or meet a specified administrative obligation: maximum fine of €50,000
- Repeat offence — a second or subsequent violation of the same administrative obligation: maximum fine of €100,000
These ceilings apply per offence determination. An entity that registers late and then fails a subsequent administrative reporting obligation has committed two separate offences — potentially attracting €50,000 for the first and up to €100,000 for the second if the authority treats the first as a prior violation for escalation. The escalating structure creates deliberate financial pressure to resolve registration defaults quickly rather than treating the fine as a straightforward cost of delay.
All in-scope entities have a hard registration deadline of 31 December 2026 — three months after the NISG 2026 enters force. Entities supervised by RTR, FMA, or AGES register with their sectoral regulator; the December 2026 deadline applies equally to them. Entities unsure of their scope status should not wait for clarity from the Bundesamt: a finding that the obligation existed and went unmet from October 2026 triggers the €50,000 tier from the date of that determination, not the date the entity began its scoping exercise.
Naming-and-Shaming: How Austria Penalises the Public Sector
The NIS2 Directive covers public administration entities in Annex I and permits member states to apply enforcement mechanisms — including fines — to public bodies. Austria has navigated a constitutional constraint that makes the direct imposition of monetary fines on public entities legally complex, and in doing so has implemented one of the directive’s most unusual national enforcement mechanisms [4].
Under NISG 2026, federal ministries, regional governments, and large municipalities within scope are exempt from monetary fines. The €10M/2% and €7M/1.4% penalty tiers do not apply to them. In their place, the NISG 2026 applies a two-stage alternative sanction:
- Formal administrative notice. The Bundesamt für Cybersicherheit issues a binding determination of non-compliance and specifies a remediation period.
- Publication. If the entity fails to remediate within the specified period, the Bundesamt publishes the non-compliance determination — the entity’s name, the nature of the violation, and the outstanding remediation requirement become publicly accessible.
This is naming-and-shaming as the primary enforcement mechanism, not a supplementary measure. For public sector entities, publication replaces the fine entirely. The intent is deterrence through reputational consequence: public bodies cannot be financially penalised in the conventional sense, but they can be publicly identified as non-compliant with a binding national cybersecurity framework — with all the parliamentary accountability and media scrutiny that follows in Austria’s governance environment [4].
The deterrent effect is not uniform across the public sector. A federal ministry operating under constant parliamentary oversight faces genuine reputational risk from a published non-compliance finding. A smaller municipality with limited public profile faces a softer deterrent. Whether Austria’s naming mechanism generates equivalent compliance pressure at all tiers of the public sector is an open question that the first enforcement cycle will begin to answer.
Private sector entities face a different logic: for them, naming is an additional enforcement measure available alongside the monetary fine, not a substitute. The Spain NIS2 enforcement framework offers a useful comparison — Spain’s CNCS authority can publish non-compliance findings, but as a supplementary sanction layered on top of its fine structure, not as its replacement.
Management Liability: The Disqualification Mechanism
The NISG 2026 places direct governance responsibility on management boards and executive directors at essential entities — not as an aspirational principle but as an enforceable obligation with personal consequences [3][5].
Two requirements bind management individually:
Active governance duty. Management must approve and actively oversee cybersecurity risk-management measures. This means personally reviewing and signing off on the information security policy, the risk assessment methodology, and significant incident response decisions. It also means ensuring that management-body members complete appropriate NIS2 training. Delegating cybersecurity oversight entirely to a CISO or IT function — without personal engagement in approvals and review — does not satisfy the obligation under NISG 2026.
Temporary disqualification from management functions. Following a serious breach, the Bundesamt may impose a temporary ban preventing the individual from serving as a managing director, board member, or equivalent officer at any covered entity [3]. This is a functional restriction — it removes the person from regulated management roles. It is not a direct personal financial fine.
The trigger — “serious non-compliance” — has not yet been tested by enforcement decisions or administrative court rulings, since the NISG 2026 does not enter force until October 2026. As a working framework: single procedural failures (one late registration, one missed reporting deadline) are unlikely to reach the disqualification threshold. Systemic failure to implement required security measures across multiple Article 21 obligations, or deliberate non-reporting of a significant incident, represent the higher-risk scenarios where disqualification becomes a realistic prospect for individual directors.
Management can document active governance through formal approval records for the information security policy, board minutes confirming cybersecurity review, records of completed NIS2 training, and board resolution templates confirming oversight. For a structured approach to building this evidence trail, the NIS2 audit preparation guide sets out the documentation requirements most likely to feature in the Bundesamt’s first supervision cycle.
Three Compliance Dates That Cannot Move
The NISG 2026 creates three hard deadlines. Unlike Austria’s transposition deadline — which the Nationalrat missed in 2024 — these dates are fixed in enacted national law and carry direct fine liability for entities that breach them.
| Date | Obligation | Consequence of breach |
|---|---|---|
| 1 October 2026 | NISG 2026 enters full force; Bundesamt für Cybersicherheit operational | Law applicable; reactive supervision active for important entities from this date |
| 31 December 2026 | Registration with Bundesamt or sectoral regulator | €50,000 fixed-ceiling fine for initial failure; €100,000 for repeat |
| 30 September 2027 | Self-declaration confirming risk-management measure implementation | Administrative non-compliance; potential escalating enforcement |
The two-year audit moratorium means proactive audit cycles are not expected until late 2027 at the earliest. Treat this as a structured preparation window. An entity that registers on time, completes its self-declaration, and documents security measure implementation enters the first audit cycle with a compliance baseline the Bundesamt must weigh under proportionality criteria. The NIS2 compliance checklist provides a structured walkthrough of all Article 21 obligations to address before the self-declaration deadline [5].
Does the NISG 2026 Apply to Your Organisation?
The NISG 2026 applies to entities that meet all three of the following conditions:
- Size threshold: 50 or more employees, or annual turnover and balance-sheet total each exceeding €10 million
- Sector: One of the 18 sectors in NIS2 Annex I or Annex II — energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, post and courier, waste management, chemicals, food, manufacturing, digital providers, and research
- Jurisdiction: Established in Austria, or providing services to Austrian recipients in a covered sector
EU-based entities with Austrian operations fall under the NISG 2026 for those operations. The entity classification — essential or important — follows the sector-and-size matrix in the NISG 2026’s Annex I and Annex II, mirroring the NIS2 Directive’s own annex structure. Annex I entities operating above the thresholds are typically classified as essential (proactive supervision, €10M/2% cap). Annex II entities are typically important (reactive supervision, €7M/1.4% cap).
Entities near the threshold — 40–60 employees, €8–12 million in turnover — should conduct a formal scoping assessment before the registration deadline. The NISG 2026 provides no de minimis exception for entities marginally above the threshold, and self-assessed out-of-scope status does not protect against a Bundesamt finding that the obligation existed from October 2026 [5].
Frequently Asked Questions
Can a public sector entity be fined under NISG 2026?
No. Federal ministries, regional governments, and in-scope municipalities are exempt from monetary fines. Non-compliance triggers a formal binding administrative notice; failure to remediate within the specified period results in the Bundesamt publishing the non-compliance determination publicly.
Are the €10M and €7M figures maximums or fixed amounts?
They are maximums. The Bundesamt applies proportionality criteria from Article 32(7) of the NIS2 Directive — entity size, infringement severity and duration, actual harm caused, and degree of cooperation all influence the outcome. First-time enforcement actions for procedural failures typically produce fines well below the cap.
When does proactive supervision of essential entities begin?
The Bundesamt is operational from 1 October 2026 and can conduct reactive investigations from that date. A two-year moratorium on formal first audit requests (from December 2025 enactment) places the first expected proactive audit cycle no earlier than late 2027.
Does Austria require separate registration if an entity is already supervised by RTR, FMA, or AGES?
Entities supervised by RTR (telecoms), FMA (financial services), or AGES (health) register with their sectoral regulator for NIS2 purposes — not with the Bundesamt. Confirm the specific registration procedure and deadline directly with your sectoral regulator before December 2026.
Does the management disqualification mechanism apply to important entities?
The NISG 2026 most clearly articulates personal disqualification in the context of essential entity supervision. Important entities carry the same governance duty obligations, but the explicit disqualification mechanism is primarily described alongside the essential entity regime. Enforcement practice from October 2026 will clarify this distinction.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Sources
- NISG 2026 — Parliamentary Bill 308 d.B. — Austrian Parliament. Nationalrat 12 Dec 2025; Bundesrat 18 Dec 2025; Federal Law Gazette I No. 94/2025.
- NIS 2 Directive Article 34 — Administrative Fines — nis-2-directive.com. Articles 34.4 (essential), 34.5 (important), 34.6 (periodic payments).
- NIS-2 Implementation Act: New Cyber Obligations for Critical Infrastructure Operators — Wolf Theiss.
- Österreich: NISG 2026 — Alles, was Sie wissen müssen — Schoenherr.
- NIS2 Compliance Austria 2026 — Global Law Experts.
