Austria’s NIS2 Transposition: NISG 2026, Bundesamt für Cybersicherheit, and the December 2026 Registration Deadline
Austria Finally Transposes NIS2 — Later Than Most, but Fully Binding
Austria’s NIS2 journey was more turbulent than most EU member states. The original draft law, NISG 2024, was rejected by the National Council on 3 July 2024 — just months before the EU’s 17 October 2024 transposition deadline. Austria missed that deadline and became subject to European Commission infringement proceedings, launched alongside 18 other member states in May 2025.

The second attempt succeeded. The NISG 2026 (Netz- und Informationssystemsicherheitsgesetz 2026) was voted into law on 12 December 2025 and published on 23 December 2025. Under Austrian law, it enters into force nine months after publication: 1 October 2026. Registration closes 31 December 2026. Self-declarations are due 30 September 2027.
The legislative uncertainty is over. This guide covers who regulates compliance in Austria, which organisations fall in scope, what the exact deadlines require, and the practical pathways available to Austrian entities. For background on the EU-level framework, see our NIS2 Directive overview.
Who Must Comply? Scope Under NISG 2026
The NISG 2026 applies to medium-sized and large companies in 18 critical sectors. If your organisation employs 50 or more staff or generates €10 million or more in annual turnover and operates in an in-scope sector, it is almost certainly covered. Austria expects approximately 4,000 organisations to fall within the new regime.

The NIS2 Directive divides in-scope organisations into two tiers based on sector risk and criticality. For the full scope framework and size thresholds, see our dedicated NIS2 scope guide.
Essential entities (Annex I) — proactive ex ante supervision:
| Sector | Examples |
|---|---|
| Energy | Electricity, oil, gas, heat suppliers |
| Transport | Air, rail, road, maritime operators |
| Banking | Credit institutions |
| Financial market infrastructure | Exchanges, central counterparties |
| Health | Hospitals, laboratories, pharma manufacturers |
| Drinking water / wastewater | Utilities serving 50,000+ people |
| Digital infrastructure | IXPs, DNS, TLD registries, cloud providers, data centres |
| Public administration | Central and regional government entities |
| Space | Ground-based space infrastructure operators |
Important entities (Annex II) — reactive ex post oversight: Postal and courier services, waste management, chemicals, food production, manufacturing (medical devices, electronics, machinery, motor vehicles), digital providers (online marketplaces, search engines, social networks), and research organisations.
Two Austria-specific scope features that trip up multinational groups:
First, NISG 2026 contains no exemption for ancillary activities. A manufacturing company outside the NIS2 sectors can still face compliance obligations if a secondary business line — say, an internal cloud service offered to subsidiaries — falls within scope. In that case, the entire legal entity comes into scope, not just the relevant business unit.
Second, NISG 2026 provides no group privilege relaxation. An Austrian subsidiary of a multinational group that independently meets the size and sector criteria must register in Austria by 31 December 2026, regardless of whether the parent group is already registered elsewhere in the EU.
“Does NISG 2026 apply to us?” — Decision logic:
- Is the organisation a medium or large enterprise (50 or more employees, or €10 million or more in annual turnover)? If no: likely out of scope, unless specifically designated as critical.
- Does it operate in an Annex I or Annex II sector? If no: out of scope.
- Are services provided from Austria to other EU member states? If yes: register in Austria and assess obligations in those states too.
Austria’s Cybersecurity Authority Structure
NISG 2026 creates a single central supervisory authority — the Bundesamt für Cybersicherheit — while sector-specific authorities retain oversight within their domains. For incident response, CERT.at is Austria’s national CSIRT for the private sector; GovCERT handles the public sector. Austria does not have a single entity formally branded as “National Cyber Security Centre”; the equivalent function is distributed across these bodies.

The Bundesamt für Cybersicherheit (Federal Office for Cybersecurity)
NISG 2026 establishes the Bundesamt für Cybersicherheit as a new dedicated central supervisory authority. It sits outside the Directorate General for Public Security and reports directly to the Interior Minister. Core functions include:
- Maintaining the register of essential and important entities
- Directing the Cyber Security Steering Group
- Coordinating national emergency response structures
- Issuing supervisory decisions, requesting audit evidence, and imposing fines
This authority consolidates a function previously split across the Federal Chancellery (BKA) and the Ministry of Interior’s Department IV/10. As of 1 April 2025, cybersecurity responsibilities formally transferred from the BKA to the BMI. NISG 2026 crystallises this into a standalone dedicated office.
National CSIRTs
| CSIRT | Sector coverage | Reporting contact |
|---|---|---|
| CERT.at | OES, DSPs, private sector | reports@cert.at; 24/7 at nis.cert.at |
| GovCERT Austria | Public administration | reports@govcert.gv.at |
| Austrian Energy CERT | Energy sector | team@energy-cert.at |
Sector supervisory authorities
For sector-specific NIS2 oversight, multiple authorities operate alongside the Bundesamt für Cybersicherheit. Your reporting pathway for incidents depends on which sector authority governs your organisation:
| Sector | Supervisory authority | Incident window |
|---|---|---|
| Energy | E-Control | 24h / 72h |
| Finance | FMA (Financial Market Authority) | 24h / 72h |
| Telecommunications | RTR (Rundfunk und Telekom Regulierungs-GmbH) | 24h / 72h |
| Health | BMG / BMK | 24h / 72h |
| Public administration | GovCERT / BMI | Immediate |
| All other sectors | Bundesamt für Cybersicherheit | 24h / 72h |
The sector authority for your industry determines which regulator receives your incident notifications, which body conducts compliance audits, and which authority imposes fines for substantive non-compliance.
The 3-Month Registration Window — Key Dates and Requirements
Austria’s 3-month registration window is one of the more generous European implementation windows. From the law’s entry into force on 1 October 2026, affected entities have until 31 December 2026 to register with the Bundesamt für Cybersicherheit. That three-month window triggers a multi-year compliance sequence:
| Date | Milestone |
|---|---|
| 1 October 2026 | NISG 2026 enters into force |
| 31 December 2026 | Registration deadline — 3 months after entry into force |
| 30 September 2027 | Self-declaration deadline — 12 months after registration trigger |
| 1 October 2028 | Authorities may begin requesting proof of implementation |
| 30 September 2030 | Final signed audit report due (comprehensive effectiveness evidence) |
What registration requires: The submission to the Bundesamt für Cybersicherheit must include organisation name and address, designated responsible contact person, IP address ranges, sector and subsector classification, and the EU member states in which services are provided. This registry entry forms the baseline for all subsequent compliance interactions.
Missing the 31 December 2026 deadline carries a specific financial penalty: registration failures are subject to fines of €50,000 to €100,000, separate from the general penalty regime. The message is clear: registration is not an administrative formality — it is the enforcement entry point.
As of mid-2026, secondary legislation specifying the exact registration procedure is still in development. The NISG 2026 places the obligation to self-identify on entities. Waiting for full regulatory guidance creates fine exposure; completing scope assessment before 1 October 2026 is the safe approach.
Core Compliance Obligations Under NISG 2026
NISG 2026 transposes Article 21 of the NIS2 Directive in full, requiring risk-based cybersecurity measures across ten domains. Management bears direct accountability for implementation — mandatory training for directors and C-suite is explicitly required.

Ten risk-management domains (Article 21 NIS2 Directive):
- Risk analysis and information security policies
- Incident handling — detection, response, and recovery
- Business continuity and crisis management (backup, disaster recovery)
- Supply chain security — covering direct suppliers and service providers
- Secure network and information system acquisition and maintenance
- Cybersecurity hygiene and awareness training (management training is mandatory)
- Access control policies and multi-factor authentication
- Cryptography and encryption policies
- Human resources security and asset management
- Vulnerability management and disclosure
Incident reporting (Article 23 NIS2 Directive):
- 24 hours — Early warning to CERT.at (or sector CSIRT) for significant incidents
- 72 hours — Detailed incident report with initial impact assessment
- 30 days — Final comprehensive incident report
Self-declaration: Within 12 months of registration (by 30 September 2027), organisations must submit a self-declaration to the Bundesamt für Cybersicherheit describing implemented risk management measures, results of risk analyses, supply chain security arrangements, and management training evidence. This is not a self-audit — it is a structured declaration that authorities use to prioritise follow-up supervisory action.
Penalties and Management Liability Under NISG 2026
NISG 2026 implements a two-tier penalty regime with an additional personal liability dimension that creates direct incentive for Austrian directors to treat compliance as a board-level priority.

| Entity category | Maximum fine | Registration breach |
|---|---|---|
| Essential entities | €10 million or 2% of global annual turnover (whichever is higher) | €50,000–€100,000 |
| Important entities | €7 million or 1.4% of global annual turnover (whichever is higher) | — |
| Public administration | Naming-and-shaming (formal publication of non-compliance) | — |
The naming-and-shaming mechanism for public administration is an Austria-specific enforcement design: rather than fining government bodies, the authority formally documents and publishes non-compliance — creating reputational and political accountability in place of financial penalties.
Management personal liability: NISG 2026 holds directors and C-suite executives directly accountable. Consequences for gross negligence in cybersecurity oversight include:
- Personal damages liability for losses resulting from insufficient cybersecurity management
- Temporary prohibition from leadership roles for serious or repeated breaches
All risk reviews, incident logs, and security sign-offs must be documented, timestamped, and exportable on authority request. This is not optional record-keeping — it is the evidence base for the personal liability defence.
Austrian Compliance Pathways: ISO 27001, Cyber Trust Austria, and National Standards
Three frameworks help Austrian organisations build and demonstrate NISG 2026 compliance.
ISO 27001:2022 is the primary accepted framework under NISG 2026. Article 21 of the NIS2 Directive explicitly references “European and international standards” for cybersecurity risk management, and ISO/IEC 27001:2022 maps directly to all ten NIS2 security domains. Organisations with an existing ISO 27001:2022 ISMS have a shorter gap to close — the control structure, risk assessment methodology, and audit documentation largely satisfy the self-declaration requirements. Certification does not, however, replace the mandatory registration, incident reporting obligations, or self-declaration under NISG 2026: those are procedural requirements regardless of certification status.
Cyber Trust Austria is an Austria-specific quality label developed in cooperation with KSV1870 and accepted by Austria’s NIS authority as evidence of cybersecurity maturity. It has four levels:
| Level | Coverage | Best suited for |
|---|---|---|
| Standard | Basic cyber hygiene controls | SMEs entering compliance |
| Silver | Intermediate technical and organisational controls | Growing organisations |
| Gold | Advanced controls with independent verification | Important entities |
| Platinum | Maps specifically to §33 NISG 2026 requirements | Essential entities seeking Austrian-authority recognition |
The Platinum label is the most direct Austrian compliance pathway short of full ISO 27001 certification. It provides structured, authority-accepted evidence of NIS2 security measure compliance.
Austrian technical standards (OVE and ÖNORM): Austria’s national standards bodies — OVE (Österreichischer Verband für Elektrotechnik) for electrical and electronic engineering standards, and Austrian Standards International for general technical standards (ÖNORM) — publish sector-specific guidance that can supplement NIS2 compliance documentation. In sectors with applicable OVE or ÖNORM frameworks (notably energy, industrial environments, and critical infrastructure), referencing these standards in security documentation strengthens audit-readiness and demonstrates alignment with national technical consensus. They do not create a standalone compliance pathway — NISG 2026 compliance documentation must directly address the directive’s requirements — but they are credible evidence of due diligence in technically regulated sectors.
Frequently Asked Questions About NISG 2026
Is NISG 2026 in force now?
Not yet as of May 2026. The law enters into force on 1 October 2026. Until that date, the NISG 2018 framework continues to apply for organisations already within scope under the original NIS Directive. The remaining months before October are the window for scope assessment, gap analysis, and registration preparation.
Our Austrian subsidiary is part of a group already registered under NIS2 in Germany. Does it need to register separately?
Yes. NISG 2026 provides no group privilege relaxation. An Austrian subsidiary that independently meets the scope criteria registers with the Bundesamt für Cybersicherheit by 31 December 2026, regardless of the parent group’s registration elsewhere in the EU. The Austrian entity is regulated as a standalone entity, not as part of a group structure.
What is the difference between CERT.at and the Bundesamt für Cybersicherheit?
CERT.at handles incident response — it receives 24/72-hour incident notifications and provides technical assistance. The Bundesamt für Cybersicherheit supervises compliance — it maintains the entity register, requests audit evidence, and imposes fines. Think of CERT.at as your emergency responder and the Bundesamt as your regulator.
Does ISO 27001 certification satisfy NISG 2026?
It substantially reduces the compliance gap. ISO 27001:2022 maps well to Article 21’s ten security domains and provides most of the documentation the self-declaration requires. However, ISO 27001 does not substitute for mandatory registration, the structured self-declaration submission, or the 24-hour incident reporting obligation. Both are needed: the framework for security controls, and the procedural compliance for regulatory interaction.
Key Takeaways for Austrian Organisations
The NISG 2026 is law. Austria’s legislative uncertainty is resolved, and the compliance timeline is concrete. Four priorities stand out for organisations operating in scope:
- Scope assessment before 1 October 2026: Confirm essential or important entity classification. Identify which sector authority supervises your organisation.
- Registration preparation: Gather IP ranges, designate a responsible contact person, confirm sector classification. Registration opens 1 October 2026 and closes 31 December 2026.
- Gap analysis against Article 21: Map current controls to the ten NIS2 security domains. Prioritise areas with high remediation effort.
- Incident reporting pipeline: Verify reporting pathway to CERT.at or your sector CSIRT. 24-hour early warning capability must be operational from 1 October 2026.
Organisations with ISO 27001:2022 certification have a manageable compliance gap. Those starting from scratch should evaluate the Cyber Trust Austria label — particularly the Platinum level — as a structured, Austrian-authority-recognised path to NISG 2026 compliance.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Sources
- European Commission — Commission infringement proceedings: 19 member states including Austria
- Schoenherr law firm — NISG 2026: Alles, was Sie wissen müssen
- NIS-2-Directive.com — Transposition in Austria
- Federal Chancellery of Austria — Cybersecurity contact points
- ISMS.online — NIS 2 Austria: Sectoral Authority and Audit Traps
- Baker McKenzie — New cybersecurity laws in Germany and Austria: Legal uncertainty remains (Connect on Tech, December 2025)
- Limes Security — What the new NISG 2026 means for companies
- Eversheds Sutherland — EU NIS2 Directive: Austria
- Wolf Theiss — NIS-2 implementation act: new cyber obligations
- Cyber Trust Austria — Austrian cybersecurity quality label
- EUR-Lex — Directive (EU) 2022/2555 (NIS2)
