Transposed & Enforced

NIS2 in Austria

Everything you need to know about the NIS2 directive in Austria: transposition law, competent authority, fines, deadlines, and how Reglyze helps SMEs become compliant.

Austria transposed NIS2 through the Netz- und Informationssystemsicherheitsgesetz 2026 (NISG 2026), adopted by Parliament in December 2025 after the country missed the EU's October 2024 deadline and received a Commission reasoned opinion in May 2025. The law enters fully into force on 1 October 2026, so unlike Germany or Belgium — where obligations already bind — Austrian entities still have a defined run-up: the smart move is to be registration-ready and have the Article 21(2) baseline evidenced before the October 2026 switch-on, not after.

Key facts at a glance

Transposition Law

Netz- und Informationssystemsicherheitsgesetz 2026 (NISG 2026)

Adopted / in force: 2026-10-01

Competent Authority

Bundesministerium fuer Inneres — NIS-Anlaufstelle (BMI)

https://www.nis.gv.at

Fines — Essential

Up to EUR 10 million or 2% of total worldwide annual turnover (whichever is higher)

Fines — Important

Up to EUR 7 million or 1.4% of total worldwide annual turnover (whichever is higher)

These ceilings come from the directive — see how NIS2 fines are calculated, recent enforcement cases and director personal liability.

Priority sectors for NIS2 in Austria

NIS2 covers 18 sectors across Annex I (essential) and Annex II (important). These are the sectors where Austria's transposition and BMI supervision focus most.

Energy, water and transport operators

Austria's existing critical-infrastructure operators under the prior NISG regime are the clearest essential entities under NISG 2026 — grid operators, water utilities and rail/transport hubs carry continuous obligations and are the first cohort supervisors will examine once the law switches on.

Manufacturing and the industrial Mittelstand

Much of the estimated ~4,000 newly in-scope population is mid-sized Austrian industry — machinery, automotive suppliers, food and chemicals — pulled in as important entities once they pass the 50-employee / EUR 10M thresholds under Annex II.

Digital infrastructure and managed IT services

Cloud providers, data centres, managed service providers and DNS/TLD operators are in scope irrespective of size. A small Austrian MSP serving regulated customers is typically caught even below the headcount threshold, and carries supply-chain obligations toward its clients.

Key deadlines

2026-10-01

NISG 2026 enters fully into force. From this date in-scope essential and important entities are legally bound.

2026-12-31

Registration deadline with the Austrian NIS authority (NIS-Anlaufstelle) — within three months of entry into force.

Is your company in scope? Common Austrian scenarios

Two worked examples of how NIS2 scoping plays out in Austria. Not sure where you land? Run the free NIS2 scope checker.

A 120-person Austrian regional water utility
In scope — essential entity

Water supply is an Annex I sector. A utility of this size is an essential entity under NISG 2026: it must register with the NIS-Anlaufstelle by 31 December 2026, implement the Article 21(2) risk-management measures, and meet the 24h/72h/1-month incident-reporting clock once the law is in force.

A 60-employee Vienna software/MSP company (EUR 12M turnover)
In scope — important entity

Managed services and digital infrastructure fall under Annex II. Above the 50-staff / EUR 10M threshold this firm is an important entity: it faces ex-post supervision, must register, and should expect its own regulated customers to demand supply-chain assurances.

What Austrian businesses need to know

  • The NISG 2026 was adopted by the Austrian Parliament in December 2025 and enters fully into force on 1 October 2026 — obligations are not yet binding before that date.

  • Austria missed the EU's 17 October 2024 transposition deadline; the European Commission issued a reasoned opinion on 7 May 2025 before the law was finally adopted.

  • Roughly 4,000 Austrian organisations are expected to fall in scope as essential or important entities.

  • In-scope entities must register with the Austrian NIS authority within three months of entry into force (by 31 December 2026).

  • Failure to register, or late registration, is a separate offence punishable by fines up to EUR 50,000 (up to EUR 100,000 for repeat cases), on top of the main NIS2 penalty ceilings.

  • Significant incidents must be reported with a 24-hour early warning, a 72-hour notification and a one-month final report (NIS2 Article 23).

How BMI enforces NIS2 in Austria

Because NISG 2026 only takes effect on 1 October 2026, active supervision and penalties apply from that date rather than today. Once in force, essential entities face proactive (ex-ante) supervision while important entities are supervised ex-post on cause. The penalty architecture mirrors the directive — up to EUR 10M / 2% for essential and EUR 7M / 1.4% for important entities — with a distinct registration-failure fine of up to EUR 50,000 (EUR 100,000 for repeat breaches). The run-up to October 2026 is the window to get registration-ready and evidence the Article 21(2) baseline.

NIS2 in Austria: frequently asked questions

Is NIS2 already in force in Austria (NISG 2026)?

Not yet. The NISG 2026 was adopted in December 2025 but enters fully into force on 1 October 2026. Obligations — including registration and the Article 21(2) measures — become binding from that date. Austria had missed the EU's October 2024 deadline, which is why its law arrived later than Germany's or Belgium's.

When must Austrian entities register, and with whom?

Essential and important entities must register with the Austrian NIS authority (the NIS-Anlaufstelle, reachable via nis.gv.at) within three months of entry into force — by 31 December 2026. Late or missing registration is a separate offence punishable by up to EUR 50,000 (EUR 100,000 for repeat cases).

How high are NIS2 fines in Austria?

Essential entities face fines up to EUR 10 million or 2% of total worldwide annual turnover (whichever is higher); important entities up to EUR 7 million or 1.4%. These sit alongside the separate registration-failure penalty of up to EUR 50,000 / EUR 100,000.

Who is in scope under NISG 2026?

Roughly 4,000 Austrian organisations are expected to be caught. Essential entities come from Annex I sectors (energy, water, transport, health, digital infrastructure, public administration); important entities from Annex II (manufacturing, postal, waste, chemicals, food, digital providers) once they pass the 50-employee / EUR 10M size threshold. Some digital-infrastructure providers are in scope regardless of size.

Official sources

Primary references for NIS2 in Austria — verify the latest text and deadlines directly with the authority.

Ready to become NIS2 compliant in Austria?

Reglyze is the AI-powered NIS2 compliance platform built for European SMEs. Start free — scoping, gap assessment, and policy generation tailored to BMI requirements.