Austria

(a) What is the NIS2 implementation status?

Austria has not yet implemented the NIS2 Directive. A previous draft bill was rejected by the Austrian Parliament in July 2024 after failing to secure the required two-thirds majority. Since then, no revised version of the draft has been presented, and the national transformation law remains pending in Parliament.

However, the newly formed Austrian government, inaugurated in March 2025, has committed to the implementation of NIS2 as part of its official government program announced in late February 2025. The government has stated that the implementation will follow the directive closely, without expanding its scope, except for the announced inclusion of Public Broadcasting in Austria.

(b) What is the envisaged NIS2 implementation timeline?

Given the rejection of the previous draft bill in July 2024 and the lack of a revised draft since then, the exact timeline for Austria’s NIS2 implementation remains uncertain. The new government has confirmed its intention to proceed, but the draft legislation still requires a two-thirds majority in Parliament—meaning it is dependent on the support of opposition parties.

As of now, it is unlikely that the law will enter into force before Q3 or Q4 of 2025. The previously rejected draft had suggested a potential implementation date of 1 June 2025, but this is no longer considered realistic. Once adopted, current drafts foresee that affected companies will have to register with the supervisory authority within three months of the law taking effect.

(c) What does the NIS2 mean for other national cybersecurity legislation?

The implementation of NIS2 will replace the existing Austrian NIS Act (Netz- und Informationssystemsicherheitsgesetz) which had implemented the original NIS directive. Certain rules in the Telecommunications Act and the Health Telematics Act will be amended accordingly.

(d) Who will be the supervisory authority and how are they preparing the market?

The new Austrian government has announced in their government program that a new cybersecurity authority will be created. This new cybersecurity authority (Cybersicherheitsbehörde) will be the supervisory authority for NIS2.

Limited information on the upcoming rules has been published on a dedicated NIS homepage.

(e) What should you be doing/on the lookout for?

We expect that the final implementation law will have very similar contents to the last (rejected) implementation draft. We therefore recommend companies to prepare based on this implementation draft.

Companies should therefore assess whether they are subject to NIS2 based on the latest Austrian implementation draft, as affected companies will have to register at the supervisory authority. Affected companies should then conduct a gap analysis on the compliance of their current cybersecurity measures with the measures required by the Austrian implementation draft. Identified gaps should be addressed as quickly as possible, so compliance can be achieved at the implementation date.