Austria
(a) What is the NIS2 implementation status?
Austria has not yet implemented the NIS2 directive. An implementation draft was recently rejected by Parliament.
(b) What is the envisaged NIS2 implementation timeline?
Recently, the last implementation draft was surprisingly rejected by Austrian Parliament. Due to upcoming general elections in autumn, the implementation timeline is now unclear. As an implementation before the Directive’s deadline on 17 October 2024 seems unlikely, the last implementation drafts already included an implementation date of 1 June 2025.
It is therefore expected that once Austria will implement NIS2, the implementation act will take effect on 1 June 2025.
According to the latest implementation drafts, affected companies will have to register at the supervisory authority within three months of the implementation act taking effect.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The implementation of NIS2 will replace the existing Austrian NIS Act (Netz- und Informationssystemsicherheitsgesetz) which had implemented the original NIS directive. Certain rules in the Telecommunications Act and the Health Telematics Act will be amended accordingly.
(d) Who will be the supervisory authority and how are they preparing the market?
The Federal Ministry of the Interior Is supposed to be the supervisory authority. However, this has been criticized lately and was the main reason for the implementation draft being rejected in Parliament. This may therefore change.
Limited information on the upcoming rules has been published on a dedicated NIS homepage.
(e) What should you be doing/on the lookout for?
Companies should now assess whether they are subject to NIS2 based on the latest Austrian implementation draft, as affected companies will have to register at the Supervisory Authority. Failure to register may lead to significant fines. Affected companies should then conduct a gap analysis on the compliance of their current cybersecurity measures with the measures required by the Austrian implementation draft. Identified gaps should be addressed as quickly as possible, so compliance can be achieved at the implementation date.
Contact
Michael Roehsner E: michael.roehsner@eversheds-sutherland.at
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.
Share this page