Austria

(a) What is the NIS2 implementation status?

The Austrian NIS2 implementation act (“NISG 2026”) was published on 23 December 2025. It will enter into force on 1 October 2026.

(b) What is the envisaged NIS2 implementation timeline?

The NISG 2026 will enter into force on 1 October 2026. Affected entities have to register with the Authority within 3 months, so until 1 January 2027. Within 1 year, so until 30 September 2027, affected entities will have to submit a self-declaration to the Authority on the implemented risk-management measures.

(c) What does the NIS2 mean for other national cybersecurity legislation?

The NISG 2026 replaces the existing Austrian NIS Act (Netz- und Informationssystemsicherheitsgesetz) which had implemented the original NIS directive. Certain rules in the Telecommunications Act and the Health Telematics Act are amended accordingly.

(d) Who will be the supervisory authority and how are they preparing the market?

A new cybersecurity authority (Bundesamt für Cybersicherheit) is established by NISG 2026. This new authority will be the supervisory authority for NIS2. Limited information on the upcoming rules has been published on a dedicated NIS homepage.

(e) What should you be doing/on the lookout for?

Entities should by now know whether they are subject to NISG 2026. If this is not the case, an assessment of the applicability should be performed as soon as possible. Entities that are subject to NISG 2026 should perform a gap analysis to identify and close any gaps before the implementation date of 1 October 2026. Affected entities should also consider obtaining a certification such as ISO27001, as this can serve as an important proof of compliance with some of the obligations under NISG 2026. Entities should also be on the lookout for further clarifications on the scope and formal requirements under NISG 2026, which can be issued by ordinance.

Contact

Michael Roehsner E: michael.roehsner@eversheds-sutherland.at

Compare NIS2 implementation across other EU member states

Compare now

Other Resources

Eversheds Sutherland NIS2 Directive hub

Visit webpage

Whitepaper: Everything you need to know about the NIS2 Directive

Read the whitepaper

Webinar: One year to go until the EU NIS2 Directive

Watch the webinar

Article: Focus on the NIS2 directive

Read the summary briefing

© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.

Share this page