Austria
(a) What is the NIS2 implementation status?
Austria has not yet implemented the NIS2 directive. An implementation draft was rejected by Parliament in July 2024.
(b) What is the envisaged NIS2 implementation timeline?
In July 2024, the last implementation draft was surprisingly rejected by Austrian Parliament. Since then, no new implementation draft has been published yet.
The last implementation draft already included an implementation date of 1 June 2025.
It is therefore expected that once Austria implements NIS2, the implementation act will not take effect before 1 June 2025. We expect that implementation may take even longer than that.
According to the latest implementation drafts, affected companies will have to register at the supervisory authority within three months of the implementation act taking effect.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The implementation of NIS2 will replace the existing Austrian NIS Act (Netz- und Informationssystemsicherheitsgesetz) which had implemented the original NIS directive. Certain rules in the Telecommunications Act and the Health Telematics Act will be amended accordingly.
(d) Who will be the supervisory authority and how are they preparing the market?
The Federal Ministry of the Interior is supposed to be the supervisory authority. However, this has been criticized and was the main reason for the implementation draft being rejected in Parliament. This may therefore change.
Limited information on the upcoming rules has been published on a dedicated NIS homepage.
(e) What should you be doing/on the lookout for?
We expect that the final implementation law will have very similar contents to the last (rejected) implementation draft. We therefore recommend companies to prepare based on this implementation draft.
Companies should therefore assess whether they are subject to NIS2 based on the latest Austrian implementation draft, as affected companies will have to register at the supervisory authority. Affected companies should then conduct a gap analysis on the compliance of their current cybersecurity measures with the measures required by the Austrian implementation draft. Identified gaps should be addressed as quickly as possible, so compliance can be achieved at the implementation date.
Contact
Michael Roehsner E: michael.roehsner@eversheds-sutherland.at
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.
Share this page