NIS2 in Austria: What Companies Must Concretely Implement
Austria has transposed NIS2 into national law. Which companies are affected, what must be implemented by when, and how to succeed in practice.
Austria's NIS2 Implementation: NISG 2024
Austria transposed the NIS2 Directive through the Network and Information System Security Act 2024 (NISG 2024). The Act has been applicable since October 2024. Compared to its predecessor (NISG 2018), the range of companies it covers has grown considerably.
Who Is Affected?
NISG 2024 distinguishes between essential entities and important entities:
Essential entities are typically large companies (>250 employees or >€50M turnover) in critical sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT services (B2B), public administration, and space.
Important entities include medium-sized companies (>50 employees or >€10M turnover) in the same and additional sectors: postal and courier services, waste management, chemicals, food, medical devices, electronics, vehicle manufacturing, general machinery, digital providers, and research.
Important: even if your company does not meet the size threshold, it may still qualify as an essential entity if it is the sole provider of a specific critical service or if its failure would have significant consequences.
What Must Be Concretely Implemented
NISG 2024 prescribes the following measures:
Risk Management: Identification and assessment of risks to network and information systems; implementation of appropriate technical and organizational measures.
Security Measures (examples): Policies on information security, business continuity, cryptography, and access control; security in acquisition, development, and maintenance of systems; training; multi-factor authentication.
Supply Chain Security: Assessment and management of security risks from suppliers and service providers.
Reporting Obligations: Serious incidents must be reported to CERT.at within 24 hours (early warning), 72 hours (notification), and 30 days (final report).
Registration Obligation: Affected companies must register with the BMLRT.
Sanctions and Enforcement
NISG 2024 provides for fines of up to €10 million or 2% of global annual turnover for essential entities. For important entities, fines of up to €7 million or 1.4% of turnover apply. Additionally, as provided for in the directive, members of management bodies can be held personally liable.
Note: This article provides a general overview of NISG 2024 and does not replace legal or compliance consulting.