Network and Information Systems Security Act 2026 – NISG 2026 implemented

In a second attempt, the implementation of the EU’s NIS 2 Directive (Directive (EU) 2022/2555) has now been approved by both the National Council and the Federal Council. The Network and Information Systems Security Act 2026 (NISG 2026) transposes the European legal framework on cybersecurity into Austrian law. The Act was promulgated on 23 December 2025 and will take effect from 1 October 2026.
The aim of the NISG 2026 is to ensure a high common level of cybersecurity for those sectors and subsectors that are essential to the functioning of society and the economy. To this end, comprehensive measures to secure network and information systems are envisaged, and the Federal Office for Cybersecurity is established as the central cybersecurity authority.

The scope of the NISG 2026 covers, in particular, medium-sized and large enterprises in critical sectors such as energy, transport, banking, digital infrastructure, healthcare, waste management and public administration. The classification as a ‘medium-sized’ or ‘large’ enterprise is determined by the number of employees, annual turnover and annual balance sheet total. In the case of more complex corporate structures – such as subsidiaries within a group – a case-by-case assessment is required because additional assessment criteria must be taken into account; in such cases, these figures may be aggregated. Small enterprises are generally not covered; however, exceptions apply to enterprises such as providers of public electronic communications networks and trust service providers. In all cases, it is advisable to carry out an early legal and organisational review in order to identify any obligations in good time and implement appropriate measures.

The NISG 2026 requires affected organisations to implement appropriate risk management measures and to comply with comprehensive notification and reporting obligations. In the event of a cybersecurity incident, these notification obligations may have to be met within 24 or 72 hours. The management bodies – such as the managing directors of a limited liability company (GmbH) or board members of a public limited company (AG) – are obliged to ensure and monitor compliance with these measures. They are liable to the organisation for any damage caused through negligence and must also attend specially designed cybersecurity training courses.

Affected organisations must register by 31 December 2026; the form of registration is yet to be determined by regulation. Information on the risk management measures implemented must be submitted to the cybersecurity authority by 30 September 2027. These measures must be implemented from 1 October 2026, and the reporting obligations must also be observed from that date.

The specified deadlines should be used to ensure the systematic and consistent implementation of the requirements of the NISG 2026. We would be happy to assist you with the legal assessment and support for the implementation of the requirements of the NISG 2026.

Dornbirn, 18 March 2026, Viktor Thurnher/Andreas Wachter