NIS2 and the Austrian NISG 2026

What is NIS-2 and what is the NISG 2026?

The NIS-2 Directive (Directive (EU) 2022/2555, "Network and Information Security Directive 2") is the central EU legal framework for a high common level of cybersecurity across the Union. It replaces the first NIS Directive of 2016 and responds to its known weaknesses: an overly narrow scope, inconsistent transposition, and weak enforcement. NIS-2 entered into force on 16 January 2023; the deadline for transposition into national law expired on 17 October 2024.

As a directive, NIS-2 does not have direct effect vis-à-vis companies but must be cast into national law by the Member States. In Austria this is done through a recast of the Network and Information System Security Act (Netz- und Informationssystemsicherheitsgesetz, NISG), in Germany through the NIS2 Implementation and Cybersecurity Strengthening Act, and in Switzerland via a standalone path not bound to NIS-2 (including a reporting obligation for critical infrastructure in the Information Security Act). Important in practice: both Austria and Germany have missed the transposition deadline. The provisional status in 2026 is that the national laws are in advanced procedures that are, however, not yet finalized in all respects. Organizations should therefore actively monitor the entry-into-force and registration timing and not rely on a fixed date.

The strategic core: NIS-2 shifts cybersecurity from a voluntary IT task to a legally mandatory, board-level governance requirement with personal responsibility of the management bodies.

Who is affected? Essential and important entities

NIS-2 massively expands the scope compared to the old directive. Whether an organization is affected fundamentally derives from two criteria: sector and size.

NIS-2 distinguishes between essential entities and important entities. The sectors are governed in two annexes: Annex I covers sectors of high criticality (including energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management in B2B, public administration, space). Annex II covers further critical sectors (including postal and courier services, waste management, chemicals, food, manufacturing/production, providers of digital services such as online marketplaces, search engines, and social media platforms, research).

For the size threshold, the "size-cap rule" generally applies: covered are medium-sized and large companies, that is, from 50 employees or an annual turnover/balance sheet total of more than EUR 10 million. Below this threshold, NIS-2 generally does not apply – with exceptions for certain critical providers (e.g. DNS services, TLD registries, qualified trust service providers, certain providers of public communications networks), which may be covered regardless of their size.

A key practical point: there is no official prior classification for each organization. Affected entities must determine for themselves whether they are affected and – depending on the national design of the NISG – register within set deadlines. This self-assessment obligation affects many companies that have not previously regarded themselves as "critical infrastructure," such as manufacturers, food, or research organizations.

Cybersecurity and risk-management obligations (Art. 21)

The heart of NIS-2 is Article 21: affected entities must take "appropriate and proportionate technical, operational, and organizational measures" to manage the risks to their network and information systems. The benchmark is risk-based and oriented toward the state of the art. NIS-2 explicitly names a minimum catalogue that includes at least:

• Risk analysis and policies for the security of information systems
• Incident handling (managing security incidents)
• Business continuity and crisis management (backup, recovery)
• Supply-chain security including relationships with suppliers and service providers
• Security in the acquisition, development, and maintenance of systems, including vulnerability management
• Procedures to assess the effectiveness of the measures
• Cyber hygiene and training
• Cryptography and encryption
• Personnel security, access control, and asset management
• Multi-factor authentication (MFA), secured communication, and emergency communication

Operating an AI Agent falls within this framework in several respects: an AI Agent is a network and information system within the meaning of the directive, it typically accesses further systems via tools, APIs, and MCP integrations, and it potentially processes data worthy of protection. This makes access control, encryption, logging, vulnerability management, and supply-chain assessment directly relevant. Anyone operating AI Agents productively in an affected sector must integrate these components into NIS-2 risk management – not as an add-on, but as part of the regular security concept.

Reporting obligations: the 24/72-hour regime

NIS-2 establishes a tiered, tightly timed reporting procedure for significant incidents to the competent authority or the national CSIRT (Computer Security Incident Response Team). Simplified, an incident is considered significant if it has caused or is capable of causing serious operational disruption, financial losses, or considerable harm to others.

For operating an AI Agent this means: detection and escalation capability is needed that is fast enough to meet the 24-hour early warning. Incidents such as a successful prompt injection attack that drives an agent to unauthorized tool calls or data exfiltration, a compromised model endpoint, or a data leak via a misconfigured tool integration may be reportable. Logging, monitoring, and a defined incident-response process for agent systems are therefore practical NIS-2 prerequisites.

Supply-chain security: the reach-through to AI and cloud providers

One of the most impactful innovations is the explicit obligation to secure the supply chain. Affected entities must assess the security of their direct suppliers and service providers and feed the results into their risk management and their contracts. Factors to be taken into account include the quality of the supplier's security practices, its development processes, and the specific risk profile.

For operating an AI Agent this is central, because the typical stack relies heavily on external components: LLM providers, cloud/hosting providers, vector databases, tool and API services, MCP servers, orchestration frameworks. These providers are often not directly subject to NIS-2 themselves – but through the supply-chain obligation of the regulated customer organization, NIS-2 requirements are effectively passed through to them. In practice this means: security commitments in contracts (DPA/AVV, audit rights, sub-processor transparency, incident-notification clauses), evidence such as ISO/IEC 27001 or SOC 2 reports, and a documented supplier assessment.

This also produces a DACH-specific intersection with the sovereign-AI discussion: workloads in regulated or critical sectors – such as financial services under DORA or critical infrastructure under NIS-2 – benefit structurally from EU-resident, sovereign AI platforms, because these simplify data residency, sub-processor transparency, and supply-chain assessment. McKinsey estimates the global market for sovereign AI at around USD 600 billion per year by 2030, of which EUR 180–200 billion is the European share (McKinsey, cited in Blck Alpaca Research, 2026) – an indicator that the regulatory pressure (NIS-2, DORA, EU AI Act, GDPR) commercially supports sovereign architecture decisions.

Responsibility of management bodies and sanctions

NIS-2 expressly addresses the management bodies. They must approve the risk-management measures, oversee their implementation, and answer for breaches. Also envisaged are mandatory training for management bodies so that they can assess cyber risks and estimate impacts. In the event of serious breaches, national authorities can – depending on transposition – also order the temporary suspension of management functions.

The fine range is significant: up to EUR 10 million or 2 % of global annual turnover (whichever is higher) for essential entities, up to EUR 7 million or 1.4 % for important entities. This elevates cybersecurity to a board-level risk similar to the GDPR. Important in the DACH context: the specific design of sanctions, supervision, and any liability rules for management bodies is set out in the national NISG/NIS2 transposition act and may vary from country to country – the figures cited are the directive's requirements; the national transposition must be examined in detail (informational, not legal advice).

AI Agent-specific cybersecurity within the NIS-2 framework

Autonomous AI Agents expand the attack surface compared to classic applications because they interpret inputs, make decisions, and act on systems in reality via tools. Within NIS-2 risk management, the following aspects should therefore be addressed at a minimum:

• Prompt injection and data poisoning as the primary threat class – content from emails, documents, or websites can lead an agent to unintended actions. Countermeasures: input validation, separation of instruction and data context, output filtering.
• Least-privilege tool access – equip agents only with the minimum necessary permissions; secure sensitive tool calls (payments, deletions, external communication) with a human-in-the-loop.
• Guardrails and policy enforcement – technical guardrails for permissible actions, rate limits, and allow/deny lists for tools and domains.
• Identity and access management – strong authentication (MFA), short-lived tokens, and clean secrets management for agent identities.
• Complete logging and auditability – traceability of every agent decision and every tool call, in order to meet reporting obligations and forensics.
• Supply-chain hardening – securing model endpoints, MCP servers, and third-party tools.

These measures overlap with established security catalogues such as the OWASP Top 10 list for LLM applications and the OWASP list for agentic systems. NIS-2 does not directly prescribe these catalogues but provides the legal occasion to anchor them bindingly in the security concept.

Distinction from the EU AI Act, the GDPR, and DORA

NIS-2 is a cybersecurity regime and does not overlap with the parallel EU frameworks. A clean distinction prevents both gaps and duplicated effort:

In regulated industries, several regimes apply simultaneously. As a sector-specific special rule for the financial sector, DORA largely displaces the NIS-2 requirements but in parts goes beyond them. Pragmatically, it is advisable to use established management standards as a shared implementation baseline: ISO/IEC 27001 for the information security management system (ISMS) and ISO/IEC 42001 (AI management system, December 2023) for AI governance. According to Blck Alpaca Research (2026), ISO/IEC 42001 is increasingly developing into a "multi-jurisdictional compliance simplifier" that is referenced across multiple legal jurisdictions as a prudential baseline anchor.

Practical outlook and recommended action

The provisional status in 2026 for the DACH region is: the NIS-2 obligations are substantively clear by virtue of the directive, the national transposition in Austria (NISG) and Germany is being delayed beyond the EU deadline (17 October 2024), and the precise registration, deadline, and sanction details will only emerge from the final national law. Organizations should not misunderstand this delay as a reprieve: the substantive requirements are foreseeable, and the preparation time for robust risk management is considerable.

Concretely, a three-step approach is advisable: first, an honest analysis of affectedness and size per sector (including the self-registration obligation); second, a gap assessment against the Art. 21 measures catalogue that expressly includes AI Agents and their supply chain; third, building an incident-response process that can meet the 24/72-hour reporting window. For AI Agents this means: factor in guardrails, least-privilege tool access, complete logging, and a documented supplier assessment from the outset – ideally anchored in an ISMS (ISO/IEC 27001) and an AI management system (ISO/IEC 42001).