
NIS2 Applicability Assessment Austria: Self-Classification under the NISG Step by Step

Blck Alpaca
Definition

NIS2 applicability in Austria is governed by the NISG 2026, which transposes EU Directive (EU) 2022/2555. As a general rule, medium-sized and larger enterprises (50 or more employees, or more than EUR 10 million in both annual turnover and balance sheet total) active in one of 18 sectors are covered. Unlike the failed 2024 draft, applicability is determined by self-classification rather than by an official ruling.

Key Takeaways

  • The NISG 2026 was passed by the National Council on 12 December 2025, promulgated on 23 December 2025 and enters into force on 1 October 2026 - Austria is therefore well behind the EU deadline (17 October 2024).
  • The basic size rule follows the EU definition of medium-sized enterprises: 50 or more employees, OR more than EUR 10 million in both annual turnover and annual balance sheet total (headcount alone is sufficient; on the financial side an enterprise remains small while it stays under at least one of the two ceilings), combined with an activity in one of the 18 sectors covered.
  • The NISG 2026 distinguishes between essential and important entities - the classification determines the intensity of supervision and the sanction framework; both categories have obligations.
  • Key innovation: a shift to self-classification and self-declaration instead of an official ruling; in addition, the group privilege is abolished and companies are generally assessed individually.
  • The applicability assessment does not replace legal advice - special cases (critical activity regardless of size, supply chain) require an individual legal assessment by a lawyer.

Whether your company is covered by NIS2 is determined in Austria by the NISG 2026, which transposes EU Directive (EU) 2022/2555 (NIS2) into national law. The basic rule: as a general rule, medium-sized and larger enterprises are covered - that is, organisations with 50 or more employees, or with more than EUR 10 million in both annual turnover and balance sheet total - provided they operate in one of the 18 sectors covered. What is new is the shift to self-classification: you must determine your applicability yourself; no authority determines it for you by way of an official ruling.

This article walks through self-classification step by step - with an assessment table, a concrete calculation example and the most important special cases. It provides professional orientation but does not replace legal advice.

  • Size: 50 or more employees, or more than EUR 10 million in both turnover and balance sheet total (EU definition of medium-sized enterprises).
  • Sector: Activity in one of the 18 sectors under Annex I or II of the NIS2 Directive.
  • Procedure: Self-classification and self-declaration instead of an official ruling - responsibility lies with the company.

Legal framework: NISG 2026 and the transposition delay

The NIS2 Directive (EU) 2022/2555 was required to be transposed into national law across the EU by 17 October 2024. Austria missed this deadline by a wide margin. The first attempt, the NISG 2024, was rejected in the National Council on 3 July 2024 - the two-thirds majority required for parts of the act was not reached.

The revised draft, the NISG 2026, was finally passed by the National Council on 12 December 2025, promulgated in the Federal Law Gazette on 23 December 2025 and enters into force nine months after promulgation, on 1 October 2026 (status: 2026). Until that date there is no directly applicable national NIS2 obligation in Austria, but preparation should have been under way for some time.

The NISG 2026 brings several structural innovations compared with the 2024 draft:

  • Establishment of a Federal Office for Cybersecurity within the Federal Ministry of the Interior (BMI) as the competent cybersecurity authority.
  • A shift to self-classification and self-declaration instead of an official declaratory ruling.
  • Abolition of the group privilege - companies are generally assessed individually.
  • Supervisory bodies (for example supervisory boards) are expressly excluded from the concept of the "management body".
  • A half-yearly (instead of annual) cybersecurity report.

The scope covers around 4,000 companies across 18 sectors. Members of the management body of essential entities are themselves obliged to participate in training and tests; an incident-response team must be set up.

The two categories: essential and important entities

Like the EU Directive, the NISG 2026 distinguishes between two categories of covered organisations. The classification results from the interplay of sector (Annex I or Annex II of the Directive), company size and statutorily defined criticality criteria.

  • Essential entities are subject to more intensive, including proactive, supervision. Typically these are larger companies in the particularly critical sectors of Annex I (such as energy, transport, banking, health, digital infrastructure).
  • Important entities are supervised primarily on an ex-post (incident-driven) basis - the authority therefore acts above all following an incident or a tip-off. These include, among others, medium-sized companies in Annex I sectors as well as entities from the Annex II sectors.

Important for self-classification: both categories have obligations. Under the NIS2 logic, the responsibility of management does not apply only to essential entities. Article 20 of the NIS2 Directive requires the management body to approve the risk-management measures, oversee their implementation and be held accountable for breaches. Recital 137 makes clear that this responsibility can apply where the management body has failed to comply with its governance obligations - even without a successful attack. Liability therefore attaches to the breach of duty, not to the damage.

In Austria, sanctions are imposed not by the cybersecurity authority itself but by the district administrative authorities; the penalty framework is designed in line with the NIS2 requirements.

The assessment table: self-classification step by step

Work through the following criteria in order. Applicability is likely only when both the size criterion and the sector criterion are met (or a special case is triggered).

Criterion | Threshold / question | Consequence
Number of employees | 50 or more (full-time equivalents) | Size criterion met (headcount alone is sufficient)
Annual turnover | More than EUR 10 million | Size criterion met only together with a balance sheet total above EUR 10 million (see note below)
Annual balance sheet total | More than EUR 10 million | Size criterion met only together with turnover above EUR 10 million (see note below)
Sector affiliation | Activity in one of the 18 sectors (Annex I or II) | Sector criterion met
Annex I vs. Annex II | Particularly critical sector (Annex I) or other critical sector (Annex II)? | Indication of essential vs. important entity
Special case / critical activity | Is a critical service provided regardless of size? | Applicability possible despite falling below the size threshold
Group structure | Individual company assessed in isolation (no group privilege) | Each entity assesses independently
Registration | Self-classification results in applicability | Self-declaration / registration obligation with the Federal Office

Note on the size thresholds: the values (50 employees, EUR 10 million) correspond to the EU definition of medium-sized enterprises. That definition is asymmetric: headcount alone decides, but on the financial side an enterprise keeps its small status as long as it stays under at least one of the two ceilings. A company with 45 employees, EUR 14 million turnover and EUR 8 million balance sheet total therefore does not meet the size criterion, although the common shorthand "turnover or balance sheet total" suggests otherwise. The precise allocation of the 18 sectors to Annex I and Annex II, as well as the detailed rules on linked and partner enterprises, follow from the Directive and the NISG 2026 - here a legal review is worthwhile in borderline cases.

Concrete example: three companies compared

Case A - Mid-sized IT service provider (managed services), Vienna. 70 employees, EUR 14 million turnover. Size criterion met: 70 ≥ 50 settles it on headcount alone, so the balance sheet total does not need to be examined. ICT service management (B2B managed services) is among the sectors covered. Result: covered, presumably as an important entity - a medium-sized entity in a covered sector is, as a rule, important; essential status presupposes exceeding the medium-size ceilings (250 employees, EUR 50 million turnover and EUR 43 million balance sheet total) or meeting one of the statutory criticality criteria. Self-declaration required.

Case B - Regional energy supplier. 40 employees, EUR 9 million turnover. The pure size assessment falls below both thresholds (40 < 50, EUR 9 million ≤ EUR 10 million), so the company is a small enterprise. However, energy is a particularly critical sector (Annex I) in which special-case rules can apply regardless of size. Result: applicability possible despite small size - here the individual assessment is decisive, and a blanket all-clear would be wrong.

Case C - Advertising and marketing agency, 30 employees, EUR 6 million turnover. Neither the size threshold reached nor a relevant core sector applicable. Result: not directly covered. But beware the supply-chain effect: if the agency provides critical services for an essential entity, it may in practice be obliged - via the contractual requirements of its client - to implement NIS2-compliant security measures, without being subject to a registration obligation itself.

The cases illustrate the basic pattern: size and sector together form the rule, but special cases and supply chains can shift the outcome.
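The assessment table and the three cases above form a decision procedure that a compliance team will want to rerun every time headcount, financials or activities change. The following Python script is an added example (not the article's or the agency's own tool) that encodes that procedure and runs the three cases plus two constructed ones through it, producing a reasoning trail for the compliance file. Assumptions: the sector-to-annex map is illustrative and limited to the sectors the article names plus ICT service management (B2B), which Annex I of the Directive lists; the size bands follow the EU SME definition, modelled strictly (headcount alone suffices, both financial ceilings must be exceeded); the aggregation rules for linked and partner enterprises are out of scope; and the balance sheet totals for the cases are constructed, because the article does not state them.

```python
"""NIS2 self-classification as a repeatable check. Added example, not the
article's own tool; verify the assumptions marked below against Annex I/II
of Directive (EU) 2022/2555 and the NISG 2026 before relying on them."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Annex(Enum):
    I = "Annex I (particularly critical)"
    II = "Annex II (other critical)"


# Assumption: illustrative allocation covering only the sectors the article
# names plus ICT service management (B2B). Extend and verify against the Directive.
SECTOR_ANNEX = {
    "energy": Annex.I,
    "transport": Annex.I,
    "banking": Annex.I,
    "health": Annex.I,
    "digital infrastructure": Annex.I,
    "ict service management": Annex.I,
}

# EU SME definition (Recommendation 2003/361/EC); financial figures in EUR million.
SMALL_HEADCOUNT, SMALL_FINANCIAL = 50, 10.0
MEDIUM_HEADCOUNT, MEDIUM_TURNOVER, MEDIUM_BALANCE = 250, 50.0, 43.0


class Outcome(Enum):
    ESSENTIAL = "covered: essential entity, self-declaration required"
    IMPORTANT = "covered: important entity, self-declaration required"
    POSSIBLE = "possible despite small size: individual legal assessment"
    NOT_COVERED = "not directly covered: check supply-chain requirements"


@dataclass(frozen=True)
class Entity:
    name: str
    employees: int                  # full-time equivalents of this legal entity
    turnover_meur: float            # own figures only; linked/partner enterprise
    balance_meur: float             # aggregation is out of scope here (assumption)
    sector: Optional[str]           # None: no activity in an Annex I/II sector
    critical_service: bool = False  # critical service provided regardless of size


def size_band(e: Entity) -> str:
    """'small', 'medium' or 'large'. Headcount alone moves an enterprise up a band;
    on the financial side it keeps the lower band while it stays under at least
    one of the two ceilings, so both ceilings must be exceeded."""
    if e.employees >= MEDIUM_HEADCOUNT or (
        e.turnover_meur > MEDIUM_TURNOVER and e.balance_meur > MEDIUM_BALANCE
    ):
        return "large"
    if e.employees >= SMALL_HEADCOUNT or (
        e.turnover_meur > SMALL_FINANCIAL and e.balance_meur > SMALL_FINANCIAL
    ):
        return "medium"
    return "small"


def classify(e: Entity) -> tuple:
    """Return (Outcome, reasoning trail). The trail is the material for the
    audit-proof documentation the article asks the management body to keep."""
    trail = [f"{e.name}: {e.employees} FTE, turnover {e.turnover_meur} MEUR, "
             f"balance sheet {e.balance_meur} MEUR"]
    annex = SECTOR_ANNEX.get(e.sector.lower()) if e.sector else None
    if annex is None:
        trail.append("no Annex I/II activity: sector criterion not met")
        return Outcome.NOT_COVERED, trail
    trail.append(f"sector '{e.sector}': {annex.value}")
    band = size_band(e)
    trail.append(f"size band under the SME definition: {band}")
    if band == "small":
        if annex is Annex.I or e.critical_service:
            trail.append("below the size threshold, but special-case rules may apply")
            return Outcome.POSSIBLE, trail
        trail.append("below the size threshold, no special case")
        return Outcome.NOT_COVERED, trail
    if annex is Annex.I and band == "large":
        trail.append("large entity in an Annex I sector")
        return Outcome.ESSENTIAL, trail
    trail.append("medium-sized in Annex I, or medium/large in Annex II")
    return Outcome.IMPORTANT, trail


def classify_group(entities) -> dict:
    """No group privilege: each legally independent entity is assessed on its own figures."""
    return {e.name: classify(e)[0] for e in entities}


# The article's three cases plus two constructed ones. Balance sheet totals are
# constructed; the article does not state them.
CASE_A = Entity("IT service provider", 70, 14.0, 8.0, "ICT service management")
CASE_B = Entity("Regional energy supplier", 40, 9.0, 12.0, "energy")
CASE_C = Entity("Marketing agency", 30, 6.0, 3.0, None)
CASE_D = Entity("Hospital operator", 300, 60.0, 45.0, "health")
# Financial-branch edge case: turnover above, balance sheet below the ceiling.
CASE_E = Entity("Transport operator", 45, 14.0, 8.0, "transport")

if __name__ == "__main__":
    for entity in (CASE_A, CASE_B, CASE_C, CASE_D, CASE_E):
        outcome, trail = classify(entity)
        print("\n".join(trail), "-> " + outcome.value, sep="\n")
```

Case E is the one to note: with 45 employees, EUR 14 million turnover and EUR 8 million balance sheet total it stays a small enterprise under the SME definition and is only flagged "possible" because transport is an Annex I sector; the shorthand "turnover or balance sheet total" would have classified it as covered outright.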

Registration obligation and next steps

If your self-classification results in applicability, the self-declaration or registration with the Federal Office for Cybersecurity follows. Since no official ruling is issued that actively informs you, the onus lies entirely with you. An omitted or incorrect classification can be sanctioned.

A practical sequence for preparing for 1 October 2026:

  1. Record size and sector - document employees, turnover, balance sheet total and the specific activity.
  2. Determine the category - essential or important entity, based on Annex allocation and criticality.
  3. Review special cases and group structure - each company individually, taking supply-chain requirements into account.
  4. Legal safeguarding in borderline cases - where sector allocation or holding structures are unclear.
  5. Set up governance - risk-management measures, incident-response team, training of the management body, reporting processes.

Note: This article does not constitute legal advice. The binding assessment of NIS2 applicability - in particular for borderline cases, sector allocation and supply-chain questions - requires an individual legal assessment by a lawyer.

For B2B decision-makers and agencies

For B2B decision-makers, self-classification is not a one-off act but a recurring obligation: if your company grows beyond a threshold or its activity changes, the classification can change. Anchor the assessment as a fixed part of your compliance routine and document the result in an audit-proof manner - the management body bears the responsibility.

For marketing and digital agencies, a twofold view is worthwhile: most agencies fall below the direct applicability threshold but enter the supply chain via clients in regulated sectors. Anyone working for essential or important entities should factor security and evidence requirements into proposals and contracts at an early stage - this is increasingly becoming a selection criterion in the pitch. As an agency in Vienna, we support you in the structured preparation of your cybersecurity and content communication around NIS2 - the legal classification itself belongs in the hands of specialised legal advisers.

FAQ

From what company size does NIS2 apply in Austria?
The basic rule follows the EU definition of medium-sized enterprises: as a general rule, companies with 50 or more employees, or with more than EUR 10 million in both annual turnover and annual balance sheet total, are covered - provided they operate in one of the 18 sectors covered by the NISG 2026. Headcount alone is sufficient; on the financial side an enterprise remains small while it stays under at least one of the two ceilings. Below this threshold there is usually no direct applicability, with the exception of special cases defined by law (such as critical services). Size alone is not decisive - sector and activity must come together.
What is the difference between essential and important entities?
The NISG 2026 adopts the NIS2 logic of two categories. Essential entities are subject to more intensive, including proactive, supervision; important entities are supervised primarily on an ex-post (incident-driven) basis. Both categories must implement risk-management measures, report incidents and register. The classification depends on the sector (Annex I or II of the Directive), size and statutorily defined criticality criteria, and should be reviewed legally in case of doubt.
What does self-classification under the NISG 2026 mean in concrete terms?
Unlike the failed NISG 2024 draft, the NISG 2026 no longer provides for an official ruling that determines applicability. Instead, companies must assess for themselves whether they fall under the act (self-classification) and, where applicable, actively register or declare on their own initiative (self-declaration). Responsibility for the correct classification therefore lies with the company - an incorrect or omitted classification can trigger sanctions.
My company is part of a group - does the group size count?
Under the NISG 2026, the group privilege is abolished: companies are generally assessed individually. Each legally independent entity assesses its applicability on its own, based on its own size and activity. A subsidiary may therefore be covered without the entire group being covered - or vice versa. For linked or partner holdings, the detailed rules of the EU SME definition are relevant, which requires a careful individual assessment.
From when does the NISG 2026 apply and why so late?
The NISG 2026 was passed by the National Council on 12 December 2025, promulgated on 23 December 2025 and enters into force nine months later, on 1 October 2026. Austria is therefore well behind the EU transposition deadline of 17 October 2024. The reason is the first, failed attempt: the NISG 2024 draft was rejected in the National Council on 3 July 2024 because the required two-thirds majority was not reached. Only the revised draft secured the necessary majority.
Does this applicability assessment replace legal advice?
No. This article provides professional orientation but not legal advice. NIS2 applicability depends on detailed rules on sectors (Annex I/II), size classes, holding structures and special cases, which are complex in individual cases. For a binding classification - in particular for borderline cases, supply-chain requirements or unclear sector allocation - you should obtain an individual legal assessment from a lawyer.
