NISG 2026 and Institutional Cybersecurity Supervision in Austria
The NISG 2026 is Austria's national transposition of the EU NIS 2 Directive. It was passed by the National Council on 12 December 2025, promulgated on 23 December 2025 and enters into force on 1 October 2026. It governs cybersecurity obligations for around 4,000 companies across 18 sectors and establishes a Federal Office for Cybersecurity.
Key Takeaways
- Austria significantly missed the EU transposition deadline of 17 October 2024: the NISG 2024 failed to secure the required two-thirds majority in the National Council on 3 July 2024; only the NISG 2026 becomes applicable from 1 October 2026.
- The NISG 2026 establishes a Federal Office for Cybersecurity within the Ministry of the Interior (BMI) as the competent authority; this body does not itself impose fines, which fall within the remit of the district administrative authorities (penalty range analogous to NIS 2).
- Core changes compared with the 2024 draft: self-classification and self-declaration instead of an official administrative decision, a semi-annual cybersecurity report, the removal of the group privilege, and supervisory boards being explicitly excluded from the definition of a management body.
- Essential entities must embed cybersecurity at management-body level, set up an incident-response team, and require the management to participate in training and tests.
- Despite the national delay, the EU obligation applies: companies should use the waiting period until October 2026 for scoping, self-classification, building an ISMS, and incident-response preparation.
- Institutional details (CSIRT integration, the role of GovCERT, implementing regulations) are, as of 2026, partly still in flux and should be monitored on an ongoing basis.
The NISG 2026 (Network and Information System Security Act 2026) is Austria's transposition of the EU NIS 2 Directive (EU) 2022/2555. It was passed by the National Council on 12 December 2025, promulgated on 23 December 2025, and becomes fully applicable nine months later, on 1 October 2026. It defines cybersecurity obligations for around 4,000 companies across 18 sectors and, for the first time, establishes a dedicated Federal Office for Cybersecurity.
The three most important points up front:
- Late, but binding: Austria significantly missed the EU transposition deadline of 17 October 2024. The first draft (NISG 2024) failed to secure the two-thirds majority on 3 July 2024. Only the NISG 2026 creates the national legal framework, applicable from October 2026.
- Self-responsibility instead of an administrative decision: The act shifts to self-classification and self-declaration. Companies must assess for themselves whether they are affected and report this independently.
- Preparation pays off now: The EU obligation exists irrespective of the national delay. The months until October 2026 are the window for scoping, building an ISMS, and incident-response preparation.
The road to the NISG 2026: a delay relative to the EU deadline
The NIS 2 Directive required all EU Member States to bring their national transposition laws into force by 17 October 2024. Austria is among the states that did not meet this deadline. The first attempt, the NISG 2024, was rejected by the National Council on 3 July 2024 because the two-thirds majority required for parts of the act was not achieved. As a result, the EU deadline passed unused.
Only after renegotiation and with amended content did the National Council pass the NISG 2026 on 12 December 2025. Promulgation in the Federal Law Gazette took place on 23 December 2025, with full applicability dated to 1 October 2026. Almost two years therefore lie between the expiry of the EU deadline and national applicability. For companies, this delay represents a double-edged situation: it formally provides time, but changes nothing about the fundamental European obligation underlying the national norm.
The competent authority: Federal Office for Cybersecurity within the BMI
The institutionally most important element of the NISG 2026 is the establishment of a Federal Office for Cybersecurity within the Federal Ministry of the Interior (BMI). This authority is envisaged as the central cybersecurity supervisor and, as of 2026, is still being set up (under establishment).
A key feature of the Austrian construction concerns sanctioning: the cybersecurity authority does not itself impose fines. Administrative penalties fall within the remit of the district administrative authorities. The penalty range is aligned with the requirements of the NIS 2 Directive. This separation between the supervisory authority and the sanctioning body is a peculiarity compared with other jurisdictions in which the supervisory authority itself issues fines.
CSIRT, GovCERT and national response structures — status: in flux
The NIS 2 Directive requires every Member State to designate Computer Security Incident Response Teams (CSIRTs) and a national coordination point. Independently of the NISG 2026, Austria has for years already operated established response structures, foremost among them GovCERT Austria and the national CSIRT environment. How the specific CSIRT and GovCERT integration under the NISG 2026 will be institutionally designed, organisationally situated and interlinked with the new Federal Office is, as of 2026, in parts not yet conclusively clarified and should be treated as expected/provisional. Accompanying implementing regulations and official guidance are likely to clarify these details only in the course of the implementation phase. Companies should therefore monitor the official publications on an ongoing basis and not rely on preliminary assumptions about details.
What has changed compared with the NISG 2024 draft
The NISG 2026 differs in several structural respects from the failed 2024 draft. These changes directly shape compliance practice:
| Aspect | Status 2026 (NISG 2026) |
|---|---|
| Entry into force / applicability | 1 October 2026 (9 months after promulgation) |
| Promulgation | 23 December 2025 (National Council vote 12 December 2025) |
| EU deadline 17 October 2024 | missed; NISG 2024 rejected on 3 July 2024 |
| Scope | approx. 4,000 companies, 18 sectors |
| Competent authority | Federal Office for Cybersecurity within the BMI (under establishment) |
| Classification | self-classification and self-declaration instead of an official administrative decision |
| Cybersecurity report | semi-annual (instead of annual) |
| Group privilege | removed; companies generally considered individually |
| Supervisory boards / supervisory bodies | explicitly excluded from the definition of a management body |
| Fines | not by the cyber authority, but by the district administrative authorities (penalty range analogous to NIS 2) |
| Management body | must embed cybersecurity, set up an incident-response team, participate in training and tests |
The systemic shift to self-classification transfers responsibility for correctly determining applicability to the company itself. Anyone who wrongly assumes they do not fall within scope bears the risk. The removal of the group privilege means that the companies within a corporate group are, in principle, to be considered individually — a group-wide collective assessment is no longer readily possible. The explicit exclusion of supervisory bodies from the definition of a management body is a deliberate departure from the 2024 draft and distinguishes the Austrian regime on this point from the German transposition, in which members of supervisory and oversight bodies are treated differently.
Obligations of the management bodies
Essential entities must embed cybersecurity at the level of the management body and set up an incident-response team. The members of the management body are themselves required to participate in training and tests. With this, the NISG 2026 — like the entire NIS 2 architecture — lifts responsibility for cybersecurity out of the IT department alone and onto the leadership level. Governance responsibility cannot be fully delegated.
Practical example: a mid-sized energy provider
A hypothetical Austrian energy provider with 600 employees assesses its applicability in spring 2026. Energy is one of the 18 sectors; due to its size and activity, the company classifies itself as an essential entity in the course of self-classification. It declares this independently — without waiting for an administrative decision, since the NISG 2026 no longer provides for one.
By the cut-off date of 1 October 2026, the company builds out the following components:
```
Q1 2026 Scoping + self-classification (essential/important?)
Q2 2026 ISMS maturation, risk analysis, catalogue of measures
Q2 2026 Designate incident-response team + define processes
Q3 2026 Document management-body training, tabletop test
Q3 2026 Prepare reporting channels + reporting template (semi-annual)
Oct 2026 Applicability of NISG 2026 — obligations take effect
```
Because the cyber authority does not itself sanction, the competent district administrative authority is the addressee of the administrative penalty proceedings for any infringements. The energy provider therefore documents everything seamlessly from the outset: risk-approval records, training records, and incident-response tests. This chain of evidence is the practical core of any applicability assessment.
What companies should do already now
Even without final national details in place, inaction is not a sensible option. The European obligation stands; the cut-off date of October 2026 is set. Sensible steps are:
- Scoping and self-classification based on the 18 sectors and the size/activity criteria, documented and traceable.
- Building or maturing an ISMS as the organisational foundation of the risk-management measures.
- Designating an incident-response team, defining reporting channels, and testing response processes.
- Embedding cybersecurity at management-body level, including documented training and tests of the leadership.
- Preparing semi-annual reporting, since the NISG 2026 provides for a semi-annual cybersecurity report.
- Reviewing the corporate structure, as the group privilege is removed and companies are to be considered individually.
A subtle but important note: this article is an expert editorial overview and not legal advice. The specific applicability, the correct self-classification, and individual obligations under the NISG 2026 must be clarified with qualified legal advisors. Institutional details — in particular the CSIRT/GovCERT integration and upcoming implementing regulations — are, as of 2026, partly in flux and continue to evolve.
For agencies and B2B decision-makers
For DACH B2B decision-makers, the NISG 2026 means above all one thing: a plannable deadline, self-responsible classification, and seamless documentation. Anyone who operates supply chains in Austria or has Austrian subsidiaries should clarify their applicability early — the removal of the group privilege makes a company-by-company assessment necessary. Marketing and digital agencies serving regulated clients from the 18 sectors should also consider their own role as a service provider in the supply chain and contractually map cybersecurity and reporting requirements cleanly. Blck Alpaca helps companies present compliance topics such as the NISG 2026 in an accessible way and translate them into content, knowledge, and communication structures — factual, up to date, and without legal overreach.
FAQ
When does the NISG 2026 enter into force?
Why did Austria miss the EU deadline of 17 October 2024?
Which authority is responsible for cybersecurity supervision?
What do self-classification and self-declaration mean?
What should companies do already now, even though the law only applies from October 2026?
Are supervisory boards covered by the definition of a management body?