I remember the moment I realized how critical legislative timing could be. A cybersecurity conference in Vienna had just wrapped up, and while sipping espresso in a quiet café, I overheard a group of IT security leads nervously discussing NIS2. They weren’t debating if it would arrive—they were asking when. That moment encapsulated the current state of NIS2 directive implementation in Austria: suspended between regulatory anticipation and uncertainty.
In this article, I’ll walk you through everything that matters—from Austria’s stalled legislative efforts to the expected compliance requirements, sectoral impacts, and what companies should be doing right now to stay ahead. Let’s start by examining where Austria currently stands and how it got here.
Where Austria stands on NIS2 transposition
Austria has yet to officially transpose the Network and Information Security Directive 2 (NIS2), a critical European Union directive designed to bolster cybersecurity across member states. The country’s legislative attempt, titled Netz- und Informationssystemsicherheitsgesetz 2024 (NISG 2024), was rejected by the National Council on 3 July 2024. That rejection has placed Austria among the few EU nations facing formal infringement procedures for failing to meet the EU deadline of 17 October 2024.
A new government program announced in December 2024 promises a revised bill by Q3 2025, aiming for the law to take effect on 1 January 2026. In the meantime, the outdated NISG 2018 remains in force, covering only about 1,000 previously designated operators. Thousands of entities expected to fall under NIS2 Austria obligations remain in regulatory limbo.
Timeline of NIS2 implementation efforts in Austria
To understand the unfolding story, here’s a comprehensive look at key events leading up to Austria’s current position:
Austria NIS2 directive timeline and status
| Date | Event |
| --- | --- |
| 3 Apr 2024 | Public consultation on draft NISG 2024 opens; 180+ responses received |
| 30 May 2024 | Amended draft submitted to Parliament |
| 3 Jul 2024 | National Council rejects the bill before parliamentary elections |
| 8 Oct 2024 | EU launches infringement procedure for missed transposition deadline |
| 10 Dec 2024 | New government promises NIS2 law within 9 months |
| Q2 2025 | Updated draft to be circulated to stakeholders |
| Summer 2025 | Revised bill planned for submission to Council of Ministers |
| 1 Jan 2026 | Targeted entry into force, with 6-month grace period for compliance |
Transitioning into implementation, let’s look at what the previous draft proposed—and what’s likely to reappear.
Core components of the rejected NISG 2024 draft
Although the original draft law was rejected, its structure and regulatory logic are expected to form the basis of the new version. The draft aligned closely with the NIS2 Directive’s two-tier classification system and detailed both responsibilities and sanctions.
Key chapters in the rejected NISG 2024 draft (likely to reappear)
| Chapter | Focus area |
| --- | --- |
| §§ 1–7 | Scope, definitions, sectoral coverage (Annex I/II), and company thresholds |
| §§ 8–20 | Security duties (aligned with NIS2 Art. 21) including Austrian ISC catalogue |
| §§ 21–27 | Incident reporting timelines: 24h alert, 72h update, 30-day final report |
| §§ 28–35 | Oversight powers for BMI and sectoral regulators like RTR, FMA, AGES |
| §§ 36–43 | Enforcement: fines, penalties, and management bans |
| Transitional | Current NISG 2018 entities transition into new categories |
These sections formed the backbone of Austria’s NIS2 implementation, outlining not just compliance mandates but also defining the authorities involved and the intensity of enforcement.
Let’s dig deeper into what kind of enforcement measures businesses might face.
Sanctions: how steep are the stakes?
One of the most striking elements in the draft was its enforcement mechanism. The fines proposed mirrored the severity of the General Data Protection Regulation (GDPR), signaling Austria’s intent to take cybersecurity seriously.
Proposed fines and penalties in the 2024 draft
| Entity category | Maximum fine | Other sanctions |
| --- | --- | --- |
| Essential Entities | €10 million or 2% of global turnover | Public naming, daily penalties |
| Important Entities | €7 million or 1.4% of global turnover | Binding orders, management bans |
Notably, public entities such as federal ministries and large municipalities would be subject to binding compliance orders but would be exempt from monetary fines.
This kind of enforcement architecture is likely to return in the next draft, particularly since the European Commission expects all member states to implement effective, proportionate, and dissuasive penalties.
Impact across industries: who’s affected and how?
The ripple effect of Austria’s NIS2 transposition will be felt across a wide range of sectors. While some industries have long been under regulatory scrutiny, others are entering the compliance spotlight for the first time.
Sector-specific impacts from the draft NISG 2024
| Sector | Changes & new duties |
| --- | --- |
| Manufacturing | Newly in scope; supply-chain vetting, annual pen-testing required |
| Energy & Utilities | Broader coverage; includes hydrogen and heat networks |
| Healthcare | More providers classified as essential; backup drills mandated |
| Digital Infrastructure | Essential by default; must operate 24/7 EU-based SOC |
| Finance | Already regulated; dovetails with DORA requirements |
| Public Administration | Now “essential”; exempt from fines but must comply operationally |
The extension to medium-sized manufacturers and IT service providers is significant, bringing thousands of new players into the cybersecurity compliance regime under Austria’s NIS2 transposition.
What companies should do now
Despite the absence of a new legal framework, Austrian companies should not wait idly. There’s enough clarity on the direction of the upcoming law to begin preparing for compliance.
Here are a few immediate steps organisations can take:
- Assess your classification: Use the WKO checklist to determine if you’re likely to be categorized as a “wesentliche Einrichtung” (essential) or “wichtige Einrichtung” (important).
- Gap analysis: Begin an Article 21 compliance review focusing on backup drills, MFA, and third-party risks.
- Incident response prep: Design a 24h/72h reporting playbook based on CERT-AT standards.
- Executive alignment: Ensure board-level oversight is documented—this is critical under both EU and Austrian expectations.
Even if final legislation is delayed, building resilience early will only serve to mitigate long-term risk and avoid future liability.
Will Austria meet its 2026 target?
With the new draft expected by summer 2025 and a six-month grace period built into the proposed timeline, Austria still has a narrow window to comply by 1 January 2026. However, political fragility and administrative delays may derail this goal.
Until then, the NISG 2018 remains in force, which means only a fraction of affected organisations are currently bound by legal cybersecurity obligations. This has left the country in a regulatory no-man’s-land—a risky place given rising cyber threats and increasing pressure from the EU.
What’s next for Austria’s cybersecurity future?
Austria’s stalled NIS2 directive implementation is more than a legislative hiccup—it’s a critical juncture. With geopolitical tensions and cybercrime on the rise, the need for robust national cybersecurity governance has never been clearer. Businesses that take proactive steps now will not only be ready for compliance but will also strengthen their operational resilience and reputation.
So, while the legal deadline remains a moving target, the imperative to act is already here. The question is no longer if you’ll need to comply—it’s how soon you can be ready.
For ongoing updates, organisations should monitor nis.gv.at and remain engaged with stakeholders and industry groups preparing for the shift. Because when the law finally lands, those already prepared won’t just survive—they’ll lead.