NIS2 Austria: What companies need to consider

Stefan Effenberger

IT Documentation Expert

Last updated: 27 March 2025

Reading time: 3 minutes


The most important points in brief:

  • Around 4,000 companies in Austria affected: The NIS2 Directive applies to medium-sized and large companies from 18 critical sectors (e.g. energy, transportation, healthcare). Risk management, reporting obligations (an early warning within 24 hours of becoming aware of a significant incident) and supply chain security are particularly important.
  • Fines of up to €10 million or 2% of turnover: Violations of NIS2 requirements can result in heavy fines and organizational measures such as the withdrawal of management functions.
  • NISG 2024 is currently delayed, but implementation remains urgent: Although the first draft law was rejected in February 2024, the EU transposition deadline of October 2024 remains binding. Companies should start implementing now, for example by building complete IT documentation with Docusnap.

    NIS2 in Austria: an overview of the new cybersecurity directive

    Digital transformation brings numerous benefits, but it also confronts companies with new challenges in cybersecurity. The NIS2 Directive was created to meet these challenges at the European level. In this article we look at the most important aspects of the NIS2 Directive in Austria, answer key questions and take a brief look at the situation in Switzerland. General information and a definition of NIS2 can be found in our blog article NIS2: Requirements, penalties, and implementation.

    NIS2 Act Austria: Basis and Responsibilities

    In Austria, the NIS 2 Directive is transposed into national law through amendments to the existing Network and Information System Security Act (NISG). Responsibility for implementation lies with the Federal Ministry of the Interior (BMI) as the national cyber security authority, which works in close cooperation with CERT.at, the national computer emergency response team. A central feature of the Austrian implementation is its strong emphasis on cooperation between private and public institutions, for example through regular exchange platforms and defined reporting processes between companies and the authorities.

    Support for companies in Austria

    Austrian companies can draw on various support services when implementing the NIS 2 Directive:

    • Austrian Chamber of Commerce (WKO): The WKO provides comprehensive information, guidelines and consulting services to help companies implement the requirements in a practical way.
    • NISG contact point: The official platform of the Austrian government provides up-to-date information on the implementation of the law, including FAQs, contacts and the legal basis.
    • Certified IT service providers: Numerous specialized companies offer consulting, risk analyses and training to help ensure compliance with NIS2 requirements. It is advisable to choose providers with experience in IT security, compliance and infrastructure documentation.

    Who is affected by the NIS2 Directive in Austria and what needs to be considered?

    The NIS2 Directive significantly expands the circle of affected companies and organizations. Medium-sized and large companies from 18 defined sectors, including energy, transportation, healthcare and digital infrastructure, are particularly affected. In Austria, it is estimated that around 4,000 companies are covered by the new regulations. Read more about the impact assessment in our blog article NIS2: Who is affected?

    Affected companies must take a number of measures, including:

    • Risk management: Introduction of appropriate technical, operational and organizational measures to manage cybersecurity risks.
    • Reporting obligations: Significant security incidents must be reported to the competent authority in stages (an early warning within 24 hours, a full notification within 72 hours and a final report within one month).
    • Supply chain security: Ensuring that service providers and suppliers also comply with appropriate security standards.

    Failure to comply with these obligations can result in significant penalties, including heavy fines. In Austria, the current draft of the Network and Information System Security Act (NISG 2024) provides for fines of up to 10 million euros or 2% of a company's annual global turnover, whichever is higher. These are the maxima the Directive sets for essential entities; for important entities the ceiling is 7 million euros or 1.4% of turnover. In addition, particularly serious or repeated violations can have organizational consequences, such as the withdrawal of management functions or an order from the authority to implement specific security measures.

    NIS2 Directive in Austria: The differences with Germany

    A significant difference from the German implementation lies in how the thresholds for affected organizations are defined. While Germany sets clear criteria for the size and relevance of the companies concerned, Austria is taking a more flexible approach. The Austrian thresholds take into account not only the size of a company but also its sectoral significance and the potential effects of an outage on national security. As a result, smaller organizations that are critical to supply may also fall within the scope of the Directive. In our blog article NIS 2 Directive: Implementation by Germany we examine the current situation in Germany.

    Focus on training and awareness raising

    Austria also attaches particular importance to training and raising awareness among employees in critical sectors. Funding programs are offered to help companies implement the required security measures. This practice-oriented assistance differs from the German implementation, which relies more heavily on formal regulations and control mechanisms.

    NIS 2 implementation in Austria planned for 2025

    The NIS2 Directive entered into force at EU level on January 16, 2023. Member States, including Austria, were required to transpose the Directive into national law by October 17, 2024. In Austria, this is to be achieved through the revised Network and Information Systems Security Act (NISG 2024).

    However, there was a setback in February 2024: the first draft law on NIS2 implementation was rejected by the National Council. The opposition parties (SPÖ, FPÖ and NEOS) criticized, among other things, insufficient involvement of stakeholders and technical deficiencies in the legislative text. Although there is cross-party agreement on the importance of cybersecurity, a revised draft is now awaited. This delay increases the time pressure on legislators and companies, as the EU transposition deadline remains binding.

    The corresponding legal regulations are therefore expected to come into force in the course of 2025. However, companies should start implementing the necessary cybersecurity measures now to meet future requirements.

    NIS2 Directive Switzerland: A brief overview

    Although Switzerland is not a member of the EU, the NIS2 Directive also affects Swiss companies, especially if they offer services or products in the EU, cooperate with European partners or are part of international supply chains. The requirements of the Directive therefore reach Swiss organizations indirectly, through contractual obligations, compliance requirements or audit requirements imposed by their EU customers and partners.

    In response to increasing cybersecurity requirements, Switzerland has brought the new Information Security Act (ISG) into force. It strengthens security requirements for operators of critical infrastructures and establishes a national minimum level of information security.

    Nevertheless, Swiss companies operating in a European context are advised to align their internal processes and technical measures with the requirements of the NIS2 Directive as well, for example with regard to reporting obligations, risk management and supply chain security.

    Companies in Switzerland that need assistance with classification or implementation can contact the NCSC (National Cyber Security Centre), which at www.ncsc.admin.ch offers comprehensive information, alerts and advice.

    Conclusion

    The NIS2 Directive represents a significant step towards strengthening cybersecurity in Europe. For Austrian companies, this means that they must review their security measures and adapt them to the new requirements. Addressing the requirements early and implementing them carefully are crucial to ensure compliance and avoid potential sanctions. Read our blog article NIS2: Requirements, Penalties, and Implementation to find out how our Docusnap software solution can help you implement the NIS 2 Directive.

    The next steps:

    Prepare early for the national implementation of the NIS2 Directive in Austria with a complete, up-to-date overview of your IT systems, networks and access rights. Docusnap offers the right features for this: agentless IT inventory, automated documentation, authorization analyses and network visualizations.

