NIS2 Country Guide

NIS2 Austria: Compliance, Authorities & Key Requirements

Understand how Austria is implementing the NIS2 Directive, the current legal status, competent authorities, how incident reporting works today, and what steps organisations should take to get ready.

Austria
Status: NIS2 law pending (NISG 2024 draft)
Registration: To be announced

Introduction

Austria implemented the original NIS Directive via the Netz- und Informationssystemsicherheitsgesetz (NISG). To align with NIS2, a comprehensive update (NISG 2024) has been drafted and is progressing through the national process. Until the new law enters into force, current obligations under the existing NISG and the national CSIRT processes remain applicable.

Quick link: Read our overview “What is NIS2?” and “NIS vs NIS2”.

NIS2 implementation in Austria

The draft NISG 2024 (Federal Act to ensure a high level of cybersecurity for network and information systems) is Austria’s vehicle to transpose NIS2. As of now, the draft is not yet in force; timelines are being updated by the Federal Chancellery. Organisations should monitor official channels and prepare for rapid registration and supervision once enacted.

Status

Draft law (NISG 2024) under discussion; not yet in force (expected to apply from 1 October 2026).

Official law / drafts

Draft available via the Austrian Parliament’s site (DE). Draft text (NISG 2024)

Registration

To be announced after entry into force. Current NIS incident reporting uses nis.cert.at.

Sector | Austria note
Public sector | GovCERT and BKA handle security incident response; municipalities are expected to fall within NIS2 scope.
Digital infrastructure | Data centres, cloud providers and TSPs follow EU Annex scoping; reporting via the CERT.at platform.
Finance | Alignment with DORA; detailed supervisory mapping to be defined in the final national act.

Compliance & certification

Austria is expected to mirror NIS2’s Essential/Important tiers and Article 21 risk management measures.

Scope (expected)

  • Annex I & II sectors (services-based scoping)
  • General size thresholds (≥50 employees or ≥€10m turnover/balance)
  • Critical smaller entities may be included by exception

Obligations (core)

  • Risk management policies and governance
  • Incident detection & reporting (CSIRT coordination)
  • Business continuity & crisis management
  • Supply-chain security & contractual controls
  • Access control, segmentation, encryption

Standards & alignment

ISO/IEC 27001:2023, NIST CSF 2.0 and sectoral norms; national implementation acts will provide specifics.

Tip: Prepare your inventory, scoping, and incident playbooks now so you can register quickly when the law is enacted.

Competent authorities & CSIRT

Austria uses a central coordination model under the Federal Chancellery with national CSIRTs.

Role | Authority | Notes
National CSIRT | GOVCERT Austria | Government CSIRT; incident coordination for public sector and national-level response.
Computer Emergency Response (private/critical operators) | CERT.at | Operates the national reporting platform for NIS incidents: nis.cert.at.
Central coordination / Single Point of Contact | Federal Chancellery (BKA) | Coordinates national cybersecurity policy and CSIRT cooperation; updates on NIS2 transposition.

Timeline & key dates

27 Dec 2022 — NIS2 published in the EU Official Journal.
17 Oct 2024 — EU deadline for Member States to transpose NIS2.
Pending — Austria’s NISG 2024 final adoption & entry into force (watch BKA updates).

Sector-specific notes

  • Public sector: GovCERT and BKA coordinate security incident handling; municipalities expected to be in scope per NIS2.
  • Finance: alignment with DORA; detailed supervisory mapping to follow in final act.
  • Digital infrastructure: data centres/cloud & TSPs to follow EU Annex scoping; reporting via CERT.at platform.

Penalties

Final penalty design and turnover caps will be set by the Austrian NIS2 act. Expect alignment with NIS2’s administrative fine model and potential corrective measures once the law enters into force.

How to prepare

  1. Determine scope: assess Annex I/II services and size thresholds; prepare EE/IE classification.
  2. Readiness: map controls to ISO 27001/NIST CSF and produce a gap analysis.
  3. Incident reporting: establish playbooks and contacts for GOVCERT/CERT.at; rehearse timelines.
  4. Supply chain: add security requirements to vendor contracts & perform risk reviews.
  5. Governance: board accountability, KPIs, and training plans.
  6. Documentation: evidence trails for policies, risk, incidents, BCP/DR tests.

Official links & resources

FAQ: NIS2 in Austria

Is NIS2 already in force in Austria?
No. The draft NISG 2024 has not yet entered into force. Follow BKA/GOVCERT updates for timing.

Where do I register?
Registration details will be announced after the law enters into force. For incidents today, use nis.cert.at.

Who is the main contact point?
The Federal Chancellery (BKA) coordinates nationally; GOVCERT is the national CSIRT; CERT.at operates the NIS reporting platform.

Information provided for general guidance; consult official national sources for updates.