12 March 2026 Update - The transposition of NIS 2 in Austria
Austria’s path toward transposition has been unusually complex and delayed compared with some other EU Member States.
The NIS 2 Directive required Member States to adopt national implementing legislation by 17 October 2024. Austria prepared a first implementation proposal, commonly referred to as NISG 2024, which was intended to update the existing cybersecurity law and align it with the directive.
However, the legislative process encountered political obstacles. In July 2024, the Austrian National Council rejected the draft implementation law after it failed to secure the necessary political support. This rejection meant that Austria missed the EU transposition deadline.
As a consequence of this delay, Austria became one of several Member States that had not fully transposed the directive by the required date. In May 2025, the European Commission issued reasoned opinions to 19 Member States, including Austria, for failing to complete the transposition of the NIS 2 Directive.
This placed Austria under increasing regulatory and political pressure to complete the legislative process.
Following the failed first attempt, the Austrian government restarted the legislative process. A revised draft law, commonly referred to as NISG 2026, was developed and introduced as the new national implementation of the NIS 2 Directive. The government formally launched the legislative initiative in late 2025, submitting the new draft to parliament as part of a renewed effort to align Austrian cybersecurity law with EU requirements.
The law was subsequently adopted by the Austrian parliament and promulgated in December 2025. This legislation formally transposes the NIS 2 Directive into Austrian law and establishes a new national cybersecurity framework that significantly expands the scope of regulated entities and strengthens supervisory powers.
The NISG 2026 will enter fully into force on 1 October 2026, at which point the NIS 2 regulatory framework will become operational in Austria. Until that date, the existing NISG 2018 regime continues to apply.
This means that Austria is currently in an intermediate phase. The directive has been transposed in formal legislative terms, but the practical application of the new rules has been deferred for administrative and operational preparation.
One of the most significant changes introduced by the Austrian implementation law is the dramatic expansion of the number of organizations covered by cybersecurity regulation. Under the new regime, approximately 4,000 organizations in Austria are expected to fall within the scope of the NIS 2 framework.
These include entities operating in sectors considered critical or highly relevant to societal and economic functioning. The directive introduces the distinction between essential entities and important entities, and applies to medium-sized and large organizations operating in sectors such as energy, transport, health, banking, digital infrastructure, manufacturing of critical products, and public administration.
Despite the adoption of the NISG 2026, several elements of the Austrian NIS 2 framework are still in development. The most important remaining steps involve secondary legislation, regulatory guidance, and operational preparation.
Authorities must still finalize the detailed implementing regulations that will specify technical requirements, registration procedures, and reporting mechanisms for entities falling within the scope of the law. National supervisory structures must also be expanded to handle the significantly larger number of regulated organizations.
In addition, many organizations that will fall within the scope of the new regime have not yet been formally identified or registered. The creation of national registries of essential and important entities will therefore be a key administrative milestone before the law becomes fully operational.
Finally, coordination mechanisms between Austrian cybersecurity authorities and the European cybersecurity cooperation structures created by NIS 2 must be fully operationalized.
EU - Transposition, Member States