
NIS-2 implementation act: new cyber obligations for critical infrastructure operators

The Austrian Federal Government has presented an updated draft law to implement the NIS-2 Directive. The Network and Information Systems Security Act 2026 (NISG 2026) tightens requirements for companies in critical sectors and explicitly assigns responsibility for cybersecurity to senior management. Under the proposed regime, entities are classified as either essential or important based on their size and the sector in which they operate, with stricter obligations for essential entities. The rules aim to address growing digital threats and establish a strict supervisory and control regime – including temporary disqualification from management duties for non-compliant executives.

1. Key elements of the new cyber obligations

  • Registration requirement: Essential and important entities must register with the competent cybersecurity authority of the Federal Ministry of the Interior (BMI).
  • Governance: Responsibility for implementing and monitoring risk management measures lies explicitly with the management board or executive directors.
  • Training: Mandatory cybersecurity training for management and employees will be introduced.
  • Supply chain security: Risk management measures must also cover cybersecurity along the supply chain.
  • Self-declaration: Entities must report their risk analyses and measures to the authority and provide evidence upon request.
  • Control: The BMI will have extensive audit rights, including on-site inspections and security scans.

2. Sanctions and enforcement

  • Naming and shaming: In cases of inadequate measures, the BMI may impose additional requirements and inform the public.
  • Fines:
    • Breaches of essential obligations may result in fines of up to EUR 10 million or 2% of global turnover (for essential entities) or EUR 7 million / 1.4% (for important entities). These fines mainly target breaches such as failure to provide training, inadequate implementation of risk management measures and non-reporting of significant cybersecurity incidents.
    • For certain other obligations (e.g., registration), fines of up to EUR 50,000 – and up to EUR 100,000 for repeat offences – are envisaged.
  • Disqualification: Members of the management body of essential entities may be temporarily prohibited from exercising their management functions in cases of serious breaches.
  • Check applicability: Companies in critical sectors must promptly determine whether they fall under NISG 2026.
    • Group relief: Consolidation of key figures within corporate groups does not apply if organisational, technical and operational independence exists.
  • Preparation:
    • Plan: Registration, self-declaration, reporting channels and audit roadmap.
    • Review: Supply chain, security requirements, evidence.
    • Train: Specific training for employees and executives, including managing directors and board members.

4. Impact on Austrian subsidiaries within international groups

  • Conduct a site analysis – Which units in Austria or the EU are likely to fall under NIS-2? How are they structured? Austrian subsidiaries must assess whether they qualify as “essential” or “important” entities under NISG 2026, applying size thresholds and lists of critical sectors. Independently operated subsidiaries (“stand-alone”) may benefit from relief regarding consolidation of corporate figures, preventing automatic threshold breaches for all companies within a larger group.
  • Companies within the scope of NISG 2026 must register with the Austrian cybersecurity authority and implement risk management measures, including documented policies and controls as well as cybersecurity training for employees and executives.

5. Timeline & conclusion

Given the extensive new requirements, companies should immediately familiarise themselves with the obligations under NISG 2026 and initiate appropriate compliance measures in good time.

NISG 2026 is scheduled to enter into force nine months after promulgation; companies should begin preparations without delay.
