Cybersecurity regulation in Austria (2026)
Austria has a comprehensive horizontal cybersecurity law: the NISG 2026 transposes the EU NIS2 Directive, was adopted by the Nationalrat on 12 December 2025 with the required two-thirds majority and published in the Bundesgesetzblatt on 23 December 2025 (BGBl. I Nr. 94/2025). It enters fully into force on 1 October 2026, replacing the earlier NIS-G 2018 (which implemented NIS1), and imposes risk-management and staged incident-reporting duties on roughly 4,000 essential and important entities across 18 sectors.
Key points
After the first attempt (NISG 2024) failed to reach the needed two-thirds majority in July 2024 — causing Austria to miss the EU's October 2024 deadline — the revised NISG 2026 was passed on 12 December 2025 and published on 23 December 2025, with entry into force set for 1 October 2026.
The law establishes the Bundesamt für Cybersicherheit (Federal Office for Cybersecurity) as a monocratic authority with nationwide jurisdiction, subordinate to the Federal Minister of the Interior but organizationally outside the Directorate General for Public Security.
Following the NIS2 model, Annex 1 lists 11 sectors of essential entities (e.g. energy, transport, banking, health, water, digital infrastructure, public administration, space) and Annex 2 lists 7 sectors of important entities (e.g. postal/courier, waste, chemicals, food, manufacturing, digital providers, research); about 4,000 medium-and-larger organizations are covered.
For a significant cybersecurity incident, affected entities must submit an early warning to the competent CSIRT (CERT.at) without undue delay and within 24 hours, a full notification within 72 hours, intermediate reports on request, and a final (or progress) report within one month — mirroring NIS2.
Entities must register with the cybersecurity authority within 3 months of entry into force (by 31 December 2026) and submit a self-declaration on implemented risk-management measures within 12 months thereafter (by 30 September 2027).
The NISG 2026 package was passed together with flanking amendments to the Telekommunikationsgesetz (telecoms) and the Gesundheitstelematikgesetz (e-health), aligning sector-specific regimes with the new framework.
Timeline - major decisions & events
Austria's parliament adopted and published the Network and Information System Security Act 2026 (NISG 2026), transposing NIS2 and expanding cybersecurity duties (risk management, incident reporting, registration) to roughly 4,000 essential and important entities across 18 sectors; it enters into force on 1 October 2026 with a new Federal Office for Cybersecurity under the Interior Ministry. (Source: Parlament Österreich)
The National Council adopted the Critical Entities Resilience Act with a two-thirds majority, transposing the EU CER Directive to protect critical infrastructure across eleven sectors against physical threats and mandating a national resilience strategy and risk analysis; published as BGBl. I No. 60/2025. (Source: RIS – Bundesgesetzblatt)
The Commission issued reasoned opinions to Austria and 18 other Member States for failing to fully transpose the NIS2 Directive by the 17 October 2024 deadline, escalating infringement pressure that pushed Austria toward the NISG 2026. (Source: European Commission)
The initial NIS2 implementation bill failed to secure the required parliamentary majority, causing Austria to miss the EU transposition deadline and leaving the older NISG 2018 in force for over a year longer. (Source: European Commission – Shaping Europe's digital future)
A ransomware attack encrypted around 3,000 government computers in Carinthia, disrupting passport issuance, COVID-19 testing and contact tracing; attackers demanded $5 million and leaked stolen personal data after the state refused to pay, a landmark incident for Austrian public-sector cyber resilience. (Source: BleepingComputer)
The federal government adopted an updated national cybersecurity strategy, refreshing the 2013 framework and setting the strategic direction for governance, critical-infrastructure protection, incident response and public-private cooperation. (Source: Federal Chancellery of Austria)
Austria's first dedicated cybersecurity law transposed the EU NIS Directive (2016/1148), imposing security and incident-reporting obligations on operators of essential services, digital service providers and public administration — the foundation of the current framework, covering about 100 entities. (Source: Anlaufstelle NISG, nis.gv.at)
The amended Datenschutzgesetz entered into force with the GDPR, establishing the Datenschutzbehörde and national rules that underpin data-security and breach-notification obligations relevant to cybersecurity. (Source: Austrian Data Protection Authority)
Austria adopted its inaugural national cybersecurity strategy, a comprehensive concept led by the Federal Chancellery covering cybercrime, critical information infrastructure protection, incident response and public-private partnership — the strategic origin point of Austria's cyber framework. (Source: Federal Chancellery of Austria)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.