Cybersecurity · Austria
Austria has a comprehensive horizontal cybersecurity law: the NISG 2026 transposes the EU NIS2 Directive, was adopted by the Nationalrat on 12 December 2025 with the required two-thirds majority and published in the Bundesgesetzblatt on 23 December 2025 (BGBl. I Nr. 94/2025). It enters fully into force on 1 October 2026, replacing the earlier NIS-G 2018 (which implemented NIS1), and imposes risk-management and staged incident-reporting duties on roughly 4,000 essential and important entities across 18 sectors.
After the first attempt (NISG 2024) failed to reach the needed two-thirds majority in July 2024 — causing Austria to miss the EU's October 2024 deadline — the revised NISG 2026 was passed on 12 December 2025 and published on 23 December 2025, with entry into force set for 1 October 2026.
The law establishes the Bundesamt für Cybersicherheit (Federal Office for Cybersecurity) as a monocratic authority with nationwide jurisdiction, subordinate to the Federal Minister of the Interior but organizationally outside the Directorate General for Public Security.
Following the NIS2 model, Annex 1 lists 11 sectors of essential entities (e.g. energy, transport, banking, health, water, digital infrastructure, public administration, space) and Annex 2 lists 7 sectors of important entities (e.g. postal/courier, waste, chemicals, food, manufacturing, digital providers, research); about 4,000 medium-sized and larger organizations are covered.
For a significant cybersecurity incident, affected entities must submit an early warning to the competent CSIRT (CERT.at) without undue delay and within 24 hours, a full notification within 72 hours, intermediate reports on request, and a final (or progress) report within one month — mirroring NIS2.
Entities must register with the cybersecurity authority within 3 months of entry into force (by 31 December 2026) and submit a self-declaration on implemented risk-management measures within 12 months thereafter (by 30 September 2027).
The NISG 2026 package was passed together with flanking amendments to the Telekommunikationsgesetz (telecoms) and the Gesundheitstelematikgesetz (e-health), aligning sector-specific regimes with the new framework.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.