NIS Act 2026 · Austria

Does the NIS Act 2026 apply to you — and is your management protected?

With Austria's implementation of the EU NIS2 directive, information security becomes a legal obligation for an entire layer of mid-sized companies. Responsibility lies expressly with management — personally.

4 months until it takes effect (October 2026). Evidence isn't built overnight.

What this is really about

The question is no longer "whether IT security". It is: are you affected, can you demonstrate compliance, and is your management protected?

NIS2 shifts the question from technical detail to the responsibility of the leadership level. What changes concretely:

  • Management liability. Responsibility for security measures lies by law with leadership — not in the IT department.
  • Duty of evidence. Risk management, measures and reporting processes must be documented and demonstrable.
  • Reporting deadlines. Significant security incidents must be reported to the authority within tight deadlines.
  • Supply chain. Even those not directly affected are increasingly asked by customers to provide proof.

Free self-check

Are you affected? Three questions are enough for a first assessment.

An indicative orientation — not legal advice. In an initial consultation we clarify your specific case bindingly.


This assessment does not replace a legal review. Exact applicability depends on sector, size and special provisions and is clarified bindingly in an initial consultation.
Your options

Three paths to NIS2 compliance — you choose the depth.

From a clear start to ongoing support. Each level builds on the previous one.

Option 1

NIS Act positioning

The clear entry point — without committing up front.
  • Applicability analysis: essential or important entity?
  • Gap analysis against your current state
  • Prioritised roadmap of the next steps
  • Liability briefing for management
You know with certainty where you stand.

Option 2

NIS Act implementation support

The roadmap delivered — on proven ISO 27001 methodology.
  • Risk management and security measures
  • Reporting and response processes
  • Policies and security documentation
  • Guidance for your team
Geared to meeting the requirements in a demonstrable way.

Option 3

Ongoing support

Permanently audit-ready — without your own security team.
  • Ongoing upkeep of your security organisation
  • Preparation and guidance for audits
  • A fixed point of contact when it matters
  • Regular management updates
Information security stays current for the long term.

Each option at a fixed price depending on scope — no counting hours, full planning certainty. We define the right scope in a free initial consultation.

FAQ

Frequently asked questions about the NIS Act 2026

Short, honest answers — a deeper assessment is welcome in an initial consultation.

When does the NIS Act 2026 come into force?

The NIS Act 2026 implements the EU's NIS2 directive in Austria. It is expected to take effect in October 2026; the exact date will be set when published in the Federal Law Gazette. In practice, building a robust security structure is a journey of several months in any case — a well-planned start is the right step at any point in time, even after the act takes effect.

Am I affected as a supplier?

Directly only if your company meets the size thresholds (50+ employees or more than €10m in annual revenue) and operates in a covered sector. Indirectly, NIS2 reaches almost every company because larger customers pass their obligations down the supply chain by contract. In practice, even non-obligated suppliers are increasingly asked to provide evidence.

What are the personal consequences for management?

NIS2 places explicit duties on management. Penalties for breaches can reach up to 1.4 % of worldwide annual revenue (for "essential entities" up to 2 %). In addition, individuals in leadership positions may be temporarily barred from exercising those functions. A documented risk-management structure and demonstrable management involvement are therefore not optional — they are liability protection.

Is ISO 27001 certification enough for NIS2?

An ISMS to ISO 27001 is a very strong foundation — but not automatic compliance. Many NIS2 requirements are already covered: risk management, technical measures, awareness. What needs to be added: NIS2-specific reporting duties (24-hour early warning, 72-hour initial report, final report within one month), supply-chain security, and documented management responsibility. In practice we usually deliver ISMS and NIS2 compliance as one integrated project.

What does implementation cost, roughly?

Effort depends strongly on company size and current maturity — a blanket answer would be misleading. As reference points from past engagements (not a standard, every case considered individually): a positioning (Option 1) typically a few days; a guided implementation (Option 2) spread over several months depending on complexity; ongoing support (Option 3) as a monthly retainer. Each option as a fixed price by scope — no hour counting. We define the right scope together in a free initial consultation.

30 minutes that bring clarity.

Without obligation, we clarify whether and how the NIS Act 2026 applies to you — and which of the three paths makes sense for you.
