NIS 2 Draft Bill: Austria Lays the Groundwork for a High Level of Cybersecurity

What the new NISG 2026 Means for Businesses – From Risk Management and Self-Declaration to the New Cybersecurity Authority

With the circular resolution adopted by the Council of Ministers on November 20, 2025, Austria officially launched the national implementation of the NIS 2 Directive. The draft Network and Information System Security Act 2026 (NISG 2026) has been submitted to Parliament.
The goal is a uniformly high level of cybersecurity throughout Europe. The NIS 2 Directive requires operators of essential and important entities to secure their network and information systems both technically and organizationally, a crucial step in light of a growing threat landscape.

According to the KPMG/KSÖ study *Cybersecurity in Austria 2025*, one in seven cyberattacks on domestic companies was successful. This increases the pressure on organizations to measurably improve their security management.

Transition periods and new obligations

The current draft bill introduces significant changes compared to the NISG 2024:

  • Effective date: nine months after publication, expected in the fall of 2026.
  • Self-declaration: Twelve months after the act takes effect, companies must demonstrate the effectiveness of their security measures on their own initiative, without being asked to do so by the authorities.
  • Risk management measures: The reference to a fixed list has been removed. Instead, the law identifies overarching topics that can be specified in greater detail by regulation.

Organizations holding an existing ISO/IEC 27001 certification may be able to have parts of it recognized, an advantage for those that have already implemented an ISMS.

Focus on technical and organizational measures

According to the KPMG study, 34 percent of the companies surveyed consider themselves well prepared from a technical standpoint, while 39 percent believe they have reached organizational maturity. Whether this self-assessment holds up under scrutiny by the so-called Qualified Bodies (QuaSte) remains to be seen: these independent audits will be decisive in determining an organization's actual security status.

Cooperation instead of isolated measures

A key element of the NIS 2 implementation is cooperation between the private sector and public authorities.
The planned risk management measures are to be guided, among other things, by EU Implementing Regulation 2024/2690 and the findings of the working groups of the Cyber Security Platform (CSP).
According to KPMG, 38 percent of companies promote knowledge sharing in working groups such as those of the Competence Center for a Secure Austria (KSÖ). These collaborations are considered key to fostering a sustainable cybersecurity culture.

New Scope of Application and Cybersecurity Authority

The scope of the NISG 2026 is being redefined:

  • In the future, companies will determine for themselves whether they are subject to NIS 2 requirements and will actively register with the competent authority.
  • The previous group-wide privilege no longer applies; each company must be assessed separately.
  • The competent authority will be a cybersecurity agency within the BMI, comparable to Germany's BSI.

In this way, Austria is establishing a clear, centralized structure for supervision, reporting, and support for affected companies.

Conclusion: View NIS 2 as an opportunity

With the NISG 2026, Austria is establishing the legal framework for a high level of security that is comparable across Europe.
Companies should use the transition period until 2026 to review their technical, organizational, and legal structures and to ensure that they are auditable.
Those who view compliance as a strategic advantage not only strengthen their security posture but also build trust among customers and partners.

ITanic GmbH helps companies implement NIS 2, from gap analysis and risk management to awareness training, technical security measures, and incident response.
