(No) Transposition of NIS2 in Austria

On July 3rd, 2024, the Austrian National Council (Nationalrat) declined to pass a federal act to transpose Directive (EU) 2022/2555 (NIS 2 Directive). The "Federal Act to Ensure a High Level of Cybersecurity of Network and Information Systems (Network and Information System Security Act 2024)" was intended to come into effect on June 1, 2025. The draft legislation was set for a relatively quick passage in the National Council after a nearly identical draft from spring 2024 had failed to receive positive feedback from stakeholders.

The only slightly revised draft still contained several provisions that were unclear and contrary to principles of the allocation of competences between federal and state bodies. Because of this, the government would have needed a qualified majority vote to pass the draft legislation. All opposition parties withheld their approval.

However, it is expected that several key substantive regulations in the eventual national act will be similar to those in the current draft(s). The summary below can therefore serve as a guideline for the obligations to come. The time still available for preparation should be utilized in view of the threat of draconian penalties of up to 10 million Euros. For the extended version of this report please refer to the PDF version on the bottom of this page under "Files".

Key Obligations

1. Registration with the Cybersecurity Authority

All essential and important entities must register with the cybersecurity authority within three months of the NIS2 Act coming into force and provide relevant information electronically.

2. Governance

The act emphasizes the importance of cybersecurity as a management task. Management bodies must ensure compliance with risk management measures and participate in specialized cybersecurity training.

3. Cybersecurity Risk-Management Measures

Essential and important entities must implement appropriate technical, operational, and organizational risk management measures based on current standards and best practices.

4. Demonstration of the Effectiveness of Risk Management Measures

Entities must submit a list of implemented risk management measures within six months of being requested by the Cybersecurity Authority. Essential entities must also provide an audit report within three years of the request.

5. Reporting Obligations

Essential and important entities must immediately report significant cybersecurity incidents to the relevant CSIRT and provide detailed reports on the incident and the measures taken.

Violations and Fines

For violations of the act, essential entities face fines of up to EUR 10 million or 2% of the total worldwide turnover, whichever is higher. Important entities can be fined up to EUR 7 million or 1.4% of the total worldwide turnover.

Contact & Questions:

Andreas Sabadello, attorney at law

+43 1 9971037

office@sabadello.legal