Almost exactly 3 years after the NIS2 Directive was adopted by the European Parliament, it was also put to the vote in the Austrian National Council on December 12, 2025. NIS2 has thus also arrived in Austria and will be transposed into our national law as NISG 2026 – exactly one week after this step was also taken in Germany.
What is the NIS2?
The NIS2 (Network and Information Security Directive 2) was adopted by the European Parliament and Council in 2018. The overarching aim is to achieve a standardized, high level of cybersecurity within the EU. The binding requirements must be transposed into the national law of the member states and serve to protect the IT infrastructures of companies in security-critical sectors. These affected companies must implement technical, organizational and operational measures, such as risk analyses, backup strategies, multi-factor authentication, employee training and supply chain security. Manufacturers, integrators and machine builders as suppliers may also be affected.
What happens now?
First of all: NIS2 is no reason to panic – quite the opposite! It should be seen as an opportunity to protect your company from the very real dangers of cyber attacks.
A look at the chart below also shows that your path to full compliance with the legal requirements includes various intermediate steps and that the timeline provides sufficient space for a considered and structured implementation.
December 12, 2025: NISG 2026
On this date, the decision was made to transpose the European NIS2 Directive into Austrian law. The clock is ticking and affected companies are required to comply with the legal requirements. All preparatory measures required to enable the cybersecurity authority to perform its tasks on time must now be taken (see deadlines below).
October 01, 2026: NISG 2026 comes into force
The previous NIS1 will be replaced by NIS2 with immediate effect and risk management measures must be implemented. This date also marks the start of the three-month period for mandatory registration of significant and important companies under NIS2 with the Cybersecurity Authority (deadline: 31.12.2026).
October 01, 2027: Deadline for self-declaration
The description of your risk management measures, including the results of risk analyses, must be proactively submitted by you to the cybersecurity authority by September 30, 2027.
October 01, 2028: Request by cybersecurity authority
Essential and important entities must provide evidence of the technical, operational and organizational implementation of the risk management measures within two years of being requested to do so by the cybersecurity authority.
By way of derogation, essential entities must provide evidence of the operational and organizational implementation of the risk management measures within two months of being requested to do so by the cybersecurity authority. This means that 30.11.2028 is the earliest date for proof of implementation (operational and organizational) for essential entities!
Essential facilities should always expect to receive such a request from the authorities, while important facilities should only expect to receive such a request in the event of an emergency or on the basis of a risk assessment by the authorities.
30 September 2030: Proof of implementation
You must now provide evidence of the effectiveness of the technical, operational and organizational implementation of the risk management measures in the form of a signed audit report.
Essential vs. important facilities
In this context, it is also important to distinguish between essential and important facilities. These are briefly summarized here:
Essential facilities
Companies in high-risk sectors (Annex I)
+ medium/large or due to criticality
Stricter supervision (proactive audit)
Examples: Energy suppliers, hospitals, banks
Important facilities
Companies in relevant sectors (Annex II)
+ medium/large or critical role
Reactive supervision (examination on occasion)
Examples: Machine builders, food producers, research institutes
“Many companies are currently experiencing NIS2 as complex and challenging. In our day-to-day work, however, we see that a structured approach can take away a great deal of uncertainty. The directive provides guidelines and this is exactly where we come in: We help organizations to translate these guidelines into practicable, effective processes.”
David Schauer, Head of Operator Consulting
NIS compliance with Limes Security
As a qualified body (QuaSte) recognized by the Federal Ministry of the Interior (BMI) and the Federal Office for the Protection of the Constitution and Counterterrorism (BVT) in accordance with the NISG, we are able to carry out organizational and technical audits for you comprehensively and with the highest level of professionalism.
Our inspectors have many years of experience in industry, energy supply and the medical sector. This broad industry knowledge helps us not only to recognize the individual challenges of our customers, but also to respond to them in a targeted manner.
As a qualified body with deep-rooted expertise, we support companies on their path to reliable compliance with NIS requirements. With a tried-and-tested audit process, our readiness check and practical recommendations, we ensure that organizations are optimally prepared for audits and pass them successfully.
The result: regulatory requirements are met – and our customers’ security situation is strengthened in the long term.



