Introduction: Why NIS2 Matters Now

The Network and Information Security Directive 2 (NIS2) is the European Union's most significant overhaul of cybersecurity legislation in nearly a decade. Adopted as Directive (EU) 2022/2555, it replaces the original NIS Directive from 2016 and dramatically expands the scope, depth, and enforcement of cybersecurity obligations across all member states.

For Austrian businesses, this is not a distant regulatory concern. The EU set a transposition deadline of October 17, 2024, requiring all member states to incorporate NIS2 into national law. Austria's national implementation — the NISG 2024 (Netz- und Informationssystemsicherheitsgesetz) — brings these requirements into enforceable Austrian law, with supervisory authorities actively preparing enforcement mechanisms throughout 2025 and into 2026.

If your organization operates in Austria, provides services within the EU, or is part of a supply chain that does, NIS2 very likely applies to you. The consequences of non-compliance are severe: substantial financial penalties, personal liability for management, and potential operational restrictions.

NIS2 is not just another compliance checkbox. It represents a fundamental shift in how the EU treats cybersecurity — from voluntary best practice to enforceable legal obligation with real consequences.

What Changed from NIS1 to NIS2

The original NIS Directive, while groundbreaking at the time, suffered from inconsistent implementation across member states, a narrow scope, and limited enforcement power. NIS2 addresses each of these shortcomings comprehensively.

Expanded Scope

NIS1 covered a relatively small number of "operators of essential services" and digital service providers. NIS2 massively broadens this to cover 18 sectors, divided into Essential and Important entities. Tens of thousands of organizations across the EU now fall within scope — many for the first time.

Stricter Security Requirements

Where NIS1 offered general guidance, NIS2 prescribes specific risk management measures that organizations must implement. Article 21 of the directive lists ten minimum security measures, from incident handling and business continuity to encryption policies and supply chain security.

Higher Penalties

NIS1 left penalties largely to member states, resulting in inconsistent enforcement. NIS2 establishes harmonized penalty floors: up to 10 million euros or 2% of global annual turnover for essential entities, and up to 7 million euros or 1.4% of global annual turnover for important entities.

Supply Chain Security

NIS2 introduces explicit obligations around supply chain and third-party risk management. Organizations must assess and address cybersecurity risks arising from their suppliers and service providers. This means that even companies not directly in scope may face contractual cybersecurity requirements from their customers who are.

Management Liability

Perhaps the most consequential change: NIS2 introduces personal liability for management bodies. Board members and senior executives can be held individually responsible for compliance failures. They are also required to undergo cybersecurity training and to approve risk management measures directly.

Key Differences at a Glance

Aspect                      NIS1 (2016)                  NIS2 (2022)
--------------------------  ---------------------------  --------------------------------
Sectors covered             7 sectors                    18 sectors
Entity classification       OES & DSP                    Essential & Important
Max penalty (essential)     Varied by member state       €10M or 2% global turnover
Supply chain obligations    Minimal                      Explicit requirement
Management liability        None specified               Personal liability
Incident reporting          "Without undue delay"        24h / 72h / 1 month tiered

Who Is Affected in Austria

NIS2 uses a combination of sector classification and size thresholds to determine which organizations fall within scope. In Austria, the NISG 2024 mirrors these criteria closely.

Essential Entities (Wesentliche Einrichtungen)

These are organizations in sectors considered critical to the functioning of society and the economy. They face the strictest requirements and the highest penalties. Essential sectors include:

  • Energy — electricity, oil, gas, district heating, hydrogen
  • Transport — air, rail, water, road
  • Banking and financial market infrastructure
  • Healthcare — hospitals, laboratories, pharmaceutical manufacturing, medical device manufacturers
  • Drinking water supply and wastewater management
  • Digital infrastructure — IXPs, DNS providers, TLD registries, cloud computing, data centers, CDNs, trust service providers, electronic communications networks
  • ICT service management (B2B) — managed service providers, managed security service providers
  • Public administration (central government level)
  • Space

Important Entities (Wichtige Einrichtungen)

Important entities face somewhat lighter supervisory measures but are still subject to the full set of security requirements and significant penalties. These sectors include:

  • Postal and courier services
  • Waste management
  • Chemical manufacturing, production, and distribution
  • Food production, processing, and distribution
  • Manufacturing — medical devices, computers, electronics, machinery, motor vehicles, and other transport equipment
  • Digital providers — online marketplaces, search engines, social networking platforms
  • Research organizations

Size Thresholds

As a general rule, NIS2 applies to medium-sized and large organizations within these sectors:

  • Medium enterprises: 50 or more employees, or annual turnover / balance sheet exceeding €10 million
  • Large enterprises: 250 or more employees, or annual turnover exceeding €50 million

However, certain entities are in scope regardless of size, including qualified trust service providers, TLD registries, DNS service providers, and telecommunications providers. Member states may also designate smaller entities as in scope if they provide critical functions.

If you are uncertain whether your organization falls within scope, err on the side of caution. A formal scoping assessment is a prudent first step — and far less costly than discovering your obligations after an incident.

Key Requirements Under NIS2

Article 21 of the NIS2 directive establishes the core cybersecurity risk management measures that all in-scope entities must implement. These are not optional recommendations — they are legal requirements.

1. Risk Management Measures (Article 21)

Organizations must adopt an all-hazards approach to cybersecurity risk management, implementing measures that are proportionate to the risks faced. The directive specifies a minimum set of measures that must be addressed:

  • Risk analysis and information system security policies
  • Incident handling procedures
  • Business continuity and crisis management
  • Supply chain security
  • Security in network and information system acquisition, development, and maintenance (including vulnerability handling and disclosure)
  • Policies and procedures to assess the effectiveness of cybersecurity measures
  • Basic cyber hygiene practices and cybersecurity training
  • Policies on the use of cryptography and encryption
  • Human resources security, access control, and asset management
  • Multi-factor authentication (MFA) and secured communications

2. Incident Reporting

NIS2 introduces a strict, tiered incident reporting regime. When a significant incident occurs, organizations must meet three successive deadlines, each counted from the moment the entity becomes aware of the incident.

Incident Reporting Timeline

  • Within 24 hours: Submit an early warning to the competent authority (in Austria, this is the designated CSIRT). This must indicate whether the incident is suspected to be caused by unlawful or malicious activity and whether it could have cross-border impact.
  • Within 72 hours: Submit an incident notification with an initial assessment of the incident, including its severity and impact, and any indicators of compromise.
  • Within 1 month: Submit a final report with a detailed description of the incident, its root cause, mitigation measures applied, and any cross-border impact.

A "significant incident" is defined as one that has caused or is capable of causing severe operational disruption or financial loss, or one that has affected or could affect other natural or legal persons by causing considerable material or non-material damage.

3. Supply Chain Security

Organizations must assess the cybersecurity posture of their direct suppliers and service providers. This includes evaluating the security practices of critical vendors, incorporating cybersecurity requirements into contractual arrangements, and monitoring ongoing compliance. Given the interconnected nature of modern business, a vulnerability in your supply chain is a vulnerability in your organization.

4. Business Continuity and Disaster Recovery

NIS2 requires organizations to have robust business continuity and disaster recovery plans in place, including backup management, crisis management procedures, and the ability to restore operations after a disruptive incident. These plans must be tested regularly.

5. Cybersecurity Training for Management

Management bodies must undergo regular cybersecurity training and must have sufficient knowledge to identify risks, evaluate cybersecurity practices, and approve risk management measures. This is not delegable — the directive explicitly places this responsibility at the board level.

6. Encryption and Access Control

Organizations must implement appropriate policies governing the use of cryptography and, where relevant, encryption. Access control policies must ensure that only authorized individuals can access sensitive systems and data, with multi-factor authentication required where appropriate.

Penalties and Enforcement

NIS2 introduces a penalty framework that is deliberately modeled on the GDPR approach, ensuring that non-compliance carries serious financial consequences.

Maximum Administrative Fines

Entity Type          Maximum Fine
-------------------  ------------------------------------------------------------------------------
Essential entities   €10,000,000 or 2% of total worldwide annual turnover (whichever is higher)
Important entities   €7,000,000 or 1.4% of total worldwide annual turnover (whichever is higher)

Beyond financial penalties, supervisory authorities have a range of enforcement powers, including:

  • Binding instructions to remedy identified deficiencies
  • Orders to implement specific security measures
  • Orders to notify affected parties of a breach
  • Temporary suspension of certifications or authorizations
  • Temporary bans on management functions for responsible individuals

Personal liability for management is a critical aspect of NIS2 enforcement. Where an organization's failure to comply with cybersecurity obligations can be attributed to negligence or deliberate decisions by senior management, those individuals may be held personally liable. This can include temporary bans from exercising managerial functions. Austrian implementation reflects these provisions, making cybersecurity a board-level governance issue rather than a purely technical one.

Six Steps to NIS2 Compliance

Achieving compliance with NIS2 is not a one-time project but an ongoing process. However, every journey begins with concrete first steps. Here is a practical roadmap for Austrian organizations.

Step 1: Determine If You Are in Scope

The first and most important step is establishing whether your organization falls under NIS2. Review your sector classification against the Essential and Important entity lists. Assess your organization's size against the thresholds (50+ employees or €10M+ turnover). If you operate across multiple sectors or jurisdictions, each may need separate analysis. Do not assume you are out of scope simply because you were not covered under NIS1 — the expanded scope catches many organizations that were previously unregulated.

Step 2: Conduct a Gap Analysis

Once you have confirmed your organization is in scope, perform a thorough gap analysis comparing your current cybersecurity posture against the Article 21 requirements. This should cover your existing policies, procedures, technical controls, incident response capabilities, supply chain management, training programs, and governance structures. Document what you have, what you lack, and where improvements are needed.

Step 3: Implement Security Measures

Based on your gap analysis, prioritize and implement the necessary technical and organizational measures. This typically includes deploying or improving:

  • Network segmentation and monitoring
  • Endpoint detection and response (EDR)
  • Multi-factor authentication across all critical systems
  • Encryption for data at rest and in transit
  • Vulnerability management and patching processes
  • Access control and identity management policies
  • Security information and event management (SIEM)

Step 4: Establish Incident Response Procedures

Develop or update your incident response plan to meet NIS2's tiered reporting requirements. Ensure your team knows exactly what constitutes a "significant incident," who is responsible for reporting, and how to meet the 24-hour, 72-hour, and one-month deadlines. Identify your national CSIRT and establish communication channels in advance. Run tabletop exercises to test your response procedures under realistic conditions.

Step 5: Document Everything

NIS2 compliance is not just about having the right controls in place — it is about being able to demonstrate that you do. Maintain comprehensive documentation of your risk assessments, security policies, incident response plans, training records, supplier assessments, and audit results. This documentation will be essential during supervisory inspections and, in the event of an incident, will serve as evidence that your organization exercised due diligence.

Step 6: Regular Testing and Auditing

NIS2 explicitly requires organizations to assess the effectiveness of their cybersecurity measures on an ongoing basis. This means regular:

  • Penetration testing — simulating real-world attacks to identify vulnerabilities before adversaries do
  • Security audits — independent review of your controls, policies, and procedures
  • Vulnerability assessments — systematic scanning and evaluation of your infrastructure
  • Business continuity testing — validating that your disaster recovery plans actually work under pressure

These assessments should be conducted by qualified professionals and their findings should feed directly back into your risk management process.

How A.KHAT Can Help

At A.KHAT, we specialize in helping Austrian and EU-based organizations navigate the practical realities of cybersecurity compliance. Our team brings hands-on offensive security expertise to every engagement.

We offer services directly aligned with NIS2 requirements:

  • NIS2 Scoping Assessment — We help you determine whether your organization falls within scope and which classification applies, eliminating uncertainty early.
  • Gap Analysis & Compliance Assessment — A structured review of your current security posture against NIS2's Article 21 requirements, producing a clear roadmap to compliance with prioritized recommendations.
  • Penetration Testing — Professional, authorized security testing of your external and internal infrastructure, web applications, and networks. Our reports provide actionable findings that directly address NIS2's requirement to assess the effectiveness of security measures.
  • Security Audits — Comprehensive evaluation of your policies, procedures, and technical controls to ensure they meet regulatory standards.
  • Incident Response Planning — Assistance in developing and testing incident response procedures that meet NIS2's strict reporting timelines.
  • Supply Chain Risk Assessment — Evaluation of your critical suppliers' cybersecurity posture to satisfy NIS2's supply chain security requirements.

Ready to Start Your NIS2 Compliance Journey?

Contact us for a free initial consultation to assess your organization's NIS2 readiness.

Conclusion: Act Now, Not Later

NIS2 represents a watershed moment for cybersecurity regulation in the EU. The expanded scope, stringent requirements, significant penalties, and personal management liability make it impossible to ignore. For Austrian businesses, the question is no longer whether to comply, but how quickly you can achieve compliance.

The organizations that will navigate this transition most successfully are those that start now. A proactive approach — beginning with scoping, moving through gap analysis, and systematically implementing the required measures — is vastly preferable to a reactive scramble triggered by an enforcement action or, worse, a security incident.

Cybersecurity is no longer just an IT issue. NIS2 makes it a governance issue, a legal issue, and a board-level responsibility. The directive's message is clear: treat cybersecurity with the same seriousness as financial reporting, data protection, or workplace safety. The stakes demand nothing less.

The best time to start preparing for NIS2 was when the directive was adopted. The second best time is today.