Zum Hauptmenü Zum Inhalt

NISG 2026 – it’s getting serious

Author: Klara Fuchs

Cybersecurity is being placed on a new foundation with the Network and Information Systems Security Act 2026 (NISG 2026). Starting October 1st, 2026, new obligations will apply to a wide range of companies operating in sectors relevant to society. The responsibility for complying with these obligations clearly lies with corporate management. A particularly critical point: The NISG 2026 also takes effect throughout the supply chain. Even companies that are not directly covered may be indirectly subject to these obligations through the supply chain. This is the case, for example, when major contractual partners demand corresponding proof of cybersecurity measures.

Our Applicability Check offers a quick, free, and straightforward initial assessment of whether the new law applies to your company. Please note: The applicability check is currently available in German only.

Check applicability now

A range of new obligations

Companies that fall within the scope of NISG 2026 must, in particular:

  • Register with the competent authority
  • Implement appropriate and proportionate risk management measures
  • Report significant security incidents without delay

Risk management measures include, among others:

  • Concepts regarding risk analysis and information system security
  • Access control and authentication concepts
  • Functioning backup, emergency, and recovery processes
  • Training
  • Supply chain security

Why companies should act now

There is little time left until the NISG 2026 takes effect, and some of the required measures need sufficient lead time. Companies should therefore not wait until the cybersecurity authority comes knocking. Those who hesitate too long risk severe penalties. The law provides for high administrative fines, which can quickly make any failures costly.

What steps to take

Even before specific measures are planned, processes defined, or responsibilities assigned, one key question should be clarified: Does my company fall under the NISG 2026 at all?

Check applicability now

We are happy to support you in assessing this!

In practice, however, the assessment is not always straightforward. In particular, when attributing key figures of affiliated companies, there may be room for interpretation. In such cases, it is advisable to seek expert advice early on.

Klara Fuchs, quadratisch, Fotografin: Julia Spicker

Klara Fuchs

Attorney-at-Law

Haslinger / Nagele Rechtsanwälte GmbH
Mölker Bastei 5, 1010 Wien

If your company falls within the scope of the NISG 2026, you should begin as soon as possible with defining clear responsibilities and implementing the required measures.

However, even if your company is not directly affected, the following applies: A solid cybersecurity concept is not only advisable but is increasingly expected by customers, business partners, and clients.

Disclaimer

This article is for general information only and does not replace legal advice. Haslinger / Nagele Rechtsanwälte GmbH assumes no liability for the content and correctness of this article.

Author

Klara Fuchs, quadratisch, Fotografin: Julia Spicker

Klara Fuchs

Attorney-at-Law

Further information on this legal field can be found here

Roboter mit Schild, quadratisch

Data Protection, Telecommunications & Digitalization

 

8. April 2026

 
Go back to News
  • Haslinger/ Nagele: JUVE Top Arbeitgeber Österreich 2025
  • Haslinger/ Nagele: JUVE Awards 2018: Kanzlei des Jahres Österreich
  • Haslinger/ Nagele: JUVE Top 20 Arbeitgeber 2024
  • Haslinger/ Nagele: Chambers Europe Top Ranked 2025 Logo
  • Legal500 EMEA Ranking Logo 2025
  • Promoting the best. Women in Law Award
  • Haslinger/ Nagele: Partner im CTC Cleantech Cluster
  • Haslinger/ Nagele: Mitglied Photovoltaic Austria