'''Network and Information Security Directive (NIS2 Directive)'''

Richtlinie (EU) 2022/2555
Titel:	Richtlinie (EU) 2022/2555 des Europäischen Parlaments und des Rates vom 14. Dezember 2022 über Maßnahmen für ein hohes gemeinsames Cybersicherheitsniveau in der Union, zur Änderung der Verordnung (EU) Nr. 910/2014 und der Richtlinie (EU) 2018/1972 sowie zur Aufhebung der Richtlinie (EU) 2016/1148
Kurztitel:	NIS-2-Richtlinie
Bezeichnung: (nicht amtlich)	NIS2-RL
Geltungsbereich:	EWR
Rechtsmaterie:	Binnenmarkt, Cybersicherheit
Grundlage:	AEUV, insbesondere Art. 114
Volltext	Konsolidierte Fassung (nicht amtlich) Grundfassung
Hinweis zur geltenden Fassung von Rechtsakten der Europäischen Union

Overview

Goals	Scope	Content[1]	Synergy	Consequences
Development of cybersecurity capabilities (Recital 1 NIS2)	Annex I (high-criticality sectors)	Obligation for all MS to adopt national cybersecurity strategies (Art 7 NIS2)	Data protection management system	Essential entities: fines of at least EUR 10 million or 2% of global annual turnover
Achieving a high common level of cybersecurity (Art 1 NIS2)	Annex II (other critical sectors) if thresholds in Art 2(1) of the Annex to Recommendation 2003/361/EC are exceeded	Obligation for MS to define various responsibilities and enforcement duties (Art 31 et seq. NIS2)	Security of processing (Art 32 GDPR)	Important entities: maximum fine of at least EUR 7 million or 1.4% of global annual turnover, whichever is higher
Mitigating threats in key sectors (Recital 1 NIS2)	To be transposed by MS by 17 October 2024 (not yet done)	Obligations regarding cybersecurity risk management (Art 20 et seq. NIS2) and reporting (Art 23 NIS2)	Confidentiality clauses	Administrative orders and instructions. Suspension of activity also possible (Art 32 NIS2)
		Provisions and obligations on sharing cybersecurity information (Art 29 et seq. NIS2)		Management bodies can be held personally liable (Art 20 NIS2)

Goals	Scope	Content[2]	Synergy	Consequences
Development of cybersecurity capabilities (Recital 1 NIS2)	Annex I (high-criticality sectors)	Obligation for all MS to adopt national cybersecurity strategies (Art 7 NIS2)	Data protection management system	Essential entities: fines of at least EUR 10 million or 2% of global annual turnover
Achieving a high common level of cybersecurity (Art 1 NIS2)	Annex II (other critical sectors) if thresholds in Art 2(1) of the Annex to Recommendation 2003/361/EC are exceeded	Obligation for MS to define various responsibilities and enforcement duties (Art 31 et seq. NIS2)	Security of processing (Art 32 GDPR)	Important entities: maximum fine of at least EUR 7 million or 1.4% of global annual turnover, whichever is higher
Mitigating threats in key sectors (Recital 1 NIS2)	To be transposed by MS by 17 October 2024 (not yet done)	Obligations regarding cybersecurity risk management (Art 20 et seq. NIS2) and reporting (Art 23 NIS2)	Confidentiality clauses	Administrative orders and instructions. Suspension of activity also possible (Art 32 NIS2)
		Provisions and obligations on sharing cybersecurity information (Art 29 et seq. NIS2)		Management bodies can be held personally liable (Art 20 NIS2)

Introduction

Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union^[3] (short: “NIS2 Directive”) is the successor to the EU’s first cybersecurity directive^[4] (“NIS Directive”).

Already under the first NIS Directive and its national implementation (NISG), certain companies were required to adopt cybersecurity measures. The successor, the NIS2 Directive, significantly expands the scope to include many previously uncovered companies and mandates tailored security measures. It also introduces specific requirements for incident notification systems and new liability provisions. The NIS Directive was implemented in Austria via the Network and Information System Security Act (NISG), which is currently (as of October 2024) being revised to implement NIS2^[5]. Also notable is Implementing Regulation (EU) 2024/2690^[6].

The aim of the NIS2 Directive is to establish a robust security infrastructure across the EU based on a risk-based approach. The focus is not on securing each individual device, but on ensuring the resilience of essential and important entities.

Although Austria’s National Council secured a simple majority in July 2024 for the implementation law (NISG-E), the law requires a two-thirds majority due to constitutional provisions, which was not reached. The main reason for opposition was the placement of the national cybersecurity authority within the Ministry of the Interior.^[7] The authors do not expect significant changes to the uncontested provisions in future drafts, which is why the following sections are based on the current draft (NISG 2024; Telecommunications Act, eHealth Act, amendment (326/ME)^[8] – referred to hereafter as NISG).

Scope

NIS2 Directive

Personal/Material Scope

The scope includes both public and private entities. The NIS2 Directive distinguishes between size-dependent (Art 2(1) NIS2) and size-independent (Art 2(3) NIS2) applicability.

Size-dependent scope

To define the size-dependent scope, the NIS2 Directive applies the size-cap rule:

To define the size-dependent scope, the NIS2 Directive applies the size-cap rule:

• Entities with more than 50 employees
• or more than EUR 10 million in annual turnover^[9]

Additionally, the entity’s activity must fall under Annex I or II of the NIS2 Directive:

• Annex I includes sectors such as: Energy | Transport | Banking | Financial market infrastructures | Healthcare | Drinking water | Waste water | Digital infrastructure | ICT service management (B2B) | Public administration | Space

• Annex II includes sectors such as: Postal and courier services | Waste management | Manufacturing and trade of chemicals | Food production and distribution | Manufacturing | Production of goods | Digital service providers | Research

Annex II includes sectors such as:

Postal and courier services | Waste management | Manufacture, production and trade of chemicals | Food production, processing and distribution | Manufacturing industry | Goods manufacturing | Digital service providers | Research

Size-independent Scope

According to Articles 2 and 3 NIS2, entities may fall within the scope of the Directive regardless of their size or the "size-cap rule".

Covered activities include:

Under Article 2(2)(a) NIS2:

• Providers of public electronic communications networks or publicly available electronic communications services
• Trust service providers
• Top-level domain name registries and DNS service providers

Under Article 2(2)(b)–(f) in conjunction with Article 3(1)(e) NIS2:

• Services essential for maintaining critical societal or economic activities
• Services whose disruption could significantly affect public order, public security or public health
• Services whose disruption could pose a significant systemic risk, particularly in sectors with potential cross-border impacts
• Entities considered critical due to their specific importance at national or regional level for their sector, type of service or interdependent sectors
• Certain public administration entities

• Entities designated as critical under the Critical Entities Resilience Directive (CER Directive)
• Domain name registration service providers

Essential and Important Entities

Entities within scope are classified under Article 3 NIS2 as either essential or important.

• Essential entities are subject to both proactive and reactive supervision (Art 32 NIS2)

• Important entities are subject to reactive supervision only (Art 33 NIS2)^[10]

Different sanction regimes apply accordingly.

Territorial Scope

Applies to entities established in the EU or providing services within the EU (Art 2 NIS2).

National Implementation (NISG Draft)

Personal/Material Scope

According to § 2 NISG, the Act applies to essential and important entities operating in defined sectors. These sectors correspond to those listed in the NIS2 Directive and are extended by subsectors listed in Annexes 1^[11] and 2^[12] of the NISG.

An "entity" under § 3(10) NISG is a natural person or a legal person or registered partnership recognized under the applicable national law, capable of exercising rights and bearing obligations in its own name.

Unlike the two-tier approach in Articles 2 and 3 of NIS2, classification under the NISG relies solely on § 24 NISG. This section also distinguishes between sectors with size thresholds and those without.

Size-dependent Scope

Large or medium-sized enterprises

operating in sectors listed in Annexes 1 and 2 of the NISG are deemed important entities under § 42(2) NISG.

A subset of these entities is designated as essential under § 24(1) NISG.

Austria did not make use of the option to automatically classify previous “operators of essential services” or include municipalities and educational institutions within the scope.^[13]

Size-independent Scope

Regardless of size, the following are considered essential entities under § 24(1)(1) NISG:

• Qualified trust service providers
• TLD name registries
• DNS service providers
• Federal-level public administration entities
• Entities designated as essential by the cybersecurity authority (§ 26(1))
• Entities classified as critical under Directive (EU) 2022/2557 (CER Directive)

Additionally, public authorities meeting the criteria in § 25(3) NISG fall under this category. These include federal and state institutions without a commercial mandate whose decisions impact individual rights in cross-border contexts.

Exceptions

Entities already subject to sector-specific EU legislation that mandates their own risk management or incident reporting—ensuring at least equivalent cybersecurity—and that are formally recognised as such by regulation (§ 27 NISG), are exempt. This may apply to entities covered by the DORA Regulation.

Entities in the public administration sector whose activities are primarily related to national security, public safety, military defense, or law enforcement, as well as institutions of higher education, judiciary, legislative bodies (including the Parliamentary Directorate), and the Austrian National Bank, are not considered essential or important entities (§ 24(6) NISG).

Delineation

Entities not directly within the scope may still be contractually required to comply with NIS2 obligations through agreements with in-scope entities. In such cases, it must be assessed which parts of the obligations apply to the indirectly covered entity.

Territorial Scope

Essential and important entities, as well as domain name registration service providers, are subject to the provisions of this chapter only with regard to their establishments located in Austria (§ 28 NISG).

Different rules apply to providers of public communications networks, publicly available electronic communication services, DNS providers, TLD registries, domain name registration services, cloud computing service providers, data center service providers, content delivery networks, managed service providers, managed security service providers, online marketplaces, search engines, and social networking platforms.

For details, see § 28 NISG.

Temporal Scope

As of the time of drafting, the NIS2 Directive has not yet been transposed into Austrian national law.

Key Provisions

Risk Management Measures

NIS2 Directive

The regulation of risk management measures under NIS2 follows a risk-based and proportionate approach^[14]. Companies must consider the following factors when implementing security measures:

• State of the art
• Cost of implementation
• Size of the entity
• Probability of security risks
• Other individual factors

Article 21(2) NIS2 defines ten concrete measures and minimum requirements that Member States must mandate.

These include:

• Policies for risk analysis and information system security
• Incident handling
• Business continuity
• Supply chain management
• Evaluation procedures for cybersecurity measures
• Use of cryptography and encryption
• Personnel security
• Access controls and asset management
• Cybersecurity training
• Security in procurement
• Development and maintenance of network and information systems
• Secure authentication and communication

National Implementation (NISG)

§ 32 NISG implements Article 21 NIS2.

§ 32(1) NISG refers to Annex 3^[15], which lists refined measures based on Article 21 NIS2. The list reflects EU-level efforts within the NIS Cooperation Group^[16]. Measures are categorized as organizational, technical, and operational^[17].

§ 32(2) NISG obliges affected entities to ensure a level of security appropriate to the existing risk, thus reinforcing the risk-based approach.

Entities must consider:

• State of the art (§ 32(2)(1)(a) NISG)
• Relevant national, European, and international standards (e.g., Regulation (EU) No 1025/2012)
• Best practices

Implementation costs must be proportionate to the risks facing the network and information systems (§ 32(2)(1)(b) NISG)^[18]. No excessive financial or administrative burdens should arise.

Measures must follow a cross-hazard approach, covering both cybersecurity and physical security (§ 32(2)(2) NISG), including:

• Protection from system failures, human error, malicious acts, and natural events
• Personnel security
• Appropriate access control strategies

Special focus is placed on supply chain risk management (§ 32(2)(3) NISG):

• Assessment of supplier and provider vulnerabilities
• Consideration of the overall quality and resilience of products and services
• Review of suppliers’ cybersecurity practices and development processes

Entities must identify, assess, and manage risks and dependencies in service provider relationships.

The evaluation must include products and services of direct suppliers and providers. Where services depend significantly on subcontractors, these must also be included in the assessment. This applies to both new procurements and existing contracts^[19].

Entities may be required to submit a list of implemented risk management measures to the cybersecurity authority. They may also be required to undergo an independent audit, with the resulting report signed by a management body. For important entities, this obligation applies only under certain conditions (§ 33 NISG).

Governance Obligations and Liability of Management Bodies

NIS2 Directive

The NIS2 Directive introduces specific governance obligations targeting the executive and management levels, emphasizing their active role. Key aspects include:

• **Accountability**: Corporate leadership (e.g., board, management) is responsible for approving and overseeing the implementation of risk management obligations.
• **Personal liability**: Management bodies may be held personally accountable for non-compliance with these obligations.
• **Training obligation**: Management bodies must undergo cybersecurity training and ensure such training is also available to their employees.
• **Skill development**: Training aims to provide adequate knowledge and capabilities to identify and assess cybersecurity risks and implement appropriate management practices.
• **Preventive approach**: Strengthening leadership competencies is intended to proactively mitigate cybersecurity threats.

National Implementation (NISG)

Definition of Management Body

"Management body" refers to one or more natural persons who, under law, articles of association, or contract, are appointed to manage an entity’s operations or supervise its management (§ 3(1)(11) NISG). Entity and management body may be identical—for example, a Federal Minister^[20]. The definition targets actual leadership (typically executive boards, managing directors, or supervisory boards). Legal representation alone does not establish a management body^[21].

Obligations of Management Bodies

The NISG imposes several obligations on the management bodies of essential and important entities:

• **Implementation of measures**: Management bodies must approve their entity’s cybersecurity measures^[22].

• **Oversight**: They are required to supervise the implementation of cybersecurity measures, ensuring effectiveness and compliance. They must ensure regular review and updates of such measures.
• **Resource allocation**: Management bodies are responsible for providing sufficient financial and personnel resources for cybersecurity. This includes developing and regularly updating a detailed resource allocation plan.
• **Risk oversight**: Management must monitor and manage cybersecurity risks, conduct comprehensive assessments including the identification of critical systems, potential incident impacts, and ensure development and review of incident response plans.
• **Training**: Management must attend cybersecurity training and ensure employees receive training to detect, assess, and manage risks.
• **Accountability**: Management bodies are liable for any breach of cybersecurity obligations that causes damage, unless already covered by the Liability of Public Officials Act (OrgHG), BGBl 181/1967^[23].
• **Strategic priority**: These obligations aim to establish cybersecurity as a strategic priority at the highest level of management.

Incident Reporting Obligations

NIS2 Directive

The directive provides for several deadlines for reporting significant security incidents—24 hours, 72 hours, and one month. These are maximum deadlines; immediate reporting is often expected:

• **Within 24 hours**: Early warning to the national authority, including whether criminal activity or cross-border effects are suspected.
• **Within 72 hours**: A more detailed report including current information, impact assessment, and indicators of compromise.
• **Within one month**: A final report with a comprehensive incident description, classification, severity, impact, remediation actions, and cross-border implications.

Voluntary reporting of incidents, threats, and near misses to CSIRT is also possible—even for non-essential entities. Such reports may be submitted anonymously.

National Implementation (NISG)

Reporting to CSIRT

Incident reporting is governed by §§ 34, 35, and 37 NISG.

§ 34(1) NISG obliges essential and important entities to report every significant cybersecurity incident to their sector-specific CSIRT or, alternatively, to the national CSIRT without delay. The Federal Chancellery maintains a list of CSIRTs under the NISG.

• **Early warning**: Within 24 hours
• **Follow-up report**: Within 72 hours
• **Final report**: Within one month; if the incident persists, a progress report is required, followed by a final report after resolution.

Contents of reports:

• **Early warning**: Indicate whether the incident is suspected to be caused by unlawful or culpable acts or may have cross-border effects.
• **Incident report**: Update early warning with severity assessment, impacts, and compromise indicators.
• **Final report**: Full description of the incident, severity, causes, type of threat, mitigation measures, and possible cross-border effects.

Note: Alerts forwarded to the operator do not qualify as formal reports under § 34 NISG^[24].

Notification to Affected Parties

If a significant incident affects service delivery, the entity must promptly inform service recipients and provide possible mitigation actions.

Definition of Significant Cybersecurity Incident

According to § 35 NISG, an incident is considered significant if:

• It causes or may cause serious operational disruption or financial loss

or

• The affected systems’ role in service delivery
• Severity and technical nature of the threat
• Underlying vulnerabilities
• Past experience with similar incidents

Additional criteria under § 35(2)–(3) NISG:

• Degree of dependency
• Possible consequences of incidents
• Market share of the entity
• Geographic reach
• Sector- and company-specific factors
• Additional criteria may be defined by the Federal Ministry of the Interior

Recital 101 NIS2 provides interpretative guidance. Implementing Regulation (EU) 2024/2690 further specifies what constitutes a significant incident for certain entities.

Case Study

On Friday at 4:00 p.m., its SOC detects a high volume of traffic targeting the firewalls of one data center. The attack is identified as a Distributed Denial of Service (DDoS) targeting a central company platform. Despite DDoS protection, attackers temporarily overload systems.

Impacts:

• Between 5:00 and 8:00 p.m., repeated outages affect a key access service.
• Clients experience connection drops, slow load times, and an inability to process critical data, triggering emergency procedures.

• • Applicability**:

According to § 24(2) NISG, entities operating as medium-sized businesses in highly critical sectors (Annexes 1 and 2 NISG) qualify as important entities. § 25 NISG defines medium-sized businesses as employing at least 50 persons.NisExperts AG meets both criteria: over 50 employees and operation in a critical sector (Annex 1 No. 8—Digital infrastructure). While service disruptions could affect public order and health, this alone does not qualify it as an "essential entity". NisExperts AG is therefore classified as an important entity under the NISG.

Incident Reporting

Important entities are required under § 34 NISG to report any significant cybersecurity incident to their competent sectoral CSIRT, or otherwise to the national CSIRT without delay. In assessing whether an incident qualifies as significant, § 35(2)(b) NISG states that possible effects on public order, security, public health, or the health of the population or large groups must be taken into account.As NisExperts AG provides critical services to several hospitals, and the outage triggered the activation of emergency plans, this likely constitutes a significant cybersecurity incident under § 35 NISG.

According to Article 8 of Implementing Regulation (EU) 2024/2690, a significant incident occurs when the availability of a data centre service operated by the provider is impaired for more than one hour. This condition is met, and thus the event qualifies as a significant incident.

In the absence of a sector-specific CSIRT, NisExperts AG reports the incident to the national CSIRT (cert.at) in accordance with § 34 NISG as follows:

Initial report within 24 hours

• **Content**: Description of the incident, initial assessment of impacts on availability and integrity, and preliminary measures taken.
• **Technical details**: Assessment of attack type (DDoS), affected systems, and possible source of the attack.

Update within 72 hours

• **In-depth analysis**: Clarification of causes, precise damage assessment, and further mitigation and recovery measures.
• **Impact assessment**: Specification of affected client groups and disruptions.

Final report within one month

• **Results**: Documentation of the entire incident management process.
• **Lessons learned**: Recommended preventive measures and future strategies.

Synergies

Reporting Obligations

The reporting obligations under the General Data Protection Regulation (GDPR) and the NIS2 Directive overlap in several areas, although they have different focal points.

Nature of affected data

• **GDPR**: Only applies when personal data is compromised (e.g. unauthorized access, loss or theft).
• **NIS2**: Also applies to incidents affecting the availability, integrity, or confidentiality of systems, regardless of whether personal data is involved—focus is on general IT security.

Conditions for reporting

• **GDPR**: Required if the breach poses a risk to the rights and freedoms of natural persons.
• **NIS2**: Obligations apply for significant incidents with potential impact on the delivery of essential services, based on criteria such as user impact, incident duration, or economic damage.

Overlaps

• Both regulations require reporting of incidents affecting confidentiality, integrity, or availability.
• If both IT systems and personal data are involved, dual reporting may be required—to the data protection authority (GDPR) and the cybersecurity authority (NIS2).
• Operators of essential services handling personal data may be subject to both regimes and must report both the data breach and the cybersecurity incident.

The risk management requirements under the GDPR and NIS2 Directive intersect where both data and IT system protection are concerned. While both require security and risk mitigation measures, they differ in emphasis.

Risk Management

The risk management requirements under the GDPR and NIS2 Directive intersect where both data and IT system protection are concerned. While both require security and risk mitigation measures, they differ in emphasis: