What companies should now know about the NIS-2 Directive and the Cyber Resilience Regulation

24. June, 2025

The European Union is tightening its legal requirements for cybersecurity. Two central pieces of legislation are in focus: the NIS 2 Directive, transposed in Austria by the NISG 2025, and the Cyber Resilience Regulation. Both are intended to provide more protection in the digital space and affect a large number of companies in Austria.

What are the NIS 2 Directive and the NISG 2025?

The EU’s NIS 2 (Network and Information Security) Directive aims to strengthen cybersecurity and had to be transposed into national law by 17 October 2024. In Austria, this is to be done by the new NISG 2025. Affected are medium-sized and large companies from sectors of high criticality, e.g. energy, banking, digital infrastructure or drinking water, as well as from other critical sectors, such as digital service providers.

Within three months of the NISG 2025 coming into force, companies must register, take risk management measures and participate in cybersecurity training.

What does the NIS-2 Directive require?

  • Organizations must implement comprehensive risk management measures, including security policies, access controls, emergency response plans, and training
  • Security incidents must be reported within 24 hours, followed by further reports within 72 hours and a final report within one month
  • Clearly assigned responsibilities within the company
  • Regular training and documentation
  • Penalties for violations: up to 10 million euros or 2% of annual global turnover

What are the benefits of the Cyber Resilience Regulation?

With the Cyber Resilience Regulation (CRA), the EU is also standardizing cybersecurity rules for products with digital elements, i.e. hardware or software that is directly or indirectly connected to a network. The obligations apply from December 2027, by which time all products with digital elements must meet the requirements. Products that were already placed on the market before December 2027 may be subject to certain transitional provisions.

Core contents of the Regulation:

  • Security requirements for hardware and software over the entire product life cycle
  • Obligation to remediate vulnerabilities and provide security updates
  • Clear information obligations towards customers
  • CE marking also required for digital products

What does this mean for companies in Austria?

Even though many details are still being specified, it is already clear that cybersecurity will be regulated more strongly by law in the future, and violations can be expensive: maximum penalties amount to 10 or 15 million euros or up to 2% or 2.5% of annual turnover. Companies should familiarize themselves with the requirements at an early stage and adapt their internal processes accordingly.
