NIS2 Compliance

NIS2 & NISG 2026: Consulting & Implementation

Is your company affected by NIS2? ITworx supports SMEs in Vorarlberg and the DACH region from the applicability assessment through implementation to ongoing operation.

What is NIS2 – and why now?

NIS2 is the EU-wide cybersecurity directive (EU 2022/2555). In Austria it is transposed by the NISG, which enters into force on 1 October 2026. In-scope organisations must demonstrate a minimum level of IT security, report incidents and secure their supply chain – or face significant fines.

NIS2 at a glance
NISG in force
1 October 2026 (Austria)
Registration
by 31 December 2026
In scope
from ~50 staff or €10m turnover
18 sectors
plus customers' supply chain
Fines
up to €10m or 2 % of turnover
Responsibility
personal management liability

Am I affected by NIS2?

Three questions for a first, non-binding orientation. Not a substitute for a legal assessment.

1 Does your company have at least 50 employees or more than €10 million annual turnover?

2 Do you operate in a NIS2 sector? (incl. energy, transport, health, digital infrastructure, ICT services, manufacturing, food, waste, chemicals, public administration)

3 Do you supply or serve customers that are themselves in scope of NIS2?

The key dates

NIS2 becomes concrete in 2026. Starting early avoids time pressure.

06 Mar 2026
Germany: BSI registration
Registration deadline for in-scope entities – with no transition period.
01 Oct 2026
Austria: NISG enters into force
The Austrian implementation act takes effect; obligations apply.
31 Dec 2026
Austria: registration
Deadline to register in-scope entities.
ongoing
Reporting & evidence duties
Report incidents (24 h / 72 h / 1 month), evidence measures, secure the supply chain.

The 10 minimum measures – and how we deliver them

NIS2 requires concrete technical and organisational measures. Each of them maps to our managed services.

Risk analysis & security policies

IT audit, risk analysis and security policies as the foundation.

Handling of security incidents

24/7 Managed Detection & Response (MDR) and SOC monitoring.

Backup & business continuity

Managed backup, disaster recovery and continuity planning (BCP).

Supply chain security

Securing and assessing suppliers and service providers.

Procurement, development & maintenance

Patch and vulnerability management across the lifecycle.

Effectiveness of measures

Ongoing security audits, reporting and metrics.

Cyber hygiene & training

Security awareness training and phishing simulations.

Cryptography & encryption

Encryption of e-mail, data, endpoints and VPN.

Access control & asset management

IAM, Zero Trust, permission concepts and device management.

MFA & secured communication

Multi-factor authentication and secured communication channels.

NIS2-ready in four steps

From the first check to ongoing operation – you have a single partner for everything.

1 · Readiness check

Clarify applicability and estimate the rough scope of action.

2 · Gap analysis

Target/actual comparison of the ten minimum measures with a prioritised plan.

3 · Implementation

Implement and harden technical and organisational measures.

4 · Operation & reporting

Ongoing monitoring, vulnerability management and incident reporting.

This page provides general orientation on NIS2/NISG and does not replace legal advice. The binding classification of your company follows from the law.

Frequently asked questions about NIS2

Is my company affected by NIS2?
As orientation: NIS2 covers organisations from roughly 50 employees or €10 million turnover in one of 18 sectors (incl. energy, transport, health, digital infrastructure, ICT services, manufacturing, food). Smaller businesses are often affected indirectly via the supply chain of their in-scope customers. The binding classification follows from the law – we help with the assessment but do not replace legal advice.
When does NIS2 apply in Austria and Germany?
In Austria the NISG transposes the directive and enters into force on 1 October 2026; in-scope entities must register by 31 December 2026 and report incidents in stages (24 hours / 72 hours / 1 month). In Germany the BSI registration deadline is 6 March 2026 with no transition period.
What are the penalties for non-compliance?
NIS2 provides for fines of up to €10 million or 2 % of global annual turnover. In many cases, management also bears personal responsibility for risk management.
What is the difference between NIS2 and NISG?
NIS2 is the EU Directive (EU) 2022/2555. The NISG is the Austrian law transposing this directive into national law. In Germany the corresponding implementation act is called NIS2UmsuCG.
We are a small business – does NIS2 still affect us?
Possibly yes. Even if you are not directly in scope, in-scope customers increasingly require security evidence from their suppliers and service providers. Through these supply-chain requirements, NIS2 effectively reaches smaller businesses too.
How does ITworx support with NIS2?
In stages: a readiness check on applicability, a gap analysis against the ten minimum measures, technical and organisational implementation, and ongoing operation with monitoring and support for incident reporting. As a Managed Service Provider we are ourselves in scope of NIS2 and know the requirements from practice.

Tackle NIS2 in good time – we support you.

Start with a no-obligation NIS2 readiness check. Together we clarify your applicability and the next steps.