NIS2 directive: what organisations need to know about cyber security

8. April 2026

In many organisations, cyber security is still seen primarily as a technical issue — something that sits squarely with the IT department. At the same time, dependence on digital systems, external service providers and interconnected processes continues to grow year by year. Cyber attacks are also becoming more professional and, with the increasing use of AI, more complex.

With the Network and Information Security Act 2026 (NISG 2026), Austria’s implementation of the NIS2 Directive, security measures and incident reporting obligations are becoming legally binding. From 1 October 2026, organisations within scope must be able to demonstrate that cyber security is managed in a structured, documented and continuous way. For many, this goes far beyond a technical challenge. It requires organisational change that questions and reshapes existing structures.

Before discussing implementation steps, it is worth taking a closer look at the requirements and how they evolved.

What is NIS2 and why does it exist?

The original NIS Directive (Network and Information Security) was introduced in 2016 to harmonise cyber security for critical infrastructure across the EU. It was the first attempt to define minimum cyber security standards at EU level. Over time, however, it became clear that its scope was too limited. The threat landscape had changed, and the directive had become outdated. Cyber attacks grew more sophisticated, organisations more interdependent, and supply chains more deeply interconnected.

In response, the EU fundamentally revised the directive in 2022 and expanded it into what is now known as NIS2. Its aim is to reduce regulatory differences between member states and limit room for interpretation.

NIS2 has been in force across the EU since January 2023 and obliges all member states to transpose it into national law. Although the deadline for implementation was 17 October 2024, most member states missed it. In Austria, transposition is taking place through the NISG 2026.

While EU‑wide minimum standards apply everywhere, national details differ slightly. For internationally active organisations, this means complying with European baseline requirements while also addressing country‑specific rules.

What changes with NIS2 and the NISG 2026?

NIS2 is not just another security guideline — it represents a significant expansion and tightening of existing requirements.

Expanded scope

NIS2 applies to far more organisations than its predecessor. It now includes not only traditional critical infrastructure sectors such as energy, healthcare and transport, but also organisations considered essential due to their size or sector relevance. The objective is to cover services and sectors that are vital for economic and social stability within the internal market.

Obligations instead of recommendations

Security measures must not only be introduced, but demonstrably practised. Organisations are required to establish a formal framework — an Information Security Management System (ISMS) — that ensures compliance with security requirements. Documentation and auditability are central. An ISMS based on ISO 27001 is a recognised way of meeting structured risk management, incident reporting and security requirements.

Risk management as a core principle

NIS2 sets concrete requirements for risk management measures, including how they are applied. It mandates systematic risk assessments, targeted vulnerability management and a robust security concept. The goal is to prevent cyber attacks or at least limit their impact. Proactive identification of risks forms the foundation of NIS2 implementation.

Focus on supply chain management

Most organisations rely on numerous external suppliers — from hardware, software and networks to power providers and data centres. A single insecure supplier can jeopardise the stability of the entire organisation. NIS2 therefore places strong emphasis on assessing and documenting the security of IT service providers and external partners.

One project supported by our expert illustrates the complexity involved: identifying all relevant service providers alone required several extensive work packages. Many organisations are unaware of how many systems and partners are embedded in their core processes until a security initiative forces transparency.

Management responsibility

Governing bodies carry explicit responsibility. Senior management must actively enforce cyber security and ensure compliance. This includes clearly defined roles, escalation paths and employee training. Management themselves must also participate in cyber security training.

In cases of non‑compliance or gross negligence, executives may face personal liability. Responsibility cannot be delegated entirely to staff or external providers. In addition to personal consequences, organisations risk fines of up to €10 million or 2% of global annual turnover.

Who is affected?

Cyber security is particularly critical for sectors such as energy, transport, water, healthcare and public administration. Failures here can have severe societal consequences. A power outage, a disrupted wind farm or halted rail traffic affects entire regions, not just individual companies.

However, NIS2 also affects organisations outside officially designated critical infrastructure. Many act as suppliers or service providers to critical systems. A vulnerability in a smaller organisation can have far‑reaching consequences. Cyber security therefore extends beyond internal systems and always forms part of a broader ecosystem.

Cyber security operates on three levels

According to cyber security expert Mag. Walter Sedlacek, MSc, MBA, sustainable cyber security rests on three levels: technology, processes and organisation. Only by addressing all three can a resilient security architecture be achieved. Too often, organisations focus mainly on technology while underestimating the importance of processes and organisational structures.

1. Technology

Firewalls, encryption, authentication and monitoring are essential — they form the technical foundation. But technology alone is insufficient. It only protects what it covers. Even state‑of‑the‑art security infrastructure becomes ineffective if organisational or process‑related gaps exist. Many organisations invest heavily in technology while overlooking other attack vectors.

2. Processes

Many successful cyber attacks exploit processes rather than systems. Processes often evolve uncontrolled and are rarely reviewed from a security perspective.

An example from one project illustrates this clearly: a security consultant was tasked with obtaining sensitive salary data within one hour. No one believed it possible — SAP was well protected. Yet within ten minutes, the data was accessed. The consultant did not attack the technical system. Instead, he analysed the process and assumed the executive assistant had access. He was right. The salary data was stored in an unprotected Excel file on the assistant’s laptop, where it was handled before being entered into the system.

Such cases are not exceptions but surprisingly common. Security gaps frequently arise when processes are unclear, overly complex or undocumented.

3. Organisation

Cyber security is only as strong as its weakest link. Even the best technology and processes fail if responsibilities are unclear. In many organisations, cyber security sits “somewhere in IT”, while no one truly feels accountable.

Cyber criminals exploit this deliberately, increasingly relying on social engineering rather than technical attacks. They target people — the weakest link in the security chain — by impersonation or exploiting trust.

In one example, an actor was hired as an employee. His credentials were never verified. Within days, through conversations, visible passwords and careless information sharing, he obtained access to sensitive security‑relevant information. Again, the failure was organisational, not technical.

Why NIS2 is an organisational project

Many organisations engage with cyber security only after an incident — a system failure, data loss or imminent audit. Reactive action is usually more expensive and more error‑prone than proactive planning. Often, isolated measures are introduced instead of a sustainable security framework. A single tool, training session or audit changes little if unchecked processes remain.

NIS2 aims to ensure that risk management measures work long term. Achieving this requires strategic structures, professional project management and strong leadership. A NIS2 initiative resembles any major change programme: it needs a realistic starting point, clearly defined responsibilities and a structured plan integrated into day‑to‑day operations.

For this reason, many organisations choose external expertise — not due to lack of internal skills, but because cyber security programmes demand specialised experience that cannot be built on the side.

Cyber security is only as strong as its weakest link

The NISG 2026 highlights just how tightly technology, processes and organisation are intertwined — and how vulnerable organisations can be at these interfaces. Complex supply chains, increasing dependencies, growing use of AI and professionalised cyber attacks are no longer abstract risks.

Those who act early gain time to understand their security posture. Those who wait are forced to react under pressure — increasing the likelihood of mistakes. Last‑minute compliance measures may be formally correct but practically ineffective.

Our conclusion: Cyber security does not result from isolated actions or protecting individual departments. It is a cross‑organisational initiative — and the greatest weaknesses usually lie not in technology, but in processes and organisational structures.

Key takeaways

  • The scope of NIS2 is significantly broader than the original NIS directive.
  • The NISG 2026 makes NIS2 legally binding in Austria.
  • Under NIS2, managing directors carry personal liability for breaches of duty.
  • Cyber security is built on technology, processes and organisation.
  • Many real‑world attacks occur via process or organisational weaknesses.
  • Supply chains are becoming a central attack surface.
  • NIS2 requires structured action and clearly defined accountability.
  • Early action reduces risk and avoids rushed last‑minute implementations.

About the author

Mag. Walter Sedlacek, MSc, MBA is Managing Director of next level consulting APAC and an IT security expert.