On 13 November 2025, more than a year after the implementation deadline expired, the Austrian government presented a new draft bill for the implementation of the EU Cybersecurity Network and Information Security Directive (“NIS2 Directive”), which will be put to the vote in the Austrian Parliament on 12 December. On 6 December 2025 the German NIS2 Implementation Act entered into force.
Recent incidents, such as the security breach in a popular messenger service uncovered by researchers at the University of Vienna and SBA Research, which affected around 3.5 billion accounts, and the cyberattacks on EU airports a few months ago, are just two of many examples that highlight the urgency of clear legal provisions in cybersecurity.
The EU legislator responded to this challenge with the NIS2 Directive,[1] which Member States should have transposed into national law by 17 October 2024. Austria and Germany failed to meet this deadline, as did most other Member States; only a few, such as Hungary and Belgium, transposed it in time.[2]
Austria’s first attempt at implementation in summer 2024 failed to secure the two-thirds majority in the National Council required for constitutional provisions. The Austrian federal government is now making a new attempt and published the new draft implementation bill (“NISG 2026”) on 13 November 2025. Unfortunately, NISG 2026 fails to eliminate the ambiguities and wide scope for interpretation already present in the NIS2 Directive. This makes it difficult for companies to prepare adequately for the upcoming implementation and has caused discontent in the domestic economy. Cautious entrepreneurs recognise that implementing comprehensive cybersecurity measures requires sufficient lead time. The threat of fines of up to EUR 10 million or 2% of global annual turnover, whichever is higher, and the possibility of management being held liable for damages, add fuel to the fire.
The German NIS2 Implementation Act also contains ambiguities, causing uncertainty in the market given the potentially severe sanctions.
Broad and unclear scope raises numerous questions
NIS2 targets organisations in a number of critical sectors[3] whose failure could have serious consequences. However, some definitions are so broad that companies often do not know whether they are covered.
The NIS2 Directive does not provide any general exemptions for ancillary activities. This means that even companies whose core business does not fall within the scope of application may be regulated by NIS2 simply because of their ancillary activities. In such cases, not only the system affected by this ancillary activity, but likely the entire entity, is subject to NIS2 obligations because the NIS2 Directive regulates at the entity level.
At national level, the German NIS2 Implementation Act contains an exception for business activities that are “negligible” in relation to the entity’s overall business activities. In the explanatory memorandum to the law, the German legislator mentions as possible indicators of a “negligible business activity”, for example, the number of employees working in this area, the turnover generated by this business activity, and the balance sheet total for this area. An argument against classifying an activity as negligible would be that the business activity in question is mentioned in the shareholder agreement, articles of association or a comparable founding document. This shows that a thorough case-by-case assessment is required to determine whether this exception applies. However, the Austrian NISG 2026 does not follow this example. This means that even companies in sectors that are not actually “critical” must deal with the definitions in NIS2 to ensure that ancillary activities do not lead to applicability and, if necessary, avoid such applicability through strategic measures.
Due to the low thresholds for applicability (where thresholds apply at all) and the addition of data from partner or linked enterprises within the meaning of Commission Recommendation 2003/361/EC, numerous smaller companies will also fall within the scope of application. However, the German NIS2 Implementation Act provides an exception: when assessing whether a company is covered, the data from partner or linked companies is not added if, based on the legal, economic and factual circumstances with regard to the nature and operation of the information technology systems, components and processes, the company being assessed is independent of its partner or linked companies. According to the explanatory memorandum to the law, this is in particular the case if the company itself makes fundamental decisions on the procurement and operation of its IT systems. For example, according to the explanatory memorandum, if the IT systems are entirely operated by a parent company, independence is regularly denied; if, however, the IT systems are operated by a service provider on behalf of the company, independence is regularly affirmed. Again, a thorough case-by-case assessment is required to determine whether this exception applies. The Austrian NISG 2026 includes a similar exception.
The existing legal uncertainties and the wide scope of application are major obstacles for companies. Depending on the company structure and existing cybersecurity standards, extensive measures may be necessary, requiring time and resources. That companies are sometimes unclear as to whether they are subject to the strict regulations at all, and that extensive checks are often necessary to reach a conclusion, cannot be the intention of legislation that aims to strengthen domestic cybersecurity.
Challenges from NIS2 implementation laws across Member States
NIS2 contains complex rules on jurisdiction that vary depending on the sector. In principle, a company falls under the jurisdiction of the EU Member State in which it is established. For NIS2, this means that the business activity must be carried out permanently and effectively through a fixed establishment, regardless of whether it is a branch or a subsidiary.
Special rules of jurisdiction apply to certain digital services, such as managed services, managed security services, cloud services, data centres and online marketplaces. The decisive factor here is the Member State in which the key decisions on cybersecurity risk management are made. If that Member State cannot be clearly determined, the Member State in which the security measures are implemented or in which the establishment with the highest number of employees within the EU is located may be considered as an alternative. If a company in the aforementioned areas is not established in the EU, a representative must be appointed within the EU, and the representative’s place of establishment determines the local jurisdiction. If no representative is appointed, any Member State in which the company provides services may take legal action for violation of NIS2.
As a result, a single company may be subject to the national NIS2 implementation laws of several Member States due to its different economic activities. This entails numerous difficulties. The areas of application in the Member States are often not identical, so companies must register with the authorities of several Member States and, under certain circumstances, report security incidents to several authorities. In addition, companies in these cases are subject to the obligations to implement security measures under each of these laws, and because NIS2 only provides for minimum harmonisation, these obligations may differ from one another. Implementation laws in other Member States show that national legislators are making use of this option. NISG 2026, for example, provides that the cybersecurity authority can define the requirements in more detail by means of a regulation.
NIS2-regulated companies that are subject to the jurisdiction of several Member States due to their activities are burdened with having to examine the security requirements of the respective Member States in detail, analyse them and compare them in order to implement the strictest requirements in each case.
Overregulation due to lack of group privilege for IT services
Intra-group services are also not exempt. For example, if a company operates an intra-group technology helpdesk, it may be covered by the scope of NIS2. Any relaxation of the rules could only be implemented at the national level. NISG 2026 does not provide for any such relaxation.
Furthermore, it is unclear whether a group company that provides internal cloud services falls within the scope of NIS2 if, as is often the case, it is only the contractual provider and not the actual technical provider. This cannot be ruled out, because the connecting factor under NIS2 is the provision of services (in European telecommunications law, companies that offer services purely by way of resale generally also fall within the scope of the regulation). In this regard, too, companies are still waiting for clarification.
Conclusion
NISG 2026, on which the National Council will vote on 12 December, provides for a transition period of nine months. This gives covered companies some leeway, but they should not waste any time and should take the first steps now. One thing is clear: organisations that remain in the starting blocks until the official starting signal will probably not be able to cross the finish line on time.
The German NIS2 Implementation Act is already in force, so time is also running out for covered companies in Germany.
Communication channels should be established between multidisciplinary stakeholders, such as the legal department, management and the CISO, and clear areas of responsibility should be defined. From a legal perspective, it is essential to determine quickly whether an entity’s various activities fall within the scope of NISG 2026 or the German NIS2 Implementation Act. Groups of companies, in particular, should also address strategic issues at an early stage to avoid overregulation as far as possible. Furthermore, the current security standard should be assessed in good time and a gap analysis carried out, and processes should be created that enable compliance with the strict reporting regime, with its 24-hour deadlines for cybersecurity incidents, in the event of an emergency.
Unfortunately, the complexity and lack of clarity create a great deal of uncertainty for companies and lead to stagnation rather than progress. This can have devastating consequences, such as high fines, management liability and, in serious cases, significant damage and losses due to cyberattacks.
[1] For information on the scope of application and key obligations of the NIS2 Directive, see https://connectontech.bakermckenzie.com/europes-enhanced-cybersecurity-regime-who-does-nis2-apply-to-and-what-are-the-key-obligations/.
[2] See https://connectontech.bakermckenzie.com/is-europe-ready-for-nis2/.
[3] For information on the scope of application and key obligations of the NIS2 Directive, see https://connectontech.bakermckenzie.com/europes-enhanced-cybersecurity-regime-who-does-nis2-apply-to-and-what-are-the-key-obligations/.