NISG 2026 — Employee Training Obligation: What Austrian Companies Must Implement by October

By Fabian Hable · April 2026 · Updated: July 10, 2026

On December 23, 2025, Austria's Network and Information Systems Security Act 2026 (NISG 2026) was published in the Federal Law Gazette. With that, the European NIS2 Directive is now applicable law in Austria as well. The central obligations enter into force on October 1, 2026 — with no transition period.

For around 4,000 companies in Austria this means: security awareness training is no longer voluntary. It is a documentable compliance obligation that directly concerns management.

This article explains what the NISG 2026 specifically requires, who is affected, and how companies can implement the training obligation pragmatically.

What the NISG 2026 Requires of Companies

The NISG 2026 transposes the European NIS2 Directive into Austrian law. The core obligations are based on Articles 20 and 21 of the directive and can be summarized in three areas.

First, members of management must personally attend cybersecurity training. This is not something to delegate to the IT department — management itself must demonstrate sufficient knowledge to assess cybersecurity risks and make management decisions.

Second, companies must regularly offer training to all employees so they can recognize risks and respond appropriately. The law speaks of "sufficient knowledge and skills to identify and assess risks".

Third, these measures must be documented. In an audit or after a security incident, the company must be able to demonstrate that training took place, which topics were covered, and who participated.

The sanctions are substantial: up to 10 million euros or 2 percent of worldwide annual turnover. In addition, authorities can prohibit individuals in management from exercising their function.

Training Obligation for Governing Bodies (Section 31) — Why Employee Training Is Not Enough Here

One point is frequently overlooked in practice: the NISG 2026 contains two separate training obligations. Section 31 obliges managing directors and board members personally to attend cybersecurity training designed specifically for governing bodies. The general awareness training for the workforce explicitly does not fulfill this obligation — not even if management participates in it.

For both levels: participation must be evidenced. The law does not specify fixed repetition intervals — how often training takes place is to be determined and justified on a risk basis within the company. Whoever plans the training should therefore budget and document the leadership level and the workforce separately.

Who Is Affected?

The NISG 2026 distinguishes between "essential" and "important" entities. The classification depends on the sector and the company size.

Affected are companies from 18 defined sectors — including energy, transport, healthcare, digital infrastructure, food production, waste management, and manufacturing. A company falls under the NISG if it employs at least 50 people, or generates annual turnover of more than 10 million euros and has a balance sheet total of more than 10 million euros.

Important: companies that do not fall directly under the law can also be affected — namely as part of the supply chain of an affected company. The NISG 2026 requires affected entities to consider cybersecurity risks in their supply chain. In practice this means customers will increasingly demand evidence of security measures from their suppliers.

Affected entities must also classify themselves and register with the new Federal Office for Cybersecurity at the Ministry of the Interior — the deadline runs until December 31, 2026. This is followed by a structured self-declaration of the implemented measures (by September 2027), which include the training.

What "Sufficient Knowledge and Skills" Means

The law does not define in detail which topics a training must cover. There are, however, clear points of orientation.

ENISA (the European Union Agency for Cybersecurity) recommends the following core topics for employee training: recognizing phishing and social engineering, secure password practices and authentication, secure handling of mobile devices and remote access, physical security in the workplace, reporting processes for security incidents, and handling AI tools and shadow IT.

What matters is not the length of the training but that it demonstrably took place, covered relevant topics, and is repeated regularly. A one-off 30-minute video from two years ago will not convince any auditor.

Documented Training Records — What Auditors Want to See

A common mistake is the assumption that an email with the subject "Please have a look at this PDF" counts as a training record. Auditors expect more.

A solid training record contains: the participant's full name, the date of the training, the topics covered, a form of learning verification (quiz, assessment), and the confirmation of the provider or platform. Ideally, there is also an aggregated company report showing how many employees were trained, which topic areas are covered, and where gaps remain.

Digital training platforms generate these records automatically. Whoever relies on classroom training must keep attendance lists and document content — a considerably higher effort.

Implementation in Practice — Three Paths

For practical implementation, there are three proven models that can also be combined.

The first path is a cloud training with email login. Employees sign in with their email address and receive an access code — no password, no IT rollout required. This also works for employees without a company laptop or company email, for instance in production or logistics.

The second path is a SCORM package for your own LMS. Companies that already use a learning management system such as SAP SuccessFactors or Moodle can import a SCORM 1.2 package. The content runs directly in the existing system, and the LMS handles the tracking.

The third path supplements the training with your own phishing campaign. Regular, unannounced test emails show whether what was learned arrives in everyday work — strong evidence of effectiveness toward auditors. Important for data protection and the works council: execution is best kept in-house (your own IT or a tool of your choice) so that no employee data flows to third parties — external support is brought in for concept, design, and evaluation logic.

Deadlines at a Glance

The most important dates at a glance:

Companies that start implementation now still have enough time for a structured rollout. Whoever waits until summer risks a hectic last-minute implementation — and in the worst case, incomplete documentation at the first review.

Frequently Asked Questions About the NISG 2026 Training Obligation

From when does the training obligation apply?

The obligations enter into force on October 1, 2026 — with no transition period. The law itself has been published in the Federal Law Gazette since December 23, 2025.

Does the training obligation apply to all employees?

Affected entities must regularly offer awareness training to all staff. For managing directors and boards, an additional, stricter obligation under Section 31 applies — general employee training explicitly does not fulfill it.

How often must training be repeated?

The NISG 2026 does not prescribe a fixed interval; repetition is to be determined on a risk basis. In practice, an annual rhythm with refreshers during the year has become established — a one-off training does not count as "regular".

What records do auditors demand?

Per participant: name, date, topics covered, a learning verification (e.g. a quiz), and the confirmation of the platform or provider. Ideally also an aggregated company report on participation rates and topic coverage.

What are the penalties for violations?

Fines of up to 10 million euros or 2% of worldwide annual turnover. Failure to register can be penalized with up to 100,000 euros; individuals in management can additionally be prohibited from exercising their function.

This article provides general orientation on the training obligation under Austria's NISG 2026. It does not replace legal advice. For an individual assessment of whether your company is affected, we recommend consulting a specialized advisor.

Start now with the free training — training records included. Learn more in the free security awareness training.

Start for free →