What NIS2 means in concrete terms for IT teams in Austria
For a long time, NIS2 was a distant regulatory goal. Since the adoption of the revised Network and Information System Security Act (NISG 2024) in Austria, that distant goal has become part of day-to-day operations. For IT teams, this means not only new obligations on paper, but also very specific requirements for processes, technologies, and the ability to demonstrate compliance.
This article is aimed at everyone who is now facing the question: What do we actually need to do—and where do we start?
Who is affected? More companies than many realize
The biggest difference from the old NIS Directive is the expanded scope. NIS2 distinguishes between “critical” and “important” facilities, thereby covering significantly more industries than before. In addition to traditional sectors such as energy, transportation, healthcare, and finance, areas such as digital infrastructure, manufacturing, waste management, food production, and public administration now also fall under the regulation.
In Austria, this affects an estimated several thousand companies—many of them for the first time. The criterion here is not only the industry sector but also the size of the company: As a rule, organizations with 50 or more employees or an annual turnover of 10 million euros fall within the scope of application. IT teams that previously had only a peripheral involvement with compliance issues are suddenly at the center of implementation.
The four core obligations that IT teams must now implement
NIS2 sets out a series of requirements that can be translated into four key areas of action.
Risk Management and Technical Measures
Companies must establish a systematic risk management framework for their network and information systems. This may sound abstract, but it entails very concrete steps: documented risk analyses, defined protective measures, and their regular review. Technically, this includes access controls, network segmentation, encryption, and structured vulnerability management.
For IT teams, this means: It is not enough to simply run firewalls and antivirus software. NIS2 requires traceable processes that demonstrate how risks are identified and which measures are derived from them.
Incident Detection and Reporting Requirements
One of the most noticeable aspects of NIS2 is the stricter reporting requirements. Significant security incidents must be reported to the competent authority within 24 hours as an early warning, followed by a detailed report within 72 hours and a final report within one month.
This requires that security incidents be reliably detected in the first place. Without a functioning Security Information and Event Management (SIEM) system and end-to-end log management, this will be nearly impossible to achieve. This is precisely where solutions like SIEMOC and LOMOC from COMPRISE come into play. As an integrated SIEM, SIEMOC offers real-time detection of security threats with a central command center for compliance reporting, fraud detection, and forensics. LOMOC complements this as a log monitoring solution that centrally analyzes and professionally visualizes system, application, and security logs—and is explicitly designed for compliance with NIS2, ISO 27001, and other frameworks.
Access Control and Identity Management
NIS2 requires robust access control mechanisms. Who is allowed to access which systems? Is privileged access specially protected? Are there traceable approval processes? These questions are not new, but NIS2 makes answering them a legal requirement.
An Identity & Access Management (IAM) system forms the operational foundation for this. With AccessKeeper, COMPRISE offers an IAM system that centrally and transparently manages users, roles, and permissions throughout the entire lifecycle. In combination with Privileged Access Management and Continuous Verification, a Zero Trust architecture can be established that meets the NIS2 requirements for access control. Those interested in learning more about this integration can find a detailed overview in the COMPRISE blog article “AccessKeeper as the Foundation for Zero Trust”.
Furthermore, NIS2 requires not only the management of access rights but also their regular review and verifiability. Identity Governance & Administration (IGA) provides precisely this strategic governance layer: recertification campaigns, segregation of duties, and seamless audit trails. The article “How Identity Governance & Administration (IGA) Extends an IAM System Like AccessKeeper” describes how IAM and IGA work together in practice.
Business Continuity and Supply Chain Security
NIS2 extends beyond a company’s own boundaries. Organizations must ensure that their supply chains and service providers also maintain an appropriate level of security. Additionally, documented emergency plans, backup strategies, and recovery procedures are required.
For IT teams, this means that not only must their own infrastructure be monitored and secured, but also the interfaces with partners and suppliers. Unified monitoring with COMMOC can help here by providing transparency across the entire IT landscape—on-premises and in the cloud.
What many underestimate: The obligation to provide evidence
It is not enough to simply implement measures. NIS2 requires that companies be able to demonstrate their compliance at any time. This applies to risk analyses, security measures, incident response processes, and, of course, access control. Anyone who has to spend weeks gathering Excel lists and email threads in the event of an audit has a problem.
That is precisely why investing in systems that automatically generate audit trails, reports, and compliance evidence is not optional—it is mandatory. Whether it’s SIEM reports from SIEMOC, log analyses from LOMOC, or authorization records from AccessKeeper—the ability to demonstrate at the push of a button who accessed which systems, when, and why is becoming a decisive factor.
Three steps IT teams can take to get started now
Even though the scope of NIS2 requirements may seem overwhelming at first, implementation can be broken down into pragmatic steps.
First: Assess impact and conduct a gap analysis. Does your company fall under NIS2? Which requirements are already covered, and where are the gaps? A structured assessment lays the foundation for everything that follows.
Second: Close critical gaps first. In practice, missing incident detection capabilities and uncontrolled access rights are the most common vulnerabilities. A SIEM system and a structured IAM are therefore often the first sensible investments.
Third: Consider accountability from the very beginning. Any measure that is not documented and auditable is only half as valuable in the context of NIS2. That is why reporting and audit capabilities should be a key criterion when selecting tools and processes.
Conclusion: NIS2 is not merely a compliance project
NIS2 implementation doesn’t just affect the legal department or the CISO – it lands directly on the IT teams’ desks. Tightening access controls, centrally logging data, detecting incidents in real time, and providing evidence at the touch of a button: these are operational tasks that require operational tools.
European solutions such as the products from COMPRISE – SIEMOC, LOMOC, AccessKeeper and COMMOC – are not only technically designed to meet these requirements, but, as products of European origin, also offer the advantage that data sovereignty and compliance are built into their very design.
Those who act now will not only ensure regulatory compliance, but will also build an IT security architecture## Conclusion: NIS2 is not merely a compliance project
NIS2 implementation doesn’t just affect the legal department or the CISO – it lands directly on the IT teams’ desks. Tightening access controls, centrally logging data, detecting incidents in real time, and providing evidence at the touch of a button: these are operational tasks that require operational tools.
European solutions such as the products from COMPRISE – SIEMOC, LOMOC, AccessKeeper and COMMOC – are not only technically designed to meet these requirements, but, as products of European origin, also offer the advantage that data sovereignty and compliance are built into their very design.
Those who act now will not only ensure regulatory compliance, but will also build an IT security architecture
Interested in this topic? – Get in touch!
Get in touch