Please note: The Federal Act on the Assurance of a High Level of Cyber Security of Network and Information Systems (Network and Information Systems Security Act 2024 – NISG 2024) has not yet been adopted by the National Council and is not legally valid. The lists of sectors with high criticality and other critical sectors are included as appendices to the NISG 2024 and are therefore not yet legally valid. This also applies to all other excerpts from the NISG 2024 Act.
Essential and important facilities NIS-2
The Network and Information Systems NIS-2 Directive of the European Union defines essential and important facilities as companies and organisations that provide services that are critical to the smooth functioning of society and the economy from a cybersecurity perspective.
Excerpt from NISG 2024 [NOTE: The following is a translation of the German version of the NISG 2024, not the official English version]
§ 24. (1) The following shall be considered essential facilities:
1. regardless of the size of the company,
a. qualified trust service providers,
b. top-level domain name registers (TLD name registers),
c. domain name system service providers,
d. public administration bodies at federal level in accordance with subsection 4,
e. bodies classified as essential facilities by the Cyber Security Authority (§ 26) and
f. organisations that have been identified as critical organisations within the meaning of Directive (EU) 2022/2557;
2. organisations that operate a medium-sized enterprise as defined in § 25 (3) and are providers of public electronic communications networks and providers of publicly available electronic communications services;
3. organisations of the type listed in Annex 1 to this Act that operate a large enterprise as defined in § 25 (2).
(2) The following shall be deemed to be important organisations:
1. organisations of the type listed in Annexes 1 and 2 to this Act that operate a large or medium-sized enterprise, and
2. organisations in the public administration sector at the federal state level in accordance with subsection (5) and
3. irrespective of their size
a. providers of public electronic communications networks or publicly accessible communications services,
b. trust service providers, and
c. organisations that have been classified as important organisations by the Cyber Security Authority (§ 26 paragraph 1)
and that organisation is not already a significant organisation under subsection 1.
(3) Organisations in the public administration sector are organisations that
1. were established for the purpose of fulfilling non-commercial tasks in the public interest,
2. are subject to the supervision of the Federal Government or a Land or are bound by the instructions of a supreme body or have a management or supervisory body, the majority of whose members are appointed by federal or Land authorities or by other public-law bodies established at federal or Land level, or in which the Federal Government or a Land holds at least 50 per cent of the capital stock, share capital or equity capital or are members of the Federal Government and
3. are authorised, within the scope of their legally assigned tasks, to issue decisions that affect the rights of individuals in the cross-border movement of persons, goods, services or capital, with the exception of municipalities and associations of municipalities.
(4) Institutions in the public administration sector at federal level are institutions pursuant to para. 3 that are also appointed to deal with matters of federal administration and have either been established as federal authorities or have legal personality.
(5) Institutions in the sector of public administration at provincial level are the offices of the provincial governments and the district administrative authorities as well as institutions pursuant to para. 3 which are also appointed to deal with matters of provincial administration and have legal personality.
(6) Institutions in the public administration sector whose activities are predominantly carried out in the areas of national security, public safety, national military defence or law enforcement, as well as university, higher education and school institutions, judicial institutions, legislative institutions, including the parliamentary directorate, and the Austrian National Bank shall not be considered essential or important institutions. This paragraph shall not apply to trust service providers.
(7) For institutions that fall within the scope of Regulation (EU) 2022/2554, the relevant provisions of that Regulation and the national implementing provisions shall take precedence. This shall also apply to those organisations that have been excluded from the scope of Regulation (EU) 2022/2554 in accordance with Article 2(4) of Regulation (EU) 2022/2554 as part of national implementation.
(8) ICT third-party service providers pursuant to Art. 3 No. 23 of Regulation (EU) 2022/2554 are also subject to the provisions of this federal law.
Essential facilities
Important facilities