
A Brief Look at the NISG 2026

In a nutshell: The NISG 2026 contains unclear provisions on CSIRT capabilities that originate in an EU Parliament proposal whose substantive requirements were dropped from the final NIS2 text. Recital 44 on monitoring internet assets has no corresponding article in the legislation and creates interpretation uncertainty.

The Austrian CISO perspective on innovations in the Network and Information Security Act 2026. Little has changed between the rejected 2024 draft and the new version from November – yet two points deserve special attention and clarification.

Between the rejected 2024 draft and the text introduced on 20 November, only minor changes have been made. However, two aspects merit particular consideration.

Recital 44 of the NIS2 Directive was adopted verbatim into the explanatory memorandum of the Austrian bill. It states that CSIRTs should, on request from essential or important entities, monitor their internet-facing assets, both on and off business premises. The aim is to identify, understand and manage the entity's overall risk from newly discovered vulnerabilities in the supply chain or critical weaknesses in its own systems. Entities should tell the CSIRT whether privileged administrative interfaces are exposed, as this affects how quickly remedial measures can be taken.

**Origin and interpretation unclear**

The problem: it is unclear what EU legislation actually intends by this. While explanatory memoranda are not binding, ignoring them is unsatisfactory. Closer research reveals that this recital does not appear in the original Commission proposal, but stems from an EU Parliament compromise.

Parliament originally had far more comprehensive ideas: CSIRTs should develop technical capabilities such as real-time network monitoring with anomaly detection, intrusion prevention and detection, forensic data analysis, malware filtering and analysis of cyber threats. These technical requirements were fortunately removed from the final text – but the associated recital remained and thus hangs without a corresponding article.

This creates interpretation uncertainty: the explanatory memorandum for the NISG 2026 cites this recital when explaining “§8(1) Tasks of CSIRTs”. Presumably paragraph 1 is meant – the monitoring and analysis of cyber threats, vulnerabilities and cybersecurity incidents at national level as well as support for affected entities in monitoring their networks. But this too remains guesswork without reliable guidance.

Source: www.cert.at
