Is My Company in Scope for NIS-2 in Germany? A Practical Test
Germany transposes Directive (EU) 2022/2555 (NIS-2) via the NIS2UmsuCG. Approximately 29,500 entities are estimated in scope, far more than the previous KRITIS regime. This guide walks you through a three-step scoping test: sector annex, size threshold and supply-chain exception, with documentation requirements for officers.
Directive (EU) 2022/2555 (NIS-2 Directive) requires Member States to apply enhanced cyber-security obligations to a far broader range of entities than its predecessor. Germany transposes the directive via the NIS-2 Implementation and Cyber-Security Strengthening Act (NIS2UmsuCG). The German federal government estimates that approximately 29,500 entities will be in scope, compared with around 4,500 under the previous KRITIS regulation. Whether your company is among them depends on three combinable tests: sector listing in Annexes I or II, the size threshold defined in Article 2 NIS-2, and the small set of automatic-inclusion exceptions that override size.
This article walks through the scoping logic step by step and points out where the German implementation deviates from the directive baseline. You will get a structured test that you can apply to your own entity, a list of the documentation triggers that follow from a positive result, and the operating-model questions that need to be answered when scope is confirmed. The objective is a defensible scope decision that an information security officer can sign and a management board can rely on. CIVAC is a compliance platform and officer-as-a-service that operationalises this decision in a workspace with an audit trail.
Auf einen Blick
- NIS-2 applies to entities listed in Annex I (highly critical sectors) or Annex II (other critical sectors) that meet the size threshold of 50 employees or 10 million euro turnover.
- Some entities are in scope regardless of size, including qualified trust service providers, top-level domain registries, providers of public electronic communications networks and public administration.
- A confirmed in-scope status triggers governance, risk management, incident notification (24 hours and 72 hours) and supply-chain duties under Sections 30 to 33 NIS2UmsuCG.
Step 1: Does your sector appear in Annex I or II of NIS-2?
Annex I of NIS-2 covers highly critical sectors: energy (electricity, district heating and cooling, oil, gas, hydrogen), transport (air, rail, water, road), banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure (internet exchange points, DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, trust service providers, public electronic communications networks, public electronic communications services), ICT service management (B2B), public administration and space. Annex II covers other critical sectors: postal and courier services, waste management, manufacture, production and distribution of chemicals, food production processing and distribution, manufacturing (specifically medical devices, computer/electronic/optical products, electrical equipment, machinery, motor vehicles, other transport equipment), digital providers (online marketplaces, online search engines, social networking services platforms) and research.
The German NIS2UmsuCG implements these annexes in its Section 28 catalogue. If your principal activity falls within an annex, you proceed to the size test. If you operate in multiple sectors, each entity within the group is assessed separately. A holding company that itself does not perform an annex activity is typically not in scope, while its operating subsidiaries can be. The information security officer takes lead responsibility for documenting this sector mapping, with input from legal and corporate structure data. Bestellurkunde, unterschrieben, abgelegt, belegbar.
Step 2: Do you meet the size threshold?
Article 2(1) NIS-2 references the medium-sized enterprise definition under Recommendation 2003/361/EC. An entity is in scope if it employs at least 50 staff or has an annual turnover or annual balance-sheet total of at least 10 million euro. The directive distinguishes two categories above this floor. Essential entities are large entities (250+ employees, or 50+ million euro turnover and 43+ million euro balance sheet) in the Annex I sectors, or any entity specifically designated as essential by the Member State or directly listed in Article 3(1) NIS-2 (such as qualified trust service providers, top-level domain registries, public electronic communications networks and providers of public electronic communications services). Important entities are medium-sized entities in Annex I sectors, all in-scope entities in Annex II sectors that are not classified as essential, and entities specifically designated as important.
The size calculation includes partner and linked enterprises within the meaning of the SME Recommendation. Group structures therefore need an entity-level assessment that explicitly addresses partner thresholds and linked-entity consolidation. For German entities, the calculation must include staff and turnover of foreign subsidiaries where the linked-enterprise test under Article 3 of the Annex to Recommendation 2003/361/EC is met. A medium-sized German entity that becomes large through linked German and EU group entities can become essential. The size test result, with supporting evidence, is part of the scope dossier that the responsible officer files in the workspace.
Step 3: Are you in scope regardless of size?
Article 2(2) NIS-2 lists categories of entities that are in scope regardless of size. These include providers of public electronic communications networks or publicly available electronic communications services, trust service providers, top-level domain name registries, DNS service providers and providers of qualified trust services. Public administration entities at central and (depending on Member State choice) regional level are also covered. Germany has implemented this in Section 28 NIS2UmsuCG and specifies the public administration scope further in Section 29.
Two additional triggers can pull a small or micro entity into scope. First, Article 2(4) NIS-2 allows Member States to designate specific entities below the threshold as essential or important on the basis of risk relevance. Germany makes use of this for selected sectors. Second, Article 2(2)(b) and (c) extend scope to entities where disruption would have significant impact on public safety, public security or public health, including some sole-providers in their sector. Furthermore, KRITIS operators under the BSI-Kritisverordnung that are not otherwise captured remain in scope, with KRITIS-specific duties under Section 8a BSIG converging into the new framework. Officers should also check whether they qualify as digital service providers in the meaning of Annex I point 8, where the size threshold still applies but the regime is more prescriptive than for other digital providers under Annex II.
Reading the German NIS2UmsuCG specifics
The NIS2UmsuCG is the German law that transposes Directive (EU) 2022/2555 and supersedes parts of the BSI-Gesetz. Section 28 contains the catalogue of in-scope sectors, Section 29 lists the federal administration entities, and Section 30 sets out the risk-management duties. Section 32 specifies the incident notification timelines: 24-hour early warning, 72-hour detailed notification, intermediate updates on request, and a final report within one month. Section 33 introduces management board accountability with personal duties: the management board must approve the risk-management measures, oversee implementation and undergo specific training. Failure can be sanctioned personally under Section 64 NIS2UmsuCG in addition to corporate fines.
For essential entities, fines reach up to 10 million euro or 2 percent of total worldwide annual turnover, whichever is higher. For important entities, the cap is 7 million euro or 1.4 percent of total worldwide annual turnover. These thresholds are aligned with the directive's Article 34. The Federal Office for Information Security (BSI) is the competent supervisory authority for most sectors, with sector-specific deviations defined in the Act. Officers reporting to the management board need to capture which authority is competent for their entity, which timelines apply to their classification and which sanctions can attach in case of breach. The NIS-2 implementation overview tracks current status of the federal legislative process. Frist läuft ab Kenntnis.
Common scope edge cases for German entities
Five edge cases generate most scoping questions in practice. First, manufacturers of medical devices under Annex II point 5 sub-paragraph (a): if you produce devices under Regulation (EU) 2017/745, you are in an Annex II sector regardless of whether you are classified as a manufacturer under the MDR. Even contract manufacturers and importers can be in scope. Second, food production, processing and distribution under Annex II point 4: industrial-scale operations meeting the size threshold are in scope, while small retail food businesses typically are not.
Third, B2B information and communication technology service management under Annex I point 8: managed service providers and managed security service providers are explicitly addressed. Whether classified as essential or important depends on size. Fourth, research entities under Annex II point 7: only research organisations conducting research and development of products that play a key role in economic activity or relate to national security are in scope; pure academic research is generally outside scope. Fifth, group entities: each legal entity is assessed individually, but linked-enterprise consolidation under the SME Recommendation can push a medium-sized German entity into the essential category, especially if it has foreign group affiliations. A documented scoping decision per entity, signed by the responsible officer, prevents downstream disputes with the supervisory authority. Andere führen Compliance wie einen Aktenschrank. Wir führen sie wie Software.
Documentation triggered by an in-scope status
A confirmed in-scope status triggers a structured documentation package. The risk-management measures under Section 30 NIS2UmsuCG must be documented and cover at least: policies on risk analysis and information security, incident handling, business continuity and crisis management, supply-chain security, security in network and information systems acquisition and development, policies to assess effectiveness of risk-management measures, cyber-hygiene practices and training, cryptography, human resource security, access control, asset management, multi-factor authentication and secured communications. ISO/IEC 27001:2022 with its 93 controls is the recognised baseline for satisfying these duties, but other frameworks (such as the BSI IT-Grundschutz) are accepted where coverage is comparable.
The incident notification process must be documented end-to-end: detection thresholds aligned with the BSI definition of significant incidents, internal escalation, drafting of the 24-hour early warning, drafting of the 72-hour notification, the legal classification decision and the records of communications with the competent authority. Supply-chain duties under Section 30(2) NIS2UmsuCG require a documented assessment of the security of the supply chain and direct supplier relationships, including criteria for selecting suppliers and the contractual security obligations. Management board training records under Section 33 NIS2UmsuCG must be kept on file. The CIVAC workspace organises this documentation around the 490 ready-to-use audit templates and links each record to the underlying NIS2UmsuCG section. Der Prüfer ruft an, der Nachweis liegt bereit.
Officer roles and the operating model
NIS-2 does not prescribe a single officer title, but in German practice the duties cluster around the information security officer, who reports to the management board. For essential entities, an explicit reporting line and regular reporting cadence are expected. The information security officer coordinates with the data protection officer where personal data is affected by an incident, with the compliance officer where management board duties under Section 33 NIS2UmsuCG meet broader governance obligations, and with the internal whistleblowing channel where insider reports of significant incidents arise.
The operating model question is whether to staff this internally or to use external officers. Internal staffing builds institutional knowledge but takes 2 to 6 weeks to find and onboard suitable candidates, and turnover is a known weak point. External officer-as-a-service models close the gap quickly: CIVAC appoints qualified officers within a 2 business-day SLA, with a documented Bestellurkunde and reporting line to the management board. Lizenzieren Sie den Workspace für Ihre internen Beauftragten oder lassen Sie unsere Beauftragten bestellen. The dual model lets entities choose per role, often combining an internal information security officer with externally appointed data protection officer, compliance officer or supply-chain audit lead. Both setups produce the same artefacts in the workspace and the same documented reporting line.
When to revisit your scoping decision
NIS-2 scope is not a one-time decision. Several events should automatically trigger a re-assessment. First, mergers and acquisitions: an in-scope acquirer that buys a target operating in a different annex sector creates a multi-sector entity with parallel obligations. The acquirer must consolidate scope across all annex activities. Second, organic growth past the size threshold: a previously out-of-scope medium-sized entity moves into scope at 50 employees or 10 million euro turnover. The internal monitoring should align with annual financial reporting, with a review scheduled within 60 days of the year-end close.
Third, regulatory updates: the European Commission can update Annexes I and II through delegated acts, and the German federal government adjusts Section 28 NIS2UmsuCG via amending legislation. Quarterly review of the BSI guidance and the EUR-Lex feed for Directive 2022/2555 is a low-cost safeguard. Fourth, supply-chain reclassification: contractual obligations on the supply chain mean that an out-of-scope supplier may still face NIS-2-equivalent requirements imposed by an in-scope customer. These contractual cascades increasingly drive de-facto scope. Fifth, KRITIS designation: an entity newly designated under the BSI-Kritisverordnung enters scope under both the KRITIS and NIS-2 regimes, with overlapping but distinct duties. The workspace tracks the trigger events and prompts the officer to re-run the three-step test. Audit-fest, dokumentiert, paragraph-fest.
From scoping decision to live operating model with CIVAC
The scoping decision is the entry door, not the destination. Once you confirm that your entity is in scope, the operational programme spans: risk-management measures under Section 30, incident notification capability under Section 32, supply-chain security under Section 30(2), management board accountability and training under Section 33, and ongoing reporting to the competent authority. Building this from scratch typically takes 6 to 12 months. Buying it ready-configured shortens the timeline materially.
CIVAC is a compliance platform and officer-as-a-service with EU data residency and an ISO/IEC 27001:2022-certified information security management system. The workspace ships with a NIS-2 scope test, the 490 audit templates aligned to Section 30 measures, the 24-hour and 72-hour notification drafting workflow, and a supply-chain security register. Lizenzieren Sie den Workspace für Ihre internen Beauftragten oder lassen Sie unsere Beauftragten bestellen. The CIVAC SLA for officer appointment is 2 business days.
Aus dem Lesen einen Auftrag machen: write to info@civac.de or use the contact form on civac.de for a 45-minute structured scoping conversation. You receive a written scope determination with annex mapping, size assessment, identified exceptions and the resulting documentation backlog. From there, the workspace setup is a matter of days, not months. Der Prüfer ruft an, der Nachweis liegt bereit.
FAQ
Does NIS-2 apply automatically on the directive date or only after German transposition?
NIS-2 applies in Germany through the NIS2UmsuCG. The directive set a transposition deadline of 17 October 2024; the German law has been delayed and is expected to take effect in 2026. Obligations are legally binding once the NIS2UmsuCG enters into force. Sensible preparation should not wait for the formal date: most measures take months to implement, and supply-chain customers already require evidence today.
How is the size threshold calculated for group entities?
Article 2 NIS-2 references the medium-sized enterprise definition under Recommendation 2003/361/EC. Partner and linked enterprises are included in the calculation. A medium-sized German entity that is part of a larger group with linked enterprises must aggregate staff and turnover, which can push it from out-of-scope to important entity or from important to essential, with the corresponding heavier obligations.
What if my company is below 50 employees but provides services to KRITIS operators?
Direct NIS-2 obligations typically do not apply below the size threshold, but indirect duties through customer contracts increasingly do. KRITIS operators must secure their supply chain under Section 30(2) NIS2UmsuCG and routinely impose equivalent obligations on suppliers. Documenting your security posture in a CIVAC workspace makes such customer audits significantly faster and more defensible.
Does my entity need a dedicated NIS-2 officer?
NIS-2 does not prescribe a separate officer title, but Section 30 risk-management duties and Section 33 board duties make the information security officer the natural focal point. The role can be staffed internally or via an officer-as-a-service appointment with a documented Bestellurkunde and reporting line to the management board, depending on capacity and the entity's classification as essential or important.
How does NIS-2 interact with the existing KRITIS regime?
The KRITIS framework under the BSI-Kritisverordnung continues to apply, and the NIS2UmsuCG integrates the new NIS-2 duties without removing the KRITIS designation. KRITIS operators usually qualify as essential entities under NIS-2 and face the more onerous duties. Officers should map their obligations across both regimes to avoid duplication while ensuring full coverage of sector-specific KRITIS thresholds.
What happens if we are unsure whether we are in scope?
The safest default is to run the three-step test (annex, size, exception) in writing and have the result signed by the information security officer. If the result is uncertain, document the reasoning and consult the Federal Office for Information Security or external counsel. CIVAC offers a structured scoping conversation that produces a written determination with annex mapping, size assessment and identified exceptions.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.