NIS2Compass — NIS2 Compliance Platform
NIS2Compass provides information and guidance on NIS2 compliance. The content does not constitute legal advice within the meaning of the German Legal Services Act (Rechtsdienstleistungsgesetz, RDG) and does not replace individual legal or professional advice.

© Copyright 2026 NIS2Compass. All rights reserved.
Guide

Am I Affected by NIS2? How to Check

Authored by NIS2Compass Team, NIS2 Compliance Expert
Last updated: May 28, 2026 · 10 min read
[Image: stylized decision tree in dark blue and teal against building silhouettes, representing the NIS2 applicability check with a magnifying glass and checkmark]

Whether your company falls under NIS2 depends on sector and company size. 18 sectors, size thresholds and special cases — explained step by step.

Whether your company falls under NIS2 depends on two factors: sector affiliation and company size. In Germany, approximately 29,500 entities across 18 sectors are affected. Since December 2025, all obligations apply immediately. The Pre-Check from NIS2Compass shows in just a few minutes where your company stands and which requirements you already meet.

What Does the NIS2UmsuCG Regulate Regarding Applicability?

The NIS2UmsuCG defines in §28 BSIG which companies qualify as "essential" or "important" entities. The determining factors are the sector (Annex 1 and 2 of the BSIG) and company size. Compared to the previous IT Security Act, the number of regulated entities rises from approximately 4,500 to 29,500, an increase of over 550 percent.

Why Does Germany Have Its Own National Law?

The NIS2 Directive (2022/2555) requires all member states to enact national transposition laws. In Germany, the result is the NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG). It was passed by the Bundestag on 13 November 2025 and entered into force on 6 December 2025 (BGBl. I Nr. 301).

The critical point: the law provides no transitional period. All obligations have applied immediately since it took effect.

Which Legal Provision Determines Whether a Company Is Affected?

The central provision is §28 BSIG. It defines which entities are classified as "essential" (paragraph 1) and which as "important" (paragraph 2). The classification depends on two criteria:

  • Sector affiliation: The company must operate in one of the 18 sectors listed in Annex 1 (sectors of high criticality) or Annex 2 (other critical sectors).
  • Company size: The EU thresholds for medium-sized enterprises apply: at least 50 employees OR more than 10 million euros in annual revenue.

"In consulting practice, many SMEs underestimate whether they are affected. The OR-linkage in the size thresholds catches most people off guard," explains Dr. Markus Hartmann, Senior Compliance Consultant. A company with 30 employees but 12 million euros in revenue already falls within scope.

How Big Is the Leap Compared to the Previous IT Security Act?

Under the previous IT Security Act 2.0, approximately 4,500 entities were regulated, predominantly operators of critical infrastructure. The NIS2UmsuCG now covers roughly 29,500 entities. This increase of over 550 percent primarily affects mid-sized companies that were previously not subject to any cybersecurity regulation.

The BSI registration deadline expired on 6 March 2026. Companies that have not yet registered already risk fines. The NIS2 Guide from NIS2Compass walks you through the entire implementation process step by step, from the applicability assessment to BSI registration.

Which 18 Sectors Are Affected by NIS2?

The NIS2UmsuCG covers 18 sectors, divided into two annexes. Annex 1 lists 11 sectors of high criticality, including energy, healthcare and digital infrastructure. Annex 2 names 7 other critical sectors such as manufacturing, postal and courier services, and food production.

With over 80 different types of entities, this is the most comprehensive cybersecurity regulation the EU has ever adopted. What matters for classification is not your company's industry code. Only the type of goods or services provided counts.

Which Sectors Have High Criticality?

Annex 1 of the BSIG defines 11 sectors of high criticality:

  • Energy — 5 subsectors: electricity, district heating/cooling, crude oil, natural gas, hydrogen
  • Transport — 4 subsectors: air transport, rail transport, maritime shipping, road transport
  • Banking — credit institutions as defined by CRR
  • Financial market infrastructures — trading venues and central counterparties
  • Healthcare — hospitals, laboratories, medical device manufacturers, research institutions
  • Drinking water — extraction and distribution of drinking water
  • Wastewater — collection, disposal and treatment of wastewater
  • Digital infrastructure — DNS services, TLD registries, cloud computing, data centres, CDNs
  • ICT service management (B2B) — managed service providers and managed security service providers
  • Public administration — federal government entities and certain state authorities
  • Space — operators of ground-based infrastructure

Which Other Critical Sectors Exist?

Annex 2 of the BSIG covers 7 additional sectors:

  • Postal and courier services — providers of postal services
  • Waste management — collection, transport and treatment of waste
  • Chemicals — manufacturing and trading of chemical substances
  • Food — production, processing and distribution of food products
  • Manufacturing sector — 6 subsectors: medical devices, computer equipment, electrical equipment, mechanical engineering, motor vehicles, other transport equipment
  • Digital service providers — online marketplaces, search engines, social networks
  • Research — research institutions with critical infrastructure relevance

What Applies When You Operate in Multiple Business Areas?

Many companies operate across multiple areas. §28 para. 3 BSIG governs the so-called ancillary activity rule: if your company provides services in a regulated sector, even when this is not your core business, the NIS2 obligations may still apply. A mechanical engineering company with its own logistics division, for example, could potentially fall under two sectors simultaneously.

A complete sector classification requires a thorough analysis of your business activities. The Knowledge Hub from NIS2Compass provides detailed explanations of each sector and its subsectors.

At What Size Does NIS2 Apply to My Company?

NIS2 generally applies from 50 employees, or from annual revenue and an annual balance sheet total that each exceed EUR 10 million. This size-cap rule is based on EU Recommendation 2003/361/EC. For certain types of entities, the thresholds do not apply: they fall under the regulation regardless of size.

What Thresholds Does §28 BSIG Define?

The NIS2-Umsetzungsgesetz distinguishes two categories with different thresholds. The classification determines the scope of obligations and the level of potential fines.

Essential entities (§28 para. 1 no. 4 BSIG): Companies in Annex 1 sectors with 250 or more employees or with annual revenue exceeding EUR 50 million and an annual balance sheet total exceeding EUR 43 million.

Important entities (§28 para. 2 no. 3 BSIG): Companies in Annex 1 and Annex 2 sectors with 50 or more employees or with annual revenue exceeding EUR 10 million and an annual balance sheet total exceeding EUR 10 million.

Why Is the OR-Linkage So Critical?

A common misconception: many companies only check their employee count. Yet exceeding the financial thresholds alone is enough, regardless of headcount. A company with 30 employees but EUR 15 million in revenue and a EUR 12 million balance sheet total falls under NIS2.

The reverse also holds: from 50 employees, NIS2 applies even with low revenue. Employee counts are calculated based on full-time equivalents. Part-time staff count proportionally.

Are Affiliated Companies Counted?

Yes. Under §28 para. 4 BSIG, partner and affiliated companies must be included in the calculation. If your company belongs to a corporate group, employee count, revenue and balance sheet total are assessed at group level. A standalone small subsidiary can exceed the thresholds as a result.

According to the legislative proposal (BT-Drs. 20/13184), the legislator estimates average compliance costs of EUR 86,900 per affected entity. What these costs specifically cover is analysed in the article NIS2 Consultant or DIY? A Cost Comparison.

What Does the Applicability Assessment Look Like in Practice?

A mid-sized mechanical engineering company employs 80 staff with EUR 18 million in annual revenue and a EUR 12 million balance sheet total. The company belongs to the "manufacturing sector/manufacture of goods" sector, an Annex 2 sector under the NIS2-Umsetzungsgesetz.

The assessment shows: with 80 employees, the company exceeds the threshold of 50 staff. It qualifies as an important entity under §28 para. 2 no. 3 BSIG. Even if the headcount were just below 50, the revenue and balance sheet total would exceed the financial thresholds.

The typical starting position: the IT manager bears sole responsibility for cybersecurity. There is no dedicated information security officer. This is exactly the situation the NIS2 Guide from NIS2Compass was built for, providing a structured implementation path from initial assessment to BSI registration.

Essential vs. Important: What Is the Difference?

The NIS2UmsuCG distinguishes between "essential" and "important" entities. The distinction is not academic: essential entities are subject to stricter supervision (proactive audits by the BSI) and higher penalty limits (up to EUR 10 million instead of EUR 7 million).

Who Qualifies as an Essential Entity?

The law clearly defines in §28 BSIG which organisations are classified as "essential." The category includes several groups:

  • KRITIS operators — always essential, regardless of company size
  • Qualified trust service providers, TLD registries and DNS service providers — also size-independent
  • Telecommunications providers with 50 or more employees — telecommunications is highly critical infrastructure
  • Annex 1 entities with 250 or more employees or over EUR 50 million in revenue — the standard large enterprise threshold

Who Qualifies as an Important Entity?

Important entities form the broader category. This includes Annex 1 and Annex 2 entities with 50 or more employees, non-qualified trust service providers, and telecommunications providers with fewer than 50 employees. The threshold is significantly lower; many mid-sized companies fall into this group.

Where Do the Practical Differences Lie?

The risk management obligations under §30 BSIG apply identically to both categories. Executive liability under §38 BSIG also applies equally to both. The differences concern supervision and sanctions:

  • Supervisory regime: Essential entities are subject to proactive audits by the BSI (§61 BSIG). Important entities are only supervised reactively, meaning after an incident or when there is a concrete suspicion (§62 BSIG).
  • Penalty framework: For essential entities, §65 BSIG allows fines of up to EUR 10 million or 2% of global annual revenue. For important entities, the limit is EUR 7 million or 1.4% of revenue. The NIS2 fine calculator translates these caps into a rough estimate for your own company.

KRITIS operators have a special status: they are always classified as essential and must fulfil additional requirements under §31 and §39 BSIG. Which penalties apply in detail is explained in the article NIS2 Fines: What Penalties Can You Expect?.

What Exceptions and Special Cases Exist?

Not all companies in regulated sectors are automatically affected, and some fall under the law even below the size thresholds. The NIS2UmsuCG includes size-independent applicability, exemption decrees and sector-specific special rules that make an individual assessment indispensable.

Which Companies Are Affected Regardless of Size?

Certain entities fall under the NIS2UmsuCG regardless of employee count and revenue. According to §28 para. 1 BSIG, these include KRITIS operators, qualified trust service providers, TLD registries and DNS service providers. They are always classified as essential entities, subject to the strictest obligations.

Additionally, there is the ancillary activity rule under §28 para. 3 BSIG: if a company provides only a minor portion of its services in a regulated sector, the classification may not apply. However, the threshold is narrowly defined and requires careful examination.

What Special Rules Apply to Certain Sectors?

Three industries are subject to partially different regulations:

  • Telecommunications providers: §28 para. 5 BSIG refers to the Telekommunikationsgesetz (TKG), which provides its own security obligations.
  • Financial companies: §28 para. 6 BSIG clarifies that the DORA regulation (EU 2022/2554) takes precedence. Banks and insurers fulfil NIS2 obligations primarily through DORA.
  • Energy sector: The Energiewirtschaftsgesetz (EnWG) contains its own IT security requirements that partially take precedence.

Additionally, the Federal Ministry of the Interior can issue an exemption decree under §37 BSIG, for instance when national security or defence is concerned. In practice, this occurs rarely.

How Is an IT Service Provider Classified?

A mid-sized managed service provider (MSP) employs 60 staff with EUR 8 million in revenue and a EUR 6 million balance sheet total. Although the financial figures fall below the thresholds, the employee count of 50 or more is sufficient for classification as an important entity. The size criteria are defined as an OR-linkage: exceeding a single criterion is enough.

MSPs are explicitly listed in Annex 1 of the NIS2UmsuCG (sector 9: ICT service management). This means dual applicability: directly through the company's own NIS2 obligations and indirectly through the supply chain requirements of its clients.

NIS2Compass analyses show that sector classification is the most common stumbling block in the applicability assessment. The Pre-Check from NIS2Compass helps you systematically clarify your classification in a few minutes rather than weeks of internal research.

How Do I Check My NIS2 Applicability Step by Step?

The applicability assessment follows a clear decision tree: first check for special status (KRITIS, telecommunications, trust services), then determine sector affiliation, then compare against size thresholds. The BSI provides an online tool for this purpose. NIS2Compass' Pre-Check goes one step further and also identifies the specific actions required.

Is There a Special Status That Overrides the Size Thresholds?

Some entities fall under the NIS2-Umsetzungsgesetz regardless of their size. These include KRITIS operators, trust service providers, TLD registration authorities, DNS service providers and telecommunications providers. Check first whether your company belongs to one of these categories. If so, applicability is already established.

Which Sector Does My Company Operate In?

§28 BSIG defines the affected sectors in two annexes. Annex 1 lists sectors of high criticality (energy, transport, banking, healthcare, water, digital infrastructure, space). Annex 2 covers other critical sectors (postal services, waste, chemicals, food, manufacturing, digital services, research). Assign your main activity to one of these sectors.

Does My Company Exceed the Size Thresholds?

The thresholds operate as an OR-linkage: at least 50 employees or more than 10 million euros in annual revenue or more than 10 million euros in balance sheet total. Meeting a single criterion is enough. You reach essential entity status from 250 employees or EUR 50 million in revenue; below that, you qualify as an important entity.

What Obligations Arise from the Category?

In the final step, you identify your specific obligations: §33 BSIG (BSI registration), §32 BSIG (reporting obligations for security incidents), §30 BSIG (risk management measures) and §38 BSIG (executive liability). The BSI registration portal was launched on 6 January 2026, and the 3-month deadline expired on 6 March 2026. The NIS2 Guide from NIS2Compass walks you through all obligations across 8 structured chapters.
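The three-step decision tree described above (special status, then sector, then size thresholds, with group-level aggregation under §28 para. 4 BSIG) can be written down as a small classifier. The following is an added example, not the NIS2Compass Pre-Check or the BSI's online tool, and it encodes the thresholds as this page states them in "What Thresholds Does §28 BSIG Define?" (50+ employees, or revenue and balance sheet total both above EUR 10 million; 250+ employees, or revenue above EUR 50 million and balance sheet total above EUR 43 million, for the essential tier in Annex 1 sectors). Class and field names such as `Entity`, `Figures` and `tld_or_dns_provider` are assumptions made for this example, the sample entities are constructed, and the ancillary activity rule and the exception for independently operated IT systems within a group are deliberately not modelled:

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Category(Enum):
    """Outcome of the §28 BSIG applicability check as described on this page."""
    ESSENTIAL = "essential entity"
    IMPORTANT = "important entity"
    NOT_IN_SCOPE = "not in scope"


@dataclass(frozen=True)
class Figures:
    """Size figures of one legal entity (field names are assumptions for this example)."""
    employees_fte: float        # headcount in full-time equivalents (part-time counts pro rata)
    revenue_eur: float          # annual revenue
    balance_sheet_eur: float    # annual balance sheet total


@dataclass(frozen=True)
class Entity:
    name: str
    figures: Figures
    annex: Optional[int] = None        # 1 = high criticality, 2 = other critical, None = outside the 18 sectors
    kritis_operator: bool = False
    qualified_trust_provider: bool = False
    trust_provider: bool = False       # non-qualified trust service provider
    tld_or_dns_provider: bool = False
    telecom_provider: bool = False


def aggregate_group(members: Iterable[Figures]) -> Figures:
    """§28 para. 4 BSIG: partner and affiliated companies are assessed at group level,
    so the figures of all group members are summed before the thresholds are applied."""
    members = list(members)
    return Figures(
        employees_fte=sum(m.employees_fte for m in members),
        revenue_eur=sum(m.revenue_eur for m in members),
        balance_sheet_eur=sum(m.balance_sheet_eur for m in members),
    )


def meets_important_threshold(f: Figures) -> bool:
    """§28 para. 2 no. 3: 50+ employees OR (revenue > EUR 10m AND balance sheet > EUR 10m)."""
    return f.employees_fte >= 50 or (f.revenue_eur > 10e6 and f.balance_sheet_eur > 10e6)


def meets_essential_threshold(f: Figures) -> bool:
    """§28 para. 1 no. 4: 250+ employees OR (revenue > EUR 50m AND balance sheet > EUR 43m)."""
    return f.employees_fte >= 250 or (f.revenue_eur > 50e6 and f.balance_sheet_eur > 43e6)


def classify(e: Entity) -> Category:
    """Three-step decision tree: special status, then sector, then size thresholds."""
    f = e.figures
    # Step 1: size-independent special status (§28 para. 1 BSIG)
    if e.kritis_operator or e.qualified_trust_provider or e.tld_or_dns_provider:
        return Category.ESSENTIAL
    if e.telecom_provider:
        # 50 or more employees -> essential, fewer -> important
        return Category.ESSENTIAL if f.employees_fte >= 50 else Category.IMPORTANT
    if e.trust_provider:
        return Category.IMPORTANT
    # Step 2: sector affiliation (Annex 1 or Annex 2 of the BSIG)
    if e.annex not in (1, 2):
        return Category.NOT_IN_SCOPE
    # Step 3: size thresholds; the essential tier exists only for Annex 1 sectors
    if e.annex == 1 and meets_essential_threshold(f):
        return Category.ESSENTIAL
    if meets_important_threshold(f):
        return Category.IMPORTANT
    return Category.NOT_IN_SCOPE


def classify_subsidiary_in_group(subsidiary: Figures, other_members: Iterable[Figures], annex: int) -> Category:
    """Classify a subsidiary once the group's figures are aggregated under §28 para. 4."""
    total = aggregate_group([subsidiary, *other_members])
    return classify(Entity("group view", total, annex=annex))


# Constructed sample entities mirroring the worked cases on this page
SAMPLES = {
    "machine builder (Annex 2, 80 FTE)": Entity("machine builder", Figures(80, 18e6, 12e6), annex=2),
    "MSP (Annex 1, 60 FTE, small revenue)": Entity("msp", Figures(60, 8e6, 6e6), annex=1),
    "small firm, large figures (Annex 2)": Entity("trader", Figures(30, 15e6, 12e6), annex=2),
    "DNS provider, 10 FTE": Entity("dns", Figures(10, 1e6, 1e6), annex=1, tld_or_dns_provider=True),
    "telecom, 30 FTE": Entity("telco", Figures(30, 4e6, 3e6), annex=1, telecom_provider=True),
    "energy utility, 300 FTE": Entity("utility", Figures(300, 120e6, 90e6), annex=1),
    "unregulated sector, 500 FTE": Entity("consultancy", Figures(500, 60e6, 50e6), annex=None),
}


if __name__ == "__main__":
    for label, entity in SAMPLES.items():
        print(f"{label:40} -> {classify(entity).value}")
    sub, parent = Figures(20, 3e6, 2e6), Figures(40, 9e6, 8e6)
    print("subsidiary standalone     ->", classify(Entity("sub", sub, annex=2)).value)
    print("subsidiary at group level ->", classify_subsidiary_in_group(sub, [parent], annex=2).value)
```

The group case is the one worth running: a subsidiary with 20 FTE and EUR 3 million revenue is out of scope on its own, but once its parent's 40 FTE are added the aggregated 60 FTE cross the 50-employee line and the subsidiary becomes an important entity, which is exactly the effect described under "Are Affiliated Companies Counted?". The MSP case likewise shows the OR-linkage: both financial figures are below EUR 10 million, yet 60 employees alone settle the classification.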

What Are the Next Steps If I Am Affected?

Affected companies must register with the BSI, implement 10 risk management measures under §30 BSIG, establish reporting processes and involve executive management. NIS2Compass supports this process across 8 chapters with ready-made templates and a structured NIS2 Implementation Guide.

Is BSI Registration Still Possible?

The registration deadline under §33 BSIG expired on 6 March 2026; the obligation remains. Companies that have not yet registered should do so without delay. Non-compliance risks fines of up to EUR 500,000. Registration is completed via the BSI portal and requires information on contact details, sector and IT infrastructure.

What Measures Does Risk Management Require?

§30 BSIG defines 10 areas of measures, including risk analysis, incident response, business continuity, supply chain security, cryptography and access controls. These measures must correspond to the state of the art and be proportionate. NIS2Compass covers all 10 areas with concrete steps and over 20 ready-made templates.

How Do the Reporting Obligations Work?

§32 BSIG prescribes a three-stage reporting procedure. An initial report must be submitted to the BSI within 24 hours. An updated report with a preliminary assessment follows within 72 hours. A final report must be submitted within one month at the latest. Without an established reporting process, you risk not only fines but also delayed responses to actual incidents.

Why Does NIS2 Also Affect Executive Management Personally?

Executive liability under §38 BSIG cannot be delegated. Managing directors and board members must approve the risk management measures, oversee their implementation, and regularly attend training. In the event of a breach of duty, they are personally liable. This topic requires early involvement. The article on NIS2 and ISMS shows which gaps existing management systems typically have.

Frequently Asked Questions

Does NIS2 Also Apply to Companies with Fewer Than 50 Employees?

Generally not: the size-cap rule applies at 50 employees or EUR 10 million in annual revenue. However, the legislator has defined exceptions: qualified trust service providers, TLD registries, DNS service providers and KRITIS operators fall under the NIS2UmsuCG regardless of their size. Additionally, indirect applicability through supply chain requirements can arise when regulated clients demand security certifications.

Do I Have to Register with the BSI?

Yes. Essential and important entities are required to register with the BSI (§33 BSIG). The deadline expired on 6 March 2026. Late registration remains mandatory. The BSI portal has been live since 6 January 2026. Failure to register risks fines of up to EUR 500,000. The NIS2 Guide from NIS2Compass walks you through the registration process step by step.

What Is the Difference Between NIS2 and the IT Security Act?

The NIS2UmsuCG replaces the IT Security Act 2.0. The most significant change: the scope of affected companies grows from approximately 4,500 to roughly 29,500 entities. Instead of 10, the law now regulates 18 sectors. The size thresholds drop considerably. New is the personal liability of executive management for breaches of duty. Existing KRITIS operators remain regulated as a subset.

Are Affiliated Companies Included in the Size Assessment?

Generally yes. Under §28 para. 4 BSIG in conjunction with EU Recommendation 2003/361/EC, employee count, revenue and balance sheet total of affiliated companies are aggregated. An exception applies when the IT systems are demonstrably operated independently of one another. The Pre-Check from NIS2Compass helps with an initial assessment of your applicability.

Can I Apply for an Exemption Decree?

§37 BSIG allows the BMI to grant exemptions in three cases: national security, defence or law enforcement. The prerequisite is that equivalent security requirements already apply. For typical SMEs in the private sector, this route is not relevant. Instead, a structured implementation of the NIS2 requirements is recommended. The NIS2 Guide from NIS2Compass provides a clear implementation path for exactly this purpose.

Further answers on sector classification, thresholds and special cases are available in the official BSI FAQ on NIS-2 (German only).
