
Are You In Scope for NIS2 in Germany? The Threshold Test

A practitioner threshold test for NIS2 Germany scope under the NIS2UmsG — sectors, size criteria, and how to confirm whether you are an important entity.

Updated: 31 May 2026

If there is one question we are asked more than any other since the NIS2UmsG took effect, it is deceptively simple: "Are we actually in scope?" The answer matters enormously — it is the difference between a regulated obligation backed by fines of up to EUR 10M and personal management liability, and a contractual obligation you negotiate with customers. This article gives you the threshold test we use with clients, written for people who have to make the call and defend it later.

TL;DR / Key takeaways

  • NIS2 Germany scope turns on two tests applied together: a sector test and a size test. You need both to be true to be directly in scope as an important entity.
  • The NIS2UmsG applied from 6 December 2025 with no transition period. The BSI registration portal opened 6 January 2026; the deadline was 6 March 2026 — late registration is still mandatory.
  • Important entities: 50+ staff or >EUR 10M turnover. Particularly important entities: 250+ staff, or >EUR 50M turnover and >EUR 43M balance sheet — these face proactive supervision and the higher fine ceiling.
  • Thresholds are counted across linked and partner enterprises, so small German subsidiaries of large groups are frequently caught.
  • Self-assessment is your duty. The BSI does not pre-approve it. Document the analysis; fines reach EUR 10M or 2% of global turnover, and management is personally liable.

Why the scope question is harder than it looks

The original NIS Directive applied to a relatively narrow set of operators of essential services that national authorities individually identified. NIS2 inverted that model. Instead of waiting to be designated, organisations must now self-assess against objective criteria and register themselves. The German transposition, the NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsG), follows this logic closely and removes the comfort of a grace period.

That shift is what makes scoping a genuine engineering and legal exercise rather than a formality. We have walked several mid-sized industrial and digital-infrastructure clients through this analysis, and the recurring lesson is the same: the people who assume they are out of scope are often the ones who are in, usually because of group structure or a sector annex they had not read closely.

Step 1 — The sector test

NIS2 is sectoral first. If your activity does not appear in the annexes, the size thresholds are irrelevant. The NIS2UmsG mirrors the directive's two-tier sector model:

| Sector tier | Examples | Typical classification |
|---|---|---|
| High-criticality (Annex 1) sectors | Energy, transport, banking, financial market infrastructure, health, drinking and waste water, digital infrastructure, ICT service management (B2B), public administration, space | Usually particularly important if large enough |
| Other critical (Annex 2) sectors | Postal and courier, waste management, manufacture of chemicals, food, manufacturing (incl. medical devices, machinery, vehicles), digital providers (online marketplaces, search engines, social platforms), research | Usually important |

Two traps appear repeatedly. First, "digital infrastructure" and "ICT service management" sweep in cloud providers, data-centre operators, managed service providers and MSSPs — many of whom think of themselves as ordinary B2B software firms. Second, manufacturing is far broader than heavy industry; producers of machinery, vehicles, electronics and medical devices are squarely in Annex 2.

If your activity is on neither annex, you are out of direct scope — but read Step 4 before you close the file.

Step 2 — The size test

Once a sector match exists, apply the size thresholds. NIS2 uses the EU SME definition mechanics, which means two things people routinely get wrong.

  1. The criteria are alternatives, not cumulative, for the lower tier: 50 or more staff, or more than EUR 10M turnover, is enough on its own.
  2. Headcount and turnover are assessed including linked and partner enterprises, not the standalone German GmbH.

| Classification | Staff | Turnover | Balance sheet |
|---|---|---|---|
| Out of scope (micro/small, by size alone) | < 50 | <= EUR 10M | |
| Important entity (wichtige Einrichtung) | >= 50 | > EUR 10M | |
| Particularly important entity (besonders wichtige Einrichtung) | >= 250 | > EUR 50M | and > EUR 43M |

This is where a "small" German subsidiary of a larger European group is frequently pulled in. If the parent and sister companies are linked enterprises, their figures consolidate into the assessment. We have seen clients with 40 German employees land firmly inside scope once the group was counted correctly. Do this calculation deliberately and write it down.

Step 3 — Classify: important vs particularly important

The distinction is not cosmetic. Particularly important entities are subject to proactive, ex-ante supervision by the BSI (audits and inspections that can occur without a triggering incident), while important entities are generally subject to reactive, ex-post supervision (the authority acts when it has cause). Both must implement the same baseline of risk-management measures under the law and meet the same incident-reporting timeline, but the supervisory intensity and the maximum fine ceiling differ.

Either way, the operational obligations are demanding. The incident-reporting clock — 24-hour early warning, 72-hour detailed report, one-month final report — applies to significant incidents regardless of tier. If you are working out whether your detection and escalation tooling can actually hit those windows, we cover the mechanics in our NIS2 incident reporting 24/72-hour runbook.

Step 4 — Special designations that override size

A handful of categories are in scope irrespective of headcount or turnover. Do not skip this step just because you are below the SME thresholds. These include, among others:

  • Qualified and certain non-qualified trust service providers
  • Top-level domain name registries and DNS service providers
  • Providers of public electronic communications networks or services (subject to the relevant telecoms rules)
  • Entities that are the sole provider in a member state of a service essential for societal or economic activity
  • Entities individually designated by the competent authority, or covered by sector-specific German rules (e.g. existing KRITIS operators, where additional or stricter obligations apply)

If any of these describe you, the size test is moot — you are in.

A decision flow you can actually use

Run the test in this order and stop at the first definitive answer:

  1. Special designation? If yes → in scope. Skip to registration.
  2. Sector match in Annex 1 or 2? If no → not directly in scope (read the supply-chain note below). If yes → continue.
  3. Size thresholds met (with linked/partner enterprises)? If no → not directly in scope. If yes → continue.
  4. Which tier? 250+ staff or >EUR 50M turnover and >EUR 43M balance sheet → particularly important. Otherwise → important.
  5. Register with the BSI and retain your scope analysis as evidence.
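The decision flow above, encoded as a small Python classifier so the sector, size and tier logic can be run against real group figures. This is an added illustration, not code from the original post. It also carries the Step 2 consolidation through: linked enterprises are counted in full and partner enterprises pro rata by holding, which is the EU SME definition mechanic the article refers to but does not spell out; the sample companies are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Thresholds exactly as stated in the article; money figures are in EUR millions.
IMPORTANT_STAFF, IMPORTANT_TURNOVER = 50, 10.0
PARTICULARLY_STAFF, PARTICULARLY_TURNOVER, PARTICULARLY_BALANCE = 250, 50.0, 43.0

@dataclass
class Enterprise:
    name: str
    staff: float
    turnover: float        # annual turnover, EUR M
    balance_sheet: float   # balance sheet total, EUR M
    # Group members to aggregate: linked enterprises count 100%, partner
    # enterprises count by ownership share (assumption from the EU SME definition).
    linked: list[Enterprise] = field(default_factory=list)
    partners: list[tuple[Enterprise, float]] = field(default_factory=list)

def consolidate(e: Enterprise) -> tuple[float, float, float]:
    """Aggregate (staff, turnover, balance sheet) across linked and partner enterprises."""
    staff, turnover, balance = e.staff, e.turnover, e.balance_sheet
    for g in e.linked:
        staff, turnover, balance = staff + g.staff, turnover + g.turnover, balance + g.balance_sheet
    for g, share in e.partners:
        staff += g.staff * share
        turnover += g.turnover * share
        balance += g.balance_sheet * share
    return staff, turnover, balance

def classify(sector_annex: int | None, staff: float, turnover: float,
             balance: float, special_designation: bool = False) -> str:
    if special_designation:                       # Step 1: overrides sector and size
        return "in scope (special designation)"
    if sector_annex not in (1, 2):                # Step 2: no annex match, no direct duty
        return "not directly in scope (no sector match)"
    if not (staff >= IMPORTANT_STAFF or turnover > IMPORTANT_TURNOVER):
        return "not directly in scope (below size thresholds)"   # Step 3: OR, not AND
    if staff >= PARTICULARLY_STAFF or (turnover > PARTICULARLY_TURNOVER
                                       and balance > PARTICULARLY_BALANCE):
        return "particularly important entity"    # Step 4: 250+ staff, or turnover AND balance
    return "important entity"

def scope_for(e: Enterprise, sector_annex: int | None, special_designation: bool = False) -> str:
    return classify(sector_annex, *consolidate(e), special_designation)

# Constructed sample: a 40-person German GmbH that is linked to a large parent.
PARENT = Enterprise("Parent SE", staff=300, turnover=90.0, balance_sheet=60.0)
GMBH = Enterprise("Example GmbH", staff=40, turnover=8.0, balance_sheet=5.0, linked=[PARENT])
STANDALONE = Enterprise("Solo GmbH", staff=40, turnover=8.0, balance_sheet=5.0)

if __name__ == "__main__":
    for ent in (GMBH, STANDALONE):
        print(ent.name, "->", scope_for(ent, sector_annex=2))
```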

"We are below the thresholds" is not the end of the story

Even a clean out-of-scope result rarely means you can ignore NIS2. In-scope entities carry an explicit supply-chain security obligation, which they discharge by pushing requirements onto suppliers. In practice that means your in-scope customers will start sending you security questionnaires, demanding audit rights, contractual incident-notification clauses, and evidence of controls. The regulation reaches you indirectly through procurement long before any authority does.

Our consistent advice: if you sell to regulated sectors, build the capability now. The cost of being demonstrably ready is far lower than losing a tender because you cannot answer a supplier-assurance request. A pragmatic baseline — identity hardening, segmentation, logging, and an incident process — is exactly the Zero Trust foundation that satisfies both NIS2 risk-management expectations and customer due diligence.

What being in scope actually obliges you to do

Confirming scope is the start, not the finish. An in-scope entity must:

  • Register with the BSI via the portal and keep registration data current. The step-by-step is in our NIS2 BSI registration walkthrough.
  • Implement risk-management measures proportionate to risk — covering risk analysis, incident handling, business continuity, supply-chain security, secure development and acquisition, cryptography, access control and MFA, and asset management.
  • Meet the incident-reporting timeline for significant incidents.
  • Ensure management oversight and approval of the risk-management measures. Under the NIS2UmsG, the Geschäftsleitung is personally liable for this oversight — a duty that cannot be fully delegated away. We unpack the governance implications in NIS2 management liability in Germany.

Document your decision

Whatever you conclude, write it down. The BSI does not bless your self-assessment in advance, so your defence — if questioned — is a dated, reasoned scope analysis showing the sector mapping, the consolidated size figures, and the classification logic. We deliver this as a short, signed scoping memo for every client; it takes a day and saves a great deal of argument later.

Where we come in

Scoping looks binary but is full of edge cases — group consolidation, ambiguous sector fit, and special designations that override the obvious answer. If you want a defensible scope determination and a pragmatic path to the risk-management baseline behind it, our team has done this work hands-on across industrial and digital-infrastructure clients. Have a look at our Zero Trust and cybersecurity services, or get in touch for a focused scoping review.

FAQ

How do I know if my company is in scope for NIS2 in Germany?

Run two tests in sequence. First, sector: does your organisation operate in one of the sectors listed in the NIS2UmsG annexes? Second, size: do you have 50 or more staff, or more than EUR 10M annual turnover? If both are yes, you are at least an important entity and must register with the BSI and apply the risk-management obligations.

What is the difference between an important entity and a particularly important entity under the NIS2UmsG?

An important entity (wichtige Einrichtung) has 50 or more staff or more than EUR 10M turnover. A particularly important entity (besonders wichtige Einrichtung) is larger — 250 or more staff, or more than EUR 50M turnover and more than EUR 43M balance sheet total — or falls into a specially designated category. Particularly important entities face proactive supervision and the higher fine ceiling.

When did the NIS2UmsG start to apply and what was the registration deadline?

The German NIS2 implementation law (NIS2UmsG) applied from 6 December 2025 with no transition period. The BSI registration portal opened on 6 January 2026 and the registration deadline was 6 March 2026. If you missed it, you are still legally required to register and should do so without further delay.

Do the staff and turnover thresholds count only the German entity?

No. Headcount and turnover are assessed at the level of the legal entity together with linked and partner enterprises, following the EU SME definition logic. A small German subsidiary of a large group can therefore be in scope even if the local entity alone looks small. This catches many groups by surprise.

We are below the thresholds. Are we completely exempt from NIS2?

Possibly from direct registration, but not from the practical impact. If you supply in-scope entities, they must manage supply-chain risk and will cascade security requirements, audit rights, and incident-notification clauses into your contracts. Some smaller entities are also designated regardless of size. Treat sub-threshold status as a reason to be ready, not to ignore the regime.

What happens if we get the in-scope decision wrong?

Self-assessment is the duty of the organisation; the BSI does not pre-approve your decision. Getting it wrong by under-scoping means missing registration, reporting and risk-management duties, with fines up to EUR 10M or 2% of global turnover and personal liability for management. Document your scope analysis so you can defend it.


