Annex I Sector 8 NIS 2

Am I a data centre provider under NIS 2?

NIS 2 lists data centre services in Annex I sector 8 (Digital Infrastructure). Article 6(31) defines the service to include power and cooling. The standard size test from Article 2(1) and Recommendation 2003/361/EC then decides whether the duties apply. Germany transposes through §28 BSIG. KRITIS-V (3.5 MW IT load) is a separate national overlay, not the NIS 2 entry point.

Simon Orzel

The short version

If you sell a data centre service to third parties, you are in scope as soon as you meet the standard NIS 2 size threshold. Annex I sector 8 names data centre service providers directly under Digital Infrastructure. Article 6(31) tells you what counts as the service: the IT and network estate plus the supporting power distribution and environmental control. The roof, the UPS, the chillers and the diesel generator are part of the service, not adjacent to it.

The size test is the standard one for NIS 2. Article 2(1) of the Directive ties scope to Recommendation 2003/361/EC: medium-sized entities (50 or more staff, or annual turnover and balance sheet above EUR 10 million) fall under the regime; large entities are 'essential' rather than 'important'. There is no regardless-of-size carve-in for data centres, unlike telecoms or DNS.

Germany transposes through §28 BSIG. The KRITIS-Verordnung threshold (3.5 MW IT load) is a separate German overlay that decides whether the same data centre is additionally KRITIS, with extra duties. It does not decide whether NIS 2 applies. CIR (EU) 2024/2690 lists data centre service providers in its Annex, so parts of the implementing regulation bind data centres directly without further national transposition.

The legal source
Three layers. The Directive names the sector and defines the service. The Commission Implementing Regulation binds the technical risk management framework. The German BSIG transposes the duties and points to KRITIS-V as a separate national track.

NIS 2 Directive (2022/2555), Annex I Sector 8 and Article 6(31)

'data centre service' means a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of information technology and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control.

Two things to read together. Annex I sector 8 names data centre service providers as Digital Infrastructure. Article 6(31) tells you the service is not just the IT racks. Power distribution and environmental control are part of the legal definition. That is what locks the building services (UPS, generators, cooling, fire suppression) into the NIS 2 risk management framework.

Commission Implementing Regulation (EU) 2024/2690, Annex

This Regulation lays down the technical and methodological requirements of the measures referred to in Article 21(2) of Directive (EU) 2022/2555 with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, of online search engines and of social networking services platforms, and trust service providers.

Data centre service providers are listed in the CIR Annex by name. That means the technical risk management requirements in the CIR (asset management, access control, cryptography, supply chain, incident handling) bind data centres directly. National transposition is not required for the CIR layer. The Directive layer still needs §28 BSIG to take effect in Germany.

§28 BSIG (Germany) and the KRITIS-Verordnung

Providers of data centre services are deemed important entities (wichtige Einrichtungen) once they reach the threshold for medium-sized enterprises, and particularly important entities (besonders wichtige Einrichtungen) once they reach the threshold for large enterprises, within the meaning of this Act.

§28 BSIG transposes the NIS 2 data centre obligations. The Article 2(1) size test (50 staff / EUR 10m turnover) decides whether the entity is 'wichtig' or 'besonders wichtig'. The KRITIS-Verordnung is a separate German layer with its own threshold of 3.5 MW IT load for data centres. KRITIS adds duties on top; it is not the entry condition for NIS 2. A 25 MW co-location operator is in both regimes. A 200-staff colocation site at 1 MW IT load is in NIS 2 scope but not KRITIS.

Three tests to walk through
Three short tests decide whether you are in scope. One on what the service is, one on size, one on whether the German KRITIS overlay adds to the picture.
Test A

Do you sell a data centre service?

Article 6(31) is the test. You provide structures dedicated to the centralised accommodation, interconnection and operation of IT and network equipment, together with the power and environmental control infrastructure. Co-location, hosting and dedicated halls all qualify. The IT load and the building services are one service in law.

Test B

Are you above the size threshold?

Article 2(1) NIS 2 references Recommendation 2003/361/EC. Medium-sized entities (50 or more staff, or annual turnover and balance sheet total above EUR 10 million) fall under the regime as 'important'. Large entities (above 250 staff or turnover above EUR 50 million) fall under it as 'essential'. There is no regardless-of-size carve-in for data centres.

Test C

Does the German KRITIS overlay apply?

KRITIS-V sets a 3.5 MW IT load threshold for data centres in Germany. Crossing it makes the site KRITIS in addition to NIS 2, with extra duties (audit cycle, sector-specific minimum standards). KRITIS is not the NIS 2 entry condition. A 1 MW colocation operator with 200 staff is NIS 2-in but KRITIS-out.

Two rules that shape the scope test
Two interpretive rules sit under the data centre scope question. Get either one wrong and you will misread the regime you are in.

Co-location, hosting and dedicated all qualify

The Article 6(31) definition does not distinguish between delivery models. Whether you rent out racks (co-location), rent out servers (managed hosting) or run a single-tenant facility for a paying customer, the service is the same in law: centralised accommodation of IT and network equipment, plus the supporting power and environmental control. The duties attach to the service, not to the commercial wrapper.

In-house data centres are not a data centre service

If you run a data centre purely for your own group, you are not providing a data centre service in the NIS 2 sense. There is no service to a third party. The facility may still feed into another scoping route (your group may be in scope on a different sector with its own assets), but it does not catch you under Annex I sector 8 as a data centre provider. The test turns on whether the service is sold.

How national authorities actually run this
EU sets the duty, member states transpose, sector authorities run the day to day. For data centres, the BSI is the central NIS 2 authority and the KRITIS overlay is a national add-on, not a separate regulator.
Germany

BSI / §28 BSIG

The BSI is the central NIS 2 authority. Registration, risk management framework and incident reporting under NIS 2 all run through the BSI. §28 BSIG names data centre service providers above the medium-enterprise threshold as 'wichtige Einrichtungen' and above the large-enterprise threshold as 'besonders wichtige Einrichtungen'.

Germany

BSI C5 and IT-Grundschutz

BSI also owns the sector-relevant baselines. The C5 catalogue (Cloud Computing Compliance Criteria) covers the cloud and hosting side. IT-Grundschutz building blocks INF.1 (general building) and INF.2 (computer centre / server room) are the German implementation reference for the physical and environmental controls that Article 6(31) folds into the service. Auditors expect to see them mapped into your CIR framework.

EU-wide

ENISA

ENISA, the EU cybersecurity agency, coordinates across member states and publishes Technical Implementation Guidance under CIR (EU) 2024/2690. Data centre service providers are listed in the CIR Annex by name, which means parts of the implementing regulation are directly binding on data centres without needing further national transposition.

Other member states

National cybersecurity authorities

Every member state has its own NIS 2 authority: NCSC-NL in the Netherlands, ANSSI in France, NCSC.AT in Austria, ACN in Italy. The Annex I sector 8 row and the Article 6(31) definition are the same EU-wide because the Directive sets one floor. What differs: who you register with, which incident form you use, and whether the country layers a national critical-infrastructure regime on top (Germany has KRITIS-V, others use different thresholds).

Three traps we see on data centre scoping calls
Three assumptions that send data centre operators to the wrong answer. All three come from reading 'data centre' colloquially instead of via Article 6(31).
  • We run a server room for our own company, so we are a data centre provider.

    Not on the data centre leg. Article 6(31) describes a service. If the IT estate is operated only for your own group and not sold to third parties, you are not providing a data centre service in the NIS 2 sense. Your group may still be in NIS 2 scope through its own sector (manufacturing, energy, waste, health and so on), but the Annex I sector 8 data centre row does not catch the in-house room.

  • We are well below the 3.5 MW KRITIS threshold, so NIS 2 does not apply.

    KRITIS-V and NIS 2 are two regimes with two thresholds. The 3.5 MW IT load threshold is the German KRITIS overlay. NIS 2 has its own size test from Article 2(1): medium-sized as soon as you cross 50 staff or EUR 10m turnover and balance sheet total. A 200-staff colocation operator at 1 MW IT load is in NIS 2 scope but not in KRITIS. The KRITIS-out finding is not a NIS 2-out finding.

  • We only do co-location, the customer owns the servers, so we are not providing a data centre service.

    Co-location is one of the textbook delivery models for the Article 6(31) service. The definition covers structures dedicated to the centralised accommodation of IT and network equipment plus the power and environmental control. It does not require that the racks belong to you. Selling rack space, power and cooling is the service. The customer-owned-server argument does not change the legal classification.

How a mid-sized data centre operator actually walks through this

A 60-staff regional co-location operator with two halls and roughly 2 MW combined IT load is clearly in NIS 2 scope as a 'wichtige Einrichtung'. Annex I sector 8 names the sector. Article 6(31) catches the service end to end, including the building services. The Article 2(1) size test puts the company above the medium-enterprise threshold. KRITIS-V at 3.5 MW IT load is not crossed, so the KRITIS overlay does not apply. The operator runs the full NIS 2 risk management framework but does not pick up the KRITIS audit cycle.

What we see in practice: the risk register starts with the building services (utility feed, UPS strings, generator runtime and fuel, cooling redundancy, fire suppression, physical access) and then layers the IT and network estate (core switching, customer cages, OOB management, monitoring) on top. The §2 CIR risk management framework runs against that combined inventory. Article 21(1) proportionality applies, so a 60-staff regional operator does not implement at the depth of a hyperscale region. The phasing is written down, justified by the risk picture, and signed off by management.

How the platform helps you decide

Our applicability check walks the data centre route step by step. It asks whether you sell the service to third parties, how the delivery model is structured (co-location, hosting, dedicated), what your headcount and turnover are, and where you sit relative to the German KRITIS-V threshold. The output names the Annex I row, the BSIG classification ('wichtig' or 'besonders wichtig'), and whether the KRITIS overlay applies on top.

The asset inventory lets you model the building services (utility feed, UPS, generator, cooling, fire suppression, physical access) and the IT and network estate on one list. The §2 CIR risk management framework runs against that inventory, so the same asset list feeds both the NIS 2 track and, if you cross 3.5 MW IT load, the KRITIS audit without double maintenance.

Sources
  • Directive (EU) 2022/2555 (NIS 2), Annex I Sector 8 and Article 6(31) data centre service definition — eur-lex.europa.eu/eli/dir/2022/2555/oj
  • Directive (EU) 2022/2555 (NIS 2), Article 2(1) size test referencing Commission Recommendation 2003/361/EC — eur-lex.europa.eu/eli/reco/2003/361/oj
  • Commission Implementing Regulation (EU) 2024/2690 (CIR), Annex (data centre service providers listed by name) — eur-lex.europa.eu/eli/reg_impl/2024/2690/oj
  • BSI Act (BSIG), §28 as amended by the NIS2 Implementation and Cybersecurity Strengthening Act
  • KRITIS-Verordnung (BSI-KritisV), sector Informationstechnik und Telekommunikation, threshold 3.5 MW IT load for data centres
  • BSI IT-Grundschutz, building blocks INF.1 (Allgemeines Gebäude) and INF.2 (Rechenzentrum sowie Serverraum); BSI C5 cloud catalogue — bsi.bund.de