Annex I Sector 10 NIS 2

Are we a public administration entity under NIS 2?

Public administration sits in NIS 2 Annex I sector 10 and Article 2(2)(f). Central government is in regardless of size. Regional government is in if your member state has run the risk-based assessment. The carve-outs in Article 2(5) to (7) are narrow and functional, not institutional.

Simon Orzel

The short version

Public administration is in NIS 2 Annex I sector 10. The size test that knocks small private companies out does not apply here. Article 2(2)(f) says public administration entities of central government are in regardless of size, and public administration entities at regional level are in if the member state has identified them following a risk-based assessment.

The directive then carves out specific activities, not specific institutions. Article 2(5) keeps out national security, defence, public security, law enforcement and judicial activities. Article 2(7) keeps out parliaments and central banks. A police authority that runs internal HR and finance IT is in for that IT. The same authority is out for its operational law-enforcement systems. Function decides, not the badge on the door.

In Germany, §28 BSIG operationalises the rule for the Bundesverwaltung. §29 BSIG gives the Länder the legal basis to bring their Landes- and Kommunalverwaltung into scope. Until a Land uses §29 BSIG, municipalities in that Land are formally out, even though every NIS 2 conference agenda treats them as in. Read your Landes-Cybersicherheitsgesetz before you scope yourself.

The legal source

Three layers. The directive sets the rule and the carve-outs. The German transposition splits the rule across Bundes- and Landesebene. Verbatim quotes below, then the operational read.

Article 2(2)(f) NIS 2 Directive (2022/2555)

This Directive applies to entities of a type referred to in Annex I or II, regardless of their size, where the entity is a public administration entity (i) of central government as defined by a Member State in accordance with national law; or (ii) at regional level as defined by a Member State in accordance with national law that, following a risk-based assessment, provides services the disruption of which could have a significant impact on critical societal or economic activities.

Verbatim from OJ L 333/110. Two halves. Central government is in automatically. Regional government is in only after the member state has run the risk-based assessment and identified the entities. The size test in Article 2(1) does not apply to either.

Article 2(5) NIS 2 Directive (carve-outs)

This Directive does not apply to public administration entities that carry out their activities in the areas of national security, public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences.

The carve-out is functional. The exclusion follows the activity, not the institution. A federal police authority is out for its law-enforcement systems and in for its corporate IT. Article 2(7) adds parliaments and central banks. Article 2(6) lets member states exempt entities that carry out activities under Article 2(5) only in those areas.

§28 and §29 BSIG (Germany)

§28 BSIG transposes the central-government rule and binds Einrichtungen der Bundesverwaltung. §29 BSIG empowers the Länder to bring Einrichtungen der Landes- und Kommunalverwaltung into scope through their own Landes-Cybersicherheitsgesetze, following the risk-based assessment required by Article 2(2)(f)(ii) NIS 2.

Two German anchors, not one. Bundesverwaltung is in by federal law. Landesverwaltung and Kommunalverwaltung wait on Land legislation. Some Länder have already published draft Landes-Cybersicherheitsgesetze; others have not. The legal status of a Kommune depends on which Land it sits in.

Three elements that decide your answer

Walk them in order. Central government is automatic. Regional government depends on national identification. Then check whether the activity you are scoping falls under a functional carve-out.
Element 1

Central government

Public administration entities of central government, as defined by national law, are in regardless of size. Federal ministries, federal agencies, federal authorities. No size threshold. In Germany this is the Bundesverwaltung under §28 BSIG. The 'central' label is set by national law, so the list differs between member states, but the structural rule is the same.

Element 2

Regional government

Public administration entities at regional level are in only if the member state has identified them following a risk-based assessment. The directive does not designate them automatically. In Germany the Länder use §29 BSIG and their Landes-Cybersicherheitsgesetze to run that identification and bind Landesverwaltung and Kommunalverwaltung. Until the relevant Land has acted, regional entities are formally outside the directive.

Element 3

Functional carve-outs

Article 2(5) excludes activities in national security, public security, defence and law enforcement. Article 2(7) excludes parliaments and central banks. The exclusion attaches to the activity, not the institution. A ministry's general administrative IT stays in. A police force's case-management system is out. Document which systems sit on which side of the line.

Two rules that catch people out

Two structural points that managing directors and authority heads miss on first read. Both come up in almost every public-sector applicability call.

Size does not apply

The Article 2(1) size test (50 staff, 10 million euros) does not apply to public administration. Article 2(2)(f) is a regardless-of-size override. A 12-person federal authority is in. A 4-person Bundesoberbehörde is in. The only filters are 'is this central government', 'is this regional government that the member state has identified', and 'is this activity carved out by Article 2(5) or (7)'.

Carve-outs follow function, not institution

Recital 8 makes this explicit. The exclusions in Article 2(5) are not a blanket pass for police, defence and intelligence services. They cover the activities in those areas. The same authority can be out for its operational systems and in for its corporate IT, HR systems, finance systems and supplier-facing systems. Map your activities, then map your systems against them.

How national regulators actually run this

The EU sets one rule and one set of carve-outs. Each member state lifts it into national law and decides which regional entities count. The substance is the same Union-wide; the mechanics differ.
Germany (Bund)

BSI / §28 BSIG

The BSI is the competent authority for Bundesverwaltung under §28 BSIG. Federal ministries and agencies are in by federal law, no size test, no opt-in. The BSI publishes specific Verwaltungsvorschriften and IT-Grundschutz profiles for federal authorities (Mindeststandards nach §8 BSIG).

Germany (Länder)

Landes-Cybersicherheitsgesetze

§29 BSIG empowers each Land to legislate which Landes- and Kommunalverwaltung entities are in scope. The Land runs the risk-based assessment Article 2(2)(f)(ii) requires. Until that legislation exists, the federal BSIG does not bind regional entities. Check whether your Land has published a draft Cybersicherheitsgesetz before you scope a Kommune.

EU-wide

ENISA NIS 2 transposition tracker

ENISA publishes a NIS 2 transposition page that lists the national laws, the competent authorities per member state, and the national scoping decisions for public administration. It is the cleanest single source for cross-border authorities or shared-services organisations working out which regulator they file with in each country.

Other member states

National transposition laws

Article 2(2)(f) binds public administration across the EU. NL covers it through the Cyberbeveiligingswet, FR through Ordonnance n° 2024-1093, AT through the NISG. The directive's regardless-of-size rule is the same everywhere. Each member state decides what counts as central and which regional entities pass the risk-based assessment.

Three reads that lead to wrong scoping

Three traps that show up in almost every public-sector applicability call. All three lead to a wrong yes or a wrong no.
  • We are a Kommune, so we are automatically in NIS 2.

    Not by federal law alone. §28 BSIG binds Bundesverwaltung. Landes- and Kommunalverwaltung enter scope through §29 BSIG and the relevant Landes-Cybersicherheitsgesetz, after the Land has run the risk-based assessment Article 2(2)(f)(ii) requires. Check your Land's status before you assume.

  • We do law-enforcement work, so we are out of NIS 2.

    The Article 2(5) carve-out is functional. It covers the law-enforcement activities, not the whole institution. A police authority is out for its case-management and surveillance systems, and in for its HR, finance, procurement and general administrative IT. Same authority, two scopes. Document the line by system.

  • Our Stadtwerk is municipally owned, so it falls under public administration in sector 10.

    Ownership does not move a Stadtwerk into sector 10. A municipally owned utility is in NIS 2 through Annex I sectors 1 (energy), 6 (drinking water), 7 (waste water) or 8 (digital infrastructure), with the ordinary size test in Article 2(1). Sector 10 is for public administration entities as defined by the member state, not for state-owned commercial operators.

How real public-sector operators do this

Typical case: a federal agency with 90 staff. Article 2(2)(f)(i) applies (Bundesverwaltung), so the size test never runs. The agency runs general administrative IT and one specialised platform that supports federal law-enforcement coordination. Article 2(5) carves the law-enforcement platform out. The administrative IT stays in. Result: a single Anwendbarkeitsprüfung that lists which systems fall under §30 BSIG and which sit behind the carve-out, with the management body's signature.

Typical case at regional level: a Kommune of 220 staff in a Land that has not yet adopted its Landes-Cybersicherheitsgesetz. Formally out of NIS 2 today. Practitioners still build the baseline (risk register, supplier list, incident process) because the draft law is in consultation and the obligations will land in 2026 or 2027. Treat the gap year as preparation, not a holiday.
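The three-element walk above (central government, identified regional entity, functional carve-out per system) can be written down as a decision function, which makes the per-system split explicit and shows that the Article 2(1) size test never enters the decision. The following is an added illustration, not the platform's code and not part of the original article; the entity and system fields, the `Level` enum, the activity-area labels, and the two worked cases (the 90-staff federal agency and the 220-staff Kommune from the text) are constructed for the example, and non-German member states get a placeholder legal hook rather than a real provision.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum

# Hypothetical model of the three-element applicability check (not the platform's code).

class Level(Enum):
    CENTRAL = "central"    # Art. 2(2)(f)(i): in regardless of size
    REGIONAL = "regional"  # Art. 2(2)(f)(ii): in only after member-state identification

# Art. 2(5): activity areas the directive does not apply to (functional carve-out)
CARVED_OUT_AREAS = {"national_security", "public_security", "defence", "law_enforcement"}
# Art. 2(7): institutions excluded as such
EXCLUDED_INSTITUTIONS = {"parliament", "central_bank"}

@dataclass
class System:
    name: str
    activity_area: str  # constructed label, e.g. "administration" or "law_enforcement"

@dataclass
class Entity:
    name: str
    level: Level
    staff: int                            # recorded only to show it never enters the decision
    member_state: str                     # ISO code, e.g. "DE"
    regionally_identified: bool = False   # identified under Art. 2(2)(f)(ii) by its Land / member state?
    institution_type: str = "authority"   # "parliament" or "central_bank" trigger Art. 2(7)
    systems: list[System] = field(default_factory=list)

@dataclass
class Result:
    entity_in_scope: bool
    legal_hook: str
    systems_in_scope: list[str]
    systems_carved_out: list[str]
    justification: list[str]

def _national_hook(e: Entity) -> str:
    # German anchors from the text; other member states get a placeholder, not a real provision.
    if e.member_state == "DE":
        return "§28 BSIG" if e.level is Level.CENTRAL else "§29 BSIG plus Landes-Cybersicherheitsgesetz"
    return f"national transposition of Art. 2(2)(f) in {e.member_state} (placeholder)"

def applicability_check(e: Entity) -> Result:
    notes: list[str] = []
    # Art. 2(7) first: parliaments and central banks are out as institutions.
    if e.institution_type in EXCLUDED_INSTITUTIONS:
        return Result(False, "Art. 2(7) NIS 2", [], [], [f"{e.institution_type} excluded as an institution"])

    # Elements 1 and 2: which half of Art. 2(2)(f) applies. The Art. 2(1) size test is never consulted.
    if e.level is Level.CENTRAL:
        hook = f"Art. 2(2)(f)(i) NIS 2; {_national_hook(e)}"
        notes.append(f"central government: in regardless of size ({e.staff} staff not relevant)")
    else:
        hook = f"Art. 2(2)(f)(ii) NIS 2; {_national_hook(e)}"
        if not e.regionally_identified:
            notes.append("regional entity not yet identified after a risk-based assessment: formally out")
            return Result(False, hook, [], [], notes)
        notes.append("regional entity identified by the member state: in regardless of size")

    # Element 3: the functional carve-out is applied per system, not per institution.
    in_scope = [s.name for s in e.systems if s.activity_area not in CARVED_OUT_AREAS]
    carved = [s.name for s in e.systems if s.activity_area in CARVED_OUT_AREAS]
    notes.extend(f"{name}: Art. 2(5) activity, carved out" for name in carved)
    if e.systems and not in_scope:
        notes.append("all activities fall under Art. 2(5): candidate for a national Art. 2(6) exemption")
    return Result(True, hook, in_scope, carved, notes)

def federal_agency_case() -> Result:
    # Constructed case: 90-staff federal agency with admin IT and a law-enforcement coordination platform.
    agency = Entity("federal agency", Level.CENTRAL, 90, "DE", systems=[
        System("general administrative IT", "administration"),
        System("law-enforcement coordination platform", "law_enforcement"),
    ])
    return applicability_check(agency)

def kommune_case() -> Result:
    # Constructed case: 220-staff Kommune in a Land that has not yet legislated under §29 BSIG.
    kommune = Entity("Kommune", Level.REGIONAL, 220, "DE", regionally_identified=False,
                     systems=[System("citizen services portal", "administration")])
    return applicability_check(kommune)

if __name__ == "__main__":
    for r in (federal_agency_case(), kommune_case()):
        print(r.entity_in_scope, r.legal_hook, r.systems_in_scope, r.systems_carved_out)
        for line in r.justification:
            print("  -", line)
```

The order of checks mirrors the article: the Article 2(7) institutional exclusion is tested first, then the two halves of Article 2(2)(f), and only then is the Article 2(5) carve-out applied system by system, so the output is a list of in-scope and carved-out systems rather than a single yes or no. The staff count is carried in the record purely so the justification can state that it was not used.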

How we handle this on the platform

The applicability check walks the three elements in order: are you central government, are you a regional entity that your member state has identified, and which of your activities sit behind an Article 2(5) or (7) carve-out. You answer the questions once and get a written Anwendbarkeitsprüfung that names the legal hook (§28 BSIG, §29 BSIG plus your Landesgesetz, or out of scope) and the carved-out systems.

The output is not a yes/no. It is a justification: which provision applies, what the member state has decided about regional entities, and which systems sit on which side of the functional carve-out. Signed by the management body, stored with audit trail, version-pinned to the EU and BSIG text we cite.

Sources
  • Directive (EU) 2022/2555 (NIS 2), Article 2(2)(f), Article 2(5) to (7), recitals 7 and 8, Annex I sector 10 — eur-lex.europa.eu/eli/dir/2022/2555/oj
  • BSI Act (BSIG), §28 (Bundesverwaltung) and §29 (Länder) as amended by the NIS2-Umsetzungsgesetz
  • ENISA NIS 2 transposition tracker — enisa.europa.eu/topics/nis-directive
  • Landes-Cybersicherheitsgesetze (per Land, drafts and adopted laws)
Run the applicability check for your authority
Central, regional and functional carve-out tests in one walkthrough. Output is a signed Anwendbarkeitsprüfung you can file. Free, open source, no lock-in.