Self-classification under NIS 2: silence from the BSI is not a defence
Most Mittelstand teams wait for a letter that will never arrive. NIS 2 puts the obligation on you to figure out if you are in scope, and the clock runs whether you check or not.
The most expensive misconception
Many Mittelstand entities take the absence of a BSI letter as evidence they are not in scope of NIS 2. They are wrong. The directive and §33 BSIG put the registration duty on the entity, not on the authority.
The mechanism is straightforward. Art. 27(1) NIS 2 obliges Member States to set up a registry of essential and important entities. §33(1) BSIG transposes this: entities register within three months of meeting the conditions. The deadline starts when you meet the criteria, not when someone tells you.
In practice this means a 70-person waste-management firm in Annex II can quietly be in scope for over a year, accumulating fines under §65 BSIG and personal liability under §38 BSIG, until somebody finally checks the Annex.
Art. 27(1) NIS 2 (registry duty)
Member States shall require essential and important entities to submit at least the following information to the competent authorities: name; address; up-to-date contact details; sector and subsector; list of Member States where they provide services.
The duty runs from the entity to the authority, not the other way around. There is no provision in NIS 2 that requires the authority to identify in-scope entities first.
§33(1) BSIG (3-month deadline)
Wesentliche und wichtige Einrichtungen registrieren sich innerhalb von drei Monaten nach erstmaligem Eintritt der Voraussetzungen beim Bundesamt.
Three months from the moment the entity first meets the conditions. There is no waiting period for a letter from the BSI. The clock runs on the entity's own calendar.
Art. 2 + Annex I/II NIS 2 (sector + size)
This Directive applies to public or private entities of a type referred to in Annex I or II which qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC, or which exceed the ceilings for medium-sized enterprises.
Two questions decide in-scope: are you a type in Annex I or II, and are you at least medium-sized (50+ employees and either >€10m turnover or >€10m balance sheet). Plus 'regardless of size' overrides for trust services, DNS, TLD registries, public administration, sole providers in a Member State.
Check Annex I and II against your business
Annex I is essential entities (energy, transport, banking, financial market, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space). Annex II is important entities (postal, waste, chemicals, food, manufacturing, digital providers, research). Match by the actual activity, not by the legal form.
Check size against the EU SME definition
Medium-sized: 50 to 249 employees AND (turnover or balance sheet over €10m). Large: 250+ employees OR turnover over €50m OR balance sheet over €43m. Use Recommendation 2003/361/EC verbatim, count linked and partner enterprises per the recommendation rules.
Check the regardless-of-size overrides
Sole provider of a service in a Member State, public administrations of central government, DNS service providers, TLD name registries, qualified trust service providers fall in scope regardless of size. Memory: if you are in any of those, the size threshold does not apply.
Administrative fine under §65 BSIG
Up to 10 million euro or 2 percent of worldwide annual turnover, whichever is higher, for essential entities. Up to 7 million euro or 1.4 percent for important entities. The fine attaches to the entity. The breach is not registration tardiness alone; it is the underlying non-compliance with Art. 21 and Art. 23 obligations that accumulated during the silent period.
Personal liability of the management body under §38 BSIG
Art. 20(1) NIS 2 transposed into §38 BSIG makes the management body responsible for approving and overseeing the risk-management measures. Late discovery is not a defence; the body should have ensured the classification was done.
Supervisory power escalation
Art. 32 NIS 2 lets the competent authority impose obligations, demand audits, and in the worst case suspend operations. Late entrants tend to attract more supervision because the authority needs to verify catch-up.
Run the applicability check today
Map your activity to Annex I or II, count employees and revenue, walk through the regardless-of-size overrides. Document the result even if it is negative. A written 'not in scope' analysis is the only defence in a later dispute.
If in scope, register within three months
Via the BSI portal under §33 BSIG. Requires an ELSTER organisation certificate which itself takes two to three weeks. Start the ELSTER application first if the registration deadline is tight.
Re-run the check annually
Annexes can be amended (NIS 2 Art. 6 review). Your headcount and turnover move. A 'not in scope' position becomes stale. Schedule a yearly re-check.
- Directive (EU) 2022/2555 (NIS 2), Art. 2, Art. 3, Annex I, Annex II, Art. 27, www.eur-lex.europa.eu
- Act on the Federal Office for Information Security (BSIG), §33, §38, §65, www.gesetze-im-internet.de
- Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises, www.eur-lex.europa.eu
- NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG)
This page provides structured guidance based on publicly available sources (NIS 2 Directive, BSIG, EU SME Recommendation). It does not constitute legal advice within the meaning of §2 RDG. For specific cases consult an admitted lawyer. As at 2026-06-04.