Art. 27 NIS 2 + §33 BSIG

Self-classification under NIS 2: silence from the BSI is not a defence

Most Mittelstand teams wait for a letter that will never arrive. NIS 2 puts the obligation on you to figure out if you are in scope, and the clock runs whether you check or not.

Simon OrzelSimon Orzel·

The most expensive misconception

Many Mittelstand entities take the absence of a BSI letter as evidence they are not in scope of NIS 2. They are wrong. The directive and §33 BSIG put the registration duty on the entity, not on the authority.

The mechanism is straightforward. Art. 27(1) NIS 2 obliges Member States to set up a registry of essential and important entities. §33(1) BSIG transposes this: entities register within three months of meeting the conditions. The deadline starts when you meet the criteria, not when someone tells you.

In practice this means a 70-person waste-management firm in Annex II can quietly be in scope for over a year, accumulating fines under §65 BSIG and personal liability under §38 BSIG, until somebody finally checks the Annex.

Where the obligation sits
Two articles do the heavy lifting. One in the directive, one in the German transposition.

Art. 27(1) NIS 2 (registry duty)

Member States shall require essential and important entities to submit at least the following information to the competent authorities: name; address; up-to-date contact details; sector and subsector; list of Member States where they provide services.

The duty runs from the entity to the authority, not the other way around. There is no provision in NIS 2 that requires the authority to identify in-scope entities first.

§33(1) BSIG (3-month deadline)

Wesentliche und wichtige Einrichtungen registrieren sich innerhalb von drei Monaten nach erstmaligem Eintritt der Voraussetzungen beim Bundesamt.

Three months from the moment the entity first meets the conditions. There is no waiting period for a letter from the BSI. The clock runs on the entity's own calendar.

Art. 2 + Annex I/II NIS 2 (sector + size)

This Directive applies to public or private entities of a type referred to in Annex I or II which qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC, or which exceed the ceilings for medium-sized enterprises.

Two questions decide in-scope: are you a type in Annex I or II, and are you at least medium-sized (50+ employees and either >€10m turnover or >€10m balance sheet). Plus 'regardless of size' overrides for trust services, DNS, TLD registries, public administration, sole providers in a Member State.

How self-classification works in practice
Three checks. The first one is sectoral, the second is size, the third is overrides.
Schritt 1

Check Annex I and II against your business

Annex I is essential entities (energy, transport, banking, financial market, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space). Annex II is important entities (postal, waste, chemicals, food, manufacturing, digital providers, research). Match by the actual activity, not by the legal form.

Schritt 2

Check size against the EU SME definition

Medium-sized: 50 to 249 employees AND (turnover or balance sheet over €10m). Large: 250+ employees OR turnover over €50m OR balance sheet over €43m. Use Recommendation 2003/361/EC verbatim, count linked and partner enterprises per the recommendation rules.

Schritt 3

Check the regardless-of-size overrides

Sole provider of a service in a Member State, public administrations of central government, DNS service providers, TLD name registries, qualified trust service providers fall in scope regardless of size. Memory: if you are in any of those, the size threshold does not apply.

What happens when you are discovered late
Two cost centres open at the same time: administrative fines and personal liability.

Administrative fine under §65 BSIG

Up to 10 million euro or 2 percent of worldwide annual turnover, whichever is higher, for essential entities. Up to 7 million euro or 1.4 percent for important entities. The fine attaches to the entity. The breach is not registration tardiness alone; it is the underlying non-compliance with Art. 21 and Art. 23 obligations that accumulated during the silent period.

Personal liability of the management body under §38 BSIG

Art. 20(1) NIS 2 transposed into §38 BSIG makes the management body responsible for approving and overseeing the risk-management measures. Late discovery is not a defence; the body should have ensured the classification was done.

Supervisory power escalation

Art. 32 NIS 2 lets the competent authority impose obligations, demand audits, and in the worst case suspend operations. Late entrants tend to attract more supervision because the authority needs to verify catch-up.

What to do now
Three steps. None of them depends on hearing from the BSI.

Run the applicability check today

Map your activity to Annex I or II, count employees and revenue, walk through the regardless-of-size overrides. Document the result even if it is negative. A written 'not in scope' analysis is the only defence in a later dispute.

If in scope, register within three months

Via the BSI portal under §33 BSIG. Requires an ELSTER organisation certificate which itself takes two to three weeks. Start the ELSTER application first if the registration deadline is tight.

Re-run the check annually

Annexes can be amended (NIS 2 Art. 6 review). Your headcount and turnover move. A 'not in scope' position becomes stale. Schedule a yearly re-check.

Sources
  • Directive (EU) 2022/2555 (NIS 2), Art. 2, Art. 3, Annex I, Annex II, Art. 27, www.eur-lex.europa.eu
  • Act on the Federal Office for Information Security (BSIG), §33, §38, §65, www.gesetze-im-internet.de
  • Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises, www.eur-lex.europa.eu
  • NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG)

This page provides structured guidance based on publicly available sources (NIS 2 Directive, BSIG, EU SME Recommendation). It does not constitute legal advice within the meaning of §2 RDG. For specific cases consult an admitted lawyer. As at 2026-06-04.

Find out today if you are in scope
The free applicability check walks the three steps, produces a written result, and tells you what the §33 BSIG deadline is in your case.