Annex II Sector 10

NIS 2 and research organisations

Annex II sector 10 covers research organisations that work on applied research or experimental development for commercial use. Universities are out by default. Member States may extend the scope.

Simon Orzel

Why this article exists

Annex II of the NIS 2 Directive ((EU) 2022/2555) lists research organisations as sector 10. The category sits in Annex II, so qualifying entities are classified as important entities (wichtige Einrichtungen).

The scope is narrower than the everyday meaning of research. NIS 2 looks at one specific type of activity: applied research or experimental development intended to produce results that are then exploited commercially. Basic research, pure academic work, and educational activities are not in scope by default.

The page sets out the EU layer first (Annex II, Article 6(41), Recital 39, Article 2(1) size test), then the German implementation in §28 BSIG and the practical pitfalls we see most often when research bodies run an applicability check.

Primary sources

Three layers govern whether a research organisation falls under NIS 2: the Directive itself, the definition in Article 6, and the national transposition.

Annex II, Sector 10 (Directive (EU) 2022/2555)

Research organisations

Annex II point 10 lists the sector with the single entity type 'research organisations'. The substantive definition lives in Article 6(41) and is reinforced by Recital 39.

Article 6(41), Recital 39 (Directive (EU) 2022/2555)

'Research organisation' means an entity which has as its primary goal to conduct applied research or experimental development with a view to exploiting the results of that research for commercial purposes, and which does not include educational institutions.

Recital 39 adds that this Directive should not apply to educational institutions, in particular universities or research centres which carry out research activities on a non-commercial basis. Member States may decide that educational institutions are to fall within the scope of this Directive on the basis of their national policies and approaches.

§28 BSIG (NIS2UmsuCG, Germany)

Research organisations established in Germany that meet or exceed the thresholds set out in §28(1) BSIG are deemed important entities (wichtige Einrichtungen).

Germany transposes Annex II sector 10 into §28 BSIG. The entity stays an important entity (wichtige Einrichtung) and falls into the §65 BSIG penalty band of up to 7 million euro or 1.4 percent of global annual turnover, whichever is higher.

What the scope test looks at

Three elements decide whether a research body is in: the definition, the size threshold, and any national extension.

Art. 6(41)

Applied research with a commercial purpose

Primary activity is applied research or experimental development, with the intent that the results are exploited commercially. Licensing, spin-offs, contract research for industry, or sale of prototypes are typical signals. Pure curiosity-driven research, teaching, and outreach are not.

Art. 2(1)

Medium-sized or above

Article 2(1) NIS 2 applies the EU Recommendation 2003/361/EC threshold. The entity reaches it with at least 50 staff or annual turnover and balance sheet total above 10 million euro. Below the threshold the entity is not in scope unless a Member State applies a regardless-of-size override.

Recital 39

National extension to universities

Member States may decide to bring educational institutions, including universities, into the scope through national law. Without such an extension, universities are out, even if they run large applied-research units. Whether the country has extended is a question for the national transposition act.

Two principles that keep being misread

These are the two structural rules that decide most of the close cases we see in applicability checks.

Educational institutions are excluded by default

Recital 39 is explicit: NIS 2 does not apply to educational institutions, in particular universities or research centres which carry out research activities on a non-commercial basis. A university research unit doing contract work for industry is not automatically swept in. The exclusion is at the level of the institution, not the project.

Funding source does not decide scope

The definition turns on the activity (applied research, commercial exploitation), not on who pays. A privately funded research GmbH and a publicly funded Fraunhofer institute are both in scope if they meet the definition and the size test. A purely publicly funded basic-research institute is not in scope because the activity is wrong, not because the funding is public.

Germany: how the scope works in practice

The German competent authority and the underlying European frame for research-sector application.

DE

BSI as competent authority

The Bundesamt für Sicherheit in der Informationstechnik (BSI) is the competent authority for research organisations under §28 BSIG. Registration runs through the BSI portal; the obligations are identical to other important entities under §§30 to 32 BSIG.

EU

ENISA guidance

ENISA Technical Implementation Guidance (v1.2, August 2025) treats research organisations the same as other Annex II entities for the Article 21 risk-management measures. There is no research-specific carve-out in the implementing regulation. Sectoral specifics show up only in incident-reporting thresholds via national supervisory practice.

DE

No general university extension in §28 BSIG

Germany has not, in the NIS2UmsuCG, made a general extension of NIS 2 to universities. Hochschulen and university research centres therefore remain out of NIS 2 scope at federal level, although other federal or state laws (for example IT-security laws of individual Länder) may still apply.

Three pitfalls in applicability checks

These are the answers we have to correct most often when research bodies self-assess.

  • Universities are also research, so they must be in scope.

    By default, no. Recital 39 carves out educational institutions, in particular universities and non-commercial research centres. They are only in scope if the Member State has expressly extended NIS 2 to them by national law. In Germany, that extension has not been made.

  • Only publicly funded research institutes are in scope.

    Wrong direction. The definition looks at activity and commercial exploitation intent, not at the funding source. A private contract-research company can be fully in scope. A purely publicly funded basic-research body is out because the activity is non-commercial, not because the funds are public.

  • We are a non-profit, so NIS 2 does not apply.

    Legal form does not decide scope. A gemeinnützige GmbH or e.V. running applied research for commercial exploitation can meet the definition. The test is the activity and the size threshold, not the tax status.

Practitioner notes

In applicability checks we run, the close call is almost always a contract-research arm of a university or a publicly funded institute with a strong technology-transfer pipeline. The right question is not whether the entity does research, but whether its primary purpose is applied research or experimental development with a commercial exploitation route.

If the answer is yes and the entity meets the Article 2(1) size threshold, it is in NIS 2 as an important entity, regardless of whether it sees itself as part of the public research landscape. The platform applicability check walks through Article 6(41) and Article 2(1) explicitly so this is not left to interpretation.

How the platform handles this

Sector 10 entities run the same NIS 2 obligation register as any other important entity: registration under Article 27, governance under Article 20, the ten risk-management areas in Article 21(2), and incident reporting under Article 23. The platform structures all of these as continuous obligations rather than a one-off project.

Where a research organisation has a specific evidence pattern (for example, technology-transfer contracts that have to satisfy Article 21(2)(d) supply-chain clauses), this lives in the supplier and contract modules. There is no separate research module because the Article 21 measures are sector-neutral.

Sources
  • Directive (EU) 2022/2555 (NIS 2), Annex II point 10 (Research)
  • Directive (EU) 2022/2555 (NIS 2), Article 6(41), definition of research organisation
  • Directive (EU) 2022/2555 (NIS 2), Recital 39, exclusion of educational institutions and optional Member State extension
  • Directive (EU) 2022/2555 (NIS 2), Article 2(1), scope and size threshold via Recommendation 2003/361/EC
  • BSIG (Gesetz zur Umsetzung der NIS-2-Richtlinie, NIS2UmsuCG), §28, sectoral scope including research organisations
  • BSIG §65, penalty band for important entities (up to 7 million euro or 1.4 percent of global annual turnover)
  • ENISA Technical Implementation Guidance for NIS 2 Article 21, v1.2 (August 2025)