Are we a waste water operator in NIS 2 scope?
NIS 2 Annex I sector 7 covers undertakings that collect, dispose of or treat urban, domestic or industrial waste water. The size test from Article 2(1) is the second gate. KRITIS is a stricter regime that sits on top for the largest plants, but it does not gate NIS 2.
The short version
If your entity collects, disposes of or treats urban waste water, domestic waste water or industrial waste water as a core activity, you are inside NIS 2 Annex I sector 7. The Directive defines those three waste water types by reference to Council Directive 91/271/EEC (Urban Waste Water Treatment Directive). One sentence of Annex I decides the sector question.
Article 2(1) of NIS 2 adds the size test: medium enterprise or larger, meaning at least 50 staff, or more than 10 million euro turnover and more than 10 million euro balance sheet. Most municipal operators that run a treatment plant of any meaningful size pass that test once you count operations, maintenance and administration together.
The KRITIS-Verordnung sets a separate, stricter threshold for the German KRITIS regime: a population equivalent of 500,000 for waste water treatment. A plant below that figure is not KRITIS, but is still a NIS 2 entity under §28 BSIG. The KRITIS regime adds duties on top of NIS 2. It does not replace NIS 2 and it does not gate it.
NIS 2 Directive (EU) 2022/2555, Annex I sector 7 Waste Water
Undertakings collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water as defined in point (1), (2) and (3) of Article 2 of Council Directive 91/271/EEC, excluding undertakings for which collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water is a non-essential part of their general activity.
Three things to read carefully. First, the activity definitions come from the Urban Waste Water Treatment Directive 91/271/EEC, not from NIS 2 itself. Second, all three waste water types count: urban, domestic and industrial. Third, the only carve-out is for entities where waste water work is a side activity. If treatment or disposal is part of your core operations, you are inside sector 7.
Article 2(1) NIS 2 plus Recommendation 2003/361/EC
This Directive applies to public or private entities of a type referred to in Annex I or Annex II which qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC, or exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article.
Medium enterprise means at least 50 staff, or more than 10 million euro turnover and more than 10 million euro balance sheet. Apply the test to the legal entity that runs the waste water activity. A Zweckverband, a Stadtwerk daughter company, an Eigenbetrieb or a private operator are all treated the same way once they pass the size test.
§28 BSIG (Germany) plus KRITIS-Verordnung
Besonders wichtige Einrichtungen und wichtige Einrichtungen sind natürliche oder juristische Personen oder rechtlich unselbständige Organisationseinheiten einer Gebietskörperschaft, die einer der in den Anlagen 1 oder 2 genannten Einrichtungsarten zuzuordnen sind und die Schwellenwerte nach Artikel 2 der Empfehlung 2003/361/EG erreichen oder überschreiten.
§28 BSIG is the German entry into NIS 2. Anlage 1 lists 'besonders wichtige' types (essential), Anlage 2 lists 'wichtige' types (important). Waste water sits in this list. A plant that also crosses the KRITIS threshold of 500,000 population equivalents in the KRITIS-Verordnung counts as 'Betreiber einer Kritischen Anlage' and lands in the stricter 'besonders wichtige' bucket on top.
Do you collect, dispose of or treat waste water as a core activity?
Walk the three Directive 91/271/EEC categories. Urban waste water is the mix of domestic waste water with industrial waste water or run-off rainwater. Domestic waste water comes from residential buildings. Industrial waste water comes from production. If any of those flows through your sewers, your pumping stations or your treatment plant as part of your core operations, you are inside sector 7.
Are you at least a medium enterprise?
At least 50 staff, or more than 10 million euro turnover and more than 10 million euro balance sheet. Count the whole legal entity, not the plant in isolation. A Zweckverband with 65 staff across operations, lab work and administration passes the test even if the plant itself runs with a small night shift. Below the bar a narrow set of entities can still be in scope where Article 2(2) brings them in regardless of size, but the general rule for sector 7 is the size test.
Do you cross the KRITIS threshold of 500,000 population equivalents?
The KRITIS-Verordnung sets the German waste water threshold at a population equivalent of 500,000. Cross that figure and you are also 'Betreiber einer Kritischen Anlage', with the three-yearly audit cycle under §65 BSIG and the stricter classification. Most municipal plants in Germany sit well below 500,000 EW. They are not KRITIS, but they are still NIS 2 entities under §28 BSIG.
Side-product waste water does not put you in sector 7
The Annex I carve-out is explicit. If waste water work is a non-essential part of your general activity (an on-site pre-treatment unit at a factory, a parking-deck oil separator, a small in-house sewage plant at a remote site) the operator is not in sector 7 on that basis. The factory itself may still be in scope under a different Annex I or II sector. The waste water work is what falls outside, not the legal entity.
Inside a Stadtwerk, waste water is one of several sectors
A Stadtwerk often runs electricity, drinking water and waste water under one legal entity. NIS 2 still treats that as one entity with one registration. The waste water activity does not get a separate file. The risk register, the assets module and the incident reporting cover all sectors in one place. See the Stadtwerk article for the full multi-sector treatment.
BSI under §28, §32 and §33 BSIG
The BSI is the cyber authority for waste water under §28 BSIG. It runs the §33 BSIG registration portal, accepts §32 BSIG significant-incident notifications and, for KRITIS operators above 500,000 EW, takes the three-yearly audit evidence under §65 BSIG. For operators below the KRITIS threshold there is no audit duty, but registration and reporting still apply.
Umweltbundesamt and KA-Sicherheitsstandard
The Umweltbundesamt and the wastewater industry associations (DWA, BDEW) maintain the sector-specific cyber security standard for waste water plants (B3S Wasser/Abwasser). The B3S is what the BSI accepts as the recognised security standard for the sector under §31 BSIG for KRITIS operators. Non-KRITIS NIS 2 operators are not required to follow the B3S but in practice use it as the working playbook.
Federal states (water authorities)
The environmental side of waste water (discharge permits, treatment quality, sludge handling) sits with the Landesbehörden für Wasserwirtschaft under federal-state water law. NIS 2 does not change any of that. The state water authority is a different conversation than the BSI conversation. A cyber incident that also has an environmental impact may require notifications to both lines.
ENISA Technical Implementation Guidance
ENISA's TIG covers sector 7 explicitly and maps the Article 21 control catalogue to ISO 27001 and NIST CSF 2.0. Operators that already run an environmental ISO management system have a partial head start. The TIG is non-binding but is the EU-wide reference for what 'appropriate and proportionate' under Article 21(1) looks like.
We treat our own factory waste water on site, so we are a sector 7 operator.
Annex I sector 7 excludes operators where waste water work is a non-essential part of the general activity. An on-site pre-treatment unit at a chemicals plant does not make the chemicals plant a sector 7 entity. The plant may still be in NIS 2 scope under a different Annex I or II sector (chemicals, manufacturing, food), but not through the waste water line.
Our plant is below 500,000 EW, so NIS 2 does not apply.
The 500,000 population equivalents figure is the KRITIS threshold from the KRITIS-Verordnung. It gates the KRITIS regime, not NIS 2. A plant at 80,000 EW is below KRITIS but a typical Mittelstand-sized waste water operator above the size test of Article 2(1). It is a NIS 2 entity under §28 BSIG with the full Article 21 control catalogue, registration and incident reporting duties.
We are an Eigenbetrieb of the city, so NIS 2 does not apply.
Annex I covers 'public or private entities'. The legal form (Eigenbetrieb, Zweckverband, Anstalt des öffentlichen Rechts, GmbH) does not change the sector test. The only narrow public-sector carve-out in NIS 2 is for national security and defence functions. A municipal waste water operation is not that.
A typical waste water operator we talk to runs a treatment plant at 80,000 to 200,000 population equivalents, a sewer network, a couple of pumping stations and a small lab. Staff sits between 30 and 90. The legal form is either a Zweckverband, an Eigenbetrieb or a GmbH owned by the city. KRITIS does not apply. NIS 2 does, through Annex I sector 7 plus the size test, plus §28 BSIG.
The §30 BSIG risk register has to cover the SCADA on the treatment plant, the telemetry on the pumping stations, the SIM cards in the level sensors, the lab IT and the office IT. The §32 incident reporting flows to the BSI. The §33 registration is one submission for the legal entity. The B3S Wasser/Abwasser is the working playbook even where the audit duty does not apply, because it is the document the BSI knows.
The applicability check walks the sector 7 definition exactly as Annex I writes it: urban, domestic, industrial waste water, with the side-activity carve-out as a separate question. The size test from Article 2(1) is the second step. The KRITIS-Verordnung threshold of 500,000 EW is the third, and is presented as 'on top of NIS 2', not as a gate.
The assets module covers SCADA, telemetry, pumping stations and lab IT under one inventory. The B3S Wasser/Abwasser controls slot into the Article 21(2) catalogue without a parallel list. If you also cross the KRITIS threshold, the three-yearly audit cycle under §65 BSIG turns on as a separate workflow on top of the same evidence.
- Directive (EU) 2022/2555 (NIS 2), Annex I sector 7 Waste Water — eur-lex.europa.eu/eli/dir/2022/2555/oj
- Directive (EU) 2022/2555 (NIS 2), Article 2(1) — eur-lex.europa.eu/eli/dir/2022/2555/oj
- Council Directive 91/271/EEC concerning urban waste water treatment, Article 2 points (1), (2), (3)
- Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises
- BSIG, §28 (Anwendungsbereich), §32 (Meldepflichten), §33 (Registrierung), §65 (Nachweise) as amended by the NIS2 Implementation and Cybersecurity Strengthening Act
- BSI-Kritisverordnung (KRITIS-Verordnung), Anhang 1 Teil 2 Wasser — population equivalent of 500,000 for waste water treatment
- Branchenspezifischer Sicherheitsstandard Wasser/Abwasser (B3S), DWA / BDEW