Am I a cloud computing provider under NIS 2?
NIS 2 lists cloud computing services in Annex I sector 8 (Digital Infrastructure). Article 6(30) sets the legal definition covering IaaS, PaaS and SaaS. Article 2(1) then applies the normal medium-enterprise size test. CIR (EU) 2024/2690 puts cloud providers in its Annex, which means parts of that Regulation bind you directly across the EU.
The short version
If you provide a cloud computing service to customers, you are in NIS 2 scope as soon as you cross the medium-enterprise size threshold. Annex I sector 8 names cloud computing service providers directly under Digital Infrastructure. The Article 6(30) definition is broad: IaaS, PaaS, SaaS, public cloud, private cloud sold as a service, hybrid offerings, all count.
Unlike telecoms or DNS, cloud providers are not on the regardless-of-size list in Article 2(2). The normal Article 2(1) test applies: medium-sized under Recommendation 2003/361/EC means 50 staff or more, or annual turnover above EUR 10 million. Cross either threshold and you fall in scope. Stay under both and you are normally out; the limited carve-ins in Article 2(2) and (3) do not apply to cloud as such.
Germany puts this into national law through §28 BSIG. The BSI is your authority. On top of the Directive, Commission Implementing Regulation (EU) 2024/2690 lists cloud providers in its Annex, so its technical and methodological requirements bind you directly without needing further German law. This page walks the Directive, the EU definition and the German transposition in that order.
NIS 2 Directive (2022/2555), Annex I Sector 8 and Art. 6(30)
Sector 8 Digital Infrastructure: providers of cloud computing services. 'Cloud computing service' means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations.
Two passages have to be read together. Annex I sector 8 names cloud computing service providers as essential infrastructure. Article 6(30) defines what counts as a cloud computing service. The wording is technology-neutral and covers IaaS, PaaS and SaaS. There is no further EU regulation that redefines this term, so the Directive's own definition controls.
Commission Implementing Regulation (EU) 2024/2690 (CIR), Annex
This Regulation applies to the entities referred to in Article 3 of Directive (EU) 2022/2555 listed in the Annex to this Regulation, namely: DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, of online search engines and of social networking services platforms, and trust service providers.
CIR (EU) 2024/2690 lists cloud computing service providers in its Annex. This is the legal trick that matters: a Regulation is directly applicable, no national transposition needed. The CIR sets the detailed risk management framework (§2), the requirements for incident management, supply chain security, vulnerability handling and the 'significant incident' thresholds for these sectors. Cloud providers therefore deal with a Directive layer (BSIG-transposed) plus a Regulation layer that binds them in the same wording across all member states.
§28 BSIG, Germany
Providers of cloud computing services are deemed particularly important entities ('besonders wichtige Einrichtungen') within the meaning of this Act, provided they reach the thresholds for medium-sized enterprises under Recommendation 2003/361/EC.
Germany transposes the cloud duties through §28 BSIG. The BSI is the central NIS 2 authority for registration, the risk management framework and incident reporting. Cloud providers above the size threshold are classified as 'besonders wichtige Einrichtungen' (essential entities). Below the threshold, the duties do not apply unless one of the limited Article 2(2) or (3) carve-ins is triggered. Cloud as such is not in those lists.
Do you provide a cloud computing service?
Apply the Article 6(30) definition. The service must be digital, on demand, broadly remotely accessible, and run on a scalable and elastic pool of shareable resources. IaaS (compute, storage, network), PaaS (managed runtimes, databases as a service), and SaaS (multi-tenant business applications sold over the network) all meet the definition. A single-tenant hosted application sold as a service usually does too, because the underlying resource pool is shared at the provider level.
Do you cross the size threshold?
Cloud providers follow the normal Article 2(1) test. Under Recommendation 2003/361/EC, medium-sized starts at 50 staff or annual turnover above EUR 10 million (with annual balance sheet total above EUR 10 million as the alternative). At 250 staff or turnover above EUR 50 million you become a large enterprise and are classified as 'essential'. Below 50 staff and turnover under EUR 10 million, you are normally out of scope as a cloud provider.
The CIR binds you directly
Once you are in scope, two layers stack. The BSIG (in Germany) transposes the Directive. CIR (EU) 2024/2690 lists you in its Annex and binds you directly. That means the §2 CIR risk management framework, the supply chain rules in §6 and the incident-significance thresholds apply in the same wording in every member state. There is no national variant of the CIR to consult.
All three service layers count
Article 6(30) is layer-neutral. IaaS, PaaS and SaaS all satisfy the definition because all three rest on a scalable and elastic shared resource pool. A common mistake is to assume that 'cloud' means hyperscaler IaaS only. The text catches a German SaaS vendor selling a multi-tenant HR tool just as it catches AWS, Azure and GCP. The size threshold then filters who actually has duties.
Elastic and shareable is the line
If the resource pool is not scalable and elastic, or not shareable, the service is not a cloud computing service under Article 6(30). A single-customer dedicated server with fixed capacity that you operate on the customer's behalf is hosting, not cloud. A customer-dedicated data centre cage is colocation, not cloud. Both may still sit under other rows of Annex I sector 8 (data centre service, managed service), but not under the cloud row. The definition does the filtering.
BSI / §28 BSIG
The BSI is the central NIS 2 authority. Registration, the risk management framework, the incident reporting timeline (24h early warning, 72h notification, 1-month final report) all run through the BSI. §28 BSIG classifies in-scope cloud providers as 'besonders wichtige Einrichtungen'. Once you cross the size threshold, you register with the BSI.
BSI C5 (operational reference)
C5 is the BSI's cloud security catalogue. It is not an NIS 2 obligation, but in practice many German cloud customers ask for a C5 type 2 attestation in their contracts. The control set overlaps heavily with the CIR §2 risk management framework, so providers who already hold a C5 attestation can reuse most of the evidence for their NIS 2 risk management documentation.
ENISA / CIR Annex
ENISA, the EU cybersecurity agency, publishes Technical Implementation Guidance for the CIR. Because cloud providers are listed in the CIR Annex, that guidance is the day-to-day reference for §2 risk management, supply chain expectations and the 'significant incident' threshold model. The text is identical EU-wide, so a cloud provider serving DE, NL, FR and IT applies the same CIR wording in every market.
National cybersecurity authorities
Every member state has its own NIS 2 authority running the registration and supervision layer: RDI in the Netherlands, ANSSI in France, ACN in Italy, INCIBE in Spain. The Directive duties are transposed locally, while the CIR binds in the same wording everywhere. For a cloud provider selling across the EU, the registrations are national, but the risk management framework is one document used everywhere.
We rent dedicated servers, so we are a cloud provider under NIS 2.
Usually not, on the cloud row. Article 6(30) requires a scalable and elastic pool of shareable resources. A bare-metal server rented to one customer with fixed capacity is hosting. It may bring you under the data centre service row of Annex I sector 8 (different definition, same sector), or under managed service provider if you also operate it for the customer, but not under cloud computing service. Read the definitions, not the marketing label on your own price list.
We are a small SaaS, so cloud rules do not apply to us.
The legal test is two-part. First, Article 6(30): a multi-tenant SaaS sold over the network on a shared infrastructure meets the definition. Second, Article 2(1): the size threshold. If you are under 50 staff and under EUR 10 million turnover, you are out of scope on the cloud row. If you cross either, you are in. 'Niche' is not a legal category. The numbers and the definition do the work.
We run a private cloud for our own group, so we are an in-scope cloud provider.
Usually not. The Article 6(30) service has to be provided to customers. A purely internal private cloud serving only your own organisation is not a service in the regulatory sense, so it does not count for the cloud row. You may still be in NIS 2 scope on the sector your group operates in (energy, health, transport, manufacturing), but not as a cloud computing service provider on the back of an internal platform.
A 60-person German SaaS vendor with a multi-tenant product and EUR 12 million in annual turnover is in NIS 2 scope on the cloud row. Annex I sector 8 names cloud computing service providers; Article 6(30) is met because the resource pool is shared, elastic and remotely accessible; Article 2(1) is met because the company is medium-sized. §28 BSIG classifies it as 'besonders wichtige Einrichtungen'. The CIR Annex puts it under the directly binding §2 risk management framework. None of this is discretionary.
What we see in practice: the provider writes a §2 CIR risk management framework against its production stack (application, runtime, data layer, identity, supporting cloud accounts), maps Article 21(2) topics onto the framework, and uses Article 21(1) proportionality to scale depth to a 60-person operation. Incident detection, the 24h / 72h / 1-month notification cadence and the supply chain duties in §6 CIR all rest on the same asset list. A C5 type 2 attestation, if the provider holds one, covers a large share of the §2 evidence and is reused as documentation, not redone.
Our applicability check walks Article 6(30) step by step. It asks what you provide, whether the resource pool is shared and elastic, and whether the service is sold to customers. The output tells you which Annex I row applies (cloud, data centre, managed service, all separate definitions), whether the Article 2(1) size threshold catches you, and which CIR Annex categories bind you directly in addition to the BSIG.
The assets module covers the production stack on one inventory: tenant boundaries, identity providers, data stores, supporting cloud accounts, third-party processors. The §2 CIR risk management framework then runs against that inventory, so the same asset list feeds the BSI registration, the §6 CIR supply chain assessments and the C5 attestation evidence without double maintenance.
- Directive (EU) 2022/2555 (NIS 2), Annex I Sector 8 and Article 6(30) cloud computing service definition — eur-lex.europa.eu/eli/dir/2022/2555/oj
- Directive (EU) 2022/2555 (NIS 2), Article 2(1) size and sector scope; Article 2(2) regardless-of-size carve-ins — eur-lex.europa.eu/eli/dir/2022/2555/oj
- Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises — eur-lex.europa.eu/eli/reco/2003/361/oj
- Commission Implementing Regulation (EU) 2024/2690 (CIR), Annex (lists cloud computing service providers among the entities directly bound) — eur-lex.europa.eu/eli/reg_impl/2024/2690/oj
- BSI Act (BSIG), §28 as amended by the NIS2 Implementation and Cybersecurity Strengthening Act
- BSI C5 (Cloud Computing Compliance Criteria Catalogue), current edition — bsi.bund.de