Are we a drinking water provider in NIS 2 scope?
Annex I sector 6 of NIS 2 covers suppliers and distributors of water intended for human consumption. The size threshold is medium enterprise or larger. The KRITIS threshold of 22 million cubic metres per year is a separate, stricter regime that sits on top.
The short version
NIS 2 lists drinking water as Annex I sector 6. The definition of drinking water is taken from Directive (EU) 2020/2184, the recast Drinking Water Directive: water intended for human consumption, supplied through a distribution network or from a tanker, or used in food production. If your entity supplies or distributes that water, you are inside the sector.
Article 2(1) NIS 2 adds the size test: at least 50 staff, or more than 10 million euro turnover and balance sheet, measured per Recommendation 2003/361/EC. A municipal water utility, a regional Wasserverband or a Stadtwerk water arm usually passes that bar by a wide margin. The KRITIS regime kicks in only above 22 million cubic metres per year, which is a much higher bar than NIS 2.
Germany puts this into national law through §28 BSIG. The KRITIS-Verordnung sets the 22 million cubic metres threshold for the German KRITIS regime. Most German drinking water suppliers are NIS 2 entities but not KRITIS operators. Both layers are independent. Failing the KRITIS threshold does not remove NIS 2.
NIS 2 Directive (2022/2555), Annex I sector 6 Drinking water
Suppliers and distributors of water intended for human consumption as defined in point 1 of Article 2 of Directive (EU) 2020/2184 of the European Parliament and of the Council, but excluding distributors for whom distribution of water for human consumption is a non-essential part of their general activity of distributing other commodities and goods.
The sector test is binary. If you supply or distribute drinking water as a core activity, sector 6 applies. The carve-out is narrow: it removes distributors of other commodities who happen to also pass on drinking water as a side activity. A water utility, Wasserverband, Zweckverband or Stadtwerk water arm does not fall under that carve-out.
Article 2(1) NIS 2 + Recommendation 2003/361/EC + KRITIS-Verordnung
This Directive applies to public or private entities of a type referred to in Annex I or Annex II which qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC, or exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article.
The size test is medium enterprise or larger: at least 50 staff, or more than 10 million euro annual turnover and balance sheet. KRITIS uses a separate sector specific threshold for drinking water: more than 22 million cubic metres per year, set in the KRITIS-Verordnung. KRITIS thresholds do not gate NIS 2.
§28 BSIG (Germany)
Besonders wichtige Einrichtungen und wichtige Einrichtungen sind natürliche oder juristische Personen oder rechtlich unselbständige Organisationseinheiten einer Gebietskörperschaft, die einer der in den Anlagen 1 oder 2 genannten Einrichtungsarten zuzuordnen sind und die Schwellenwerte nach Artikel 2 der Empfehlung 2003/361/EG erreichen oder überschreiten.
§28 BSIG is the German entry door into NIS 2. Drinking water sits in Anlage 1 (besonders wichtige Sektoren) as Trinkwasser. Crossing the KRITIS-Verordnung threshold of 22 million cubic metres per year adds the Betreiber kritischer Anlagen layer with the three year audit cycle under §65 BSIG. Below that threshold a drinking water supplier is still a besonders wichtige Einrichtung in the NIS 2 sense.
Do you supply or distribute drinking water?
Drinking water means water intended for human consumption per Article 2(1) of Directive (EU) 2020/2184. That includes water supplied through a public network, water from a tanker, and water used in food production. If your entity captures, treats, supplies or distributes that water as a core activity, sector 6 applies. Bottled water producers are out of sector 6 (they sit under food production, a different Annex I sector in the original directive draft and now outside NIS 2 sector 6).
Are you at least a medium enterprise?
At least 50 staff, or more than 10 million euro annual turnover and balance sheet. The headcount and the financial ceilings come from Recommendation 2003/361/EC. Public ownership does not change the test. A Zweckverband or municipal utility counts staff and turnover the same way as a private GmbH.
Do you cross 22 million cubic metres per year?
The KRITIS-Verordnung sets a single threshold for drinking water: more than 22 million cubic metres of supplied water per year. Cross that line and the KRITIS regime applies on top of NIS 2: independent audit every three years under §65 BSIG, additional reporting duties, registration as Betreiber einer kritischen Anlage. Below that line, you owe NIS 2 only. Roughly 80 percent of German drinking water suppliers sit below the KRITIS threshold but inside NIS 2.
The side-activity carve-out is narrow
Annex I sector 6 carves out distributors for whom drinking water is a non-essential part of their general activity of distributing other commodities. That clause exists for retailers and logistics businesses that happen to pass on bottled water alongside other goods. It does not exempt a water utility or a Stadtwerk water arm. If drinking water is a named line of business, the carve-out does not apply.
Drinking water plus waste water plus electricity is one NIS 2 entity
A municipal utility that supplies drinking water, treats waste water and runs an electricity grid touches three Annex I sectors at once. Inside one legal entity that is still one NIS 2 obligation. One registration with the BSI. One management body sign-off. One risk register that covers the OT and IT across all three. Splitting the work per business unit produces overlapping evidence and gaps at the seams.
BSI / §28 BSIG and KRITIS-Verordnung
The BSI is the cyber authority for drinking water. It runs the §33 BSIG registration portal, takes §32 BSIG significant-incident notifications, and publishes the branchenspezifischer Sicherheitsstandard Wasser. If the supplier is also KRITIS, the BSI is the addressee for the three-yearly audit evidence under §65 BSIG.
Umweltbundesamt and Gesundheitsämter
Water quality, not cyber, sits at the Umweltbundesamt and the regional health offices under the German Trinkwasserverordnung (which transposes Directive (EU) 2020/2184). NIS 2 does not change that. The cyber duties under §28 BSIG run in parallel to the water quality duties under the Trinkwasserverordnung.
ENISA Technical Implementation Guidance
ENISA's TIG covers Annex I sector 6 explicitly. It explains how the Article 21 control catalogue applies to drinking water operators and how it maps to existing ISO 27001 or NIST CSF 2.0 work via the official TIG mapping table. A supplier that already runs an ISMS has a documented crosswalk to NIS 2 evidence.
Drinking water suppliers elsewhere
Other member states transpose NIS 2 with the same sector definition (Annex I is EU law). Austria runs it through NISG, the Netherlands through Cyberbeveiligingswet, Belgium through NIS2-Wet. What differs is the supervising authority and the timing of any sector-specific audit cycle. The 22 million cubic metres threshold is a German KRITIS rule, not an EU NIS 2 rule.
We are well below 22 million cubic metres per year, so NIS 2 does not apply to us.
The 22 million cubic metres threshold gates the KRITIS regime, not NIS 2. A Wasserverband supplying 4 million cubic metres per year is below KRITIS but still a NIS 2 entity under Annex I sector 6 and §28 BSIG, with the full Article 21 control catalogue, §33 BSIG registration and §32 BSIG incident reporting duties. NIS 2 starts at 50 staff or 10 million euro, not at a volume threshold.
We bottle mineral water for retail, so we are a drinking water provider under NIS 2.
Annex I sector 6 covers suppliers and distributors of water intended for human consumption as defined in Directive (EU) 2020/2184. That directive deals with public water supply, not packaged mineral water. Bottlers are food producers, not sector 6 drinking water providers. NIS 2 may still apply through another sector (food production sits in Annex II), but not through sector 6.
We are a small Wasserwerk owned by the municipality, so the directive cannot mean us.
Annex I applies to public or private entities. Municipal ownership does not exempt a Wasserwerk. The only carve-out for NIS 2 is national security and defence functions. A Wasserwerk with 60 staff in a Zweckverband is a besonders wichtige Einrichtung under §28 BSIG the same way a private utility is.
A typical small German water supplier with 80 staff, supplying 6 million cubic metres of drinking water per year to around 40,000 households, sits unambiguously inside NIS 2 scope through Annex I sector 6. The size test is comfortably passed. KRITIS does not apply, so the three-yearly audit under §65 BSIG is not in play. But §28, §30, §32 and §33 BSIG all apply in full: registration with the BSI, the Article 21 control catalogue, management body sign-off, significant-incident reporting within 24 and 72 hours.
The risk register needs to cover the OT and SCADA at the waterworks, the treatment plants, the network telemetry, the customer billing IT, and the cloud services used for monitoring. The supply chain measures under Article 21(2)(d) need to reach the chemicals supplier and the SCADA vendor. None of this is conditional on hitting 22 million cubic metres. The KRITIS bar is a separate, stricter layer that almost no German Wasserwerk reaches.
The applicability check asks one question at a time: do you supply or distribute drinking water under Directive (EU) 2020/2184, how many staff, what is the turnover, what is the annual volume in cubic metres. It returns a clean answer for §28 BSIG and a separate answer for the KRITIS-Verordnung threshold. No conflating the two layers.
The assets module captures the OT inventory across waterworks, network and telemetry in one place. The risk register sits on top of that inventory so SCADA at a treatment plant and the billing IT live in the same compliance picture. If the supplier later crosses the KRITIS threshold, the same evidence carries over and the three-yearly audit cycle slots in without a parallel system.
- Directive (EU) 2022/2555 (NIS 2), Annex I sector 6 — eur-lex.europa.eu/eli/dir/2022/2555/oj
- Directive (EU) 2022/2555 (NIS 2), Article 2(1) — eur-lex.europa.eu/eli/dir/2022/2555/oj
- Directive (EU) 2020/2184 (Drinking Water Directive recast), Article 2(1) — eur-lex.europa.eu/eli/dir/2020/2184/oj
- Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises
- BSI Act (BSIG), §28 (Anwendungsbereich), §32 (Meldepflichten) and §33 (Registrierung) as amended by the NIS2 Implementation and Cybersecurity Strengthening Act
- KRITIS-Verordnung (BSI-Kritisverordnung), Anlage 1 — threshold of 22 million cubic metres per year for the Trinkwasser sector
- BSI branchenspezifischer Sicherheitsstandard Wasser/Abwasser
- Trinkwasserverordnung (German transposition of Directive (EU) 2020/2184)