Annex I Sector 1 NIS 2

Am I an energy provider under NIS 2?

NIS 2 lists energy in Annex I sector 1 with five sub-sectors (electricity, district heating and cooling, oil, gas, hydrogen) and several entity types per sub-sector. Article 2(1) NIS 2 then adds the size test. KRITIS thresholds under the BSI-KritisV sit separately on top and do not decide NIS 2 scope.

Simon Orzel

The short version

Energy is sector 1 of NIS 2 Annex I. The directive names five sub-sectors (electricity, district heating and cooling, oil, gas, hydrogen) and for each one lists the entity types in scope: producers, distribution system operators, transmission system operators, suppliers, nominated electricity market operators, electricity market participants, operators of refineries and treatment plants, operators of oil pipelines and storage, central stockholding entities, operators of natural gas LNG facilities, operators of hydrogen production and transmission. One sub-sector is enough to put a company in scope.

Article 2(1) NIS 2 adds the size test by reference to Recommendation 2003/361/EC: medium enterprise or larger, meaning at least 50 staff or more than 10 million euro annual turnover and balance sheet. Most energy companies sit comfortably above that bar. Below it, you are normally outside NIS 2 unless a 'regardless of size' override in Article 2(2) catches you.

Germany transposes this through §28 BSIG (Anwendungsbereich) and the related entity catalogue in Anlagen 1 and 2 BSIG. Separately, the BSI-KritisV (KRITIS-Verordnung) sets sector-specific thresholds for the stricter KRITIS regime (for example connected end customers in electricity distribution, or annual delivered volumes). Crossing a KRITIS threshold adds duties on top of NIS 2 (independent audit every three years under §65 BSIG). Failing to cross it does not remove NIS 2.

The legal source
Three layers stacked on top of each other. The directive names the sector and the entity types. The size test sits in Article 2(1) NIS 2 plus Recommendation 2003/361/EC. The German transposition rolls both into §28 BSIG, with KRITIS as a separate, stricter regime alongside.

NIS 2 Directive (EU) 2022/2555, Annex I sector 1 (Energy)

Sector 1 Energy: (a) Electricity, including electricity undertakings, distribution system operators, transmission system operators, producers, nominated electricity market operators and market participants providing aggregation, demand response or energy storage services; (b) District heating and cooling, including operators of district heating or district cooling; (c) Oil, including operators of oil transmission pipelines, operators of oil production, refining and treatment facilities, storage and transmission, and central stockholding entities; (d) Gas, including supply undertakings, distribution system operators, transmission system operators, storage system operators, LNG system operators, natural gas undertakings, and operators of natural gas refining and treatment facilities; (e) Hydrogen, including operators of hydrogen production, storage and transmission.

Annex I sector 1 sets the perimeter. If you run any of these activities and you pass the Article 2(1) size test, you are inside NIS 2 by default. The list is non-exhaustive within each entity type definition, so a company that handles aggregation, demand response or storage on the electricity side is named explicitly even though it is not the classic utility shape.

Article 2(1) NIS 2 + Recommendation 2003/361/EC

This Directive applies to public or private entities of a type referred to in Annex I or Annex II which qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC, or exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article.

The size test is at least 50 staff, or more than 10 million euro annual turnover and balance sheet. It applies to the legal entity, not to each business unit. A 30-person hydrogen producer with 8 million euro turnover would normally fall below the bar. A 200-person municipal electricity distribution operator is comfortably above it. Article 2(2) lists 'regardless of size' overrides that can pull smaller entities in (for example sole providers of an essential service in a member state), but the standard route is the size test.

§28 BSIG plus BSI-KritisV (Germany)

Particularly important entities and important entities are natural or legal persons, or legally dependent organisational units of a regional or local authority, that are attributable to one of the entity types named in Anlagen 1 or 2 and that meet or exceed the thresholds under Article 2 of Recommendation 2003/361/EC.

§28 BSIG is the German entry door into NIS 2 scope. Anlage 1 BSIG lists the 'besonders wichtige' (essential) entity types, Anlage 2 lists the 'wichtige' (important) types. Energy sub-sectors largely land in Anlage 1. The BSI-KritisV (Verordnung zur Bestimmung Kritischer Anlagen) sets the separate KRITIS thresholds. An energy company that crosses a KRITIS threshold is also Betreiber einer Kritischen Anlage and lands in the stricter 'besonders wichtige' bucket on that basis, with the three-yearly audit duty under §65 BSIG.

Three questions to settle
Three tests in order. Sub-sector first, size second, KRITIS third. The first two decide whether NIS 2 applies. The third decides whether the stricter KRITIS regime sits on top.

Sub-sector

Which Annex I energy activity do you run?

Walk the five sub-sectors: electricity, district heating and cooling, oil, gas, hydrogen. Inside each sub-sector the directive names the entity types (producers, distribution system operators, transmission system operators, suppliers, storage and LNG operators, refining and treatment operators, central stockholding entities, market operators and market participants). One match is enough. Renewables producers, biogas suppliers and hydrogen start-ups are not exempt by definition: they fit under producers or supply undertakings.

Size

Are you at least a medium enterprise?

Apply the test to the legal entity: at least 50 staff, or more than 10 million euro annual turnover and balance sheet. Most established energy companies pass. New entrants in renewables or hydrogen often sit below the bar and stay outside NIS 2 unless an Article 2(2) override catches them. Group structures: the Recommendation 2003/361/EC rules on linked and partner enterprises apply, so a small operating GmbH inside a large group can still count as large.

KRITIS

Do you cross a BSI-KritisV threshold?

Sector-specific thresholds set in the BSI-KritisV decide the KRITIS regime, not NIS 2. The well-documented example for electricity distribution is 100,000 connected end customers or roughly 3,700 GWh annual delivered electricity. Comparable thresholds exist for gas, district heating and oil. Cross one of them and the stricter audit duties (independent audit every three years under §65 BSIG) apply on top of NIS 2. Sit below all of them and you still owe the full §28 BSIG and Article 21 NIS 2 catalogue.

Two principles that decide most edge cases
Both come straight out of the directive and the German transposition. Both surface on almost every energy call.

NIS 2 sits on top of EnWG, not next to it

Energy companies in Germany already live under §11(1a) and §11(1b) EnWG, which require an IT security catalogue published by the Bundesnetzagentur in cooperation with the BSI. NIS 2 does not replace that. The two regimes overlap on Article 21 territory (risk management measures) but NIS 2 adds the §33 BSIG registration duty, the §32 BSIG significant-incident reporting cycle, the management training duty under Article 20, and the supply-chain duties under Article 21(2)(d). Running the EnWG catalogue is necessary, not sufficient.

KRITIS thresholds are per sub-sector, NIS 2 scope is per entity

The BSI-KritisV thresholds are written per activity (electricity distribution, electricity generation, gas storage, etc.) and apply to the operated Anlage. NIS 2 scope under §28 BSIG and Article 2(1) NIS 2 applies to the legal entity. A vertically integrated energy company can be below every individual KRITIS threshold and still be a full NIS 2 entity because the entity as a whole crosses the size bar.

Who supervises what
Energy companies talk to several authorities in parallel. The BSI is the cyber regulator under NIS 2. The Bundesnetzagentur owns the energy sector regulation and the IT security catalogue. ENISA writes the EU-wide reading that other member states converge on.

Germany

BSI / §28 BSIG, §32 reporting, §33 registry

The BSI is the cyber authority under the BSIG. It runs the §33 registration portal where every energy entity in NIS 2 scope submits its company data and updates within two weeks under Article 27(2). It accepts significant-incident notifications under §32 BSIG on the NIS 2 timeline. If the entity is also Betreiber einer Kritischen Anlage, the BSI is the audit counterparty for the three-yearly audit evidence under §65 BSIG.

Germany

Bundesnetzagentur / EnWG §11 IT security catalogue

The Bundesnetzagentur is the sector regulator for electricity and gas. §11(1a) and §11(1b) EnWG require operators of energy networks and energy installations to implement the IT security catalogue the Bundesnetzagentur publishes in cooperation with the BSI. The catalogue and NIS 2 Article 21 measures overlap heavily but are supervised separately. The Bundesnetzagentur also handles audit certification for the catalogue.

EU-wide

ENISA Technical Implementation Guidance

ENISA's Technical Implementation Guidance explains how to put Article 21 measures in place across the energy sub-sectors. Other member states transpose Annex I sector 1 identically (the list is EU law). The implementing authority differs: ACER and national energy regulators take the sector role, national NIS competent authorities take the cyber role. Cross-border energy operators land under more than one regulator at once.

Three traps we see on energy calls
All three come up in almost every conversation with a producer, supplier or grid operator. All three are wrong.

  • We already do the EnWG §11 IT security catalogue, so NIS 2 is covered.

    The catalogue covers a large slice of Article 21 NIS 2, but not all of it. The §33 BSIG registration is separate. The §32 BSIG significant-incident reporting is separate. The Article 20 NIS 2 management training duty is separate. The Article 21(2)(d) supply-chain duty goes beyond the catalogue's scope. Running the catalogue is a strong head start, not a substitute.

  • We are below the BSI-KritisV threshold, so NIS 2 does not apply.

    KRITIS thresholds gate the KRITIS regime, not NIS 2. An electricity distribution operator with 60,000 connected end customers is below the documented 100,000 threshold and is not Betreiber einer Kritischen Anlage. The same operator is still a NIS 2 entity under §28 BSIG and owes the full Article 21 catalogue, the §33 registration and the §32 incident reporting.

  • We are a renewables company (wind, solar, biogas, green hydrogen), so NIS 2 does not apply to us.

    Annex I sector 1 lists electricity producers without distinguishing the generation technology. Wind, solar, hydro, biogas and hydrogen all count. A renewables operator that passes the Article 2(1) size test is in scope on exactly the same terms as a conventional generator. The only exit door is failing the size test, not the generation source.

What this looks like in practice

A typical mid-sized German energy company with 150 staff, an electricity distribution arm serving roughly 40,000 end customers, a gas supply arm, and a small renewables generation portfolio sits inside NIS 2 scope through Annex I sector 1 (electricity and gas sub-sectors). The size test is passed at the entity level. The BSI-KritisV thresholds for the distribution arm are not crossed, so the §65 audit duty does not apply, but §28 BSIG does. The EnWG §11 catalogue is already in place for the grid, so most of Article 21 is in flight before the NIS 2 work starts.

The §30 risk register has to cover OT and SCADA across the distribution grid, the gas network control, and the generation portfolio in one place. The §32 reporting flows through the BSI on the NIS 2 timeline. The §33 registration is one submission for the whole legal entity. Article 20 NIS 2 management training is new for most boards in this segment and is not covered by the EnWG catalogue. Supply-chain controls under Article 21(2)(d) are the second big delta versus the EnWG world.

How we handle this on the platform

The applicability check walks you through the Annex I sector 1 sub-sectors, asks for entity-level staff and turnover, and tells you which §28 BSIG bucket you land in and whether any activity also pulls KRITIS in. The output is a paste-ready memo your management body and your Bundesnetzagentur counterpart can both read.

Where Article 21 NIS 2 and the EnWG §11 catalogue overlap, the platform maps the requirements once and lets the same evidence count for both. The assets module captures OT and IT inventory across all sub-sectors in one place. The §33 registration workflow stays on the platform, including the two-week update cycle under Article 27(2).

Sources
  • Directive (EU) 2022/2555 (NIS 2), Annex I sector 1 — eur-lex.europa.eu/eli/dir/2022/2555/oj
  • Directive (EU) 2022/2555 (NIS 2), Article 2(1) and Article 2(2) — eur-lex.europa.eu/eli/dir/2022/2555/oj
  • Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises
  • BSI Act (BSIG), §28 (Anwendungsbereich), §32 (Meldepflichten), §33 (Registrierung), §65 (Audits) as amended by the NIS2 Implementation and Cybersecurity Strengthening Act — gesetze-im-internet.de
  • Verordnung zur Bestimmung Kritischer Anlagen (BSI-KritisV) — sector-specific thresholds for Energie
  • Energiewirtschaftsgesetz (EnWG), §11(1a) and §11(1b) — gesetze-im-internet.de
  • Bundesnetzagentur IT security catalogue for energy network operators and energy installations

Run the applicability check for your energy company

Tick the Annex I sub-sectors you run, enter staff and turnover, get a single answer for the legal entity plus a memo your management body can sign. Free, open source, no lock-in.