Are we a medical device manufacturer under NIS 2?
Manufacturers of devices on the EMA critical-devices list are essential entities under Annex I sub-cat 5. Every other medical device or IVD manufacturer is an important entity under Annex II sector 5, as long as the Article 2(1) size threshold is reached. MDR and IVDR run in parallel. No lex specialis carve-out.
The short version
Medical device makers appear in two NIS 2 annexes at the same time. Annex I sector 5 lists them under its fifth sub-category as makers of devices considered critical during a public-health emergency under Article 22 of Regulation (EU) 2022/123. That is the EMA critical-devices list. Companies on it are essential entities and sit in the higher penalty band.
Annex II sector 5 catches the rest of the industry. The sub-categories are manufacturers of medical devices under Article 2(1) of Regulation (EU) 2017/745 (MDR) and manufacturers of in vitro diagnostics under Article 2(2) of Regulation (EU) 2017/746 (IVDR). These are important entities. Same Article 2(1) size test as everyone else: 50 staff or 10 million euros turnover or balance-sheet total.
MDR and IVDR run in parallel, they do not replace NIS 2. MDR covers the device, NIS 2 covers the company. Cybersecurity duties under MDR Annex I 17.2 sit at product level. NIS 2 duties under Article 21 sit at entity level. Both apply. There is no DORA-style lex specialis carve-out for medical device manufacturers.
Annex I sector 5, fifth indent (NIS 2 Directive 2022/2555)
Entities manufacturing medical devices considered as critical during a public-health emergency (public-health emergency critical-devices list) within the meaning of Article 22 of Regulation (EU) 2022/123.
Verbatim from OJ L 333/145, Annex I sector 5, fifth indent. The reference is the EMA critical-devices list under Regulation (EU) 2022/123. If your product is on that list, you are an essential entity. Penalty band: up to 10 million euros or 2 percent of worldwide turnover, whichever is higher.
Annex II sector 5 (NIS 2 Directive 2022/2555)
Manufacturing of medical devices and in vitro diagnostic medical devices: entities manufacturing medical devices within the meaning of Article 2, point (1), of Regulation (EU) 2017/745 of the European Parliament and of the Council, with the exception of entities manufacturing medical devices referred to in Annex I, point 5, fifth indent, of this Directive; entities manufacturing in vitro diagnostic medical devices within the meaning of Article 2, point (2), of Regulation (EU) 2017/746 of the European Parliament and of the Council.
Verbatim from OJ L 333/146, Annex II sector 5. Two sub-categories: MDR manufacturers (minus the EMA critical-devices makers, who go to Annex I) and IVDR manufacturers. NACE C32.5 covers the manufacturing classification. Important entity, penalty band up to 7 million euros or 1.4 percent of worldwide turnover.
§28 BSIG and Article 2(1) NIS 2 (size test)
§28 BSIG transposes the Annex I and Annex II scope into German law. Article 2(1) NIS 2 plus Recommendation 2003/361/EC set the size threshold: 50 or more employees, or 10 million euros or more in annual turnover or balance-sheet total.
Two thresholds; either one is enough. The size rule is identical for Annex I and Annex II entities. The only things that change between the two are the penalty band and the supervision regime. BfArM remains the regulator for MDR and IVDR; BSI is the regulator for NIS 2. Two different authorities, one company.
Test 1: EMA critical-devices list
Is your product on the EMA critical-devices list under Article 22 of Regulation (EU) 2022/123? That list names devices considered critical during a declared public-health emergency. Ventilators, oxygen concentrators, certain diagnostics, certain infusion devices. If yes, Annex I sub-cat 5 applies and you are an essential entity.
Test 2: generic device or IVD manufacturer
Are you a manufacturer under Article 2(1) MDR or Article 2(2) IVDR? That captures the whole industry: any party that develops, manufactures, refurbishes or places a medical device or IVD on the market under its own name. NACE classification C32.5. If yes and you fail Test 1, Annex II sector 5 applies and you are an important entity.
Test 3: size test (Article 2(1))
Do you have 50 or more employees, or 10 million euros or more in annual turnover or balance-sheet total? Either threshold puts you in scope. Below both, you stay out, subject to the narrow regardless-of-size overrides in Article 2(2) and (3) (sole providers, public administration, qualified trust services, a few others).
Annex I sub-cat 5 and Annex II sector 5 are mutually exclusive
Read Annex II sector 5 carefully: it covers MDR manufacturers with the exception of those already named in Annex I sub-cat 5. A single company is either essential (on the EMA critical-devices list) or important (everyone else). Same sector, two annexes, different penalty bands. You do not sit in both at once.
MDR and IVDR cover the device, NIS 2 covers the company
MDR Annex I requirement 17.2 already mandates IT security at product level: the device must be designed and manufactured to ensure repeatable, reliable and performant operation against reasonably foreseeable cybersecurity risks. NIS 2 Article 21 sits one layer up: governance, risk management, supply chain, incident handling at the company level. Both apply. Neither absorbs the other.
BSI / §28 BSIG (NIS 2 cybersecurity authority)
The BSI is the cybersecurity authority under NIS 2. §28 BSIG operationalises the Annex I and Annex II scope. §30 BSIG sets the risk management measures and §32 BSIG sets the reporting duties. The BSI does not regulate the device itself, only the company's cybersecurity posture.
BfArM / MPDG (medical devices and IVDs)
The BfArM is the German competent authority for MDR and IVDR under the Medizinprodukte-Durchführungsgesetz (MPDG). It oversees the device itself: conformity assessment, post-market surveillance, vigilance reporting. The MDR cybersecurity duty under Annex I 17.2 sits here, distinct from the NIS 2 duties at the BSI.
ENISA NIS 2 transposition tracker
ENISA publishes a NIS 2 transposition page listing national laws and competent authorities per member state. For medical device makers selling across the EU, that is the cleanest single source for the cybersecurity authority in each country. The MDR notified body landscape is separate and tracked through the EUDAMED database.
MDR Annex I 17.2 already covers cybersecurity, so NIS 2 does not apply on top.
MDR 17.2 covers product cybersecurity for the device. NIS 2 Article 21 covers company cybersecurity for the manufacturer: governance, risk management, supply chain, incident handling, business continuity. Two different layers. NIS 2 has no lex specialis carve-out for medical device makers. Both apply in full.
We only make Class I devices, so we are below the NIS 2 line.
MDR risk class is not the NIS 2 test. The NIS 2 test is Annex I or Annex II sector plus Article 2(1) size. A Class I bandage manufacturer with 80 staff is in Annex II sector 5 as an important entity. The clinical risk class of the product is irrelevant for NIS 2 scope.
We are a software-as-a-medical-device company, this is just MDR.
SaMD manufacturers are medical device manufacturers under Article 2(1) MDR. Annex II sector 5 catches them. If you cross the size threshold, NIS 2 applies. Software does not change the annex; the company still manufactures a medical device under MDR. The same sub-category catches you.
Typical case: a 90-staff orthopaedic implant manufacturer with 25 million euros annual turnover. Test 1 fails (not on the EMA critical-devices list). Test 2 passes (MDR manufacturer under Article 2(1)). Test 3 passes (well above the medium-enterprise threshold). Result: Annex II sector 5, important entity. §30 BSIG measures apply. §32 BSIG reporting applies. MDR conformity assessment continues at the notified body, unchanged.
What practitioners actually do: keep the NIS 2 file separate from the MDR technical documentation. Two regulators, two filings. The MDR Annex I 17.2 evidence (threat modelling, secure development lifecycle, post-market security) feeds the NIS 2 Article 21(2)(e) supply chain duties but does not replace them. Sign the Anwendbarkeitsprüfung (applicability check) at management body level and store both files under the same audit trail.
The applicability check walks all three tests in order: the EMA critical-devices list under Annex I sub-cat 5, the generic MDR or IVDR manufacturer test under Annex II sector 5, and the Article 2(1) size threshold. The output names the sub-category, the annex, the penalty band and the regulator. You hand it to your auditor.
The output is not a yes/no. It is a justification: which annex, which sub-category, which size test was cleared, and where the MDR and IVDR duties sit alongside. Signed by the management body, version-pinned to the EU text and the §28 BSIG transposition we cite. Re-runs cleanly if the EMA critical-devices list is updated under a future public-health emergency.
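The three-test walk above, encoded as an added example (not part of the original page and not a BSI or BfArM tool): the check tries Annex I membership first, falls through to Annex II, then applies the Article 2(1) size rule, and returns the justification fields the text lists (annex, sub-category, entity type, penalty band, regulators) together with the result of each test so an auditor can see which one was cleared. Thresholds and penalty bands are the ones stated on this page; the `Manufacturer` and `Justification` types, the `regardless_of_size_override` flag and the sample companies are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Thresholds as stated on this page (Article 2(1) NIS 2 read with Recommendation 2003/361/EC).
EMPLOYEE_THRESHOLD = 50
FINANCIAL_THRESHOLD_EUR = 10_000_000

# Penalty bands as stated on this page for essential and important entities.
ESSENTIAL_PENALTY = "up to 10 million euros or 2 percent of worldwide turnover, whichever is higher"
IMPORTANT_PENALTY = "up to 7 million euros or 1.4 percent of worldwide turnover"


@dataclass
class Manufacturer:
    """Constructed input record for one company (hypothetical type, not a BSI form)."""
    name: str
    employees: int
    annual_turnover_eur: int
    balance_sheet_total_eur: int = 0
    on_ema_critical_devices_list: bool = False   # Test 1: Art. 22 Regulation (EU) 2022/123
    mdr_manufacturer: bool = False               # Test 2: Art. 2(1) MDR
    ivdr_manufacturer: bool = False              # Test 2: Art. 2(2) IVDR
    regardless_of_size_override: bool = False    # Art. 2(2)/(3) overrides, e.g. sole provider


@dataclass
class Justification:
    """The signed output: not a yes/no, but which annex, sub-category and test were cleared."""
    in_scope: bool
    entity_type: Optional[str] = None
    annex: Optional[str] = None
    sub_category: Optional[str] = None
    penalty_band: Optional[str] = None
    regulators: tuple = ()
    tests: dict = field(default_factory=dict)
    reason: str = ""


def size_test(m: Manufacturer) -> bool:
    """Test 3 (Article 2(1)): either threshold alone is enough."""
    return (m.employees >= EMPLOYEE_THRESHOLD
            or m.annual_turnover_eur >= FINANCIAL_THRESHOLD_EUR
            or m.balance_sheet_total_eur >= FINANCIAL_THRESHOLD_EUR)


def applicability_check(m: Manufacturer) -> Justification:
    """Walk Test 1, Test 2, Test 3 in order and return the justification record."""
    tests = {
        "test1_ema_critical_devices_list": m.on_ema_critical_devices_list,
        "test2_mdr_or_ivdr_manufacturer": m.mdr_manufacturer or m.ivdr_manufacturer,
        "test3_size_article_2_1": size_test(m),
        "regardless_of_size_override": m.regardless_of_size_override,
    }

    # Sector membership first. Annex I and Annex II sector 5 are mutually exclusive:
    # Annex II explicitly carves out the companies already named in Annex I.
    if tests["test1_ema_critical_devices_list"]:
        entity_type, annex, penalty = "essential", "Annex I", ESSENTIAL_PENALTY
        sub_category = "sector 5, fifth indent (public-health emergency critical-devices list)"
    elif tests["test2_mdr_or_ivdr_manufacturer"]:
        entity_type, annex, penalty = "important", "Annex II", IMPORTANT_PENALTY
        parts = []
        if m.mdr_manufacturer:
            parts.append("MDR manufacturer, Art. 2(1) Regulation (EU) 2017/745")
        if m.ivdr_manufacturer:
            parts.append("IVDR manufacturer, Art. 2(2) Regulation (EU) 2017/746")
        sub_category = "sector 5: " + "; ".join(parts)
    else:
        return Justification(False, tests=tests,
                             reason="not a medical device or IVD manufacturer; sector 5 does not apply")

    # The size rule is identical for both annexes; only the narrow overrides bypass it.
    if not (tests["test3_size_article_2_1"] or m.regardless_of_size_override):
        return Justification(False, tests=tests,
                             reason="below both Article 2(1) thresholds and no regardless-of-size override")

    # Two authorities, one company: BSI for the entity (NIS 2), BfArM for the device (MDR/IVDR).
    regulators = ("BSI (NIS 2: §28, §30, §32 BSIG)", "BfArM (MDR/IVDR under MPDG)")
    return Justification(True, entity_type, annex, sub_category, penalty, regulators, tests,
                         reason=f"{annex} {sub_category}; {entity_type} entity")


if __name__ == "__main__":
    # The worked case from the text: 90 staff, 25 million euros turnover, MDR manufacturer.
    implant_maker = Manufacturer("constructed orthopaedic implant maker", employees=90,
                                 annual_turnover_eur=25_000_000, mdr_manufacturer=True)
    result = applicability_check(implant_maker)
    for key, value in vars(result).items():
        print(f"{key}: {value}")
```

The ordering matters: a company that passes Test 1 never reaches the Annex II branch, which is what makes the two annexes mutually exclusive in the output, and the size test is applied after sector membership so a below-threshold company still gets a recorded reason rather than a bare negative.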
- Directive (EU) 2022/2555 (NIS 2), Annex I sector 5 fifth indent and Annex II sector 5 — eur-lex.europa.eu/eli/dir/2022/2555/oj
- Regulation (EU) 2022/123 on a reinforced role for the EMA, Article 22 (critical medicines and medical devices list) — eur-lex.europa.eu/eli/reg/2022/123/oj
- Regulation (EU) 2017/745 (MDR), Article 2(1) (definition of manufacturer) and Annex I requirement 17.2 (cybersecurity) — eur-lex.europa.eu/eli/reg/2017/745/oj
- Regulation (EU) 2017/746 (IVDR), Article 2(2) (definition of manufacturer) — eur-lex.europa.eu/eli/reg/2017/746/oj
- Commission Recommendation 2003/361/EC, Annex Article 2 (medium-enterprise definition)
- BSI Act (BSIG), §28 as amended by the NIS2-Umsetzungsgesetz
- Medizinprodukte-Durchführungsgesetz (MPDG) — gesetze-im-internet.de/mpdg
- ENISA NIS 2 transposition tracker — enisa.europa.eu/topics/nis-directive