Is our Stadtwerk in NIS 2 scope?
Stadtwerke sit on top of several NIS 2 Annex I sectors at once: electricity, drinking water, waste water, sometimes a city telecoms arm. Each one pulls the entity into scope. The size test applies to the entity as a whole, not to each business unit.
The short version
A typical Stadtwerk runs four kinds of activity under one company: electricity distribution and supply, drinking water, waste water, and sometimes telecoms or district heating. Each one of those is its own sector under NIS 2 Annex I. One sector is enough to put you in scope. Four sectors do not put you in four times. One legal entity, one NIS 2 registration.
Article 2(1) NIS 2 adds the size test: medium enterprise or larger (at least 50 staff, or more than 10 million euro turnover and balance sheet). Stadtwerke almost always pass that bar. If you operate a critical activity above the sector-specific KRITIS threshold (for example 100,000 electricity connections, or more than 22 million cubic metres of drinking water per year), you also fall under the stricter KRITIS regime on top of NIS 2. Below the threshold you still owe NIS 2.
Germany puts this into national law through §28 BSIG. The KRITIS-Verordnung sets the size thresholds for the KRITIS regime specifically, which is a separate, stricter layer. NIS 2 does not depend on KRITIS thresholds.
NIS 2 Directive (2022/2555), Annex I sectors 1, 6, 7, 8
Sector 1 Energy includes (a) electricity, (b) district heating and cooling, (c) oil, (d) gas, (e) hydrogen, and covers distribution system operators, transmission system operators, producers and energy supply undertakings. Sector 6 Drinking water covers suppliers and distributors of water intended for human consumption. Sector 7 Waste water covers undertakings collecting, disposing of or treating urban, domestic or industrial waste water. Sector 8 Digital Infrastructure includes providers of public electronic communications networks and publicly available electronic communications services.
A single Stadtwerk that runs an electricity grid, supplies drinking water, treats waste water and operates a city fibre network is touching four different sectors in this list. Each activity independently triggers NIS 2.
Article 2(1) NIS 2 + Recommendation 2003/361/EC + KRITIS-Verordnung
This Directive applies to public or private entities of a type referred to in Annex I or Annex II which qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC, or exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article.
The size test is medium or larger (at least 50 staff, or more than 10 million euro turnover and balance sheet). The KRITIS-Verordnung sets separate sector-specific thresholds for the German KRITIS regime: for example 100,000 connections in electricity distribution, or more than 22 million cubic metres of drinking water supply per year. KRITIS thresholds do not gate NIS 2.
§28 BSIG (Germany)
Particularly important entities (besonders wichtige Einrichtungen) and important entities (wichtige Einrichtungen) are natural or legal persons, or legally dependent organisational units of a regional or local authority, that belong to one of the entity types listed in Annexes 1 or 2 and that meet or exceed the thresholds under Article 2 of Recommendation 2003/361/EC.
§28 BSIG is the German entry door into NIS 2 scope. Annex 1 lists 'besonders wichtige' types (essential), Annex 2 lists 'wichtige' types (important). A Stadtwerk that crosses a KRITIS threshold on at least one activity is also 'Betreiber einer Kritischen Anlage' and lands in the stricter 'besonders wichtige' bucket on that basis.
Which Annex I activities do you run?
Walk the list. Electricity (production, distribution, supply). District heating or cooling. Gas. Drinking water. Waste water. Public electronic communications network or service. If you operate even one of these as a Stadtwerk, that sector is in. List them all, because each one needs the controls applied to the systems that run it.
Are you at least a medium enterprise?
At least 50 staff, or more than 10 million euro turnover and balance sheet. Apply the test to the legal entity, not to each business unit. Stadtwerke are almost always above this bar once you count grid operations, water and waste water together. Below the bar, narrow carve-outs exist for some sectors but not for energy or water.
Do you cross a KRITIS-Verordnung threshold?
Sector-specific. Electricity distribution: 100,000 connected end customers. Drinking water: 22 million cubic metres per year. Waste water: 500,000 population equivalents. Cross any threshold on any activity and KRITIS applies to that activity, on top of NIS 2. The KRITIS regime brings stricter audit duties (independent audit every three years, §65 BSIG) and additional reporting.
One legal entity is one NIS 2 entity
If your electricity, water, waste water and telecoms business units sit inside the same GmbH, the GmbH is the NIS 2 entity. One registration with the BSI. One risk register that covers all the OT and IT across all sectors. One management body that signs off. Splitting NIS 2 work across the operating units does not split the obligation. It just makes it harder to coordinate.
NIS 2 is not the same as KRITIS
Passing the KRITIS threshold adds a regime. It does not replace NIS 2. Failing to pass the KRITIS threshold removes the KRITIS regime, but does not remove NIS 2. The §28 BSIG scope sits below KRITIS and above 'too small to bother'. Stadtwerke almost always land inside that band even when their grid is under 100,000 connections.
BSI / §28 BSIG and KRITIS-Verordnung
The BSI is the authority for the cyber side of energy, water and waste water. It runs the §33 BSIG registration portal, accepts §32 BSIG significant-incident notifications, and publishes sector-specific guidance (Branchenspezifische Sicherheitsstandards) for Energie, Wasser and Abwasser. If your Stadtwerk is also KRITIS, the BSI is who you submit the three-yearly audit evidence to.
Bundesnetzagentur
If your Stadtwerk runs a public electronic communications network or service (a city fibre arm, for example), the Bundesnetzagentur is the sector regulator. The cyber duties under §28 BSIG still flow through the BSI, but the telecoms-specific overlay sits at the Bundesnetzagentur.
ENISA Technical Implementation Guidance
ENISA's TIG explains how to put Article 21 controls in place across sectors. Annex I sectors 1, 6 and 7 are covered explicitly. Existing ISO 27001 or NIST CSF 2.0 work maps across via the TIG mapping table, so a Stadtwerk that already runs an ISMS for one business unit has a head start on the others.
Municipal utilities elsewhere
Other member states transpose NIS 2 with broadly comparable scope for municipal utilities: Austria via NISG, the Netherlands via Cyberbeveiligingswet, Belgium via NIS2-Wet. The sector list is identical (Annex I is EU law). What differs: which authority you talk to and how the audit cycle is timed.
We are a public-sector Stadtwerk owned by the city, so NIS 2 does not apply.
Annex I does not exempt public-sector entities. It explicitly applies to 'public or private entities'. Whether the GmbH is owned by the city, by a holding, or by private shareholders does not change the sector test. The only narrow public-sector carve-out in NIS 2 is for national security and defence functions, not for utility operations.
We are below the KRITIS threshold, so we are not in scope.
KRITIS thresholds gate the KRITIS regime, not NIS 2. A Stadtwerk with 60,000 electricity connections is below the KRITIS threshold of 100,000, so the stricter audit cycle does not apply. The same Stadtwerk is still a NIS 2 entity under §28 BSIG, with the full Article 21 control catalogue, registration, and incident reporting duties.
Each utility unit handles its own NIS 2 compliance.
Inside one legal entity there is one NIS 2 obligation. One registration. One management body sign-off. One risk register that has to cover the OT and IT across all sectors. Treating each business unit as a separate compliance silo produces overlapping work, gaps at the seams, and an audit story that does not hold together.
A typical Stadtwerk with 200 staff, a 60,000-customer electricity grid, a drinking-water supply at around 8 million cubic metres a year, and a small fibre arm sits unambiguously inside NIS 2 scope through Annex I sectors 1, 6, 7 and 8. The size test is comfortably passed. KRITIS thresholds are not reached, so the audit duties under §65 BSIG do not apply, but the §28 BSIG duties do.
The §30 risk register needs to cover the OT and SCADA on electricity, water and waste water in one place. The §32 incident reporting flows through the BSI. The §33 registration is one submission for the whole company. If you also cross a KRITIS threshold on any activity, your classification under §28 moves up to 'besonders wichtige Einrichtung' and the three-yearly KRITIS audit kicks in on top.
The applicability check walks you through the multi-sector single-entity case directly. You tick every Annex I activity your Stadtwerk runs, the platform aggregates them against the size test, and tells you which §28 BSIG bucket you land in and whether any activity also pulls KRITIS in.
The assets module captures OT and IT inventory across all sub-sectors in one place. The risk register sits on top of that single inventory, so the treatment plans for a SCADA control system at the water plant and for the grid control room sit side by side, not in two separate compliance binders.
- Directive (EU) 2022/2555 (NIS 2), Annex I sectors 1, 6, 7 and 8 — eur-lex.europa.eu/eli/dir/2022/2555/oj
- Directive (EU) 2022/2555 (NIS 2), Article 2(1) — eur-lex.europa.eu/eli/dir/2022/2555/oj
- Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises
- BSI Act (BSIG), §28 (Anwendungsbereich) and §33 (Registrierung) as amended by the NIS2 Implementation and Cybersecurity Strengthening Act
- KRITIS-Verordnung (BSI-Kritisverordnung) — sector-specific thresholds for Energie, Wasser and Abwasser
- BSI sector guidance for Energie, Wasser and Abwasser (Branchenspezifische Sicherheitsstandards)