Are we a hospital under NIS 2?
NIS 2 binds you if you are a Gesundheitsdienstleister under Directive 2011/24/EU and you cross the medium-enterprise size threshold. The KRITIS line of 30,000 vollstationäre Fälle belongs to a separate, stricter German regime. Two tests, two answers.
The short version
Hospitals sit in NIS 2 Annex I sector 5 (Gesundheitswesen). The directive picks them up as 'Gesundheitsdienstleister' in the sense of Article 3(g) of Directive 2011/24/EU. The sector list is wider than hospitals on their own: EU reference laboratories, drug R&D, pharmaceutical manufacturers and makers of critical medical devices for public-health emergencies are in the same bucket.
Whether NIS 2 binds you turns on Article 2(1). You are in scope if you are a medium-sized enterprise under Commission Recommendation 2003/361/EC, or larger. The medium threshold is 50 employees or 10 million euros annual turnover or balance-sheet total. A 60-staff regional clinic is in. A 20-staff specialist practice is generally not.
Germany has a second regime running alongside: KRITIS. The KRITIS-Verordnung sets a hospital-specific threshold of 30,000 vollstationäre Krankenhausfälle per year. KRITIS-status hospitals are still NIS 2 entities, but they also carry stricter duties under the BSIG KRITIS sections. KRITIS is not the NIS 2 threshold. Two separate tests.
Annex I sector 5, NIS 2 Directive (2022/2555)
Healthcare providers (Gesundheitsdienstleister) within the meaning of Article 3(g) of Directive 2011/24/EU; EU reference laboratories within the meaning of Article 15 of Regulation (EU) 2022/2371; entities carrying out research and development activities in relation to medicinal products within the meaning of Article 1(2) of Directive 2001/83/EC; entities manufacturing pharmaceutical products within the meaning of Section C Division 21 of the Statistical Classification of Economic Activities in the European Community (NACE Rev. 2); entities manufacturing medical devices that are classed as critical during a public-health emergency within the meaning of Article 22 of Regulation (EU) 2022/123.
Translated from the German text in OJ L 333/145. Sector 5 captures five categories. A hospital is the first one. Labs, drug R&D, pharma manufacturing and critical-device manufacturers are the other four.
Article 2(1) NIS 2 + Recommendation 2003/361/EC
This Directive applies to public or private entities of a type referred to in Annex I or II which qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC, or which exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article.
Article 2(1) is the scope rule. The 2003/361/EC size definition says medium-sized means 50 or more employees, or 10 million euros or more in annual turnover or balance-sheet total. Cross either threshold and you are in.
§28 BSIG plus KRITIS-Verordnung (Germany)
§28 BSIG transposes the Annex I scope into German law. The BSI-Kritisverordnung defines, for KRITIS purposes, the 30,000 vollstationäre Krankenhausfälle pro Jahr threshold for hospitals.
Two German rules sit on top of each other. §28 BSIG implements the NIS 2 scope test (sector plus size). The KRITIS-Verordnung adds a separate, stricter German layer for systemically important hospitals. NIS 2 scope first, KRITIS scope second.
Sector test
Are you a Gesundheitsdienstleister under Article 3(g) of Directive 2011/24/EU? That covers hospitals, clinics, outpatient providers, dental practices and any healthcare professional regulated by a member state. Labs, drug developers, pharma manufacturers and makers of critical medical devices are also in sector 5 under separate sub-categories.
Size test (Article 2(1))
Do you have 50 or more employees, or 10 million euros or more in annual turnover or balance-sheet total? Either threshold puts you in scope. Below both, you stay out, with narrow exceptions in Article 2(2) and (3) (regardless-of-size overrides for sole providers, public administration, qualified trust services and a few others).
KRITIS overlap (Germany only)
Do you reach 30,000 vollstationäre Krankenhausfälle per year? That is the threshold in the BSI-Kritisverordnung. Above it, you are KRITIS and you carry the stricter §31-32 BSIG duties on top of the regular NIS 2 duties. Below it, you are NIS 2 only. KRITIS is German-specific; NL, FR and AT use their own designation rules.
NIS 2 is not KRITIS
Two regimes, two laws, two thresholds. NIS 2 uses the EU medium-enterprise size definition (50 staff, 10 million euros). KRITIS uses sector-specific volumetric thresholds (for hospitals: 30,000 vollstationäre Fälle). Most hospitals that are in NIS 2 are not in KRITIS. The reverse does not occur: every KRITIS hospital is also a NIS 2 entity.
Sector 5 is broader than hospitals
Annex I sector 5 captures five categories in one bucket: healthcare providers, EU reference laboratories, drug R&D entities, pharmaceutical manufacturers and critical medical-device manufacturers. A 60-person diagnostic lab serving hospitals is in sector 5 in its own right, not as a supplier. Same size test, same duties.
BSI / §28 BSIG plus KRITIS-Verordnung
The BSI publishes sector-specific FAQ material for healthcare under the NIS2-Umsetzungsgesetz and runs the KRITIS designation process separately. §28 BSIG is the NIS 2 scope hook. The BSI-Kritisverordnung sets the 30,000-Fälle KRITIS threshold. Both can apply to the same hospital.
ENISA NIS 2 transposition tracker
ENISA publishes a NIS 2 transposition page that lists the national laws and competent authorities per member state. It is the cleanest single source for cross-border hospital groups working out which regulator they file with in each country.
National transposition laws
Annex I sector 5 binds healthcare providers across the EU. NL covers it through the Cyberbeveiligingswet; FR through Ordonnance n° 2024-1093; AT through the NISG. The sector test is the same. The size test is the same. Reporting channels and competent authorities differ.
We are under 30,000 cases a year, so we are out.
That is the KRITIS threshold, not the NIS 2 threshold. NIS 2 uses Article 2(1): 50 employees or 10 million euros turnover. A 60-staff regional clinic with 8,000 cases a year is in NIS 2 and out of KRITIS. Both can be true at once.
NIS 2 only applies to the IT systems, not the rest of the hospital.
Scope works at the entity level, not the system level. If your hospital is a NIS 2 entity, every system that supports the Annex I service (patient records, ward systems, medical devices on the network, supplier-facing systems) is inside the §30 BSIG duties. There is no clinical-systems-only carve-out.
The pharmacy on site is out of scope.
Depends on the legal entity and its size. If the pharmacy is a separate legal entity, it runs its own NIS 2 test. If it is part of the hospital, it inherits the hospital's NIS 2 scope. Pharmaceutical manufacturers (a separate sector 5 sub-category) run their own size test.
Typical case: a 50-bed regional clinic with 60 staff and 12 million euros annual turnover. Sector test passes (Gesundheitsdienstleister). Size test passes (above both medium-enterprise thresholds). KRITIS test fails (well under 30,000 vollstationäre Fälle). Result: in NIS 2, out of KRITIS. Full §30 BSIG measures apply, plus §32 BSIG incident reporting. No KRITIS audit cycle.
What practitioners actually do: run the sector test first, the size test second, document both in a written Anwendbarkeitsprüfung signed by the management body. The KRITIS question gets its own document because it triggers a different process at the BSI. Splitting them keeps the audit trail clean.
The applicability check walks all three tests in order: sector classification under Annex I, size threshold under Article 2(1), and the German KRITIS overlap under the BSI-Kritisverordnung. You answer six questions and get a written Anwendbarkeitsprüfung you can hand to your auditor.
The output is not a yes/no. It is a justification: which sector and which sub-category you fall under, which size test you cleared, and whether the KRITIS threshold is in play. Signed by the management body, stored with audit trail, version-pinned to the EU and BSIG text we cite.
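The three-step applicability check described above, worked through as an added example (this is not the page's own tool or the BSI's): it encodes the sector, size and KRITIS tests with the thresholds exactly as this page states them, and returns a justification record rather than a bare yes/no. The sub-category keys, the `Entity`/`Applicability` classes and the sample entities (including the balance-sheet figures and the lab's sub-category) are constructed for illustration and are not taken from the directive.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Thresholds as this page states them: Art. 2(1) NIS 2 via Recommendation
# 2003/361/EC for size, BSI-Kritisverordnung for the hospital KRITIS line.
EMPLOYEE_THRESHOLD = 50
FINANCIAL_THRESHOLD_EUR = 10_000_000
KRITIS_INPATIENT_CASES = 30_000

# Annex I sector 5 sub-categories; the dictionary keys are constructed labels.
SECTOR_5 = {
    "healthcare_provider": "Gesundheitsdienstleister, Art. 3(g) Directive 2011/24/EU",
    "eu_reference_lab": "EU reference laboratory, Art. 15 Regulation (EU) 2022/2371",
    "medicinal_product_rnd": "R&D on medicinal products, Art. 1(2) Directive 2001/83/EC",
    "pharma_manufacturer": "Pharmaceutical manufacturer, NACE Rev. 2 section C division 21",
    "critical_device_manufacturer": "Critical medical-device manufacturer, Art. 22 Regulation (EU) 2022/123",
}


@dataclass
class Entity:
    name: str
    sector_5_category: Optional[str]          # key of SECTOR_5, or None if outside sector 5
    employees: int
    turnover_eur: int
    balance_sheet_eur: int
    inpatient_cases_per_year: int = 0         # vollstationaere Krankenhausfaelle
    regardless_of_size: Optional[str] = None  # Art. 2(2)/(3) override, e.g. "sole provider"


@dataclass
class Applicability:
    nis2_in_scope: bool = False
    kritis: bool = False
    justification: List[str] = field(default_factory=list)


def size_test(e: Entity) -> List[str]:
    """Return every medium-enterprise threshold the entity meets (any one suffices)."""
    hits = []
    if e.employees >= EMPLOYEE_THRESHOLD:
        hits.append(f"{e.employees} employees >= {EMPLOYEE_THRESHOLD}")
    if e.turnover_eur >= FINANCIAL_THRESHOLD_EUR:
        hits.append(f"turnover EUR {e.turnover_eur:,} >= {FINANCIAL_THRESHOLD_EUR:,}")
    if e.balance_sheet_eur >= FINANCIAL_THRESHOLD_EUR:
        hits.append(f"balance sheet EUR {e.balance_sheet_eur:,} >= {FINANCIAL_THRESHOLD_EUR:,}")
    return hits


def check_applicability(e: Entity) -> Applicability:
    """Walk the tests in order: sector, size, then the German KRITIS overlap."""
    r = Applicability()
    # 1. Sector test: must fall under an Annex I sector 5 sub-category.
    if e.sector_5_category not in SECTOR_5:
        r.justification.append("Sector test: not in Annex I sector 5; NIS 2 does not apply on this basis.")
        return r
    r.justification.append(f"Sector test: Annex I sector 5, {SECTOR_5[e.sector_5_category]}.")

    # 2. Size test: Art. 2(1), medium-sized or larger; either threshold is enough.
    hits = size_test(e)
    if hits:
        r.nis2_in_scope = True
        r.justification.append("Size test: medium-sized or larger (" + "; ".join(hits) + ").")
    elif e.regardless_of_size:
        r.nis2_in_scope = True
        r.justification.append(f"Size test: below thresholds, but an Art. 2(2)/(3) override applies ({e.regardless_of_size}).")
    else:
        r.justification.append("Size test: below all medium-enterprise thresholds; out of NIS 2.")
    if r.nis2_in_scope:
        r.justification.append("Duties: §30 BSIG measures and §32 BSIG incident reporting.")

    # 3. KRITIS overlap (Germany only): a separate volumetric threshold for hospitals.
    if e.sector_5_category == "healthcare_provider":
        cases = e.inpatient_cases_per_year
        if cases >= KRITIS_INPATIENT_CASES:
            r.kritis = True
            r.justification.append(f"KRITIS test: {cases:,} inpatient cases >= {KRITIS_INPATIENT_CASES:,}; stricter §§31-32 BSIG duties apply on top.")
        else:
            r.justification.append(f"KRITIS test: {cases:,} inpatient cases < {KRITIS_INPATIENT_CASES:,}; NIS 2 only, no KRITIS audit cycle.")
    return r


# Constructed sample entities mirroring the cases discussed on this page.
REGIONAL_CLINIC = Entity("Regional clinic (constructed)", "healthcare_provider",
                         employees=60, turnover_eur=12_000_000, balance_sheet_eur=9_000_000,
                         inpatient_cases_per_year=8_000)
SPECIALIST_PRACTICE = Entity("Specialist practice (constructed)", "healthcare_provider",
                             employees=20, turnover_eur=3_000_000, balance_sheet_eur=1_500_000)
DIAGNOSTIC_LAB = Entity("Diagnostic lab (constructed; sub-category assumed)", "eu_reference_lab",
                        employees=60, turnover_eur=6_000_000, balance_sheet_eur=4_000_000)

if __name__ == "__main__":
    for entity in (REGIONAL_CLINIC, SPECIALIST_PRACTICE, DIAGNOSTIC_LAB):
        result = check_applicability(entity)
        print(f"{entity.name}: NIS 2={result.nis2_in_scope}, KRITIS={result.kritis}")
        for line in result.justification:
            print("  -", line)
```

The justification list is the part worth keeping: it records which sub-category, which size threshold and which KRITIS outcome produced the answer, which is what an Anwendbarkeitsprüfung has to show an auditor. Running the KRITIS test as its own step, after the NIS 2 result is already fixed, mirrors the practice of documenting the two questions separately.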
- Directive (EU) 2022/2555 (NIS 2), Annex I sector 5 and Article 2(1) — eur-lex.europa.eu/eli/dir/2022/2555/oj
- Directive 2011/24/EU, Article 3(g) (definition of Gesundheitsdienstleister) — eur-lex.europa.eu/eli/dir/2011/24/oj
- Commission Recommendation 2003/361/EC, Annex Article 2 (medium-enterprise definition)
- BSI Act (BSIG), §28 as amended by the NIS2-Umsetzungsgesetz
- BSI-Kritisverordnung, sector hospitals threshold (30,000 vollstationäre Krankenhausfälle pro Jahr)
- ENISA NIS 2 transposition tracker — enisa.europa.eu/topics/nis-directive