Am I a telecoms provider under NIS 2?
NIS 2 lists telecoms in Annex I sector 8 (Digital Infrastructure). Article 2(2)(a) then strips out the size threshold, so the duties apply to every public-facing provider, big or small. The definitions come from the EU Electronic Communications Code, not from colloquial usage.
The short version
If you operate a public electronic communications network, or if you provide a publicly available electronic communications service, you are in NIS 2 scope. Annex I sector 8 names you directly under Digital Infrastructure.
Article 2(2)(a) of the Directive then removes the normal size threshold for telecoms. It does not matter whether you have 5 staff or 500. The public-service role is the trigger, not the headcount. A small regional ISP, a small VoIP reseller and a national mobile carrier are all in scope on the same basis.
Germany puts this into national law through §28 BSIG together with the Telekommunikationsgesetz (TKG). Some operational duties run through the Bundesnetzagentur (BNetzA), not the BSI directly. This page walks the Directive, the EU sector definitions, and the German transposition in that order.
NIS 2 Directive (2022/2555), Annex I Sector 8 and Art. 2(2)(a)
Sector 8 Digital Infrastructure: providers of public electronic communications networks; providers of publicly available electronic communications services. This Directive shall also apply to entities, regardless of their size, that fall under any of the following criteria: (a) providers of public electronic communications networks or providers of publicly available electronic communications services.
Two pieces have to be read together. Annex I sector 8 names telecoms as essential infrastructure. Article 2(2)(a) then makes a regardless-of-size carve-IN for the same telecoms providers. The normal medium-enterprise threshold (50 staff or EUR 10m turnover) does not apply here.
Directive (EU) 2018/1972 (European Electronic Communications Code), Art. 2
'Public electronic communications network' means an electronic communications network used wholly or mainly for the provision of publicly available electronic communications services. 'Publicly available electronic communications service' means a service normally provided for remuneration via electronic communications networks, which encompasses internet access service, interpersonal communications service, and services consisting wholly or mainly in the conveyance of signals.
NIS 2 does not redefine these terms. It borrows them from the EU Electronic Communications Code (EECC). 'Publicly available' is the key word: a service you sell to the general public counts; an internal corporate VoIP that you run only for your own staff does not.
§28 BSIG and the Telekommunikationsgesetz (TKG), Germany
Providers of public telecommunications networks and providers of publicly available telecommunications services are deemed particularly important entities ('besonders wichtige Einrichtungen') within the meaning of this Act.
Germany transposes the telecoms duties through §28 BSIG in combination with the TKG. The BSI is the central NIS 2 authority, but the Bundesnetzagentur (BNetzA) handles the operational sector regulation for telecoms providers (security measures under former §109 TKG, incident notifications, registration of services). Expect to deal with both.
Do you operate a public network?
A public electronic communications network is a network used wholly or mainly to provide services to the public: fibre, cable, mobile, satellite, fixed wireless. If you run the underlying transport for someone else's customers, you are in scope on the network-operator leg.
Do you provide a public service?
A publicly available electronic communications service is one you sell to the public: internet access (ISP), interpersonal communications (phone, SMS, email, VoIP, messaging) or pure signal conveyance. Reselling someone else's network under your own brand counts.
Size does not get you out
Art. 2(2)(a) removes the normal 50-staff / EUR 10m threshold for telecoms. A 5-person regional fibre ISP and a small IP-telephony reseller are in scope on the same legal basis as Deutsche Telekom. There is no small-business carve-out for this sector.
Regardless-of-size carve-IN (Art. 2(2)(a))
For most NIS 2 sectors, you only fall in scope if you cross the medium-enterprise threshold. Telecoms is one of the exceptions. The Directive explicitly applies regardless of size because the public-service role itself creates a societal dependency. Small does not mean out.
The definitions are the EECC ones
What counts as a 'publicly available' service is the legal test from the EU Electronic Communications Code, not the colloquial one. A service you sell to the public is in. A network or service you run only for your own organisation, or only as a closed user group, usually is not. When in doubt, the EECC definitions, recitals and national regulator guidance are the reference.
BSI / §28 BSIG
The BSI is the central NIS 2 authority. Registration, risk management framework, incident reporting under NIS 2 all run through the BSI. For telecoms, §28 BSIG names public network operators and public service providers as 'besonders wichtige Einrichtungen' directly, regardless of size.
Bundesnetzagentur (BNetzA) / TKG
The BNetzA is the sector regulator for telecoms. It runs the operational duties from the TKG (security of networks and services, incident notification on the telecoms track, registration of services). NIS 2 sits on top of the existing TKG regime; it does not replace it. Most telecoms providers report through both channels.
ENISA
ENISA, the EU cybersecurity agency, coordinates across member states and publishes Technical Implementation Guidance under CIR (EU) 2024/2690. Public network operators and public service providers are listed in the CIR Annex, which means parts of the CIR are directly binding on telecoms providers without needing further national transposition.
National telecoms regulators
Every member state has its own telecoms regulator running this layer: ACM in the Netherlands, ARCEP in France, RTR in Austria, AGCOM in Italy. The NIS 2 duty is the same EU-wide because the Directive sets one floor. What differs: who you register with, which incident form you use, and how the BSI-equivalent and the telecoms regulator split the job.
We have only 5 staff, so the size threshold takes us out.
Not for telecoms. Art. 2(2)(a) of NIS 2 lists public network operators and public service providers as a regardless-of-size category. The 50-staff / EUR 10m threshold that filters most other sectors does not apply here. A 5-person regional ISP is in NIS 2 scope on the same footing as a national carrier.
We are not an MSP, so sector 8 does not catch us.
Different sector, different test. Managed service providers sit in Annex I sector 8 under 'ICT service management (B2B)' and they do follow the size threshold. Public network operators and public service providers are a separate row in the same sector with their own definitions from the EECC, plus the regardless-of-size rule from Art. 2(2)(a). Read both rows.
We run a network for our corporate group, so we are in scope as a telecoms provider.
Usually not, on the telecoms leg. The EECC test turns on 'publicly available'. A private corporate network used only by your own organisation or a closed user group is generally outside the EECC definitions and therefore outside Annex I sector 8 for telecoms. You may still fall under NIS 2 on another sector or as an in-scope entity, but not as a telecoms provider.
A small regional fibre ISP with 8 staff is unambiguously in NIS 2 scope. Annex I sector 8 names public network operators and public service providers; Art. 2(2)(a) strips out the size threshold; the EECC test for 'publicly available' is met because the service is sold to the general public. The same logic catches a small IP-telephony reseller serving public customers. There is no honest reading of the text that gets either of them out.
What we see in practice: the operator drafts a §2.1 risk management framework around the public-facing services and the supporting infrastructure (transport network, core routing, access nodes, OSS/BSS, customer authentication). Art. 21(1) proportionality applies, so an 8-person ISP does not implement at the depth of a tier-one carrier. The phasing has to be written down, justified by the risk picture, and signed off by the management body. The BNetzA TKG duties run in parallel and feed the same risk register.
Our applicability check walks the EECC definitions step by step. It asks what you operate, who you sell to, and whether the service is 'publicly available' in the EECC sense. The output tells you which Annex row applies, whether Art. 2(2)(a) catches you regardless of size, and which national regulator (BSI vs BNetzA in Germany, BSI-equivalent vs telecoms regulator elsewhere) you talk to first.
The assets module covers the network side (transport, core, access, OSS/BSS) and the service-facing side (subscriber management, authentication, voice and messaging platforms) on one inventory. The §2 CIR risk management framework then runs against that inventory, so the same asset list feeds both the BSIG / NIS 2 track and the TKG track without double maintenance.
- Directive (EU) 2022/2555 (NIS 2), Annex I Sector 8 and Article 2(2)(a) — eur-lex.europa.eu/eli/dir/2022/2555/oj
- Directive (EU) 2018/1972 (European Electronic Communications Code), Article 2 definitions — eur-lex.europa.eu/eli/dir/2018/1972/oj
- BSI Act (BSIG), §28 as amended by the NIS2 Implementation and Cybersecurity Strengthening Act
- Telekommunikationsgesetz (TKG), §165 ff. (security of networks and services)
- Bundesnetzagentur, sector guidance on TKG security and reporting duties — bundesnetzagentur.de
- Commission Implementing Regulation (EU) 2024/2690 (CIR), Annex (covers DNS, TLD, cloud, data centres, MSPs and other sector 8 categories) — eur-lex.europa.eu/eli/reg_impl/2024/2690/oj