Bakery: The Complete NIS2 Guide

NIS2 does not affect every bakery, but many multi-site operations with centralized production are in scope and do not know it. This guide explains who falls under NIS2, what obligations apply, and what you need to do concretely. It is written for owners, managing directors, and IT managers at bakeries with more than one production site or significant B2B business.

Who is affected?

Bakeries fall under NIS2 Annex II No. 5 (Food) when they exceed the SME thresholds from EU Recommendation 2003/361/EC Art. 2: at least 50 employees or at least EUR 10 million in annual revenue. Craft registration alone does not provide blanket protection. If you operate as a "manufacturer of bakery products" under NACE classification C.10.7 and meet the threshold, you are an Important Entity under § 28 Para. 1 BSIG-new.

Special case: if you supply public institutions (schools, hospitals, canteens) as part of the food supply chain and reach the KRITIS threshold of 434,500 t/a in food production (grain equivalent), you qualify as Essential Entity.

A multi-site operation with 80 employees and EUR 15 million in revenue that produces centrally and delivers B2B to canteens is very likely an Important Entity.

Obligations under § 30 BSIG-new

§ 30 BSIG-new lists seven technical and organizational measures you must implement:

  1. Risk analysis and management: You must systematically assess IT risks across your central production and branch network. This includes ERP systems, point-of-sale, ordering platforms, and oven control systems.
  2. Incident handling: Security incidents must be detected, documented, and handled through a defined process. A failure of the central system must be classifiable as an incident.
  3. Business continuity: A contingency plan must define how production continues during IT failure. Manual fallback processes for ordering and delivery planning must be documented.
  4. Supply chain security: Your suppliers (flour, packaging, logistics software) must be assessed for their security standards. Contractual clauses on minimum requirements are required under § 30 Para. 2 No. 4 BSIG-new.
  5. Access control and MFA: Access to business applications and networks must be secured by strong authentication. Branch access via password alone is no longer sufficient.
  6. Encryption: Customer data, order data, and supplier communications must be encrypted in transit and at rest.
  7. Training and awareness: Employees who operate IT systems must be regularly trained on cybersecurity. This applies to branch managers as well.

Deadlines and reporting obligations

Registration with the BSI must occur within three months of becoming aware of your own obligations (§ 33 BSIG-new). The BSI has announced an online portal; until it launches, manual notification applies.

For security incidents, the reporting chain under § 32 BSIG-new applies: an initial report ("early warning") within 24 hours, a full report within 72 hours, and a final report within 30 days. A ransomware attack that takes down the point-of-sale system and affects more than 10% of branch capacity must be reported within 24 hours.

NIS2 obligations under BSIG-new are binding once the German transposition law enters into force. The law is currently in the legislative process; entry into force is expected in 2025.

Fines and personal liability

NIS2 violations carry significant penalties. For Important Entities (Annex II): up to EUR 7 million or 1.4% of global annual turnover, whichever is higher. For Essential Entities (Annex I): up to EUR 10 million or 2% of turnover.

Critically: § 38 BSIG-new introduces personal liability for management. Managing directors are personally liable if they negligently fail to fulfill NIS2 obligations. Delegation only protects if documented in writing and if the delegated person is technically qualified.

KRITIS threshold for bakeries: who actually reaches 434,500 t/a?

The KRITIS threshold in food supply is set at 434,500 t/a of processed food in grain equivalents under BSI-KritisV Annex 6. This threshold is relevant for industrial bakery manufacturers, not craft businesses.

If you produce frozen raw doughs, bakery goods for retail chains, or large B2B volumes centrally, you should compare your production volume against this figure. A mid-sized industrial bakery with 300 employees and 2-3 production lines can reach this threshold.

B2B supply chains also count: if you supply schools, hospitals, or company canteens, you are part of the critical supply chain. The BSI evaluates the total volume across all buyers, not per customer.

First steps

  1. Check your headcount and annual revenue against the SME thresholds. If you have more than 50 employees or EUR 10 million in revenue, you are likely in scope.
  2. Clarify your NACE code: are you classified as a manufacturer (C.10.7) or as a craft business? Craft registration alone does not protect you if you operate centralized industrial production.
  3. Calculate your annual production volume in tonnes. If it is near 434,500 t/a, seek legal advice on KRITIS classification.
  4. Create an inventory of all IT systems: ERP, point-of-sale, oven controls, ordering portals, warehouse logistics.
  5. Conduct an initial risk analysis. Which systems are business-critical? What happens if they fail?
  6. Identify your most important IT supplier and review their security certifications.
  7. Register with the BSI as soon as the online portal is available.

Common pitfalls

"Craft registration protects us from NIS2": This is only true for micro-businesses without centralized industrial production. If you operate one or more fully automated production lines, you are not a craft business in the NIS2 sense.

B2B delivery to schools and hospitals is overlooked: These buyers count toward the KRITIS threshold calculation. If 30% of your revenue comes from public institutions, you are potentially part of critical supply infrastructure.

IT security is reduced to office IT only: Oven controls, cold storage monitoring, and production line software are equally relevant. The OT/IT boundary must be addressed in your risk analysis.

Deadlines are underestimated: Many companies only start implementation once deadlines are already running. The 3-month BSI registration period starts from when you become aware of your obligations, not from when the law enters into force.

Use the industry-specific NIS2 calculator for bakeries to determine your individual obligations in a few minutes.

Authored by

Julian Köhn

Founder & CEO, Kopexa

Julian Köhn is Founder and CEO of Kopexa. He has been building security and compliance solutions for European mid-market companies for over 10 years. Focus areas: NIS2, ISO 27001, GDPR, TISAX. Kopexa was founded to make GRC transparent and self-service for SMEs.

Reviewed by

Kopexa GRC Team

Subject Matter Experts — NIS2, ISO 27001, KRITIS

The Kopexa GRC Team consists of security and compliance experts certified in ISO 27001, CISA, CRISC. The team develops framework mappings and validates content on NIS2, KRITIS, and industry-specific requirements.

Last updated: 2026-04-17