
Data Center: The Complete NIS2 Guide

Data center operators are directly subject to NIS2 Annex II No. 6 lit. d as providers of digital infrastructure: regardless of revenue once the technical threshold of 3.5 MW average IT power consumption is reached, or otherwise when the general SME thresholds are exceeded. As operators of critical infrastructure for many NIS2-obligated customers, data centers occupy a key position in the digital supply chain. This guide is written for data center operators, technical directors, and compliance managers.

Who is affected?

Data center operators fall under NIS2 Annex II No. 6 lit. d (data center service providers) when they have at least 50 employees or at least EUR 10 million in annual revenue. They are then Important Entities.

Additionally: those who exceed the 3.5 MW average IT power consumption threshold may fall into KRITIS categories depending on their classification and become Essential Entities under Annex I.

Colocation providers, cloud infrastructure operators, and hyperscalers are generally directly in scope. Corporate data centers providing services to third parties also fall within scope.

Obligations under § 30 BSIG-new

§ 30 BSIG-new requires seven obligation areas that are especially significant for data center operators because of the criticality of hosting infrastructure:

  1. Risk analysis and management: Power supply (UPS, grid connection), cooling, network infrastructure, physical access, and all managed services must be assessed.
  2. Incident handling: Failures affecting customer systems are reportable incidents. Incident response must coordinate customer communication and BSI notification.
  3. Business continuity: Redundancy concepts (N+1, 2N) must be documented and regularly tested. RTO and RPO must be defined for all critical services.
  4. Supply chain security: Power suppliers, cooling technology manufacturers, and network carriers must be reviewed for security standards.
  5. Access control and MFA: Physical access (biometric, card) and logical access (MFA) must be documented and enforced for all zones.
  6. Encryption: Customer data on storage systems must be encrypted at rest. Transmissions between data center and customers must be encrypted.
  7. Training and awareness: Data center technicians, NOC staff, and administrative personnel must receive regular cybersecurity training.

Deadlines and reporting obligations

BSI registration under § 33 BSIG-new within three months. For security incidents under § 32 BSIG-new: initial report within 24 hours, full report within 72 hours, final report within 30 days.

A power failure or cooling failure that impacts customer systems for more than one hour and affects NIS2-obligated entities is a reportable incident. Cyberattacks on data center management systems without proven data loss are also reportable.

Fines and personal liability

Important Entity (Annex II): up to EUR 7 million or 1.4% of turnover. Essential Entity (Annex I): up to EUR 10 million or 2% of turnover.

§ 38 BSIG-new: personal liability for management. Added to this is contractual liability to customers for SLA breaches caused by security incidents.

3.5 MW threshold: calculating average IT power consumption and EN 50600

The 3.5 MW threshold for direct KRITIS classification refers to the average IT load of the data center, not total power consumption. The calculation follows EN 50600-4-9 (energy performance indicators for data centers).

Calculation formula: Average IT power = Total power consumption / PUE (Power Usage Effectiveness). Example: a data center with a PUE of 1.5 and total power consumption of 6 MW has an IT load of 4 MW - exceeding the 3.5 MW threshold.

Relevant for classification: not individual racks or halls, but the entire data center at a location. Those operating multiple smaller sites must assess each site separately. EN 50600 also provides the documentation methodology required for BSI and regulatory proof.

First steps

  1. Calculate your data center's average IT power consumption per EN 50600-4-9.
  2. Check headcount and revenue against the SME thresholds.
  3. Conduct a complete risk analysis covering power, cooling, connectivity, and physical security.
  4. Inventory all customer systems and classify which are NIS2-obligated.
  5. Create an incident response plan with a customer escalation matrix.
  6. Review all maintenance contracts (cooling, UPS, network) for security clauses.
  7. Register with the BSI.
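The threshold calculation above (IT load = total power / PUE, assessed per site) and the first two steps of this checklist are easy to get wrong in a spreadsheet, so here is an added worked example, not part of this guide or of Kopexa's own tooling. It assumes the 3.5 MW, 50-employee and EUR 10 million figures as stated in this guide and treats "reached" as greater-than-or-equal; the site names and power figures are constructed sample inputs. It also deliberately computes the naive "total power vs. threshold" comparison alongside the correct IT-load comparison so that the PUE pitfall described under "Common pitfalls" becomes visible on real-looking numbers.

```python
from dataclasses import dataclass

# Thresholds as stated in this guide (assumed constants for this example)
KRITIS_IT_LOAD_THRESHOLD_MW = 3.5
SME_EMPLOYEE_THRESHOLD = 50
SME_REVENUE_THRESHOLD_EUR = 10_000_000


@dataclass(frozen=True)
class Site:
    """One data center location. Values are constructed sample inputs."""
    name: str
    total_power_mw: float  # average total facility power draw in MW
    pue: float             # Power Usage Effectiveness (EN 50600-4-9 style ratio)


def average_it_load_mw(total_power_mw: float, pue: float) -> float:
    """IT load = total power / PUE. A PUE below 1.0 is physically impossible."""
    if pue < 1.0:
        raise ValueError(f"PUE must be >= 1.0, got {pue}")
    if total_power_mw < 0:
        raise ValueError("total power cannot be negative")
    return total_power_mw / pue


def assess_site(site: Site) -> dict:
    """Assess a single location. Sites are never summed across locations."""
    it_load = average_it_load_mw(site.total_power_mw, site.pue)
    return {
        "site": site.name,
        "it_load_mw": round(it_load, 3),
        # Correct check: IT load against the 3.5 MW threshold
        "kritis_threshold_exceeded": it_load >= KRITIS_IT_LOAD_THRESHOLD_MW,
        # The pitfall: comparing total facility power instead of IT load
        "naive_total_power_exceeds": site.total_power_mw >= KRITIS_IT_LOAD_THRESHOLD_MW,
    }


def assess_operator(employees: int, revenue_eur: float, sites: list) -> dict:
    """Combine the SME check (headcount or revenue) with the per-site IT-load check."""
    site_results = [assess_site(s) for s in sites]
    return {
        "sme_threshold_exceeded": (
            employees >= SME_EMPLOYEE_THRESHOLD or revenue_eur >= SME_REVENUE_THRESHOLD_EUR
        ),
        "sites_over_kritis_threshold": [
            r["site"] for r in site_results if r["kritis_threshold_exceeded"]
        ],
        # Sites where the naive total-power check disagrees with the IT-load check
        "sites_misclassified_by_naive_check": [
            r["site"] for r in site_results
            if r["naive_total_power_exceeds"] != r["kritis_threshold_exceeded"]
        ],
        "site_results": site_results,
    }


# Constructed sample sites (not real facilities)
SAMPLE_SITES = [
    Site("FRA1", total_power_mw=6.0, pue=1.5),  # the guide's example: 4 MW IT load
    Site("MUC1", total_power_mw=4.5, pue=1.6),  # 2.81 MW IT load; naive check gets it wrong
    Site("HAM1", total_power_mw=2.0, pue=1.3),  # well below the threshold either way
]

if __name__ == "__main__":
    import json
    result = assess_operator(employees=80, revenue_eur=25_000_000, sites=SAMPLE_SITES)
    print(json.dumps(result, indent=2))
```

Running the block with the constructed inputs flags only FRA1 as over the 3.5 MW IT-load threshold, while MUC1 shows up as a site that a total-power comparison would have classified incorrectly. The result only reports which thresholds are met; the legal classification that follows from those facts is the guide's subject, not the script's.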

Common pitfalls

PUE not factored into KRITIS calculation: The threshold refers to IT load, not total power. An incorrect calculation can lead to the wrong classification.

Physical security not treated as an IT security topic: Tailgating risks, insufficient zone separation, and missing CCTV logging are NIS2-relevant risks.

Customer security requirements not addressed contractually: NIS2-obligated customers will demand audit rights, incident notification, and security certifications. Those who are not contractually prepared will face pressure.

Redundancy tests only on paper: Planned redundancy that has not been tested is not reliable redundancy. Regular tests are a NIS2 obligation.

Use the industry-specific NIS2 calculator for data centers to determine your classification.

Authored by

Julian Köhn

Founder & CEO, Kopexa

Julian Köhn is Founder and CEO of Kopexa. He has been building security and compliance solutions for European mid-market companies for over 10 years. Focus areas: NIS2, ISO 27001, GDPR, TISAX. Kopexa was founded to make GRC transparent and self-service for SMEs.

Reviewed by

Kopexa GRC Team

Subject Matter Experts — NIS2, ISO 27001, KRITIS

The Kopexa GRC Team consists of security and compliance experts certified in ISO 27001, CISA, CRISC. The team develops framework mappings and validates content on NIS2, KRITIS, and industry-specific requirements.

Last updated: 2026-04-17
