When does a SaaS provider qualify as a cloud computing service under NIS2?

NIS2 Annex I No. 8 covers cloud computing services as defined in Regulation (EU) 2018/1807: on-demand provision of scalable resources over a network to multiple tenants. Key criteria are on-demand self-service, multi-tenancy, and an own service stack. A provider that merely resells white-label software or operates no own infrastructure may only fall under Annex II as another digital service. Classification is case-specific and should be verified with legal counsel.

What is the difference between SaaS providers and IT service providers (MSP/MSSP) under NIS2?

Both categories fall under NIS2 Annex I No. 8, but with different focus. MSPs/MSSPs actively manage third-party IT infrastructure with privileged access to customer systems. SaaS providers operate their own multi-tenant services that customers use directly. For MSPs, supply chain risk through privileged access is central; for SaaS providers, service availability and data protection are primary. In practice, services may exhibit both characteristics - in that case both requirements apply cumulatively.

What changes when serving financial customers (DORA)?

Regulation (EU) 2022/2554 (DORA) has been in force since 17 January 2025. As an ICT third-party provider to financial entities, you are required to structure contracts under Art. 28 DORA: exit strategy, audit rights of the financial entity, disclosure of sub-outsourcing chains. Critical ICT third-party providers (CTPPs) are directly supervised by ESA authorities, which in practice only affects hyperscalers. For typical SaaS providers, a DORA-compliant contractual addendum to the main agreement is generally sufficient.

Am I a GDPR data processor as a SaaS provider?

Yes, as soon as you process personal data of your customers as part of the service, you are a data processor under Art. 4 No. 8 GDPR. A Data Processing Agreement (DPA) under Art. 28 GDPR is then required with each customer. It must cover the subject matter and duration of processing, nature and purpose, categories of data subjects, and your sub-processor list. The sub-processor list must be kept current - both under GDPR and under DORA Art. 28 if financial customers are involved.

Does NIS2 apply to US providers with German customers?

NIS2 applies to entities that provide their services in the EU or are established there. A US provider without an EU establishment that offers cloud services to German customers may fall under NIS2 if it has significant effects on EU supply. Under § 29 BSIG-new, entities without an EU seat must designate a representative in Germany. Practical enforcement is complex, but the legal obligation exists.

Which cloud provider dependencies must I map in the risk analysis?

§ 30 Para. 2 No. 4 BSIG-new requires supply chain security management. For SaaS providers this means: AWS, Azure, GCP, or other infrastructure providers are critical suppliers and must be documented in the risk analysis. Relevant aspects include failure scenarios (availability, regions), exit options, data localisation, and security certifications of providers (ISO 27001, SOC 2). Sub-contractors for payment processing, email delivery, or authentication are also part of the supply chain.

What reporting deadlines apply for data breaches (NIS2 vs GDPR)?

NIS2 and GDPR have separate reporting channels. Under § 32 BSIG-new: initial report within 24 hours, full report within 72 hours, final report within 30 days - to the BSI as NIS2 authority. Under Art. 33 GDPR: notification to the data protection authority within 72 hours of a personal data breach, plus notification to affected individuals under Art. 34 GDPR if high risk. Both obligations can apply in parallel. An internal incident response plan must coordinate both reporting channels.

Are managing directors personally liable for NIS2 violations?

§ 38 BSIG-new explicitly requires management of Essential and Important Entities to approve, supervise, and train on cybersecurity measures. Proven neglect can trigger personal liability - independently of the limited liability protection of a GmbH. SaaS providers with multiple managing directors should assign cybersecurity responsibilities in writing and document them in regular board resolutions.

Industry-specific Self-Check

Is my SaaS or cloud service affected by NIS2?

Cloud computing services fall under Annex I of the NIS2 Directive. From 50 employees or 10 million Euro turnover, the obligation applies - independent of financial customers, GDPR, or DORA layers.

Step 1 / 2

Cloud service criteria and operating model

NIS2 Annex I No. 8 covers cloud computing services under Regulation (EU) 2018/1807. Check what applies to your service.

On-demand self-service for business customersCustomers can independently create accounts and scale resources without a manual sales stepMulti-tenancy and elastic resource allocationMultiple tenants share a logical infrastructure and resources are automatically adjustedSLA-based operations with availability commitmentDocumented uptime targets (e.g. 99.9 percent), incident response obligations, support channelsOwn infrastructure or managed hosting for the serviceOperated on self-managed cloud (AWS, Azure, GCP, Hetzner, own data centre) with own service stack - not white-label resale

Step 2 / 2

Company size

SaaS Providers and B2B Cloud: The Complete NIS2 Guide

Cloud computing services carry particular responsibility under NIS2: they are classified as Essential Entities under Annex I No. 8 of the NIS2 Directive (EU) 2022/2555, subjecting them to the strictest requirements. This guide is written for founders, managing directors, and CTOs of SaaS companies and B2B cloud services who want to understand what obligations apply to them.

Who is affected?

NIS2 Annex I No. 8 covers cloud computing services as defined in Regulation (EU) 2018/1807. Three characteristics are decisive: on-demand provision of scalable shared resources for multiple tenants over a network. In practical terms: SaaS providers that offer independently provisionable services to business customers, operate multi-tenancy, and run their own infrastructure or managed hosting.

The size threshold follows SME Recommendation 2003/361/EC Art. 2: at least 50 employees (full-time equivalents) or at least EUR 10 million in annual revenue. Both thresholds must be exceeded in two consecutive fiscal years to trigger applicability. This means: a rapidly growing SaaS company should assess applicability prospectively.

A provider that merely resells white-label software from another vendor or operates no own service stack does not fall under Annex I No. 8, but may be classified under Annex II as another digital service.

Obligations under § 30 BSIG-new

§ 30 BSIG-new requires a comprehensive risk management system with technical and organisational measures (TOMs). Particularly relevant for SaaS providers:

Risk analysis and management: Regular assessment of your own security architecture - cloud infrastructure, authentication systems, database access, API security.
Incident handling: A documented incident response plan with clear escalation levels and communication channels to the BSI and affected customers.
Business continuity: Backup concepts, disaster recovery plans, and recovery objectives (RTO/RPO) must be documented and tested.
Supply chain security: AWS, Azure, GCP, Stripe, Auth0, and other critical suppliers must be documented in the risk analysis (§ 30 Para. 2 No. 4 BSIG-new).
Access control and MFA: Multi-factor authentication for all privileged access to production systems is mandatory.
Encryption: Customer data must be encrypted both at rest and in transit.
Training: Technical staff must receive regular cybersecurity training.

Deadlines and reporting obligations

BSI registration under § 33 BSIG-new within three months of determining applicability. For security incidents under § 32 BSIG-new, a three-stage reporting chain applies: initial report within 24 hours, full report within 72 hours, and a final report within 30 days of the incident.

For a security incident affecting customer data, two reporting channels run in parallel: the NIS2 reporting obligation to the BSI and the GDPR reporting obligation to the data protection authority under Art. 33 GDPR (also 72 hours). Affected customers must additionally be notified under Art. 34 GDPR if there is a high risk to their rights and freedoms. An internal incident response plan must coordinate both channels and should be finalised before the first incident occurs.

Fines and personal liability

Essential entities under Annex I: up to EUR 10 million or 2 percent of global annual revenue (§ 65 BSIG-new). Personal management liability under § 38 BSIG-new applies in addition: managing directors and board members must approve, supervise, and regularly train on cybersecurity measures. Proven neglect can lead to personal liability, irrespective of the limited liability protection of a GmbH.

For SaaS providers, contractual liability to customers is a further layer: if a provider breaches its NIS2 obligations and thereby causes damage to a customer, GDPR fines and damages claims may arise simultaneously.

DORA: What applies additionally for financial customers

Regulation (EU) 2022/2554 (Digital Operational Resilience Act, DORA) has been in force since 17 January 2025 and applies to all ICT third-party providers serving financial entities such as banks, insurance companies, or investment fund managers.

As an ICT third-party provider with financial customers, you are required under Art. 28 DORA to include certain contractual elements: a documented exit strategy enabling the financial entity to transition in an orderly manner; audit rights for the financial entity and its supervisory authorities; and full disclosure of the sub-outsourcing chain, including all sub-processors performing security-relevant functions.

Critical ICT Third-Party Providers (CTPPs) are directly supervised by European supervisory authorities (ESAs). In practice this only affects hyperscalers such as AWS, Azure, or Google Cloud, not typical SaaS providers. For SaaS providers with financial customers in their portfolio, a DORA-compliant contractual addendum to the existing main agreement is generally sufficient to fulfil the Art. 28 obligations.

Common pitfalls

"We are just software, not IT operations": This misconception is widespread. NIS2 Annex I No. 8 does not depend on how the company perceives itself, but on the characteristics of the service. A provider that operates multi-tenant software on its own infrastructure and offers customers on-demand access qualifies as a cloud computing service under NIS2 - regardless of whether the company calls itself a software house or platform provider.

Sub-processor list not maintained: Both DORA Art. 28 and GDPR Art. 28 require an up-to-date list of all sub-processors. Many SaaS providers have AWS or Stripe listed in their DPA, but forget CDN providers, email delivery services, or authentication services. An incomplete sub-processor list is a compliance risk vis-a-vis customers and regulators.

Incident reporting chain defined only internally: NIS2 requires an initial report to the BSI within 24 hours for significant incidents (§ 32 BSIG-new). A provider that has only an internal escalation process but no documented path to the BSI reporting portal will be too slow in an emergency. Additionally, affected customers must be notified - a step that must be explicitly included in the incident response plan.

First steps

Assess NIS2 applicability using the four cloud service criteria and size thresholds.
Start a gap analysis of your current security architecture against the TOMs of § 30 BSIG-new.
Document your supply chain: all cloud providers, sub-processors, and critical third-party services.
Create an incident response plan with an explicit BSI reporting path and customer notification step.
Review all customer DPAs for GDPR compliance and update the sub-processor list.
If financial customers are in your portfolio: create a DORA addendum to existing contracts.
Plan BSI registration within three months of determining applicability.

Use the industry-specific NIS2 calculator for SaaS providers to clarify your obligations.

Authored by

Julian Köhn

Founder & CEO, Kopexa

Julian Köhn is Founder and CEO of Kopexa. He has been building security and compliance solutions for European mid-market companies for over 10 years. Focus areas: NIS2, ISO 27001, GDPR, TISAX. Kopexa was founded to make GRC transparent and self-service for SMEs.

LinkedIn View profile

Reviewed by

Kopexa GRC Team

Subject Matter Experts — NIS2, ISO 27001, KRITIS

The Kopexa GRC Team consists of security and compliance experts certified in ISO 27001, CISA, CRISC. The team develops framework mappings and validates content on NIS2, KRITIS, and industry-specific requirements.

Last updated: 2026-04-17

Frequently asked questions

Industry-specific answers on NIS2 obligations, thresholds, and sanctions.

Is my SaaS or cloud service affected by NIS2?

SaaS Providers and B2B Cloud: The Complete NIS2 Guide

Who is affected?

Obligations under § 30 BSIG-new

Deadlines and reporting obligations

Fines and personal liability

DORA: What applies additionally for financial customers

Common pitfalls

First steps

Frequently asked questions

01When does a SaaS provider qualify as a cloud computing service under NIS2?

02What is the difference between SaaS providers and IT service providers (MSP/MSSP) under NIS2?

03What changes when serving financial customers (DORA)?

04Am I a GDPR data processor as a SaaS provider?

05Does NIS2 apply to US providers with German customers?

06Which cloud provider dependencies must I map in the risk analysis?

07What reporting deadlines apply for data breaches (NIS2 vs GDPR)?

08Are managing directors personally liable for NIS2 violations?