Industry-specific Self-Check

Is my water utility affected by NIS2?

Municipal utilities, associations, and private providers: NIS2 applies early, and the KRITIS threshold is 22M m³ per year.


Water Utility: The Complete NIS2 Guide

Water utilities and wastewater operators are classified as Essential Entities under NIS2 Annex I No. 8 (Drinking Water) and Annex I No. 9 (Wastewater), without a revenue threshold. Any municipal water utility serving more than 50,000 people is KRITIS and thus subject to the highest NIS2 obligation class. This guide is written for technical directors, managing directors, and IT managers at water utilities.

Who is affected?

Drinking water suppliers fall under NIS2 Annex I No. 8, wastewater operators under NIS2 Annex I No. 9. The threshold: utilities serving more than 50,000 people are KRITIS (BSI-KritisV § 2 No. 24). These entities are Essential Entities under § 28 Para. 1 BSIG-new.

Smaller utilities serving between 50 and 50,000 people fall under NIS2 Annex II - provided they have at least 50 employees or EUR 10 million in revenue. They are then Important Entities.

A municipal water utility serving 80,000 residents is an Essential Entity under NIS2 Annex I, subject to the strictest obligations and highest fines.

Obligations under § 30 BSIG-new

§ 30 BSIG-new lists seven obligation categories that are particularly relevant for water utilities because of 24/7 operations and direct impact on public health:

  1. Risk analysis and management: Process control systems (SCADA/DCS), pump controls, chlorination systems, remote control technology, and laboratory information systems must all be assessed.
  2. Incident handling: A cyberattack on chlorination controls is an immediate public health incident. The incident response process must include regulatory escalation (BSI, public health authority, regulators).
  3. Business continuity: 24/7 water supply must be guaranteed even during IT failure. Manual control procedures and redundant communication paths must be documented.
  4. Supply chain security: System integrators, remote control technology providers, and laboratory software vendors must be reviewed for security standards. Contractual clauses under § 30 Para. 2 No. 4 BSIG-new are mandatory.
  5. Access control and MFA: Access to process control systems and remote control technology must be secured by MFA. Specifically: no unsecured remote access to pump controls.
  6. Encryption: Control data, operational logs, and customer data must be encrypted in transit and at rest.
  7. Training and awareness: Operations technicians, dispatchers, and administrative staff must receive regular cybersecurity training.

Deadlines and reporting obligations

BSI registration under § 33 BSIG-new within three months. For security incidents under § 32 BSIG-new: initial report within 24 hours, full report within 72 hours, final report within 30 days.

For Essential Entities in drinking water supply: any cyberattack on chlorination or treatment controls is a critical incident reportable within 24 hours. The responsible public health authority must also be notified in parallel.

Fines and personal liability

Essential Entity (Annex I): up to EUR 10 million or 2% of global annual turnover. For municipal utilities without international revenue: 2% of total revenue.

§ 38 BSIG-new: personal liability for management for negligently missed NIS2 obligations. Combined with water law liability (WHG, TrinkwV) and liability to the public for supply interruptions, the personal risk is significant.

DVGW W1060 and NIS2: understanding the overlap

The DVGW Technical Note W1060 "Information Security for the Water and Wastewater Sector" has been the industry standard for IT security in water supply since 2021. It describes requirements for information security management systems (ISMS) specifically for water utilities.

The overlap with NIS2 is substantial: both frameworks require risk analysis, emergency planning, supply chain assessment, and incident handling. A utility that is W1060-compliant already fulfills significant parts of the NIS2 requirements under § 30 BSIG-new.

Key differences: NIS2 adds reporting obligations to the BSI that are not specified in W1060. Additionally, NIS2 introduces personal management liability (§ 38 BSIG-new), which W1060 does not address. For water utilities that have already implemented W1060, a gap analysis between W1060 compliance and NIS2 requirements is recommended.

First steps

  1. Determine your classification: Essential Entity (Annex I, >50,000 supply units) or Important Entity (Annex II, SME thresholds)?
  2. Map all networked control systems: SCADA, remote control technology, chlorination controls, pump station remote access points.
  3. Conduct a W1060/NIS2 gap analysis if W1060 implementation has already begun.
  4. Review all remote access points to network control systems.
  5. Create an incident response plan that includes BSI reporting, public health authority escalation, and media communication.
  6. Review supplier contracts for security requirements.
  7. Register with the BSI.

Common pitfalls

OT systems treated as non-IT: Pump controls and SCADA systems are IT in the NIS2 sense. Excluding them from the risk analysis creates a dangerous gap.

Remote control technology without VPN and MFA: Many older remote control systems use proprietary protocols without strong authentication. This is no longer acceptable under NIS2.

W1060 treated as sufficient: W1060 compliance fulfills many, but not all, NIS2 requirements. Reporting obligations and management liability are additional.

BSI registration underestimated as a formality: Registration triggers the obligation cycle. Late registration exposes you to the accusation of deliberately delaying compliance.

Use the industry-specific NIS2 calculator for water utilities to verify your classification.

Authored by

Julian Köhn

Founder & CEO, Kopexa

Julian Köhn is Founder and CEO of Kopexa. He has been building security and compliance solutions for European mid-market companies for over 10 years. Focus areas: NIS2, ISO 27001, GDPR, TISAX. Kopexa was founded to make GRC transparent and self-service for SMEs.

Reviewed by

Kopexa GRC Team

Subject Matter Experts — NIS2, ISO 27001, KRITIS

The Kopexa GRC Team consists of security and compliance experts certified in ISO 27001, CISA, CRISC. The team develops framework mappings and validates content on NIS2, KRITIS, and industry-specific requirements.

Last updated: 2026-04-17
