NIS2 for Critical Infrastructure Operators
NIS2 requirements for utilities, energy providers and waste management. Reporting obligations, management liability and implementation roadmap.
Why NIS2 Affects Utilities and Critical Infrastructure Providers
The NIS2 Directive (EU 2022/2555) represents the most significant expansion of European cybersecurity regulation in a decade. For operators of critical infrastructure in Germany and the DACH region, NIS2 changes the compliance landscape fundamentally. Where the original NIS Directive of 2016 only captured a narrow set of operators, NIS2 casts a far wider net. Utilities, energy providers, water works, waste management operators, and transport companies now fall squarely within scope, many of them for the first time.
The directive introduces two categories of regulated entities: essential entities and important entities. The distinction matters because it determines the level of supervisory scrutiny and the severity of sanctions. Essential entities, which include large energy suppliers, drinking water providers, and wastewater operators, face proactive supervision by national authorities. Important entities, typically medium-sized operators in the same sectors, are subject to reactive supervision, meaning authorities will investigate after an incident or on the basis of evidence suggesting non-compliance.
For municipal utilities (Stadtwerke) in Germany, this is particularly relevant. Many Stadtwerke operate across multiple critical sectors simultaneously: electricity distribution, gas supply, district heating, water supply, and sometimes waste management. Under NIS2, each of these activities can independently trigger obligations. A single Stadtwerk may therefore be classified as an essential entity for its energy operations and as an important entity for its water supply, resulting in overlapping compliance requirements that must be managed in a coordinated manner.
In Germany, NIS2 has been transposed into national law with effect from December 6, 2025 through the NIS2 Implementation Act (NIS2UmsuCG). This act amends the BSI Act (BSIG) and creates a unified regulatory framework that integrates NIS2 requirements with the existing KRITIS obligations. The result is a layered compliance landscape in which NIS2, the KRITIS regime introduced by IT-SiG 2.0, and BSI IT-Grundschutz intersect and, in many cases, reinforce each other.
NIS2 Requirements in Detail: What You Must Implement
Article 21 of the NIS2 Directive defines ten categories of risk management measures that affected entities must implement. These are not optional recommendations but legally binding obligations. For critical infrastructure operators, the requirements cover the full spectrum of cybersecurity, from governance and risk assessment to incident response and supply chain security.
Risk Management and Security Policies
Every entity must establish and maintain a comprehensive information security risk management framework. This includes documented security policies, a risk register covering all critical systems and processes, and regular risk assessments. For a water works, this means not only the office IT estate but also the operational technology (OT) environment: the SCADA systems and process control networks that run water treatment, distribution, and monitoring, which are often older, less patchable, and reachable from the IT network through maintenance links. The risk management framework must be approved by the management body and reviewed at least annually. Kopexa provides structured risk management capabilities that map directly to NIS2 Article 21 requirements, making it straightforward to build and maintain the required risk register.
Incident Reporting: The 24h/72h/1-Month Cascade
NIS2 introduces a strict, multi-stage incident reporting regime that is significantly more demanding than previous requirements. When a significant cybersecurity incident occurs, you must submit an early warning to the competent national authority or CSIRT (in Germany, the BSI) within 24 hours of becoming aware of the incident. Note that the clock starts at awareness, not at the moment the attack began. This initial notification must indicate whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
Within 72 hours of becoming aware, an incident notification must follow that updates the early warning with an initial assessment of the incident's severity and impact and, where available, indicators of compromise. A final report is then due no later than one month after that incident notification was submitted, not one month after the incident itself, and must contain a detailed description of the incident including its severity and impact, the type of threat or root cause that likely triggered it, the mitigation measures applied and still ongoing, and any cross-border impact. If the incident is still ongoing when the final report falls due, a progress report is submitted instead and the final report follows one month after the incident has been handled. For utilities operating 24/7 with lean IT teams, meeting these deadlines requires pre-built workflows and templates. Kopexa's incident management module includes NIS2-compliant reporting templates that guide you through each stage of the cascade.
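The cascade is easy to get wrong on two points: the 24h and 72h clocks run from the moment you become aware of the incident, and the one-month clock for the final report runs from the submission of the 72h notification, so it cannot even be computed until that notification has gone out. The following Python is an added example written for this page, not Kopexa code and not an official BSI schema; the stage names, the early-warning field names and the sample timeline are constructed for illustration.

```python
from __future__ import annotations

from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Art. 23(4) clocks. Both short deadlines run from the moment the entity becomes
# aware of the significant incident, not from when the incident began.
EARLY_WARNING_WINDOW = timedelta(hours=24)
INCIDENT_NOTIFICATION_WINDOW = timedelta(hours=72)

# Points the early warning must address (Art. 23(4)(a)). The field names are
# this example's own, not an official schema.
EARLY_WARNING_FIELDS = ("suspected_malicious", "cross_border_impact")


def add_one_month(dt: datetime) -> datetime:
    """Same calendar day next month; clipped to month end when that day does not exist."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    return dt.replace(year=year, month=month, day=min(dt.day, monthrange(year, month)[1]))


@dataclass
class Incident:
    aware_at: datetime                          # timezone-aware moment of awareness
    early_warning_sent: datetime | None = None
    notification_sent: datetime | None = None   # the 72h incident notification
    final_report_sent: datetime | None = None


def deadlines(inc: Incident) -> dict[str, datetime | None]:
    return {
        "early_warning": inc.aware_at + EARLY_WARNING_WINDOW,
        "incident_notification": inc.aware_at + INCIDENT_NOTIFICATION_WINDOW,
        # Art. 23(4)(d): one month after the incident notification was submitted,
        # so this deadline does not exist until that submission has happened.
        "final_report": add_one_month(inc.notification_sent) if inc.notification_sent else None,
    }


def status(inc: Incident, now: datetime) -> dict[str, str]:
    """Per-stage status: on time / late / OVERDUE / due in N h / blocked."""
    sent = {
        "early_warning": inc.early_warning_sent,
        "incident_notification": inc.notification_sent,
        "final_report": inc.final_report_sent,
    }
    out = {}
    for stage, due in deadlines(inc).items():
        if due is None:
            out[stage] = "blocked: incident notification not yet submitted"
        elif sent[stage] is not None:
            out[stage] = "on time" if sent[stage] <= due else "late"
        elif now > due:
            out[stage] = "OVERDUE"
        else:
            out[stage] = f"due in {(due - now) / timedelta(hours=1):.1f} h"
    return out


def early_warning_missing(payload: dict) -> list[str]:
    """Names of mandatory early-warning points absent from a draft payload."""
    return [f for f in EARLY_WARNING_FIELDS if f not in payload]


if __name__ == "__main__":
    # Constructed timeline: awareness on the last day of January, so the
    # one-month clock for the final report is clipped to 28 February.
    inc = Incident(aware_at=datetime(2026, 1, 31, 9, 15, tzinfo=timezone.utc))
    inc.notification_sent = datetime(2026, 1, 31, 20, 0, tzinfo=timezone.utc)
    print(status(inc, datetime(2026, 2, 2, 0, 0, tzinfo=timezone.utc)))
    print(early_warning_missing({"suspected_malicious": True}))
```

The month arithmetic is the part worth testing in a tabletop exercise: a notification submitted on the 31st produces a final-report deadline on the 28th or 30th of the following month, and a tracker that naively adds 30 days will be off by one or two days in either direction.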
Supply Chain Security
NIS2 places particular emphasis on supply chain and third-party risk management. Entities must assess the cybersecurity posture of their direct suppliers and service providers. For a municipal utility, this includes IT service providers, cloud vendors, SCADA system manufacturers, metering solution providers, and maintenance contractors. You must evaluate the security practices of each supplier, include cybersecurity clauses in contracts, and monitor supplier risks on an ongoing basis. The directive explicitly requires consideration of vulnerabilities specific to each direct supplier, the overall quality of products and cybersecurity practices of suppliers, and results of coordinated security risk assessments. Kopexa's vendor management feature provides a structured approach to supplier assessments, contract tracking, and ongoing risk monitoring aligned with NIS2 supply chain requirements.
Business Continuity and Crisis Management
For operators of critical infrastructure, business continuity is not a theoretical exercise but an operational necessity. A cyberattack on an energy distribution network or water treatment facility can have immediate consequences for public health and safety. NIS2 requires entities to implement business continuity plans, disaster recovery procedures, and crisis management frameworks. These must be tested regularly through drills and exercises. Backup management and redundancy measures must ensure that critical services can be restored within defined timeframes. For utilities, this means documented recovery time objectives (RTOs) and recovery point objectives (RPOs) for every critical system, from billing platforms to process control networks.
Additional Measures Under Article 21
Beyond the core areas above, NIS2 mandates several additional measures that critical infrastructure operators must address:
- Vulnerability handling and disclosure: As part of security in the acquisition, development and maintenance of network and information systems, establish processes for identifying, documenting, and remediating vulnerabilities, including coordinated vulnerability disclosure procedures.
- Cryptography and encryption: Implement policies and procedures on the use of cryptographic controls and, where appropriate, encryption to protect data in transit and at rest.
- Human resources security, access control and asset management: Maintain access control policies and an asset inventory, and provide basic cyber hygiene practices and ongoing cybersecurity awareness training for all staff. Background checks for critical roles are common practice in the sector but are not prescribed by the directive itself.
- Multi-factor authentication: Deploy MFA or continuous authentication solutions for access to critical systems and networks, where appropriate.
- Secure communications: Use secured voice, video, and text communication systems and secured emergency communication systems within the entity, especially for crisis scenarios in which the primary IT channels may be unavailable.
Thresholds and Applicability: When Does NIS2 Apply to You?
NIS2 uses a combination of sector classification and size thresholds to determine which entities fall within scope. The directive defines 11 sectors of high criticality (Annex I) and 7 other critical sectors (Annex II). For critical infrastructure operators, the most relevant Annex I sectors are:
- Energy: Electricity (generation, transmission, distribution), oil, gas, hydrogen, and district heating/cooling. This captures virtually all energy utilities and Stadtwerke with energy operations.
- Drinking water: Suppliers and distributors of water intended for human consumption. Even smaller municipal water works may be captured if they exceed the size thresholds.
- Wastewater: Operators of wastewater collection, disposal, or treatment facilities. This is a new addition under NIS2, not previously covered by the original NIS Directive.
- Transport: Air, rail, water, and road transport operators, including traffic management systems and intelligent transport systems.
- Waste management: Covered under Annex II as an "other critical sector," capturing operators involved in waste collection, treatment, and disposal.
The size thresholds follow the EU SME definition. In general, an entity in an NIS2 sector is in scope once it is at least medium-sized: 50 or more employees, or an annual turnover and balance sheet total both exceeding EUR 10 million. Annex I entities that exceed the medium-sized ceilings (250 or more employees, or turnover above EUR 50 million and balance sheet total above EUR 43 million) are essential entities; the remaining in-scope entities are important entities. Certain entities are captured regardless of size, including DNS service providers, TLD name registries, qualified trust service providers, and entities that are the sole provider of a service essential for critical societal or economic activities in a member state. For Stadtwerke and regional utilities, the 50-employee threshold is commonly exceeded, making NIS2 applicability almost certain. If you operate in multiple sectors, each activity is assessed independently, and you may hold different classifications (essential vs. important) for different parts of your operations.
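The scoping rule above hides one trap: under the EU SME definition an enterprise only stays in the lower size class if its headcount is below the limit and at least one of the two financial ceilings is respected, so a Stadtwerk with 180 staff but a turnover of EUR 95 million and a balance sheet of EUR 120 million counts as large and is an essential entity for its Annex I activities. The following Python is an added example written for this page, not Kopexa code; the sector labels, the sample entities and the wording of the size-independent case are constructed for illustration, and the Member State's designation decision is not modelled.

```python
from dataclasses import dataclass, field

# Illustrative labels for the sectors named on this page, not the directive's
# own identifiers (Annex I: sectors of high criticality; Annex II: other critical sectors).
ANNEX_I = {"energy", "transport", "drinking_water", "wastewater"}
ANNEX_II = {"waste_management"}


@dataclass
class Entity:
    name: str
    employees: int
    turnover_meur: float         # annual turnover, EUR million
    balance_sheet_meur: float    # annual balance sheet total, EUR million
    sectors: set = field(default_factory=set)
    sole_provider: bool = False  # Art. 2(2)(b): sole provider of an essential service in a Member State


def size_class(e: Entity) -> str:
    """EU size class per Recommendation 2003/361/EC, Annex Art. 2.

    An enterprise stays inside a class only if headcount is below the limit AND
    at least one financial ceiling (turnover or balance sheet) is not exceeded.
    Failing both financial ceilings pushes it up a class even with few staff.
    """
    if e.employees < 50 and (e.turnover_meur <= 10 or e.balance_sheet_meur <= 10):
        return "small"    # micro and small: below the general NIS2 size threshold
    if e.employees < 250 and (e.turnover_meur <= 50 or e.balance_sheet_meur <= 43):
        return "medium"
    return "large"        # exceeds the medium-sized ceilings


def classify(e: Entity) -> dict:
    """Per-sector NIS2 classification from entity size (Art. 2(1), Art. 3)."""
    size = size_class(e)
    result = {}
    for sector in sorted(e.sectors):
        if sector in ANNEX_I:
            annex = "I"
        elif sector in ANNEX_II:
            annex = "II"
        else:
            result[sector] = "not a NIS2 sector"
            continue
        if size == "small":
            # Art. 2(2) lists size-independent triggers; a sole provider is one
            # of them, and the Member State then designates the entity.
            result[sector] = (
                "in scope regardless of size (designated by Member State)"
                if e.sole_provider else "out of scope (below size threshold)"
            )
        elif annex == "I" and size == "large":
            result[sector] = "essential"   # Art. 3(1)(a)
        else:
            result[sector] = "important"   # Art. 3(2): every other in-scope entity
    return result


if __name__ == "__main__":
    # Constructed sample entities, not real organisations.
    for ent in (
        Entity("Stadtwerke A", 180, 95.0, 120.0, {"energy", "drinking_water", "waste_management"}),
        Entity("Regionalversorger B", 120, 30.0, 25.0, {"energy", "wastewater"}),
        Entity("Wasserwerk C", 35, 6.0, 9.0, {"drinking_water"}),
        Entity("Wasserwerk D", 35, 6.0, 9.0, {"drinking_water"}, sole_provider=True),
    ):
        print(ent.name, size_class(ent), classify(ent))
```

Run against your own figures, the output is the starting point for the scoping step in Phase 1 of the roadmap; any entity that lands on "in scope regardless of size" or sits close to a ceiling should be confirmed with the BSI rather than self-assessed.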
NIS2 vs. KRITIS (IT-SiG 2.0): Overlaps and Differences
For operators in Germany, the relationship between NIS2 and the existing KRITIS regime under IT-SiG 2.0 is a central question. The two frameworks are not identical, and understanding their interplay is essential for efficient compliance management.
The German KRITIS regime under IT-SiG 2.0 uses specific, quantitative facility thresholds (defined in BSI-KritisV) to determine which operators are classified as KRITIS. For example, an electricity generation plant is KRITIS from 104 MW of installed net capacity (the threshold was lowered from 420 MW by the 2021 amendment of BSI-KritisV), and a water supplier is KRITIS when it serves at least 500,000 people. These thresholds create a clear, binary classification: you are either KRITIS or you are not.
NIS2 takes a fundamentally different approach. Instead of facility-level thresholds, NIS2 uses entity-level size criteria (employees, turnover and balance sheet total). This means many operators who fall below the KRITIS thresholds but employ more than 50 people will now be regulated under NIS2 for the first time. A medium-sized Stadtwerk that distributes electricity to 100,000 households but operates no generation plant above the 104 MW threshold was not KRITIS, but it almost certainly falls under NIS2 as an important entity.
The practical implications are significant:
- Dual obligations: Operators who are both KRITIS and NIS2-regulated must comply with both frameworks simultaneously. KRITIS requirements (BSIG Section 8a, industry-specific security standards) continue to apply alongside NIS2 obligations.
- Expanded scope: NIS2 captures significantly more entities than KRITIS. Estimates suggest that the number of regulated entities in Germany will increase from approximately 2,000 (KRITIS) to 25,000 or more (NIS2).
- Reporting differences: KRITIS requires incident reports to the BSI without undue delay (unverzüglich) but without fixed, time-staged deadlines. NIS2 introduces the strict 24h/72h/1-month cascade, which is more demanding and requires structured reporting workflows.
- Management liability: NIS2 explicitly introduces personal liability for management bodies, which goes beyond the existing KRITIS framework.
The good news: if you already comply with BSI IT-Grundschutz or hold a KRITIS audit certificate under BSIG Section 8a, you have already covered a substantial portion of NIS2 requirements. The core risk management measures overlap significantly. What NIS2 adds are more prescriptive incident reporting deadlines, explicit supply chain security obligations, and the management liability dimension. Using Kopexa's cross-framework mapping, you can identify exactly which requirements are already satisfied by your existing KRITIS compliance and where additional measures are needed.
Implementation Roadmap for Utilities
Implementing NIS2 compliance does not happen overnight, but a structured approach can make the process manageable even for organizations with limited cybersecurity resources. The following roadmap outlines pragmatic steps, prioritized by regulatory urgency and operational impact.
Phase 1: Scoping and Gap Assessment (Months 1 to 2)
Begin by determining your exact NIS2 classification. Identify which sectors and sub-sectors your operations fall into, assess your entity size against the thresholds, and determine whether you are classified as essential or important. If you are already a KRITIS operator, document the overlap between your existing obligations and NIS2 requirements. Conduct a formal gap assessment comparing your current security posture against all ten Article 21 measures. This assessment should cover policies, technical controls, incident response capabilities, supply chain management, and governance structures. The output is a prioritized action plan with clear ownership and deadlines.
Phase 2: Governance and Risk Framework (Months 2 to 4)
Establish or update your information security governance structure. NIS2 requires the management body to approve and oversee the cybersecurity risk management framework. This means your executive board or managing directors must be formally involved. Document your risk management methodology, build or update your risk register to cover all critical IT and OT systems, and define risk acceptance criteria. Create or update your core security policies: information security policy, acceptable use policy, access control policy, and incident response policy. All policies must be formally approved by management, communicated to staff, and accessible at all times.
Phase 3: Technical Controls and Incident Response (Months 3 to 6)
Implement the technical measures identified in your gap assessment. Priority areas for utilities typically include network segmentation between IT and OT environments, multi-factor authentication for remote access and privileged accounts, vulnerability management processes with regular scanning, backup and recovery testing, and encryption for data in transit. In parallel, build your incident response capability to meet the NIS2 reporting cascade. Define escalation paths, create reporting templates aligned with BSI requirements, conduct tabletop exercises simulating NIS2-reportable incidents, and test your ability to submit the early warning within 24 hours.
Phase 4: Supply Chain and Continuous Improvement (Months 5 to 8)
Address supply chain security by inventorying all critical suppliers, conducting supplier risk assessments, and updating contracts to include cybersecurity clauses. Establish a process for ongoing supplier monitoring. Finally, implement a continuous improvement cycle: regular management reviews, internal audits, corrective actions tracking, and annual risk reassessments. NIS2 compliance is not a one-time project but an ongoing operational obligation.
Fines and Management Liability
NIS2 introduces a sanctions regime that is designed to ensure compliance through significant financial consequences. The fines are differentiated by entity classification:
- Essential entities: Administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. For a large energy utility with EUR 500 million in annual turnover the two figures coincide at EUR 10 million; above that turnover the percentage governs, so at EUR 800 million the ceiling is EUR 16 million.
- Important entities: Administrative fines of up to EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher. Even for medium-sized operators, these amounts can represent existential risks.
Beyond financial penalties, NIS2 introduces a dimension that is entirely new for many operators: personal liability of the management body. Article 20 requires that management bodies of essential and important entities approve the cybersecurity risk management measures and oversee their implementation. Member states must ensure that management bodies can be held liable for infringements. In Germany, this means managing directors, executive board members, and in some cases supervisory board members can face personal consequences for failures in cybersecurity governance.
The directive also requires that members of the management body undergo regular cybersecurity training to acquire sufficient knowledge and skills to identify risks and assess cybersecurity practices. For utilities where board members often come from engineering, finance, or public administration backgrounds, this represents a tangible new obligation. Documented training records become part of the compliance evidence that must be available during audits.
Additionally, national authorities gain enforcement powers that go beyond fines. These include binding instructions, implementation orders, and in severe cases the temporary suspension of certifications or authorizations and, for essential entities, a temporary prohibition on the persons at CEO or legal representative level from exercising managerial functions until the infringement has been remedied (Article 32). For regulated utilities that depend on operating licenses, these non-financial sanctions can be even more impactful than monetary penalties.
Kopexa for NIS2 Compliance in Critical Infrastructure
Kopexa was built specifically for organizations that must navigate multiple, overlapping regulatory frameworks. For critical infrastructure operators facing NIS2, KRITIS, and BSI IT-Grundschutz simultaneously, Kopexa provides a unified compliance platform with a ready-to-use NIS2 framework that eliminates redundancy and accelerates implementation.
The NIS2 framework catalog in Kopexa maps every Article 21 requirement to concrete control objectives. Where these controls overlap with KRITIS requirements under BSIG Section 8a or BSI IT-Grundschutz modules, Kopexa's cross-framework mapping makes the overlap visible. This means you implement a control once and satisfy requirements across multiple frameworks simultaneously, reducing effort by 40 to 60 percent compared to managing each framework in isolation.
Key capabilities for critical infrastructure operators include:
- Cross-framework mapping: Visualize how NIS2 Article 21 measures map to KRITIS requirements, BSI IT-Grundschutz building blocks, and ISO 27001 controls. Identify gaps and overlaps instantly.
- Incident reporting workflows: Pre-built workflows guide your team through the 24h/72h/1-month reporting cascade with templates aligned to BSI notification requirements.
- Supplier risk management: Manage supplier assessments, track contract clauses, and monitor third-party risks in a structured, auditable process.
- Risk register and treatment plans: Maintain a comprehensive risk register covering IT, OT, and organizational risks with linked treatment plans and mitigation tracking.
- Audit-ready evidence: Generate compliance reports and evidence packages for BSI audits, KRITIS Section 8a reviews, and NIS2 supervisory inspections from a single source of truth.
- Management dashboard: Provide executive-level visibility into compliance status across all applicable frameworks, supporting the management body's oversight obligations under NIS2 Article 20.
For Stadtwerke and regional utilities that must comply with NIS2 and KRITIS in parallel, Kopexa eliminates the need to maintain separate compliance silos. Instead of duplicating documentation, risk assessments, and audit evidence across frameworks, you manage everything in one platform with automated cross-referencing. Starting at EUR 249 per month, Kopexa provides a cost-effective foundation for NIS2 compliance, whether you work independently or with an implementation partner.
Next Steps
Dive deeper into the topics that matter most for your critical infrastructure compliance journey:
- NIS2 Content Hub with the complete NIS2 requirements catalog, implementation guides, and checklists
- KRITIS Requirements under IT-SiG 2.0 covering thresholds, reporting obligations, and audit requirements under BSI-KritisV
- BSI IT-Grundschutz as Implementation Framework explaining how IT-Grundschutz structures your ISMS and simplifies evidence for both KRITIS and NIS2
- Risk Management Feature in Kopexa for building and maintaining your NIS2-compliant risk register
- Incident Management Feature with NIS2 reporting cascade templates and BSI notification workflows
- Vendor Management Feature for NIS2 supply chain security assessments and ongoing supplier monitoring