nexalign
Regulatory

NIS2 obligations for water utilities 2026

Drinking water supply and wastewater management sit in NIS2 Annex I No. 6 and 7. NIS2 sets its thresholds far lower than the old German KritisV did, so not only large utilities but also many mid-sized municipal utilities and special-purpose associations fall into scope. That is exactly the group least prepared in headcount and budget. Here is a pragmatic obligations list for 2026, calibrated for the reality of municipal water operators.

Applicability: many more utilities than before

Annex I No. 6 NIS2: suppliers and distributors of water intended for human consumption. Annex I No. 7: undertakings carrying out collection, disposal or treatment of urban or industrial wastewater, where this is an essential activity.

Size classes as usual: 250 employees or EUR 50m revenue puts an entity in the essential class, 50 employees or EUR 10m revenue in the important class.

In practice: almost every municipal utility with a water arm, every supra-regional special-purpose association and most municipal water and wastewater associations fall into at least one NIS2 category.

The old KritisV threshold of 500,000 inhabitants supplied no longer acts as a filter. Supplying a mid-sized district town is enough to be in scope from 2026.

Why small utilities are under particular pressure

Staffing: many municipal water utilities have fewer than 50 employees and no dedicated information security officer. NIS2 however requires a formal information security responsibility at management body level.

Budget: water prices in Germany are cost-based and regulated. Cybersecurity investments must be refinanced through tariff calculations, which requires multi-year lead time.

OT reality: PLCs, pumping station tele-control and process control systems are often 15-25 years old, run on unsupported operating systems and are reachable over maintenance VPNs. Exactly the combination that ransomware groups exploited in US water plants in 2024 and 2025.

Ten concrete obligations

1. Define responsibility: management body resolution on the cyber risk strategy, a designated ISB (information security officer, in-house or on external mandate).

2. Risk analysis for OT (process control, PLC, tele-control) and office IT separately.

3. Network segmentation: physical or logical separation of control room/SCADA and office IT. Remote maintenance only via bastion host with MFA and session logging.

4. Backup and recovery: control-system configurations, control logic and historian databases must be backed up offline and immutable.

5. OT vulnerability management: vendor patches when possible, documented compensation otherwise (segmentation, IDS, application allowlisting).

6. Cryptography: TLS for every remote maintenance connection, encryption of configuration backups.

7. Access control: MFA for all administrative access to control systems and remote maintenance interfaces. Privileged access management where budget allows.

8. Incident handling with a notification cascade to the BSI (24 h / 72 h / one month).

9. Supply chain: maintenance contracts with PLC vendors, control system integrators and cloud providers need NIS2 clauses (incident notification, vulnerability disclosure, audit right).

10. Training and awareness for staff, annually for management.
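Obligations 3, 5, 6 and 7 above are the ones a utility can actually test against its asset inventory. The following is an added example, not code from the page or from DecisionOS: it turns those four items into rules and runs them over a constructed inventory of remote-maintenance paths and OT assets for a fictional utility. Field names (`via_bastion`, `compensations`, and so on) and the readiness ratio are assumptions of this example.

```python
# Added example (not code from the page or from DecisionOS): a gap check that
# turns obligations 3, 5, 6 and 7 of the list above into testable rules over
# a constructed inventory of remote-maintenance paths and OT assets.
from dataclasses import dataclass


@dataclass(frozen=True)
class RemotePath:
    """One remote-maintenance path into the control network (assumed fields)."""
    name: str
    via_bastion: bool       # terminates on a bastion host, not directly on the PLC
    mfa: bool               # multi-factor authentication enforced
    session_logging: bool   # session is recorded/logged
    tls: bool               # transport is TLS-protected


@dataclass(frozen=True)
class OtAsset:
    """A control-system component with its patch and support status (assumed fields)."""
    name: str
    vendor_supported: bool          # vendor still ships security patches
    patched: bool                   # current vendor patch level applied
    compensations: tuple = ()       # documented compensating controls


# Compensating controls the obligations list names for assets that cannot be patched.
ACCEPTED_COMPENSATIONS = {"segmentation", "ids", "allowlisting"}


def check_remote_path(p: RemotePath) -> list:
    """Return the obligation gaps (items 3, 6, 7) of one remote-maintenance path."""
    gaps = []
    if not p.via_bastion:
        gaps.append("3: remote maintenance not routed via bastion host")
    if not p.session_logging:
        gaps.append("3: no session logging")
    if not p.tls:
        gaps.append("6: connection not TLS-protected")
    if not p.mfa:
        gaps.append("7: no MFA on administrative access")
    return gaps


def check_ot_asset(a: OtAsset) -> list:
    """Return the obligation-5 gaps of one OT asset: patch when possible, otherwise
    require at least one documented compensating control."""
    if a.vendor_supported:
        return [] if a.patched else ["5: vendor patch available but not applied"]
    if not ACCEPTED_COMPENSATIONS.intersection(a.compensations):
        return ["5: unsupported asset without documented compensation"]
    return []


def readiness(paths, assets) -> dict:
    """Collect gaps per inventory item plus a simple ratio of gap-free items (assumed metric)."""
    gaps = {}
    for p in paths:
        g = check_remote_path(p)
        if g:
            gaps[p.name] = g
    for a in assets:
        g = check_ot_asset(a)
        if g:
            gaps[a.name] = g
    total = len(paths) + len(assets)
    clean = total - len(gaps)
    return {"gaps": gaps, "score": round(clean / total, 2) if total else 1.0}


# Constructed inventory for a fictional municipal water utility.
PATHS = [
    RemotePath("plc-vendor-vpn", via_bastion=False, mfa=False, session_logging=False, tls=True),
    RemotePath("scada-admin-bastion", via_bastion=True, mfa=True, session_logging=True, tls=True),
]
ASSETS = [
    OtAsset("pumping-station-plc", vendor_supported=False, patched=False,
            compensations=("segmentation", "allowlisting")),
    OtAsset("scada-server", vendor_supported=True, patched=False),
    OtAsset("telecontrol-rtu", vendor_supported=False, patched=False),
]


if __name__ == "__main__":
    result = readiness(PATHS, ASSETS)
    for name, item_gaps in result["gaps"].items():
        print(name)
        for line in item_gaps:
            print("  -", line)
    print("readiness score:", result["score"])
```

The point of the structure is that each finding carries the number of the obligation it violates, so the same output feeds both the remediation backlog and the audit dossier. The vendor VPN path that lands straight on the PLC without MFA or logging is the pattern the OT reality paragraph above describes; the unsupported RTU without any documented compensation is the case obligation 5 is meant to catch.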

Pragmatic implementation patterns for small utilities

ISB on mandate: a shared external ISB serving several municipal utilities is substantially cheaper than a dedicated role. The sector associations (BDEW, VKU) can refer accredited providers.

SOC-as-a-Service: a dedicated SOC is unrealistic for small utilities. MDR providers with OT expertise (BSI-certified) are a valid option.

Sector cooperation: BDEW B3S Water/Wastewater and VKU working groups offer joint audits and training.

There is no KHZG equivalent for the water sector. Refinancing runs through normal tariff calculation and occasionally through state-level subsidy programmes.

Management body liability and fines

Managing directors of municipal utilities, technical and commercial works managers, and board members of special-purpose associations qualify as the management body under Art. 20, depending on legal form.

Essential entities: fines up to EUR 10m or 2 percent of worldwide group turnover. Important entities: up to EUR 7m or 1.4 percent.

Municipal twist: fines hit the in-house enterprise or the wholly-owned subsidiary. Personal liability of management follows the general rules (civil code, limited liability law, the relevant municipal law).

What DecisionOS does

For small municipal utilities, NIS2 compliance is a marathon, not a sprint. DecisionOS makes every investment-relevant decision (SCADA modernisation, MDR provider, IAM rollout, backup solution) audit-recordable: decision memo with Art. 21 mapping, stakeholder sign-off (works management, executive board, ISB, supervisory board where applicable) and readiness score. The same dossier serves the BSI audit and the political justification of tariff impact.