Annex II – Important Entity

NIS2 for Waste Management Companies

Your sector is newly in scope under NIS2 Annex II. If your waste management company has 50+ employees or €10M+ revenue, this is your practical guide to what the law requires and where to start.

Why Does NIS2 Apply to Waste Companies?

Waste management was added to NIS2 because modern waste operations depend heavily on IT systems. Fleet management, route optimization, weighbridge systems, sorting plant controls, billing, and regulatory reporting all run on networked software. A ransomware attack that takes down a waste company's fleet management system does not just stop trucks – it creates a public health risk. Uncollected waste in a city of 200,000 people becomes a crisis within days.

The EU classified waste management under Annex II of the NIS2 Directive, which means waste companies meeting the size threshold (50+ employees or €10M+ annual revenue) are categorized as 'important entities' (wichtige Einrichtungen) under §28(2) BSIG. This means the full range of NIS2 obligations applies: BSI registration, cybersecurity risk management measures, incident reporting, supply chain security, and management liability.

Most waste companies have never dealt with cybersecurity regulation before. This is not a criticism – until NIS2, there was no legal reason to. But it does mean there is a steeper learning curve compared to sectors that were already under KRITIS. The good news: waste company IT environments are typically less complex than those in banking or energy, which means the compliance effort is proportionately smaller.

What Does a Waste Company's Asset Inventory Look Like?

Every NIS2 entity must maintain an inventory of assets that support critical services. For a typical waste management company with 100–200 employees, the inventory is simpler than you might expect – usually 10 to 15 grouped entries.

Fleet management and GPS

The software and systems that manage vehicle routing, GPS tracking, driver scheduling, and real-time route optimization. This is usually a cloud-hosted SaaS platform or on-premises server. If this goes down, trucks cannot be dispatched efficiently. Group all fleet management components as one asset entry.

Weighbridge and weighing systems

Electronic weighing systems at sites that record incoming and outgoing material weights for billing and regulatory compliance. Often connected to ERP systems. May include older industrial controllers. Group the weighbridge system (hardware + software) as one asset.

ERP and billing system

The core business system handling customer management, contracts, billing, material tracking, and regulatory reporting. Commonly SAP Business One, DATEV, or sector-specific solutions like RECY or Wastebox. Compromise of this system affects revenue, customer data, and regulatory reporting. One asset entry.

Sorting and processing plant controls

If your company operates sorting plants, composting facilities, or waste-to-energy plants, you likely have SCADA or industrial control systems managing the physical processes. These are often older systems with limited security features. They represent a distinct risk category because they control physical equipment. Group per facility.

Endpoints and office IT

Laptops, desktops, and mobile devices used by office staff, dispatchers, and management. Standard office applications (Microsoft 365, email, document management). Grundschutz allows grouping identical devices: '45 standard Windows laptops' is one asset entry, not 45.

Network infrastructure

Routers, switches, firewalls, and VPN connections linking offices, depots, and plant sites. Include internet connections and any site-to-site links. If your company has multiple locations, each site's network can be a grouped entry. The network is what connects everything else – its compromise affects all other assets.

Where to Start – Priority Order for Waste Companies

You do not need to do everything at once. This priority order reflects what the BSI will look for first and what creates the most compliance value per hour of effort.

1. Register with the BSI

Complete your §33 BSIG registration via the BSI portal. This is the most visible obligation and has its own penalty provision (up to €500,000). It takes about 30 minutes and immediately puts you on record as an entity that is engaging with its obligations. Do this before anything else.

2. Build your asset inventory

List the systems that support your waste collection, processing, and disposal services. Use the six categories above as a starting point. For each asset, note what it does, who manages it (internal or supplier), and what happens if it is unavailable for 24 hours. This inventory becomes the foundation for everything that follows.

3. Set up incident reporting

Define what counts as a significant incident for your company and establish the process for reporting to the BSI within the required timelines (24h/72h/1 month). Designate who makes the reporting decision, who files the report, and how you reach them outside business hours. You do not need a security operations center – you need a clear phone tree and a documented process.

4. Review access controls

Audit who has access to your critical systems – especially fleet management, ERP, and any plant control systems. Implement multi-factor authentication on remote access and administrative accounts. Remove access for former employees. This is often the area with the most low-hanging fruit: many waste companies have shared passwords, no MFA, and former employee accounts still active.
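The access review in step 4 can be done with a short script rather than by eye. The example below is added here and is not code from the original guide; it cross-checks a constructed account export from three critical systems (hypothetical names: "fleet", "erp", "plant-vpn") against a constructed HR leaver list and flags the three problems the step names: former employees whose accounts are still enabled, administrative or remote-access accounts without MFA, and shared logins with no individual owner. All user names, e-mail addresses and systems are invented for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    """One login on a critical system, as exported from that system (constructed)."""
    system: str                 # e.g. "fleet", "erp", "plant-vpn" (hypothetical)
    username: str
    owner_email: Optional[str]  # None = shared login with no single responsible person
    enabled: bool
    is_admin: bool
    remote_access: bool         # reachable from outside the company network
    mfa_enrolled: bool


# Constructed sample export from three critical systems.
ACCOUNTS = [
    Account("fleet", "m.schulz", "m.schulz@example-waste.de", True, True, True, True),
    Account("fleet", "dispatch", None, True, False, False, False),                      # shared desk login
    Account("erp", "j.becker", "j.becker@example-waste.de", True, False, True, False),  # left the company
    Account("erp", "sapadmin", "it@example-waste.de", True, True, True, False),         # admin without MFA
    Account("plant-vpn", "vendor-remote", "support@example-vendor.de", True, False, True, False),
    Account("plant-vpn", "k.weber", "k.weber@example-waste.de", False, False, True, False),  # already disabled
]

# Constructed HR leaver list: e-mail -> last working day.
LEAVERS = {
    "j.becker@example-waste.de": date(2025, 3, 31),
    "k.weber@example-waste.de": date(2025, 1, 15),
}


def find_leaver_accounts(accounts: List[Account], leavers: Dict[str, date]) -> List[str]:
    """Enabled accounts owned by someone on the HR leaver list."""
    return [f"{a.system}:{a.username}" for a in accounts
            if a.enabled and a.owner_email in leavers]


def find_missing_mfa(accounts: List[Account]) -> List[str]:
    """Enabled admin or remote-access accounts that are not enrolled in MFA."""
    return [f"{a.system}:{a.username}" for a in accounts
            if a.enabled and (a.is_admin or a.remote_access) and not a.mfa_enrolled]


def find_shared_accounts(accounts: List[Account]) -> List[str]:
    """Enabled logins with no individual owner, i.e. shared passwords."""
    return [f"{a.system}:{a.username}" for a in accounts
            if a.enabled and a.owner_email is None]


def review(accounts: List[Account], leavers: Dict[str, date]) -> Dict[str, List[str]]:
    """Run all three checks and return the findings grouped by category."""
    return {
        "leaver_still_enabled": find_leaver_accounts(accounts, leavers),
        "privileged_without_mfa": find_missing_mfa(accounts),
        "shared_login": find_shared_accounts(accounts),
    }


if __name__ == "__main__":
    for category, hits in review(ACCOUNTS, LEAVERS).items():
        print(f"{category}: {', '.join(hits) or 'none'}")
```

Each finding is a `system:username` pair, so the output doubles as the work list for the clean-up and as evidence for the documented review. In practice the `ACCOUNTS` list would be filled from each supplier's or system's user export and `LEAVERS` from HR, and the script rerun at the review interval you define.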

5. Document supplier relationships

Most waste companies outsource significant IT functions – cloud hosting, ERP maintenance, fleet management software. Document who these suppliers are, what access they have to your systems, and what security commitments they make. This is the beginning of your supply chain security process under §30(2)(4) BSIG. If your IT provider gets breached, your data and your services are at risk.

What Makes Waste Companies Different

Waste companies have a unique risk profile. Unlike a software company where almost everything is digital, waste operations involve physical processes: trucks on roads, materials in motion, equipment at sites. A cyberattack on fleet management has immediate physical-world consequences. This operational technology dimension means your risk assessment should consider both IT systems and any industrial controls.

Most waste companies outsource heavily. Many operate with a small internal IT team (or no dedicated IT staff at all) and rely on external providers for everything from email to ERP to fleet management. Under NIS2, you can outsource operations but not accountability – §30 BSIG holds your company responsible for security measures even when a supplier delivers them. This makes supplier management your most important compliance lever.

The positive side: waste company IT environments are typically straightforward. A 100-person waste company has perhaps 6 to 10 distinct system groups, compared to 30 or more for a bank or hospital of similar size. This means the compliance effort is proportionate – you are looking at weeks of focused work, not a multi-year program. The BSI's 'appropriate and proportionate' standard works in your favor here.

Frequently Asked Questions

Is our waste company actually in scope for NIS2?

If your company operates in waste collection, treatment, or disposal and has 50 or more employees or €10M or more in annual revenue, you are almost certainly in scope as an important entity under NIS2 Annex II. The sector definition covers the full waste management chain. If you are close to the threshold, check whether connected group companies push you over the limit – NIS2 uses the EU SME definition which considers linked enterprises.

We outsource all IT – does NIS2 still apply to us?

Yes, fully. NIS2 applies to the entity that provides the waste management service, regardless of who manages the IT. You can outsource the work but not the legal responsibility (§30 BSIG). In practice, this means your IT provider becomes your most critical supplier: document the relationship, include cybersecurity requirements in the contract, and verify they have adequate security measures. If they get breached, your reporting obligation triggers – not theirs.

What does an asset inventory look like for a waste company?

Simpler than you think. A typical 100-person waste company has about 10 to 15 grouped asset entries: fleet management system, weighbridge system, ERP/billing, network infrastructure per site, standard endpoints (grouped – e.g., '45 Windows laptops'), email/collaboration (Microsoft 365), and possibly SCADA or sorting plant controls. Grundschutz explicitly allows grouping identical assets, so you do not need a line item for every laptop.

How long does NIS2 compliance take for a company our size?

For a 100-person waste company starting from scratch, expect 3 to 6 months to reach a solid baseline: BSI registration (week 1), asset inventory and risk assessment (weeks 2 to 6), incident reporting process (weeks 4 to 8), access control improvements (weeks 6 to 12), policy documentation (ongoing). You do not need to be perfect by day one – the BSI evaluates trajectory and good faith. After the initial setup, ongoing effort is mainly annual reviews and responding to incidents.

Sources
  • NIS2 Directive (EU) 2022/2555 – Annex II, Sector 4: Waste water and waste management
  • BSIG – §28 (Scope), §30 (Cybersecurity measures), §33 (Registration), §38 (Management liability)
  • BSI – Sector-specific NIS2 guidance and registration portal documentation (2025)
  • IT-Grundschutz Kompendium – OPS.1.2.5 (Fernwartung), IND.1 (Prozessleit- und Automatisierungstechnik)
  • BDE Bundesverband der Deutschen Entsorgungs-, Wasser- und Kreislaufwirtschaft – NIS2 position papers
NIS2 Compliance for Waste Companies – Structured and Practical
The platform walks you through every §30 BSIG requirement with sector-appropriate guidance: asset inventory templates, risk assessment workflows, supplier documentation, and incident reporting procedures sized for waste management operations.