Important vs Essential vs KRITIS: The Same Work, Different Consequences
NIS2 defines three tiers of regulated entities. The security measures are identical across all three. What changes is how closely BSI watches you and how hard they hit if you fail.
Three Tiers, One Set of Rules
The German NIS2 transposition (BSIG) classifies regulated entities into three categories: wichtige Einrichtungen (important entities), besonders wichtige Einrichtungen (essential entities), and Betreiber kritischer Anlagen (KRITIS operators). Many companies spend weeks trying to figure out which category they fall into before starting their compliance work.
Here is the key insight: it does not matter for the work itself. All three categories must implement the same 10 security measure categories defined in §30(2) BSIG. The same risk management. The same incident reporting. The same supply chain security. The same access controls. The same encryption policies. The same business continuity planning.
The differences are in supervision (how BSI monitors you), penalties (how much you pay if caught non-compliant), and three extra obligations that only apply to KRITIS operators. The compliance process you go through on NISD2 covers all three categories identically.
| Criterion | Important (Wichtig) | Essential (Besonders Wichtig) | KRITIS |
|---|---|---|---|
| Company Size | 50+ employees OR >10M EUR revenue and >10M EUR balance sheet | 250+ employees OR >50M EUR revenue and >43M EUR balance sheet | Any size — determined by infrastructure thresholds (e.g. 500,000 people served) |
| Sectors | Annex I (energy, transport, finance, health, water, digital infra, space) + Annex II (postal, waste, chemicals, food, manufacturing, digital services, research) | Annex I sectors only (medium-sized entities in Annex I are classified as important, not essential) | Subset of essential — only entities operating infrastructure whose failure would disrupt public supply |
| Size-Independent Inclusions | Non-qualified trust service providers, small telecom providers | Qualified trust services, TLD registries, DNS providers, large telecom providers | Operators of critical installations as defined in BSI-KritisV (power grids, water treatment, hospitals, etc.) |
The EU medium enterprise threshold is: 50+ employees OR (>€10M turnover AND >€10M balance sheet). Both financial criteria must be met simultaneously — high revenue alone is not enough. For essential entities, the large enterprise threshold is: 250+ employees OR (>€50M turnover AND >€43M balance sheet). These examples show how the rules apply in practice.
| Scenario | Employees | Turnover | Balance Sheet | Sector | Classification |
|---|---|---|---|---|---|
| High-revenue trading firm, small team | 12 | €25M | €18M | Annex I — Banking | Important — both financial thresholds exceeded (>€10M), employee count irrelevant |
| Large manufacturer, low margin | 200 | €5M | €3M | Annex II — Manufacturing | Important — employee count ≥50 is sufficient, revenue does not matter |
| SaaS startup, high revenue, tiny team | 8 | €15M | €4M | Annex I — Digital infrastructure | Not in scope — revenue exceeds €10M but balance sheet is below €10M. Need BOTH |
| Regional hospital | 400 | €60M | €45M | Annex I — Health | Essential — 250+ employees in Annex I sector. If >30,000 inpatient cases/year: KRITIS |
| Energy trader, asset-light | 15 | €120M | €55M | Annex I — Energy | Essential — both large financial thresholds exceeded (>€50M turnover AND >€43M balance sheet) |
| Waste management company | 80 | €8M | €6M | Annex II — Waste | Important — 80 employees ≥50 threshold, despite low revenue. NACE E.38 only (not remediation E.39) |
| Managed service provider (MSP) | 45 | €12M | €11M | Annex I — ICT service management | Important — below 50 employees but both financial thresholds exceeded. Also subject to CIR 2024/2690 |
| Food processor, seasonal workforce | 55 (annual average) | €9M | €7M | Annex II — Food | Important — headcount uses annual work units (Rec. 2003/361/EC Art. 5). Seasonal peaks count proportionally |
| Qualified trust service provider (qTSP) | 3 | €500K | €200K | Annex I — Digital infrastructure | Essential — size-independent under §28(1) BSIG. qTSPs are always essential regardless of size |
| Chemical distributor, large subsidiary | 180 | €70M | €50M | Annex II — Chemicals | Important — despite large financials, Annex II sectors max out at important. Only Annex I + large = essential |
Size thresholds per EU Recommendation 2003/361/EC Art. 2, referenced by NIS2 Directive Art. 2(1). Employee count uses annual work units (Art. 5). Linked/partner enterprise rules (Annex Art. 3) may aggregate parent company headcount and financials. Sector classification per NIS2 Directive Annex I/II, transposed in BSIG §28 Anlage 1/2. Size-independent cases per §28(1) BSIG.
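As an added illustration (not code from the page or from the NISD2 platform), the scoping rules above written as a small classifier: the thresholds are the ones stated on this page, and the scenario table serves as its test set. The `special_type` labels and the `kritis_threshold_met` flag are assumed input conventions, not terms from the BSIG.

```python
from dataclasses import dataclass
from typing import Optional

# Size thresholds stated on the page (EU Rec. 2003/361/EC Art. 2): employees are
# annual work units; BOTH financial criteria must hold for the financial route.
MEDIUM = (50, 10_000_000, 10_000_000)   # important: employees, turnover, balance sheet
LARGE = (250, 50_000_000, 43_000_000)   # essential: employees, turnover, balance sheet

# Size-independent inclusions listed on the page (§28(1) BSIG); labels are assumed.
ALWAYS_ESSENTIAL = {"qualified trust service", "tld registry", "dns provider", "large telecom"}
ALWAYS_IMPORTANT = {"non-qualified trust service", "small telecom"}


@dataclass
class Entity:
    employees: float                     # annual work units, seasonal staff counted proportionally
    turnover_eur: float
    balance_sheet_eur: float
    annex: int                           # 1 = Annex I sector, 2 = Annex II sector, 0 = not a NIS2 sector
    special_type: Optional[str] = None   # one of the size-independent types above, if any
    kritis_threshold_met: bool = False   # assumed flag: BSI-KritisV supply threshold reached


def meets_size(e: Entity, threshold) -> bool:
    """Headcount route OR (turnover AND balance sheet) route; never turnover alone."""
    emp, turnover, balance = threshold
    return e.employees >= emp or (e.turnover_eur > turnover and e.balance_sheet_eur > balance)


def classify(e: Entity) -> str:
    """Return 'kritis', 'essential', 'important' or 'not in scope'."""
    # KRITIS is decided by infrastructure thresholds, not company size, and a
    # KRITIS operator is automatically an essential entity with extra duties.
    if e.kritis_threshold_met:
        return "kritis"
    if e.special_type in ALWAYS_ESSENTIAL:
        return "essential"
    if e.special_type in ALWAYS_IMPORTANT:
        return "important"
    if e.annex not in (1, 2):
        return "not in scope"
    # Only Annex I sectors can reach 'essential'; Annex II maxes out at 'important'.
    if e.annex == 1 and meets_size(e, LARGE):
        return "essential"
    if meets_size(e, MEDIUM):
        return "important"
    return "not in scope"
```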
What Is Identical Across All Three Categories
The compliance obligations defined in §30(2) BSIG are the same for wichtig, besonders wichtig, and KRITIS. There is no lighter version for important entities and no heavier version for essential entities. The 10 security measure categories, together with registration and management liability, apply equally:
- Risk management policies and procedures (§30(2) Nr. 1)
- Incident handling and reporting — 24h initial, 72h detailed, 1 month final report (§32)
- Business continuity and disaster recovery (§30(2) Nr. 3)
- Supply chain security (§30(2) Nr. 4)
- Security in procurement, development, and maintenance (§30(2) Nr. 5)
- Policies for evaluating the effectiveness of security measures (§30(2) Nr. 6)
- Cybersecurity hygiene and training (§30(2) Nr. 7)
- Cryptography and encryption policies (§30(2) Nr. 8)
- Human resources security and access control (§30(2) Nr. 9)
- Multi-factor authentication and secure communications (§30(2) Nr. 10)
- Registration with BSI within 3 months (§33)
- Management liability — personal responsibility for approving and monitoring security measures (§38)
This means the NISD2 platform covers all entity types with the same set of requirements. Whether you are an important food company or an essential energy provider, the compliance process is identical. You complete the same requirements, produce the same evidence, and meet the same standards.
| Obligation | Important | Essential | KRITIS |
|---|---|---|---|
| 10 Security Measures (§30) | Required | Required | Required |
| Incident Reporting (§32) | 24h / 72h / 1 month | 24h / 72h / 1 month | 24h / 72h / 1 month |
| BSI Registration (§33) | Basic | Basic | Enhanced — critical service, supply metrics, facility location, 24/7 contact |
| Management Liability (§38) | Personal liability | Personal liability | Personal liability |
| BSI Supervision | Reactive only (§62) — BSI acts only when evidence of non-compliance exists | Proactive (§61) — BSI can audit at any time without cause | Proactive + mandatory 3-year proof cycle (§39) |
| Maximum Fine (Base) | 7,000,000 EUR | 10,000,000 EUR | 10,000,000 EUR |
| Maximum Fine (Revenue) | 1.4% of global turnover | 2% of global turnover | 2% of global turnover |
| Attack Detection Systems (§31) | Not required | Not required | Required — continuous SIEM/SOC capability |
| Mandatory Compliance Proof (§39) | Not required | Not required | Required — every 3 years, submitted to BSI |
KRITIS: Three Additional Obligations
KRITIS operators — entities running infrastructure whose failure would disrupt public supply (power grids, water treatment, hospitals) — must meet three additional requirements beyond what important and essential entities must do.
§31 — Attack Detection Systems (Angriffserkennungssysteme)
You need a system watching your network around the clock that can spot attacks in progress or detect that someone has already broken in. In practice, this means deploying a SIEM (Security Information and Event Management) — software that collects logs from every server, firewall, and endpoint, correlates them, and alerts on anomalies. It must use pattern matching AND anomaly detection, not just signatures. Most companies outsource this to a managed SOC (Security Operations Center) provider, which typically costs 5,000-15,000 EUR per month. Normal NIS2 entities can get by with basic monitoring — KRITIS operators explicitly cannot.
§33(2) — Enhanced Registration with BSI
On top of the standard registration (name, sector, contact), KRITIS operators must tell BSI exactly what critical service they provide (e.g. 'drinking water supply for 200,000 people'), what critical components they use, the physical facility location, and a 24/7 contact person reachable at any hour. Supply metrics must be reported annually — BSI uses these to verify you still exceed the KRITIS threshold (defined in BSI-KritisV, e.g. 500,000 people served for water, 104 MW for power).
§39 — Mandatory Compliance Proof Every 3 Years (Nachweispflicht)
Every 3 years, you must proactively submit audit results, security reports, or certifications to BSI proving compliance with all §30 measures and §31 attack detection. BSI does not have to come find you — you come to them. If BSI finds deficiencies, they issue binding remediation orders with deadlines and demand proof that you fixed the issues. Think of it as a mandatory ISO certification cycle, except the auditor is the government. First deadline: December 2028 (5 years for hospitals: December 2030).
What This Means for Your Company
If you are a 50-250 employee company in Germany — the typical NISD2 user — you are almost certainly classified as a wichtige Einrichtung (important entity). Your manufacturing company, food processing business, or IT service provider falls into this category. The compliance work you need to do is exactly the same as what a large essential entity or even a KRITIS operator does. The only practical difference: BSI will not proactively audit you unless they have a reason to (an incident, a complaint, or a tip-off).
That is not a reason to do less. If BSI does audit you — reactively, after an incident — and finds you non-compliant, fines up to 7 million EUR or 1.4% of global turnover apply. And your management is personally liable under §38. The safest position is full compliance regardless of category. NISD2 gives you the same compliance process used by essential and KRITIS entities, because the requirements are identical.
Frequently Asked Questions
Can my company be both important and essential?
No. The categories are mutually exclusive under §28 BSIG. If you meet the essential threshold (250+ employees, or >€50M turnover and >€43M balance sheet, in an Annex I sector), you are essential. If you meet the important threshold but not the essential one, you are important. KRITIS is a subset of essential — KRITIS operators are automatically classified as essential with additional obligations on top.
I am an important entity. Do I need to do less compliance work?
No. The 10 security measure categories in §30(2) BSIG apply identically to both important and essential entities. The only difference is enforcement: BSI supervises essential entities proactively (random audits) and important entities reactively (only after evidence of non-compliance). But the measures themselves, the incident reporting timelines, and management liability are all the same.
How do I know if I am KRITIS?
KRITIS classification is defined in the BSI-KritisV regulation, based on specific supply thresholds: 500,000 people served for water, 104 MW installed capacity for power, 30,000 inpatient cases per year for hospitals, etc. If your infrastructure failure would not directly disrupt public supply at these scales, you are not KRITIS. Most mid-market companies are not KRITIS — they are important or essential entities.
What happens if I get my entity classification wrong?
Classification determines supervision intensity and penalty caps, not what you need to implement. If you implement all 10 measure categories (which NISD2 guides you through), you are compliant regardless of classification. The risk of misclassification is underestimating your supervision exposure — thinking BSI will not audit you when they actually can.
Does the CIR 2024/2690 distinguish between important and essential entities?
No. The CIR applies to specific entity types (cloud providers, DNS providers, managed service providers, etc.) regardless of whether they are classified as important or essential. The technical requirements in the CIR are identical for both categories.
- §28 BSIG — Entity classification (besonders wichtige and wichtige Einrichtungen)
- §30 BSIG — Risk management measures (10 categories, identical for all entity types)
- §31 BSIG — Attack detection systems (KRITIS only)
- §32 BSIG — Incident reporting obligations (identical timelines for all entity types)
- §33 BSIG — Registration obligations (enhanced for KRITIS)
- §38 BSIG — Management liability (identical for all entity types)
- §39 BSIG — Compliance proof (KRITIS only, every 3 years)
- §61 BSIG — Supervision of essential entities (proactive)
- §62 BSIG — Supervision of important entities (reactive)
- §65 BSIG — Penalties and fines
- CIR 2024/2690 — EU implementing regulation (no entity type distinction)
- BSI-KritisV — KRITIS threshold regulation