Affected entities and current demarcation issues
The German BSI Act (BSIG), which implements the NIS2 Directive (Directive (EU) 2022/2555) in Germany, requires affected entities to register by March 6, 2026. As of April 2026, however, according to the Federal Office for Information Security (BSI), only about 15,500 entities have registered so far – significantly fewer than the number of entities expected to be affected. The delay is often due to the uncertainties and demarcation issues entities encounter when assessing whether they fall within the scope of the law. This is particularly the case in the health sector.
Assessment is often difficult in practice
Despite the types of entities listed in Annexes 1 and 2 of the BSIG, uncertainty often arises in practice. This is primarily due to vague wording, a lack of definitions for key terms and numerous references to other European and national legal acts. In the health sector, entities often have to consult several sets of regulations to determine whether they are subject to the BSIG.
Healthcare providers
Annex 1 No. 4 BSIG in the sector “Health” covers healthcare providers. The law refers to the Patient Mobility Directive (Directive 2011/24/EU). According to Article 3(g) of this Directive, a healthcare provider is any natural or legal person or any other entity legally providing healthcare […]. Healthcare means health services provided by health professionals to patients to assess, maintain or restore their state of health, including the prescription, dispensation and provision of medicinal products and medical devices (Art. 3(a)).
The term is broadly defined, covering much more than just hospitals and doctors’ offices. It is precisely this broad wording, together with the BSIG’s reference to the Patient Mobility Directive, that gives rise to questions of demarcation in practice. For example, this is the case with emergency services and care services.
Emergency services
There has recently been intense debate as to whether emergency services qualify as healthcare providers. This debate was sparked by a BSI guidance document that initially did not classify emergency services as such. The BSI has since revised this assessment and now classifies emergency services as healthcare providers within the meaning of the BSIG.
The outcome may seem reasonable considering the purpose of the BSIG and the broad definition of healthcare services. However, the legal reasoning behind it remains unclear. The Court of Justice of the European Union (CJEU) ruled in 2019 that emergency services and qualified patient transport fall under hazard prevention and thus public safety (CJEU, judgment of June 27, 2019 – C-465/17). However, Article 2(7) of the NIS2 Directive contains an explicit exemption from the scope of application for activities in the field of public security. Against this background, it remains unclear why the BSI now classifies emergency services as part of the health sector and thus includes them within the scope of the BSIG.
Care services
In the context of care services, long-term care is expressly excluded from the scope of the BSIG. The Patient Mobility Directive contains a corresponding exemption for services that assist individuals in carrying out routine, everyday tasks. Consequently, the explanatory memorandum to the BSIG expressly states that long-term care facilities are not considered healthcare providers under the law.
This exception has been the subject of some debate, as the NIS2 Directive itself does not include an exception for long-term care and does not refer to the exception in the Patient Mobility Directive. However, the current proposal by the European Commission to amend the NIS2 Directive, which is intended to explicitly exclude long-term care from the scope of the directive, supports this interpretation.
Originally, the BSI had only noted the explicit exception for long-term care on its website. This is why it was necessary to distinguish between long-term care and day and short-term care. However, the BSI has since moved away from this distinction, stating that, depending on the individual case, outpatient care services, nursing homes, and day and short-term care facilities also do not fall within the scope of the BSIG, and registration is usually not required.
The key point here is that it is the specific activity, rather than the type of care, that determines whether it falls under the scope of NIS2 or the BSIG. Accordingly, the decisive factor is whether, in accordance with Recital 14 of the Patient Mobility Directive, the care service is primarily aimed at supporting people who require assistance with routine, everyday tasks. This criterion is used to determine whether an activity falls within the scope of the BSIG and is therefore subject to a registration requirement. The BSI justifies this change in policy on the basis that a failure in the provision of such services does not pose a significant threat to public safety as defined in the BSIG.
In practice, it can be challenging to make a clear distinction based on this definition in individual cases, particularly when the care service is supplemented by other medical services. In such cases, a careful assessment of each individual case is necessary to determine whether the provisions of the BSIG apply.
Manufacturers of medical devices and IVD
In the sector “Manufacturing”, particularly among manufacturers of medical devices and in vitro diagnostic medical devices (IVD) (Annex 2 No. 5 BSIG), questions of demarcation arise in practice. This particularly applies to companies that do not manufacture products themselves but instead have them manufactured and then repackage and distribute them under their own name.
Neither the BSIG nor the NIS2 Directive contains its own definition of “manufacturer”. Like the Directive, the BSIG refers to the Medical Devices Regulation (MDR) and the In Vitro Diagnostic Medical Devices Regulation (IVDR). According to these product laws, a manufacturer is defined as a natural or legal person who manufactures or fully refurbishes a device or has a device designed, manufactured or fully refurbished, and markets that device under its name or trademark. The focus is therefore on market responsibility for the product rather than on the operational production process itself. This definition is consistent with the principles of product (safety) law.
However, the NIS2 Directive aims to ensure the cybersecurity of critical entities. Therefore, the criticality of the entity and its operational processes is particularly important. Additionally, NIS2 refers to various European regulations that employ different definitions of “manufacturer”. For instance, the REACH Regulation and the NACE classification system are linked to the manufacturing process itself. Therefore, the literature (including Hessel/Schneider, MMR 2025, 243) emphasizes that the European legislator did not intend to use an inconsistent definition of “manufacturer”. Instead, a definition of “manufacturer” related to cybersecurity should be used. According to this definition, the manufacturer under NIS2 as well as the BSIG is the party that carries out the operational manufacturing process.
Conclusion
Assessing whether an entity is affected under NIS2 / BSIG remains complex, particularly in the health sector. Vague terminology, numerous references to other EU regulations and conflicting regulatory objectives mean that it is often impossible to classify individual institutions at first glance.
In practice, this means that entities should not assess whether they are affected solely on the basis of formal categories, but also on the basis of their specific activities and functional role in the health sector. Differentiated classification is especially important in borderline areas.