NIS2 in Water and Waste Management: Municipal Utilities
TL;DR
- Water suppliers in scope from 50 employees and EUR 10M turnover
- KRITIS-Water threshold: serving 22 million citizens (KRITIS Ordinance Section 5)
- Wastewater facilities follow comparable thresholds
- SCADA security is the dominant risk surface (pump control, chlorine dosing, network monitoring)
- Dual reporting: BSI plus the state water authority on a significant incident
1. Who is in scope?
Water suppliers and waste-management operators are in scope from 50 employees and EUR 10M turnover. KRITIS-Water thresholds (KRITIS Ordinance Section 5) trigger above 22 million citizens served. Many small municipal utilities remain below threshold; mid-size municipal utilities are typically in scope.
2. SCADA security for water plants
Pump control, chlorine dosing, and network monitoring are SCADA-driven. A cyber incident can affect public water supply directly. Reference standards: ISA/IEC 62443 for industrial control systems, the BSI ICS-Compendium, and AWWA water-sector guidance.
3. Supply-chain audit
Prioritize SCADA vendors (Siemens Water, Schneider Electric, Endress+Hauser), IT service providers, and on-site maintenance contractors. Patch SLAs and remote-access controls are the must-haves; many incidents start through unmonitored maintenance VPNs.
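The remote-access control named above can be checked continuously rather than only at audit time. The following is an added example, not code from the original page: it reviews constructed maintenance-VPN log lines against a constructed contractor allow-list with approved maintenance windows, and flags successful logins from accounts that are not on the list or that occur outside their window. The log format, account names and IP addresses are assumptions for illustration.

```python
"""Added example (not from the page): review maintenance-VPN logins against
approved contractor accounts and maintenance windows. All names, windows and
log lines below are constructed for illustration."""
from datetime import datetime, time

# Constructed allow-list: contractor account -> (approved weekdays, start, end).
# weekday() numbering: Monday = 0 ... Sunday = 6
APPROVED_WINDOWS = {
    "vendor-scada-01": ({0, 1, 2, 3, 4}, time(7, 0), time(17, 0)),  # Mon-Fri 07:00-17:00
    "vendor-field-02": ({1, 3}, time(8, 0), time(16, 0)),           # Tue/Thu 08:00-16:00
}

# Constructed sample log: "<ISO timestamp> <account> <source IP> <outcome>"
SAMPLE_LOG = """\
2026-05-04T09:12:31 vendor-scada-01 203.0.113.10 login-ok
2026-05-04T23:41:05 vendor-scada-01 203.0.113.10 login-ok
2026-05-06T10:05:00 vendor-field-02 198.51.100.7 login-ok
2026-05-07T03:17:44 vendor-field-02 198.51.100.7 login-ok
2026-05-07T11:00:12 contractor-unknown 198.51.100.9 login-ok
2026-05-07T11:02:40 vendor-scada-01 203.0.113.10 login-failed
"""


def parse_line(line):
    """Split one log line into its four fields; timestamp becomes a datetime."""
    ts, account, src, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "src": src, "outcome": outcome}


def check_login(entry):
    """Return a finding for a successful login that violates policy, else None.

    Failed logins are not evaluated here; they belong in a separate
    brute-force / failure-rate check.
    """
    if entry["outcome"] != "login-ok":
        return None
    window = APPROVED_WINDOWS.get(entry["account"])
    if window is None:
        return "account not on contractor allow-list"
    days, start, end = window
    ts = entry["ts"]
    if ts.weekday() not in days or not (start <= ts.time() <= end):
        return "login outside approved maintenance window"
    return None


def review(log_text):
    """Run check_login over every line; return (timestamp, account, src, reason) tuples."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        reason = check_login(entry)
        if reason:
            findings.append((entry["ts"].isoformat(), entry["account"],
                             entry["src"], reason))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

On the constructed sample this reports four findings: a weekday login at 23:41 and a 03:17 login (both outside hours), a Wednesday login for an account approved only on Tuesday and Thursday, and one login from an account that is not on the allow-list. In production the allow-list would be generated from the contractor register that the supply-chain audit maintains, so that the same document drives both the audit and the monitoring.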
4. Reference incidents
- Florida water plant, 2021: attempted lye-level manipulation via remote access
- DACH region, 2024: three phishing-driven incidents at municipal utilities (BSI annual report)
5. Dual supervision
Water and waste utilities answer to BSI under NIS2 and to the state water authority under sector law. On a significant incident, both must be notified, often within different timeframes. A unified incident-response form keeps the two notifications consistent.
Summary
Water and waste management combine high public-impact stakes with legacy SCADA estates. The defensible NIS2 program centers on IEC 62443 for OT, segmentation of remote-access paths, and a tested dual-notification playbook for BSI plus the state water authority.
Frequently Asked Questions
Are small municipal utilities affected?
Cybersecurity standards?
Sources
- Directive (EU) 2022/2555 — NIS2 (water sector) (As of: 2026-05-02)
- BSIG 2025 (Section 30 measures) (As of: 2026-05-02)
- BSI — NIS-2 FAQ (as of: ongoing)