NIS2 for Waste Management: Which Operators Are in Scope, What Article 21(2) Requires, and Why Weighbridges Are Now Regulated Assets
Waste management companies are newly in NIS2 scope — and the compliance question comes with a twist that most NIS2 guides skip. The directive’s Annex II entry explicitly excludes a significant slice of the sector. Whether your facility is in scope, and which of your operational systems qualify as regulated assets, depends on two questions the generic NIS2 guides never answer.
This guide answers both. It uses the verbatim Annex II text to establish the scope boundary — including the principal-activity exclusion that takes many waste generators and producers out of scope entirely — and maps the specific systems that fall under Article 21(2)(i) asset management requirements, from weighbridge platforms to WEEE tracking databases. If your waste management company has 50 or more employees or generates more than €10 million in annual revenue, this is where you start.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Is Your Waste Operation in NIS2 Scope? The Principal Activity Test
The scope question is where most waste management compliance projects go wrong. Companies search for NIS2 obligations and find lists of measures — but never the one sentence that determines whether those obligations apply to them at all.
Get the NIS2 Article 21 Compliance Checklist
90+ assessment items mapped to CIR 2024/2690 — instant PDF, no payment.
Annex II, Sector 2 of the NIS2 Directive (EU) 2022/2555 sets the boundary in precise terms: it covers “undertakings carrying out waste management as defined in Article 3, point (9), of Directive 2008/98/EC of the European Parliament and of the Council, excluding undertakings for whom waste management is not their principal economic activity.” [1]
That exclusion does significant work. “Waste management” under Directive 2008/98/EC Article 3(9) covers collection, transport, recovery, and disposal of waste — including supervision of those operations, aftercare of disposal sites, and actions taken as a dealer or broker. What it does not cover: companies that generate waste as a byproduct of a primary manufacturing, food production, or other activity, even if they arrange the collection and disposal of that waste themselves.
A car manufacturer that contracts a waste hauler to remove process scrap is not a waste management operator under NIS2 Annex II — waste handling is incidental to its principal activity. The recycling facility that receives and processes that scrap is an operator, and if it meets the size threshold, it is in scope.
A second gate applies on top of sector classification: the directive applies to entities meeting the medium-sized enterprise threshold — 50 or more employees or annual turnover exceeding €10 million [2]. Both tests must be satisfied: sector classification and size.
| Operator type | Waste management as principal activity? | NIS2 Annex II scope (if 50+ staff or €10M+ revenue) |
|---|---|---|
| Municipal solid waste (MSW) collection company | Yes | IN scope — Important Entity |
| Mixed waste and material recovery facility (MRF) | Yes | IN scope — Important Entity |
| WEEE treatment and recycling plant | Yes | IN scope — Important Entity |
| Hazardous waste treatment facility | Yes | IN scope — Important Entity |
| Waste broker or dealer (no physical facilities) | Yes — Article 3(9) includes dealers and brokers | IN scope — Important Entity |
| Chemical manufacturer disposing its own process waste | No — principal activity is manufacturing | OUT of Annex II waste management entry |
| Food producer sending food waste to treatment | No — principal activity is food production | OUT of Annex II waste management entry |
| Waste transport subcontractor | No — principal activity is transport | OUT of Annex II waste entry; may be in scope via transport sector |
One override applies regardless of size. Article 2(2) of the directive grants member states discretion to designate smaller entities as important entities where the services they provide are essential at national or regional level [2]. A recycling facility that is the sole operator in a national WEEE processing scheme, for example, may fall in scope below the standard threshold. Check your national competent authority’s implementing guidance to confirm whether any small-entity designation applies in your jurisdiction.
Important entities — the classification waste management operators receive — are subject to “ex-post” supervision: national authorities act when evidence of non-compliance surfaces or when an incident triggers a review. That supervision model can feel less immediate than the proactive inspections essential entities face, but the penalty exposure under Article 34 is the same scale: up to €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher, for important entities that fail to implement required measures. The supervision trigger is different; the consequence is not.
The Art.21(2)(i) Asset Inventory: Which Systems Count for Waste Operators
Once scope is confirmed, Article 21(2)(i) of the NIS2 Directive requires “human resources security, access control policies and asset management” [2] — which means, in practice, a documented inventory of every network and information system that supports your waste management service. For a generic enterprise, that inventory is straightforward: servers, workstations, cloud services, email. For a waste processor or recycler, the asset inventory is significantly more complex, because critical operational systems are routinely overlooked as “operational” rather than “IT.”
Weighbridge systems. Electronic weighbridge platforms are the transaction backbone for most waste operators: every load in, every load out, every compliance-driven weight record for regulatory reporting. When that system is networked — typically connected to your ERP, your invoicing engine, and sometimes directly to regulatory reporting portals — it qualifies as a network and information system under Article 4 of the directive. It must be in your Art.21(2)(i) inventory.
The practical questions the asset register needs to answer: who has administrator access to the weighbridge controller? How is the weighbridge-to-ERP data connection authenticated? When did the system last receive a firmware or software update? A weighbridge that cannot answer these questions is undocumented infrastructure — the kind an auditor finds first.
WEEE and RoHS digital tracking databases. Facilities processing waste electrical and electronic equipment (WEEE) or materials subject to RoHS restrictions maintain digital tracking platforms — producer responsibility organisation (PRO) portals, compliance software, or custom databases — that record quantities received, processed, and reported to national WEEE registries. These systems process regulated data, connect to external reporting networks, and in some cases integrate directly with government databases.
Under Art.21(2)(i), these are regulated assets. The reasoning is straightforward: the system supports the delivery of your waste management service, it processes data that determines your regulatory compliance status, and a breach or data-integrity failure creates both operational disruption and potential enforcement exposure. It belongs in the asset register. Most waste sector IT teams do not include PRO portals or WEEE tracking software in their asset inventories — that is the gap NIS2 closes.
| System | Typical connectivity | Art.21(2)(i) documentation required | Priority |
|---|---|---|---|
| Weighbridge platform | ERP, invoicing system, regulatory reporting portal | Asset register entry; access control list; software update schedule | High |
| WEEE / RoHS tracking database | PRO portal, national WEEE registry, ERP | Asset register entry; data classification; external access controls | High |
| Fleet GPS management system | Route optimisation, driver scheduling, customer portal | Asset register entry; vendor security assessment; data retention policy | Medium |
| Sorting or processing SCADA | Site OT network; sometimes cloud historian | Asset register entry; network segmentation review; remote access controls | High |
| ERP and billing system | All of the above, plus email and external portals | Asset register entry; privileged access review; backup verification | High |
| Environmental permit reporting software | Competent authority reporting portals | Asset register entry; authentication review; account offboarding procedure | Medium |
The asset register is the foundation from which every other Art.21 measure is built. Risk analysis under Art.21(2)(a) cannot be meaningful without knowing which systems exist. Network security under Art.21(2)(e) cannot be scoped without an architecture map. Access control under Art.21(2)(i) cannot be enforced for systems that are not in the inventory. Start here.
Priority Art.21 Measures for Waste Processors and Recyclers
Article 21(2) establishes ten measures. All ten apply to waste management operators in scope. Four, however, deserve priority attention because they map directly to the operational risks and system environment that waste processing and recycling facilities face.
Art.21(2)(a) — Risk analysis and information system security policies. The NIS2 Directive requires “policies on risk analysis and information system security” [2]. For a waste operator, risk analysis must account for the interdependency between IT systems and physical operations. A ransomware attack on a weighbridge system does not just stop billing — it disrupts the entire inbound and outbound material flow, potentially triggering environmental permit violations if loads cannot be accurately recorded. An attack on a WEEE tracking database that corrupts quantity records may create regulatory exposure across the entire reporting period. Your risk assessment needs to map these cascading consequences. A generic IT risk assessment that treats the weighbridge as billing infrastructure, rather than as an operational control point with environmental compliance implications, will not satisfy an auditor reviewing a waste sector entity.
For practical guidance on structuring a NIS2-compliant risk assessment, see our risk assessment guide.
Art.21(2)(d) — Supply chain security. The directive covers “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers” [2]. Waste processors and recyclers typically occupy the middle of a multi-party chain: waste producers hand material to your facility; you pass processed material to downstream markets, logistics companies, or disposal operators. Both flows have NIS2 implications.
Upstream: if a waste producer’s IT compromise results in falsified load declarations or incorrect material categorisation, it creates compliance exposure for your facility. Downstream: if you share data with material markets, commodity brokers, or logistics networks, those relationships require security assessment and appropriate contractual clauses. For WEEE operators specifically, relationships with PROs, national WEEE registries, and collection scheme administrators are supply chain relationships from an NIS2 perspective — they have access to data your NIS2 obligations depend on.
See our supply chain security guide for a practical approach to supplier classification and contractual requirements under Art.21(2)(d).
Art.21(2)(e) — Network and information system security. This covers “security in network and information systems acquisition, development and maintenance” [2] — in practice, the security architecture of the networks that connect your weighbridge, SCADA, process control systems, and corporate IT. Segmentation is the core operational requirement: OT networks running sorting machinery, conveyor controls, or dosing systems should not share authentication or routing with internet-facing business systems. For a facility with automated plant controls, that means a documented network architecture showing which systems sit behind which security boundaries, and why.
For a deeper treatment of OT network security and IEC 62443 framework application for waste facilities, see our waste management compliance guide, which covers SCADA segmentation in detail.
Art.21(2)(i) — Human resources security, access control, and asset management. As established in the previous section, this is the structural foundation. The asset register is the starting point for applying every other measure intelligently. Beyond the inventory, Art.21(2)(i) requires access control policies: who can access which system, at what privilege level, under what authorisation process. For waste operators, that extends to the weighbridge administrator accounts, WEEE database administrator roles, and any remote access paths into OT systems.
| Art.21 measure | Primary owner | Secondary owner | Effort level |
|---|---|---|---|
| Art.21(2)(a) Risk analysis | CISO / IT Manager | Operations Manager | High (for OT scope extension) |
| Art.21(2)(d) Supply chain security | Procurement / Legal | CISO | Medium |
| Art.21(2)(e) Network security | IT Manager / IT service provider | CISO | High (if OT segmentation needed) |
| Art.21(2)(i) Asset management and access control | IT Manager | Each department head for their systems | Medium (foundation task) |
Art.23 Incident Reporting: Deadlines, Penalties, and What “Significant” Means for Waste Operators
A waste company in NIS2 scope that experiences a cybersecurity incident affecting its waste management services must report that incident to its national competent authority. The reporting timeline is structured across three stages:
- 24 hours: Early warning — notification that an incident has occurred or is suspected, even before full impact is known
- 72 hours: Incident notification — impact assessment and description of initial containment actions
- 1 month: Final report — root cause analysis, full impact assessment, and any cross-border dimensions
The threshold question is what qualifies as a “significant incident.” Under Article 23 of the NIS2 Directive, an incident is significant if it has caused or is capable of causing severe operational disruption or financial loss for the entity, or has affected — or is capable of affecting — other natural or legal persons by causing considerable material or non-material damage. For waste operators, this translates to incidents that materially disrupt the waste management service: ransomware that takes weighbridge or fleet management systems offline, data-integrity failures that compromise compliance reporting records, or network breaches that reach process control environments.
Duration and geographic spread matter to the significance assessment. An attack that disrupts waste collection for a district for 48 hours has a different profile than a brief email server outage that recovers without operational impact. The key question is whether the incident affected the delivery of the waste management service itself — not merely internal IT functions.
Failure to report a significant incident carries material exposure. Article 34 of the NIS2 Directive requires member states to provide for maximum administrative fines for important entities — the category waste management operators fall under — of at least €7,000,000 or at least 1.4% of total worldwide annual turnover, whichever is higher. National implementing laws may set higher ceilings; the directive prescribes the minimum, not the maximum. The non-reporting violation is typically treated separately from the underlying security failure.
A note on management liability: Article 20 of the directive places management bodies directly responsible for approving and overseeing cybersecurity risk management measures. “The board was not informed” is not a defence under NIS2 — management accountability is explicit. Your incident handling procedure, required under Art.21(2)(b), should specify the internal escalation path that reaches board level when a significant incident is suspected, before the 24-hour early warning deadline triggers.
For a complete treatment of significance thresholds, cross-border notification mechanics, and the interaction between NIS2 reporting and environmental incident reporting obligations, see our Article 23 incident notification guide.
Building an Audit-Ready Documentation Set
For waste processors and recyclers entering NIS2 compliance for the first time, the documentation requirement can feel disproportionate to the size of the organisation. In practice, an important entity in the waste sector can build a defensible audit evidence set around six core deliverables — the same six that national competent authority inspectors will request first when they review a waste management entity.
| Document | Art.21 requirement | Starting point for waste operators | Effort |
|---|---|---|---|
| Asset register (IT + OT) | Art.21(2)(i) | Spreadsheet covering systems, owners, connectivity, update status — include weighbridge, WEEE tracker, SCADA as separate entries | Low-Medium |
| Information security risk assessment | Art.21(2)(a) | Risk methodology document + table mapping threat scenarios to each asset, with environmental-cascading consequences noted for OT assets | Medium-High |
| Incident handling procedure | Art.21(2)(b) | Roles, internal escalation path, 24h/72h/1-month reporting workflow, significance classification criteria for waste service disruption | Medium |
| Supply chain security policy | Art.21(2)(d) | Supplier list, security questionnaire template, contractual security requirements — include PRO partners and WEEE registry integrations | Medium |
| Network security documentation | Art.21(2)(e) | Network diagram showing IT/OT segmentation, firewall policy summary, remote access controls for plant systems | High (if OT changes needed) |
| Access control policy | Art.21(2)(i) | User list by system, privilege levels, MFA status, offboarding procedure — cover weighbridge admins and WEEE database access separately | Low-Medium |
One structural point specific to waste operators: the asset register needs to treat IT and OT as a single inventory, not two separate registers. The practice of maintaining a corporate IT asset list in one place and OT equipment lists in another — usually in the operations department, with no cybersecurity ownership — is the most common compliance gap in waste sector NIS2 readiness assessments. A single integrated register, with clear ownership for each entry, is the foundation the rest of the documentation set requires.
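The following is an added example, not part of the original article or of any regulator's tooling: a gap check over a single integrated IT + OT register that asks the questions raised earlier for the weighbridge (who has administrator access, how each connection is authenticated, when the system was last updated) and confirms that every entry has an owner. The field names, the sample entries and the 365-day staleness threshold are assumptions made for illustration; NIS2 prescribes none of them.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Systems the documentation table says need separate register entries.
REQUIRED_CATEGORIES = {"weighbridge", "weee_tracker", "scada"}
# Assumption: illustrative staleness threshold, not a NIS2 figure.
MAX_UPDATE_AGE_DAYS = 365


@dataclass
class Asset:
    name: str
    category: str                       # e.g. "weighbridge", "erp", "scada"
    domain: str                         # "IT" or "OT"
    owner: str = ""                     # accountable person or role
    admins: list = field(default_factory=list)       # accounts with admin access
    connections: dict = field(default_factory=dict)  # peer -> auth method ("" = undocumented)
    last_update: Optional[date] = None  # last firmware or software update


def audit_register(assets, today):
    """Return (asset_name, gap) tuples for everything the register cannot answer."""
    findings = []
    if {a.domain for a in assets} != {"IT", "OT"}:
        findings.append(("register", "does not cover both IT and OT in one inventory"))
    present = {a.category for a in assets}
    for missing in sorted(REQUIRED_CATEGORIES - present):
        findings.append(("register", f"no entry for category '{missing}'"))
    for a in assets:
        if not a.owner:
            findings.append((a.name, "no owner assigned"))
        if not a.admins:
            findings.append((a.name, "administrator access not documented"))
        for peer, auth in sorted(a.connections.items()):
            if not auth:
                findings.append((a.name, f"connection to {peer}: authentication not documented"))
        if a.last_update is None:
            findings.append((a.name, "last update date unknown"))
        else:
            age = (today - a.last_update).days
            if age > MAX_UPDATE_AGE_DAYS:
                findings.append((a.name, f"last update {age} days ago"))
    return findings


# Constructed sample register: names, roles and dates are invented for the example.
SAMPLE_REGISTER = [
    Asset("WB-01 gate weighbridge", "weighbridge", "OT",
          connections={"ERP": ""}),
    Asset("ERP and billing", "erp", "IT", owner="IT Manager",
          admins=["erp-admin"],
          connections={"WB-01 gate weighbridge": "mutual TLS"},
          last_update=date(2025, 1, 15)),
    Asset("Sorting line SCADA", "scada", "OT", owner="Operations Manager",
          admins=["scada-eng"],
          connections={"cloud historian": "VPN with per-user accounts"},
          last_update=date(2022, 6, 1)),
]

if __name__ == "__main__":
    for asset, gap in audit_register(SAMPLE_REGISTER, today=date(2025, 3, 1)):
        print(f"{asset}: {gap}")
```

On the sample data the weighbridge entry fails every question, the WEEE tracker is missing from the register entirely, and the SCADA entry is flagged only for its update age.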
The Complete Toolkit at /product/complete-toolkit/ provides 76 pre-structured templates covering all Art.21(2) measures, mapped to both CIR 2024/2690 and ISO 27001:2022 — including the IT Asset Register (Doc category 3) and the full risk assessment, supply chain, and incident management document sets.
Frequently Asked Questions
Is a manufacturer that operates its own on-site hazardous waste facility in NIS2 scope as a waste management entity?
No — not under the Annex II waste management entry. That entry explicitly excludes “undertakings for whom waste management is not their principal economic activity” [1]. A manufacturer’s principal activity is production. The on-site waste facility is an ancillary operation. That said, the manufacturer may independently fall in scope under Annex II, Sector 5 (manufacturing), depending on which NACE division its production activity falls under.
Does NIS2 apply to a WEEE collection point operated by a retailer?
The same principal-activity test applies. A retailer operating a WEEE take-back point as a regulatory obligation — not as its primary business — is not in scope under the waste management entry. The take-back obligation is incidental to retail. However, if the take-back operation is run by a third-party WEEE compliance service provider whose primary business is collection and processing of waste electrical equipment, that provider is in scope as a waste management operator.
What if our waste company is below the 50-employee threshold?
If your waste management company has fewer than 50 employees and annual turnover below €10 million, you are outside the standard NIS2 size threshold and are not in scope as an important entity. The exception is Article 2(2) of the directive, which permits member states to designate smaller entities as important entities where they provide services critical at national or regional level [2]. Check your national competent authority’s implementing guidance — some member states with limited waste treatment infrastructure have used this provision for specialised operators.
How do waste transport subcontractors affect our NIS2 compliance obligations?
Waste transport subcontractors are typically not waste management operators under Directive 2008/98/EC Article 3(9) — their principal activity is transport. If they fall in NIS2 scope at all, it is likely under the transport sector in Annex I. From your perspective as a waste processor or recycler, however, they are supply chain participants who require assessment under Art.21(2)(d). Your contracts with transport subcontractors should document their cybersecurity obligations, and your risk assessment should account for the operational disruption that a compromise of their fleet management or scheduling systems could cause to your inbound material flows.
Can a waste broker be in NIS2 scope even without a processing facility?
Yes. Article 3(9) of Directive 2008/98/EC includes “actions taken as a dealer or broker” within the definition of waste management. A waste broker whose principal economic activity is facilitating the transfer and disposal of waste — without operating physical facilities — may qualify as a waste management operator under Annex II if it meets the size threshold. The principal-activity test applies: if brokering waste is what the business does, the NIS2 scope question turns on size, not on physical presence.
Sources
[1] Annex II — Directive (EU) 2022/2555 (NIS2) — NIS2 Directive Legal Text. Verbatim text of Annex II, Sector 2: Waste Management.
[2] Article 21 — Cybersecurity Risk-Management Measures — nis-2-directive.com. Article text confirmed for all sub-paragraphs (a)–(j); Article 2 scope and Article 34 penalty provisions also verified via Article 2.
[3] Directive (EU) 2022/2555 — Official Journal — EUR-Lex. Canonical primary source for all provisions cited.
[4] NIS2 for Waste Management — nisd2.eu. Sector-specific asset categories for waste operators (Germany/BSI context).
