
NIS2 Waste Management: Annex II Section 2 Obligations and the Dual SCADA Risk Waste Operators Often Miss

Waste management rarely appears in discussions about NIS2 cybersecurity compliance. Most sector-specific guidance focuses on energy, transport, and banking — the Annex I essential entities. Yet waste management is explicitly listed in Annex II, Section 2 of Directive (EU) 2022/2555, making operators of collection, treatment, and disposal services important entities subject to the full suite of Article 21 obligations the moment they cross the medium-enterprise size threshold.

What separates waste management from most other Annex II sectors is the physical-consequence dimension. A cyberattack on a waste-to-energy plant’s SCADA system is not merely a cybersecurity event — it can simultaneously trigger environmental liability under EU environmental law. Two regulatory authorities, two incident files, two separate reporting timelines: from a single attack. This guide explains who is in scope, what Article 21 requires for waste-specific systems, and how to build a defensible compliance posture before an incident forces the issue.

Is Your Waste Company In Scope Under NIS2 Annex II, Section 2?

NIS2 Annex II lists seven “other critical sectors.” Waste management is Section 2, defined by cross-reference to the EU Waste Framework Directive (2008/98/EC). The entity definition reads:

“Undertakings carrying out waste management as defined in Article 3, point (9), of Directive 2008/98/EC, excluding undertakings for whom waste management is not their principal economic activity.”

Figure: Scope diagnostic flowchart mapping activity and size thresholds to Important entity classification. Industrial companies managing their own waste are excluded, but hazardous waste specialists and WtE plant operators are firmly in scope.

This cross-reference matters. It captures the full waste management chain — collection, transport, treatment, recovery, and disposal — while excluding industrial companies that manage their own waste as a side activity. A chemical manufacturer handling its own hazardous waste internally is not in scope under Section 2. A specialist hazardous waste contractor is.

The size threshold mirrors the EU SME definition. A waste company meets the Important entity threshold if it has:

  • 50 or more employees, OR
  • €10 million or more in annual revenue

Both conditions are independent — meeting either threshold is sufficient. Group company structures also matter: where a waste collection subsidiary is part of a larger group, the combined size is assessed under EU SME criteria.

Operation Type | In Scope Under Annex II Section 2? | Notes
--- | --- | ---
Municipal waste collection | Yes, if 50+ employees or €10M+ revenue | OR thresholds — either is sufficient
Waste-to-energy (WtE) plant operator | Yes | Thermal treatment = waste management
Material Recovery Facility (MRF) | Yes | Sorting and processing = waste treatment
Composting / anaerobic digestion plant | Yes | Biological treatment = waste management
Hazardous waste disposal specialist | Yes | Principal economic activity is waste management
Industrial company managing own waste | No (typically) | Waste management not principal activity — verify per sector

All in-scope waste operators are classified as Important entities, not Essential entities. Annex I’s essential sector that sounds similar — wastewater management — is a distinct classification for a different type of operation. Important entities face identical Article 21 obligations but reactive ex-post supervision: enforcement is triggered by incidents or complaints, not scheduled proactive inspections. That difference in supervision does not reduce your compliance obligations — it only affects when regulators are likely to knock on your door.

The October 2024 NIS2 transposition deadline has passed, and member states with implemented national law are applying enforcement powers now. Late registration and undocumented risk management frameworks are real enforcement risks, not theoretical ones.

The Dual-Risk Scenario: When One SCADA Attack Triggers Two Regulatory Cascades

In most sectors, a cyberattack produces cybersecurity consequences: data exposed, services interrupted, ransomware deployed. Waste management operators face a materially different risk profile because their most critical assets are operational technology systems controlling physical industrial processes with real-world environmental consequences.

Figure: Dual regulatory cascade flowchart splitting one SCADA incident into parallel cyber and environmental liability paths. A single SCADA attack triggers two independent incident files, two authorities, and two reporting timelines simultaneously.

How the dual cascade works at a waste-to-energy plant:

A waste-to-energy facility burns municipal solid waste to generate electricity and heat. The combustion process is controlled by SCADA — temperature set-points, feed rates, combustion air management, and flue gas treatment are all PLC-managed. Research published in Data in Brief (2025) documented eight realistic attack types against a Siemens S7-1500-based waste incinerator SCADA system, including data spoofing — sensors reporting false temperature readings while actual combustion falls outside permit limits — and stealthy command injection, where subtle set-point changes blend into normal traffic and go undetected until downstream emissions show an anomaly. [3]

Either attack type can cause incomplete combustion. The Industrial Emissions Directive (2010/75/EU) sets emission limit values for WtE facilities covering dioxins, furans, particulate matter, and heavy metals. A combustion process running outside permitted parameters produces emissions that may breach the operating licence. The result is a single event with two simultaneous regulatory consequences:

  1. NIS2 Article 23 incident — the SCADA compromise constitutes a significant incident requiring a 24-hour early warning to the national competent authority. A WtE plant running outside control parameters constitutes “severe operational disruption” under Article 23(3) — the significance threshold is met before any physical release occurs.
  2. Environmental incident under the Industrial Emissions Directive — uncontrolled emissions above permit thresholds trigger reporting to the national environmental authority and may require immediate permit suspension notification.

Two authorities, two incident files, two sets of reporting obligations on separate timelines — from a single attack vector, often a phishing email that pivoted from corporate IT to the process network.
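Added example (not from the article or from the dataset it cites): a Python monitor over constructed historian rows that applies the two defensive checks the attack descriptions above imply. It compares the PLC-reported furnace temperature with an independent thermocouple and with flue-gas CO to expose data spoofing, and compares the set-point the PLC actually holds with the approved change record to expose slow set-point drift. All field names, thresholds and values are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:
    """One historian row for the furnace; every value here is constructed."""
    t_s: int              # seconds since the start of the window
    hmi_temp_c: float     # furnace temperature as the HMI shows it (read from the PLC)
    backup_temp_c: float  # independent thermocouple on a separate logger, not via the PLC
    flue_co_ppm: float    # CO at the flue-gas analyser; rises on incomplete combustion
    setpoint_c: float     # furnace temperature set-point read back from the PLC

APPROVED_SETPOINT_C = 950.0  # value in the change-management record (assumed)
TEMP_MISMATCH_C = 25.0       # tolerance between PLC-reported and independent readings
CO_ALARM_PPM = 100.0         # CO level that signals combustion outside normal parameters
SETPOINT_DRIFT_C = 15.0      # cumulative deviation from the approved set-point to flag

def detect_sensor_spoofing(samples):
    """Data spoofing: the HMI value looks normal while a signal the PLC does not
    produce (independent sensor, downstream CO) says combustion is off-nominal."""
    alerts = []
    for s in samples:
        if abs(s.hmi_temp_c - s.backup_temp_c) > TEMP_MISMATCH_C:
            alerts.append((s.t_s, "temp_mismatch",
                           f"hmi={s.hmi_temp_c} backup={s.backup_temp_c}"))
        if s.flue_co_ppm > CO_ALARM_PPM and abs(s.hmi_temp_c - s.setpoint_c) < TEMP_MISMATCH_C:
            alerts.append((s.t_s, "co_without_temp_alarm",
                           f"co={s.flue_co_ppm} hmi={s.hmi_temp_c}"))
    return alerts

def detect_setpoint_drift(samples, approved=APPROVED_SETPOINT_C):
    """Stealthy command injection: each write is a small step, so compare against the
    approved record instead of the previous sample and the steps cannot hide in noise."""
    return [(s.t_s, "setpoint_drift", f"plc={s.setpoint_c} approved={approved}")
            for s in samples if abs(s.setpoint_c - approved) > SETPOINT_DRIFT_C]

# Constructed window: steady state, then a spoofed HMI reading, then 5 C set-point steps.
SAMPLES = [
    Sample(0,   955.0, 952.0, 20.0, 950.0),
    Sample(60,  953.0, 951.0, 22.0, 950.0),
    Sample(120, 956.0, 954.0, 18.0, 950.0),
    Sample(180, 955.0, 905.0, 140.0, 950.0),  # HMI still reports 955; backup and CO disagree
    Sample(240, 954.0, 890.0, 170.0, 950.0),
    Sample(300, 948.0, 946.0, 25.0, 945.0),   # first of several small, unapproved writes
    Sample(360, 942.0, 940.0, 28.0, 940.0),
    Sample(420, 937.0, 935.0, 35.0, 935.0),
    Sample(480, 931.0, 929.0, 40.0, 930.0),
    Sample(540, 926.0, 924.0, 48.0, 925.0),
]

if __name__ == "__main__":
    for alert in detect_sensor_spoofing(SAMPLES) + detect_setpoint_drift(SAMPLES):
        print(alert)
```

The drift check only works if the approved set-point is held somewhere the PLC cannot write to, which is the same reason the backup thermocouple must not be read through the PLC.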

Other waste-sector SCADA risk vectors:

Recycling stream contamination via sorting SCADA. Material Recovery Facilities rely on near-infrared (NIR) optical sorters to classify waste streams in real time. These systems are increasingly networked and remotely monitored. A data-spoofing attack manipulating sorting thresholds can systematically misclassify contaminated material as clean recyclate — creating both a potential Article 23 incident and falsified quality records under the EU Waste Shipment Regulation (Regulation (EU) 2024/1157).

Fleet management system compromise. GPS dispatch and route-optimisation platforms used by waste collectors are typically internet-facing SaaS services, often managed outside the IT security team’s direct scope. For a municipal contractor running 150 vehicles across a city, a dispatch outage of 24 hours or more almost certainly constitutes “severe operational disruption” under Article 23(3) — triggering the notification obligation regardless of whether any SCADA system was involved. [2]

Article 21(2) Obligations for Waste Operators — All 10 Measures Applied

Article 21(2) of NIS2 lists 10 cybersecurity risk management measures. Important entities are not exempt from any of them. The table below maps each measure to the waste sector’s operational context. For a complete breakdown of the documentation requirements each measure carries for audit purposes, see the NIS2 requirements guide.

Figure: Article 21 measures compliance table showing OT-specific obligations and implementation effort levels. Network segmentation and business continuity planning are rated HIGH effort because WtE plant shutdowns trigger environmental permit breaches.

Article 21(2) | Waste-Sector Application | Effort
--- | --- | ---
(a) Risk analysis and ISMS policies | Asset inventory must include SCADA, fleet management, weighbridge, ERP, and regulatory reporting systems — not only corporate IT | Medium
(b) Incident handling | Must define “significant incident” thresholds for both IT events and OT/physical-consequence events; document who notifies and on what timeline | Medium
(c) Business continuity and disaster recovery | WtE plants require process-level BCPs covering PLC failure, manual override procedures, and maximum offline duration before permit conditions are breached | High
(d) Supply chain security | Hauling subcontractors with dispatch system access; SCADA OEM vendors with remote maintenance capability; IT managed service providers | Medium
(e) Network and information system security | IT/OT network segmentation is required — SCADA networks must not share infrastructure with corporate email or internet-connected systems | High
(f) Effectiveness of measures | Periodic testing of OT security controls including SCADA-specific scenarios; documented test results required for supervisory review | Medium
(g) Cybersecurity hygiene and training | Driver and plant operator awareness: phishing recognition, abnormal HMI behaviour reporting, secure access procedures for operational staff | Low
(h) Cryptography policies | Encrypted channels for all remote SCADA access; encrypted communication with regulatory reporting portals (e-PRTR, WEEE, Basel reporting systems) | Medium
(i) HR security and access control | MFA on all remote access to plant control systems; immediate revocation of access for departing contractors with SCADA or dispatch system credentials | Medium
(j) Multi-factor authentication | Remote HMI access, VPNs to plant networks, SCADA operator stations with remote admin capability — MFA is non-optional under Article 21(2)(j) | Medium

Two measures typically require the most effort for waste operators starting from a low baseline: (c) business continuity, because WtE and MRF operations have industrial process dimensions not captured by standard IT BCPs, and (e) network security, because IT/OT separation often requires infrastructure investment rather than a configuration change.

The role-responsibility picture for a mid-size waste company (50–500 employees):

Responsibility | CISO / IT Manager | Operations Manager | Legal / Compliance | Board
--- | --- | --- | --- | ---
SCADA and OT asset inventory | Lead | Support (process knowledge) | | Approve scope
Incident response plan (OT-specific) | Lead | Co-lead | Review NCA notification requirements | Approve
Supplier security clauses | Input (technical requirements) | | Lead (contract drafting) |
NCA registration | Support | | Lead | Approve
Board cybersecurity briefing | Prepare | | Review | Receive (Article 20 accountability)

OT Security for Waste Facilities Under Article 21(2)(e)

The network security measure in Article 21(2)(e) is the one waste operators are least prepared to meet. Pure IT organisations implement it through firewall rules and segmentation policies. Waste facilities with industrial processes face a different reality: their most critical assets are SCADA systems, PLCs, and HMI terminals that predate modern security architectures, often running operating systems no longer supported by the vendor.

Figure: IT/OT DMZ architecture showing the corporate network, demilitarised zone, and SCADA process network segmentation. IEC 62443 provides the auditable OT security framework regulators expect — legacy SCADA systems require formal risk acceptance documentation.

IEC 62443 as the Article 21(2)(e) implementation framework

NIS2 does not prescribe specific OT security standards by name. IEC 62443 (Security for Industrial Automation and Control Systems) fills that gap in practice. Its zone-and-conduit model provides a structured, risk-based approach to segmenting industrial control environments that maps directly onto Article 21(2)(e)’s network security obligation. Implementing IEC 62443 zone documentation also generates the auditable evidence that regulators expect from Important entities undergoing reactive supervisory review. [4]

The practical minimum for a waste facility with industrial processes:

IT/OT network separation. The corporate network — email, ERP, internet access, fleet management SaaS — and the process network — SCADA, PLCs, HMI terminals — must not share the same network segment. A demilitarised zone (DMZ) with monitored data transfer is the minimum acceptable architecture. Air-gapping is stronger but often impractical where SCADA systems require remote monitoring by the OEM vendor or data exports to regulatory reporting systems.

Remote access documentation and control. Every point of remote access to plant control systems must be documented, formally approved, and protected with MFA per Article 21(2)(j). Maintenance vendor VPNs left open between annual service visits are a documented OT attack vector. Active remote sessions to SCADA systems that are not currently in use should be terminated rather than left idle.

Legacy system risk acceptance. Where OT systems cannot be patched — SCADA software on end-of-life operating systems, PLCs with firmware no longer supported by the manufacturer — formal risk acceptance documentation is required. This does not close the compliance gap, but it demonstrates proportionate treatment under the “appropriate and proportionate measures” standard in Article 21(1). Signed risk acceptance records are auditable evidence of due diligence.

SCADA-specific BCP scenarios. Your Business Continuity Plan (Article 21(2)(c)) must include scenarios specific to plant control system failure, not only IT outage. What is the manual override procedure if the WtE combustion control PLC goes offline? How long can operations continue without SCADA visibility before permit conditions are breached? Document this before an incident forces an improvised answer under time pressure.

A structured approach to asset-level threat modelling across both IT and OT environments is covered in the NIS2 risk assessment guide.

Article 23 Incident Reporting: Deadlines, Penalties, and What “Significant” Means for Waste Operators

Under Article 23, Important entities must report significant incidents to their national competent authority on a three-stage schedule. The reporting clock starts the moment the entity “becomes aware” — not when an internal investigation confirms the root cause or full extent of the incident.

Stage | Deadline | Required Content
--- | --- | ---
Early warning | Within 24 hours of becoming aware | Indicate whether suspected malicious cause; whether incident has potential cross-border impact
Incident notification | Within 72 hours of becoming aware | Initial severity assessment, impact scope, compromise indicators; update on early warning content
Final report | Within 1 month of incident notification | Detailed description, threat type and root cause, mitigation measures applied, cross-border impact assessment

What “significant” means for waste operations

Article 23(3) defines a significant incident as one that has caused or is capable of causing severe operational disruption or financial loss, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. [2] For waste operators, this translates concretely:

  • Waste collection services interrupted across a municipal contract area for more than 24–48 hours
  • WtE plant forced offline, creating emergency waste diversion obligations under the operating permit
  • Sorting facility data corruption causing misclassified material to enter recycling streams and reach downstream processors
  • Fleet management system outage disrupting operations across an entire city or region
  • Regulatory reporting system compromised, resulting in falsified or delayed statutory returns under EU waste law

The “capable of causing” language is important: if an attack on your SCADA system could have caused severe disruption but was stopped before it did, the incident may still meet the significance threshold and require reporting. The test is capability, not only actual harm.

Penalties for non-compliance

Important entities face fines of up to €7 million or 1.4% of global annual turnover (whichever is higher) for violations of Article 21 obligations. Failure to file Article 23 notifications on time is a separate infringement — not absorbed into the underlying security failure. National supervisory authorities in member states with implemented law are applying enforcement powers now.

Article 20 of NIS2 establishes management-level accountability: the board is required to approve the organisation’s cybersecurity risk management measures and must be kept informed of significant incidents. Directors who cannot demonstrate that cybersecurity received board-level attention may face personal liability in addition to the corporate fine. [5]

Six Priority Steps for Waste Management NIS2 Compliance

Most waste operators starting from a low baseline can reach a defensible compliance posture within three to six months. The following sequence prioritises legal exposure first, then technical risk reduction, then documentation maturity. The full framework behind the NIS2 Directive and its Important entity supervision model is covered in the directive overview.

Figure: Six-step compliance roadmap from NCA registration through OT segmentation to supplier contract clauses. Register with the National Competent Authority first — late registration is itself an enforcement trigger before any security audit begins.

Step 1 — Register with your national competent authority | Effort: Low

Registration is mandatory regardless of current security posture. In Germany this is the BSI portal under §33 BSIG; in France, ANSSI; in the Netherlands, NCSC-NL. Most member states have online registration processes taking under one hour. Registration before an incident is significantly better than after: late registration is itself an enforcement trigger in several jurisdictions, independent of any security failure.

Step 2 — Build a complete asset inventory covering IT and OT | Effort: Medium

A NIS2-compliant risk assessment cannot be completed without an inventory covering the full operational landscape: SCADA systems, PLCs and HMIs, fleet management and GPS dispatch platforms, weighbridge and intake recording systems, ERP and billing platforms, and regulatory reporting tools. Group assets by criticality — document what happens if each group is offline for 24 hours.

Step 3 — Define “significant incident” in writing before you need it | Effort: Low

Write a one-page document answering: how long must collection be interrupted before triggering Article 23? What SCADA events constitute reportable incidents? Who decides and who files? Having this defined before an incident prevents the worst outcome: discovering you had a significant incident after the 24-hour early warning window has already closed.

Step 4 — Segment your IT and OT networks | Effort: High

For facilities with industrial process equipment, this is the highest-impact step. A firewall between the corporate network and the SCADA network breaks the most common lateral movement pathway: phishing email on an employee device, credential theft, pivot to process network. Full IEC 62443 zone documentation is the target state; starting with basic boundary separation delivers the most risk reduction per unit of effort.

Step 5 — Apply MFA to all remote access points | Effort: Medium

Audit every point of remote access to plant systems: SCADA vendor VPNs, fleet management SaaS, ERP remote access, regulatory reporting portals. Article 21(2)(j) makes MFA non-optional for sensitive system remote access. Close unused sessions, revoke departed contractor access, and document what remains active and why.
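Added example (not the article's or any vendor's code) covering the IT/OT zone model described earlier and Steps 4 and 5 together: a Python audit over a constructed firewall rule list and remote-access register that flags any rule bypassing the DMZ, and any remote path to plant systems that lacks MFA or an approval record, has sat idle beyond a set period, or is past its contract end date. Zone names, record fields, identifiers and dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Conduits the zone model permits: corporate and process only meet in the DMZ.
# Zone names are this example's own, not IEC 62443 terminology.
ALLOWED_CONDUITS = {
    ("internet", "corporate"), ("corporate", "internet"),
    ("corporate", "dmz"), ("dmz", "corporate"),
    ("dmz", "process"), ("process", "dmz"),
}

@dataclass(frozen=True)
class FirewallRule:
    name: str
    src_zone: str
    dst_zone: str
    service: str  # label only, e.g. "opc-ua"; not evaluated

@dataclass(frozen=True)
class RemoteAccess:
    name: str
    target_zone: str
    mfa: bool
    approval_ref: Optional[str]   # change/approval record; None means undocumented
    last_used: date
    active_until: Optional[date]  # contract or service-window end; None means open-ended

def check_conduits(rules):
    """Any permitted flow that is not an allowed conduit is a DMZ bypass."""
    return [(r.name, "dmz_bypass", f"{r.src_zone}->{r.dst_zone} {r.service}")
            for r in rules if (r.src_zone, r.dst_zone) not in ALLOWED_CONDUITS]

def check_remote_access(entries, today, idle_days=30):
    """Flag undocumented, unprotected, idle or expired remote paths; the idle check
    is the 'vendor VPN left open between service visits' case."""
    findings = []
    for e in entries:
        if not e.mfa:
            findings.append((e.name, "no_mfa", f"target={e.target_zone}"))
        if e.approval_ref is None:
            findings.append((e.name, "no_approval_record", f"target={e.target_zone}"))
        idle = (today - e.last_used).days
        if idle > idle_days:
            findings.append((e.name, "idle", f"{idle} days since last use"))
        if e.active_until is not None and e.active_until < today:
            findings.append((e.name, "expired", f"ended {e.active_until.isoformat()}"))
    return findings

# Constructed inventory for a WtE site.
RULES = [
    FirewallRule("historian-mirror", "dmz", "corporate", "https"),
    FirewallRule("opc-collector", "dmz", "process", "opc-ua"),
    FirewallRule("ops-rdp", "corporate", "process", "rdp"),             # bypasses the DMZ
    FirewallRule("vendor-vpn-direct", "internet", "process", "ipsec"),  # bypasses the DMZ
]
TODAY = date(2025, 3, 15)
REMOTE = [
    RemoteAccess("scada-oem-vpn", "process", True, "CHG-0142", date(2025, 1, 10), None),
    RemoteAccess("hauler-dispatch-acct", "corporate", False, "CHG-0099", date(2025, 3, 10), date(2025, 2, 28)),
    RemoteAccess("shift-lead-hmi", "process", True, None, date(2025, 3, 14), None),
]

if __name__ == "__main__":
    for finding in check_conduits(RULES) + check_remote_access(REMOTE, TODAY):
        print(finding)
```

Each finding maps to an action the text already calls for: close or re-route the bypassing rule, add MFA, attach an approval record, or revoke the idle or expired path and note why anything remaining stays active.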

Step 6 — Add NIS2 security clauses to supplier contracts | Effort: Medium

Article 21(2)(d) requires documented supplier security requirements. Hauling subcontractors with access to dispatch systems, SCADA OEM vendors with remote maintenance capability, and IT service providers all need standard security clauses. A template addendum covering NIS2-minimum requirements — vulnerability disclosure obligations, incident notification timelines, access revocation on contract termination — is sufficient for audit purposes.

Frequently Asked Questions

Does NIS2 apply to a small waste company with fewer than 50 employees?

Not directly under Annex II, Section 2. The thresholds are 50 or more employees or €10M or more annual revenue — both are independent conditions. Companies below both thresholds are generally out of scope unless their member state has adopted a broader national definition. Where a company is part of a larger group, the combined group size applies under EU SME rules.

We only collect waste — we do not treat or dispose of it. Are we covered?

Yes, if you meet the size threshold. Waste collection is included in “waste management” as defined in Article 3(9) of Directive 2008/98/EC. The Annex II, Section 2 cross-reference captures the full chain including collection-only operators. [1]

What is the practical difference between Important and Essential entities for waste companies?

All waste management operators are Important entities (Annex II). The Annex I essential sector that sounds similar — wastewater management — is a distinct classification for a different type of operation. Both entity types carry identical Article 21 obligations. The differences are supervision model (reactive for Important, proactive for Essential) and penalty ceiling (€7M/1.4% of global turnover for Important versus €10M/2% for Essential). [5]

After a SCADA incident, do we have to file with both the NIS2 authority and the environmental authority?

Yes — these are separate, independent regimes with different reporting channels and different timelines. An Article 23 incident notification goes to the NIS2 national competent authority. An environmental incident report goes to the national environmental regulator under the applicable permit conditions and the Industrial Emissions Directive. There is currently no unified reporting mechanism that satisfies both obligations simultaneously.


This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Sources

  1. Directive (EU) 2022/2555 — Annex II: Other Critical Sectors, Section 2 (Waste Management)
  2. NIS2 Directive — Article 23: Reporting obligations
  3. Tran et al. (2025) — Dataset of SCADA traffic captures from a medical waste incinerator with injected cyberattacks. PMC, National Library of Medicine
  4. nisd2.eu — NIS2 Waste Management: Compliance Essentials
  5. Glocert International — NIS2 Applicability: Essential vs Important Entities