
NIS2 for Waste Management and Disposal Companies

TL;DR
  • Waste management is listed in Annex II of the NIS2 Directive as a separate sector. Disposal companies with 50 or more employees or 10 million EUR or more in revenue are affected as important entities.
  • The waste management industry is highly digitalized: route planning, GPS tracking, automated weighbridge systems, electronic waste documentation (eANV), and operational logbooks form a continuous digital process chain.
  • A logistics IT outage leads to visible problems within one to two days: bins are not emptied, commercial waste is not collected, disposal documentation cannot be created.
  • The waste management industry is subject to extensive environmental regulation (KrWG, NachwV, DepV). Electronic waste documentation is legally mandatory, and its availability and integrity are NIS2-relevant.
  • A disposal company with 95 employees can achieve NIS2 compliance within 12 months, with the integration of environmental compliance and IT security being the key to efficient implementation.

Why Waste Management Falls Under NIS2

Waste disposal is one of those services whose importance only becomes apparent when it stops working. If garbage collection and recyclable material collection fail for several days, the consequences quickly become visible: overflowing containers, hygiene problems, blocked businesses that cannot dispose of their waste. And behind the visible waste collection stands a complex infrastructure of sorting facilities, transfer stations, landfills, incineration plants, and recycling operations that all must function in coordination.

The European legislator has therefore included waste management in Annex II of the NIS2 Directive as a separate sector. This is a notable decision, as waste management was not covered under the predecessor directive NIS1. NIS2 recognizes that waste disposal is a critical service whose failure endangers public health and the environment.

Specifically affected are:

  • Disposal companies: Collection, transport, and disposal of municipal and commercial waste
  • Sorting and recycling facilities: Operators of sorting plants, recycling operations, and recycling centers
  • Waste incineration plants: Thermal recovery and waste-to-energy facilities
  • Landfill operators: Operation and aftercare of landfills
  • Hazardous waste disposal companies: Disposal of hazardous waste
  • Municipal waste management utilities: Municipal enterprises and public companies

The thresholds apply as for all NIS2 sectors: at least 50 employees or at least 10 million EUR in annual revenue. In the waste management industry, there are many companies that fall exactly in this range. Municipal disposal utilities serving a county town and surrounding area typically have 60 to 200 employees. Private-sector disposal companies specializing in commercial waste or hazardous waste frequently have 50 to 150 employees.

Since waste management is listed in Annex II, affected companies are classified as important entities. This means: reactive supervision by the BSI (audits only when there is specific cause), fines up to 7 million EUR or 1.4 percent of global annual revenue, and the same reporting obligations as for essential entities (24h/72h/1 month).

The Digital Process Chain of Waste Management

Many people associate waste management with garbage trucks and containers. In reality, the industry is now highly digitalized. From the moment a waste bin is emptied to the final recovery or landfilling, the waste passes through a digital process chain in which IT systems play a central role.

Route Planning and Tour Optimization

Route planning is the logistical heart of a disposal company. Specialized software (such as AMCS, Recrion, BDE|mobile, or Awido) plans daily tours taking into account container locations, emptying frequencies, vehicle capacities, traffic conditions, and legal driving and rest times.

For a company that runs 30 to 50 tours daily, thousands of individual stops are planned and coordinated each day. Each tour is optimized down to the minute because vehicles and drivers are the most expensive resources. A route planning outage means: dispatchers must compile tours manually, which is hardly realistic at this complexity. At best, drivers follow the previous day's tours, which quickly leads to problems with varying emptying rhythms.

GPS Tracking and Telematics

Modern disposal vehicles are equipped with GPS trackers, onboard computers, and telematics systems. These systems serve multiple functions:

  • Real-time tracking: Dispatch knows at all times where each vehicle is located and can reschedule during breakdowns or traffic jams
  • Emptying confirmation: Each container emptying is documented with GPS coordinates and timestamps. This is important for billing and for verification to municipal clients
  • Weighing data capture: Vehicles with integrated weighing technology record the weight of each emptying or container pickup
  • Driver behavior: Acceleration, braking, and idle times are captured to optimize diesel consumption

Weighbridge Systems: The Bridge Between Logistics and Billing

At the entrances to sorting facilities, transfer stations, and landfills, there are weighbridges that weigh every incoming and outgoing vehicle. The difference yields the net weight of the delivered waste. This weighing data is the basis for all billing and for regulatory documentation.

A typical weighbridge system includes:

  • Weighbridge with load cells: Physical scale that captures the vehicle weight
  • Weighing software: Records gross/tare/net weight, assigns the weighing to an order and waste type
  • Camera system: Photographs the vehicle and license plate at each entry and exit
  • Barrier control: Opens the barrier after successful weighing
  • ERP interface: Weighing data flows automatically into the ERP system for billing and disposal documentation

A manipulated weighbridge system can cause significant financial damage. If recorded weights are systematically reduced, the company loses revenue. If weights are increased, customers are overbilled. In both cases, the regulatory quantity records are incorrect, which can result in administrative offenses.

Electronic Waste Documentation (eANV)

For the disposal of hazardous waste, the electronic waste documentation (eANV) via the Central Coordination Office of the Federal States (ZKS-Abfall) has been mandatory since 2010. The eANV documents the disposal path of hazardous waste from the producer through the transporter to the disposer. All three parties must sign the documentation electronically.

For disposal companies, this means: the eANV software and the connection to the ZKS portal are business-critical. If a disposal company cannot create electronic disposal documentation, it may not accept or transport hazardous waste. An IT outage that interrupts the eANV process therefore has immediate legal and operational consequences.

Operational Logbook and Environmental Monitoring

Landfill operators and operators of waste treatment facilities maintain an operational logbook that the responsible authority can inspect at any time. In modern facilities, this logbook is digital and contains:

  • Quantities and types of accepted waste
  • Operating parameters of the facility (temperatures, emissions, throughput)
  • Documentation of disruptions and corrective measures
  • Results of self-monitoring activities

The integrity and availability of this operational logbook are not only a NIS2 requirement but also an obligation under environmental law.

Industry-Specific Risks

The waste management industry has a risk profile that differs from other sectors in several respects.

Decentralized Structure and Mobile Devices

Disposal companies are decentrally organized. Value creation does not take place in a factory hall but across hundreds of tours, at dozens of locations, and throughout the entire municipal area. Drivers are equipped with mobile devices (tablets, onboard computers) that communicate with headquarters via cellular networks.

This decentralized structure creates a broad attack surface:

  • Mobile devices can be stolen or physically compromised
  • Cellular connections can be intercepted if not encrypted
  • Onboard computers in vehicles often have limited security features
  • Drivers typically do not have a high level of IT security awareness

Municipal Dependencies

Many disposal companies work on behalf of municipal clients. The disposal obligation lies with the districts and independent cities, which outsource operational execution to third parties. This means: an IT outage at a disposal company affects not just the company itself but the public services of an entire municipality.

Municipal clients are increasingly paying attention to the IT security of their service providers. In tenders, requirements for an ISMS or at least basic IT security measures appear with growing frequency. NIS2 reinforces this trend.

Seasonal and Weather-Dependent Peak Loads

The waste management industry is subject to seasonal fluctuations (garden waste in autumn, bulky waste campaigns, Christmas packaging) and weather-related challenges (winter road service that ties up vehicles and personnel). A cyberattack during a peak load period causes disproportionately high damage because capacities are already at their limits and no reserves are available for manual processes.

Environmental Law Consequences

A cyberattack on a disposal company can have consequences under environmental law that go beyond NIS2 fines. If an attacker manipulates a landfill's operational data (such as emission values or leachate analyses), this can lead to environmental liability. If electronic disposal documentation is unavailable and hazardous waste is transported anyway, this constitutes an administrative offense under the Circular Economy Act (Kreislaufwirtschaftsgesetz).

Special NIS2 Requirements for Waste Management

Risk Analysis: Logistics and Environmental Compliance as Dimensions

The risk analysis must consider, in addition to classic IT risks, the specific impacts on disposal logistics and environmental compliance — in ISMS Lite, these industry-specific assessment dimensions can be set up as dedicated risk criteria:

  • Which IT systems are essential for daily route planning and execution?
  • What happens if the weighbridge systems fail for a day? Can vehicles still be accepted?
  • How long can the company dispose of hazardous waste without the eANV system? (Answer: not at all — at least not legally.)
  • Which environmental monitoring systems are IT-supported and what happens during their outage?

Securing Weighbridge Systems

Weighbridge systems are business-critical and simultaneously vulnerable because they sit at the interface between physical infrastructure and IT. The weighbridge is a physical device, but the weighing software, camera integration, and ERP interface are IT systems.

Recommended measures:

  • Network segmentation: Place weighbridge systems in a separate network segment, separated from the office network
  • Integrity protection: Provide weighing data with a hash value or digital signature to detect subsequent manipulation
  • Offline capability: The weighing software must function even when the connection to the ERP is temporarily interrupted. Weighing data is cached locally and synchronized when the connection is restored.
  • Access control: Only authorized personnel may make configuration changes to the weighing software. Every change is logged.
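The integrity protection and offline capability listed above, together with the earlier requirement that the operational logbook stay tamper-evident, can be demonstrated in one piece of code. The following Python is an added example written for this article; it is not code from ISMS Lite or from any weighing-software vendor named on the page. It assumes a per-site secret key (a constant here), a few constructed sample weighings with fictitious plates and tickets, and a plain list standing in for the ERP. Each weighing is signed with HMAC-SHA256 and linked to the previous record's MAC, so a changed weight breaks that record's MAC and a deleted record breaks the link of the record that follows it; records are signed on the weighbridge PC immediately and queued until the ERP link is back.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Assumption (constructed for this example): each weighbridge PC holds a
# per-site secret; a real deployment would keep it in an HSM/TPM or OS key store.
SITE_KEY = b"constructed-example-key-not-for-production"
GENESIS = "GENESIS"


def canonical(body: dict) -> bytes:
    """Deterministic serialisation so the MAC covers every field identically."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, prev_mac: str) -> dict:
    """Return the record with a 'prev' link and an HMAC-SHA256 over both."""
    body = dict(record, prev=prev_mac)
    mac = hmac.new(SITE_KEY, canonical(body), hashlib.sha256).hexdigest()
    return dict(body, mac=mac)


def verify_chain(records: list[dict]) -> tuple[bool, int]:
    """Check MACs and chain links; return (ok, index of first bad record or -1).

    A changed field breaks that record's MAC; a deleted or reordered record
    breaks the 'prev' link of the record that follows it.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("prev") != prev:
            return False, i
        expected = hmac.new(SITE_KEY, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            return False, i
        prev = rec["mac"]
    return True, -1


class WeighbridgeSpool:
    """Local record store on the weighbridge PC.

    Weighings are signed and chained immediately, whether or not the ERP link
    is up; unacknowledged records wait in `pending` until `sync` succeeds.
    """

    def __init__(self) -> None:
        self.records: list[dict] = []
        self.pending: list[dict] = []
        self.last_mac = GENESIS

    def weigh(self, ticket: str, plate: str, gross_kg: int, tare_kg: int,
              waste_code: str) -> dict:
        record = {
            "ticket": ticket, "plate": plate, "gross_kg": gross_kg,
            "tare_kg": tare_kg, "net_kg": gross_kg - tare_kg,
            "waste_code": waste_code,
        }
        signed = sign_record(record, self.last_mac)
        self.last_mac = signed["mac"]
        self.records.append(signed)
        self.pending.append(signed)
        return signed

    def sync(self, erp_online: bool, erp_store: list[dict]) -> int:
        """Deliver pending records to the ERP (a plain list here); return the count."""
        if not erp_online:
            return 0
        delivered = 0
        while self.pending:
            erp_store.append(self.pending.pop(0))
            delivered += 1
        return delivered


def demo() -> dict:
    """Walk through an ERP outage, the later sync, and two tampering attempts."""
    spool, erp = WeighbridgeSpool(), []
    # Constructed sample weighings (fictitious plates and tickets).
    spool.weigh("T-1001", "H-AB 123", 18240, 11800, "20 03 01")
    queued_while_down = spool.sync(erp_online=False, erp_store=erp)  # link down
    spool.weigh("T-1002", "H-CD 456", 21910, 12150, "17 09 04")
    delivered = spool.sync(erp_online=True, erp_store=erp)           # link back
    ok_clean, _ = verify_chain(erp)

    edited = [dict(r) for r in erp]
    edited[0]["net_kg"] -= 500                      # a recorded weight is lowered
    ok_edited, bad_edited = verify_chain(edited)

    ok_deleted, bad_deleted = verify_chain(erp[1:])  # first weighing removed
    return {
        "queued_while_down": queued_while_down, "delivered": delivered,
        "net_kg": [r["net_kg"] for r in erp],
        "ok_clean": ok_clean, "ok_edited": ok_edited, "bad_edited": bad_edited,
        "ok_deleted": ok_deleted, "bad_deleted": bad_deleted,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

An HMAC means whoever verifies the chain (the ERP, an auditor) holds the same key and could therefore also forge records; if that party must not be able to do so, replace the HMAC with an asymmetric signature (for example Ed25519, private key on the weighbridge PC, public key at the ERP) and keep the chaining unchanged. The chain verifier should run on every sync and on every export of the quantity records, and a failed check should be treated as a security incident rather than a data-quality issue.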

Securing Mobile Devices and Onboard Computers

The large number of mobile devices in the field requires a Mobile Device Management (MDM) system that centrally manages and secures the devices:

  • Device encryption: All mobile devices must be encrypted so that no data leaks if lost or stolen
  • Remote wipe: The ability to remotely lock and wipe a lost device
  • App management: Only approved apps may be installed
  • VPN mandatory: Communication between mobile devices and headquarters runs through an encrypted VPN tunnel

Securing the eANV Process

The electronic waste documentation is a business-critical process with legal implications. Securing it includes:

  • Ensure availability: Redundant internet connection for access to the ZKS portal
  • Protect certificates: The electronic signatures for the eANV are based on certificates that must be securely stored and managed
  • Define emergency procedures: What happens if the eANV process is unavailable for a day? The documentation regulation allows a temporary return to paper-based procedures in exceptional cases, but this must be documented and reported to the authority.

Practical Example: Disposal Company with 95 Employees

Starting point:

EntsorgPro GmbH (fictitious example) is a private-sector disposal company based in Lower Saxony with 95 employees and 18 million EUR in annual revenue. The company operates a sorting facility and a transfer station and conducts municipal waste collection for two districts. Additionally, it offers commercial waste disposal and container services. The company is certified as a specialized waste management company (Entsorgungsfachbetrieb / Efb) under Section 56 of the Circular Economy Act.

The IT infrastructure:

  • ERP system: Industry solution (Recom/Recrion), on-premise, manages orders, billing, weighing data, disposal documentation
  • Route planning: Integrated module of the industry solution, plans 35 tours daily
  • Telematics: GPS trackers and onboard computers in 40 vehicles (garbage trucks, container vehicles, special vehicles)
  • Weighbridge systems: Two weighbridges (sorting facility and transfer station) with weighing software, camera system, and barrier control
  • eANV software: For the disposal of hazardous waste (hazardous waste transports)
  • Operational logbook: Digitally maintained for the sorting facility (facility requiring a permit under BImSchG)
  • Server infrastructure: 4 physical servers (ERP, file server/AD, backup, weighbridge system server)
  • Mobile devices: 40 onboard computers in vehicles, 15 tablets for drivers and field service
  • Workstations: 20 PCs (dispatch, administration, weighhouse)

IT is managed by one IT officer, who also supports commercial management, together with an external IT services company. There is no ISMS. The Efb certification covers organizational requirements for expertise and operational organization but contains no explicit IT security requirements.

Phase 1: Inventory and Regulatory Classification (Months 1-2)

Applicability analysis: EntsorgPro, with 95 employees and 18 million EUR revenue, falls under NIS2. Waste management is listed in Annex II. Classification: important entity.

Regulatory inventory: In addition to NIS2, EntsorgPro is subject to the following regulations: Circular Economy Act (KrWG), Documentation Regulation (NachwV) for hazardous waste, Specialized Waste Management Company Regulation (EfbV), Federal Immission Control Act (BImSchG, for the sorting facility), Commercial Waste Regulation, GDPR.

Appoint an ISB (information security officer): Since no dedicated IT manager is available, the ISB role is filled externally. An external ISB with industry knowledge (waste management/logistics) is engaged with a time budget of 2 days per month.

Create asset inventory:

| Category | Count | Most Critical Asset |
|---|---|---|
| Servers | 4 | ERP server (Recom/Recrion) |
| Weighbridge systems | 2 | Weighbridge at the sorting facility |
| Mobile devices (onboard computers) | 40 | Onboard computers in garbage trucks (municipal collection) |
| Mobile devices (tablets) | 15 | Driver tablets (container logistics) |
| Workstations | 20 | Dispatch workstations |
| Network components | 8 | Firewall, WLAN controller |
| Cloud/web services | 3 | ZKS-Abfall (eANV), GPS tracking (SaaS), Microsoft 365 |

Notable finding: The weighbridge systems are connected directly to the ERP server through a flat network. The onboard computers in vehicles communicate unencrypted with the ERP. Three tablets have no PIN protection. The ERP backup is stored on a NAS in the same server room — an offsite backup does not exist.

Phase 2: Risk Analysis (Months 3-4)

| Risk | Impact on Operations | Impact on Compliance | Rating |
|---|---|---|---|
| Ransomware encrypts ERP | Route planning, billing, and weighing data unavailable | Disposal documentation cannot be created | Critical |
| Route planning outage | 35 tours must be dispatched manually | Municipal contracts not fulfilled on time | Critical |
| Manipulation of weighing data | Incorrect billing, faulty quantity records | Possible violation of NachwV | High |
| eANV access outage | Hazardous waste transports not possible | Administrative offense if transported without documentation | High |
| Compromise of onboard computers | Incorrect tour info to drivers, GPS data manipulated | Emptying confirmations not evidence-grade | Medium |
| Loss/theft of a tablet | Customer data, tour information accessible | GDPR notification obligation possible | Medium |
| Sorting facility logbook outage | Documentation interrupted | Authority can order operational shutdown | High |

Identified as especially critical: The missing offsite backup and the missing network segmentation. A ransomware attack would encrypt both the production systems and the backup on the local NAS, leaving the company without a viable recovery option.

Phase 3: Technical Measures (Months 5-8)

Offsite backup (Month 5, highest priority): A cloud-based backup is established. Daily backup of the ERP database, weighing data, and eANV data to an encrypted cloud backup. Weekly full backup to an offline medium (external hard drive) stored in a bank safe deposit box. Monthly restore test.

Network segmentation (Months 5-6):

  • Office zone: Administration, dispatch, email, internet
  • Weighbridge system zone: Weighbridges, weighing software, camera systems. Only defined connections to the ERP
  • Server zone: ERP, file server, Active Directory. Access only from defined zones
  • WLAN zone: Separate networks for employees (with ERP access) and visitors (internet only)

Mobile Device Management (Months 6-7): Introduction of an MDM system (Microsoft Intune, since M365 is already licensed) for all tablets and, where possible, for the onboard computers. Device encryption, PIN requirement, remote wipe, app whitelisting.

Encryption of vehicle communication (Month 7): Communication between onboard computers and the ERP is switched to VPN tunnels. GPS data is transmitted encrypted.

MFA (Months 7-8): Multi-factor authentication for all access points: VPN, Microsoft 365, ERP web access, eANV portal administration.

Phase 4: Organizational Measures (Months 8-10)

Training program:

  • All employees: 30-minute online module on cyber hygiene
  • Drivers: Short training (15 minutes, during the driver briefing) on secure handling of onboard computers and tablets, reporting loss
  • Dispatch: Deeper training on phishing recognition and secure use of the ERP system
  • Executive management: NIS2 obligations, personal liability, budget approval
  • External ISB: Regular report to executive management (quarterly)

Supplier assessment:

| Supplier | Special Requirements |
|---|---|
| ERP vendor (Recom/Recrion) | Patch cycles, remote maintenance security, backup compatibility |
| Telematics provider (SaaS) | Data encryption, availability, data processing location |
| Weighbridge system manufacturer | Remote maintenance security, firmware updates, integrity protection |
| External IT services company | NIS2 clauses in contract, response times for incidents |
| Microsoft (M365) | SOC 2 / ISO 27001 evidence available |

Business continuity plan:

| System | RTO | Emergency Procedure |
|---|---|---|
| ERP | 8 hours (local) / 24 hours (cloud restore) | Drive tours based on last known plan, manual weighing |
| Route planning | 4 hours | Drivers follow yesterday's tours, dispatch by phone |
| Weighbridge systems | 4 hours | Manual weighing with calibrated yard scale, paper log |
| eANV | 8 hours | Paper procedure per NachwV, notify authority |
| GPS tracking | 24 hours | Telephone status reports from drivers to dispatch |

Tabletop exercise: Scenario: Ransomware attack on Monday morning at 5:00 AM, ERP and file server encrypted, backup NAS also affected. Cloud backup is intact. 35 drivers arrive at the yard at 6:00 AM waiting for their tour data. Result: Drivers can retrace Friday's tours (tour lists will henceforth be printed on Fridays and kept in the vehicle). The weighing stations switch to paper logs. The ERP is restored from cloud backup within 22 hours. Room for improvement: RTO of 22 hours is too long. Investment in a hot-standby server or a cloud ERP instance is being evaluated.

Phase 5: Audit and Continuous Improvement (Months 10-12)

Internal audit by external ISB:

Findings:

  1. The onboard computers in eight older vehicles (built before 2020) do not support VPN or encryption. Compensating measure: these vehicles will be replaced at the next vehicle renewal. Until then: no sensitive data on these devices, tour information is transmitted as read-only.
  2. The weighing software at the transfer station has not received an update for 14 months. Corrective action: agree on a patch cycle with the weighbridge system manufacturer.
  3. The emergency paper supply for manual weighing is not stored at the weighhouse but in the administration building. Corrective action: place emergency materials directly at the weighhouse.

Management review: Executive management approves the residual risk catalog, the budget for the following year, and commissions the evaluation of a cloud ERP solution to improve recovery time.

Budget Overview

| Item | One-time (Year 1) | Annual (from Year 2) |
|---|---|---|
| External ISB (2 days/month) | 24,000-30,000 EUR | 24,000-30,000 EUR |
| Network segmentation | 8,000-12,000 EUR | 1,500-2,500 EUR |
| Cloud backup | 3,000-5,000 EUR | 3,000-5,000 EUR |
| Mobile Device Management | 2,000-4,000 EUR | 2,500-3,500 EUR |
| MFA and VPN expansion | 3,000-5,000 EUR | 1,500-2,500 EUR |
| Training | 3,000-5,000 EUR | 2,000-3,000 EUR |
| Weighbridge system hardening | 4,000-6,000 EUR | 1,000-2,000 EUR |
| Total | 47,000-67,000 EUR | 35,500-48,500 EUR |

The budget is realistic for a company of this size and sits at the lower end of NIS2 implementation costs because EntsorgPro, as an important entity, is not subject to proactive BSI supervision, and the OT complexity (sorting facility, weighbridge systems) is manageable. To keep tool costs in check: ISMS Lite offers the full feature set from 500 EUR per year or as a one-time purchase for 2,500 EUR, with no seat licenses or hidden costs.

What You Should Do Now

If you are in the waste management industry and need to implement NIS2, the following first steps make sense:

  1. Check your backup strategy immediately. Do you have an offsite backup that remains intact during a ransomware attack? If not, that is the first measure. A disposal company without a functioning ERP can no longer run tours within one to two days.

  2. Treat weighbridge systems and eANV as critical assets. These systems are not only operationally important but have legal implications. Their integrity and availability must be protected as a priority.

  3. Get mobile devices under control. If onboard computers and tablets are deployed without PIN protection and without encryption, that is an easily fixable but significant risk. An MDM system is the foundation.

  4. Think Efb certification and NIS2 together. The Efb certification already requires a documented operational organization. Use this structure as a foundation for the ISMS rather than building a parallel system.

Waste management may not seem like a typical NIS2 candidate at first glance. But the digitalization of the industry has ensured that route planning, weighing data, disposal documentation, and operational logbooks today depend entirely on functioning IT systems. Anyone who does not protect these systems risks not only fines but the standstill of a service on which every municipality and every commercial business depends.

Further Reading

NIS2 compliance for the waste management industry

ISMS Lite covers all NIS2 requirements for disposal companies. Risk management, measure tracking, and audit trail for companies with networked logistics and environmental compliance. Self-hosted, deployed in 5 minutes.
