Territorial scope combined with an extensive list of in-scope sectors makes the initial question of NIS 2 applicability the most important (and complex) for businesses. Determining applicability of the new directive is important as the obligations are much stricter than under the old NIS Directive, including compliance with enhanced cybersecurity standards and stricter reporting obligations. However, we are finding that there is still a lot of uncertainty around who is caught by NIS 2.
We take a closer look at the applicability of NIS 2 for managed service providers (“MSPs”). This is a new subcategory under NIS 2 and is defined as entities ‘providing services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration, carried out either on customers’ premises or remotely.’[1]
Navigating applicability
The test for applicability is three-pronged and depends on: (a) the industry, (b) the size and (c) the location of the entity in question. This assessment can be particularly challenging for MSPs due to the cross-sectoral, cross-border nature of their activities. It could mean that only certain parts of a business are caught, resulting in the need for fractional compliance efforts.
We consider each criterion at a high level below and explain key considerations for MSPs when assessing applicability.
Material scope
(a) industry
The starting point for whether a business falls within scope is the sector within which it operates or to which it provides services. These are categorised and listed in Annex 1 (sectors of high criticality) and Annex 2 (other critical sectors).
NIS 2 adds 10 new sectors into scope, in addition to those under the NIS Directive. Annex 1 includes a new ‘ICT service management (B2B)’ category, within which MSPs fall.
Note that in addition to MSPs, there are also subsectors (and accompanying definitions[2]) such as ‘cloud computing service providers’, ‘data centre service providers’ and ‘managed security service providers’. A careful assessment should be conducted to determine an accurate classification of the nature of the business as this could impact the nature and extent of obligations.
(b) size
In addition to sectoral classification, the size of a business is also important and is measured as: (1) large (more than 250 employees and more than €50 million annual revenue), (2) medium (50-250 employees and €10-50 million annual revenue) or (3) small/micro (less than 50 employees and less than €10 million annual revenue).
Size will determine the label of ‘important’ or ‘essential’ (note the previous labels of ‘operators of essential services’ or ‘digital service providers’ are no longer used), which varies between sectors and subsectors. Within the subsector of MSPs, a ‘medium’ entity will be ‘important’ and a ‘large’ entity will be ‘essential’.
The size classification has practical implications as ‘essential’ entities are subject to enhanced supervision and stricter enforcement than ‘important’ – the maximum fines for ‘essential’ entities are €10 million or 2% of annual global turnover, whichever is higher, whilst for ‘important’ entities they are €7 million and 1.4%. It is therefore important that businesses conduct this analysis carefully to identify the correct classification.
Territorial scope
The general rule is that entities that are established in the EU will be in scope and will be subject to that Member State’s (“MS”) laws. However, MSPs that are not established in the EU may be caught if they offer their services to the EU, in which case they will be subject to the jurisdiction of the MS in which they have their ‘main establishment’[3]. This is often a complex assessment, so the following guidance is provided:
- the main establishment is the MS in which the decisions related to cybersecurity risk-management measures are predominantly taken; this will typically be the place of the entity’s central administration in the EU;
- where such a MS cannot be determined, or if such decisions are not taken in the EU, the main establishment is where cybersecurity operations are carried out;
- where such a MS cannot be determined, the main establishment is the MS where the entity has the establishment with highest number of employees in the EU;
- where services are carried out by a group, the main establishment of the controlling undertaking is the group’s main establishment; and
- where an MSP which is not established in the EU offers services within the EU, it is required to designate a representative.
The rules are complex and should be carefully assessed to determine the applicable MS. This could have implications for the interpretation of the Directive based on the precise wording in the relevant transposed version.
Key takeaways and dates
NIS 2 came into force on 16 January 2024 and Member States have until 17 October 2024 to implement it into their local laws. With just over 2 months left to go, now is the time to conduct an applicability analysis in order to get ahead on compliance, especially as most MSs are already set to implement NIS 2 into their local laws before the October deadline.
Organisations have an obligation to ‘self-register’ if they consider themselves within scope. They must do so by contacting the competent authority in the MS where their main establishment is by 17 January 2025.
The NIS 2 text can be accessed here.
For more information on NIS 2 Directive please visit our insights page at kempitlaw.com.
[1] Article 6(49) NIS 2.
[2] All definitions are set out in Article 6 NIS 2.
[3] Article 26(1)(b) NIS 2.