The EU NIS2 Directive and intra-group IT services

Hogan Lovells

Key takeaways

The EU NIS2 Directive defines cybersecurity obligations also for entities providing IT services only within their own corporate group of companies. To assess whether these obligations apply, the relevant thresholds need to be calculated in a complex process. This process takes into account partner and linked enterprises, subject to potential limitations under national NIS2 implementation laws. The applicability may influence decisions on group-wide insourcing or outsourcing of IT services. We present several scenarios and the respective applicability of the NIS2 Directive.

While the NIS2 Directive remains to be implemented in several EU Member States, including Germany, companies should use the time to assess whether they fall within the scope of the Directive and prepare for its implementation. When making this assessment, particular attention should be paid to entities providing IT services within the corporate group. Where a corporate group considers outsourcing or insourcing IT services within the same group, it is also worthwhile considering the impact of NIS2. The NIS2 Directive applies in principle only to companies that exceed certain thresholds for employed persons and annual turnover. However, these thresholds are calculated in accordance with the Annex to Recommendation 2003/361/EC, which requires that data from the entire group, including partner and linked enterprises, be taken into account. Since intra-group IT service entities are often of limited headcount and annual turnover, they are easily dismissed as being neither essential nor important entities. However, a careful threshold calculation should be made to determine whether such an entity qualifies as an important or even an essential entity under the NIS2 Directive. Taking into account the data of partner or linked enterprises may then result in the thresholds being exceeded and thus the respective entity being within the scope of the NIS2 Directive. Different scenarios can be distinguished. We conclude this analysis with a comparison of similar provisions under the Digital Operational Resilience Act (Regulation (EU) 2022/2554 - DORA) for intra-group IT services within groups of financial entities.

The NIS2 Directive imposes cybersecurity obligations on so-called “essential entities” and “important entities”. These are primarily entities that fall under one of the sectors of Annex I and Annex II of the NIS2 Directive, which the EU considers to be particularly relevant, and additionally exceed a certain threshold of persons employed and annual turnover.

The sectors mentioned in Annex I and Annex II include in particular:

  • Digital infrastructure, and
  • ICT service management.

Since essential and important entities have numerous obligations under the existing and forthcoming NIS2 implementation laws, including the duty to register with the national authority within 3 months, it is critical to determine the applicability of the laws for intra-group IT service providers.

1. No “group privilege” for providers of IT data centre services

These sectors cover in particular data centre providers or managed (security) service providers. If an entity provides such services to another entity, the providing entity is likely within the scope of the NIS2 Directive regardless of whether the services are provided to third parties or only to other entities within the group. The NIS2 Directive does not provide for a “group privilege”.

2. Exclusion of “in-house” data centres

By contrast, Recital 35 of the NIS2 Directive explicitly excludes only “in-house” data centres owned and operated by the entity for its own purposes (“The term ‘data centre service’ should not apply to in-house corporate data centres owned and operated by the entity concerned, for its own purposes.”). This exclusion in the Recitals is not picked up in the respective definition in Article 6(31) NIS2 Directive, but should be taken into account by the national implementing legislator or by the authorities enforcing the implementing law.

3. Coverage of ancillary and non-essential activities outside the main business activity

In addition, the NIS2 Directive generally does not contain a provision according to which the activity falling within one of the sectors must be the “main” activity of an entity; even “non-essential” activities can trigger the applicability of the NIS2 Directive. Exceptions to this are explicitly stated only for the drinking water, waste water and waste management sectors. Thus, if an entity provides IT services to its subsidiaries alongside its core business, this may also result in the applicability of the NIS2 Directive to the providing entity, since no such exception is stated for the IT-related sectors.

This applicability to entities where the IT services are only an ancillary part of the main business has been reflected for instance in the Belgian NIS2 implementing law.

In contrast, the German draft implementation law of July 2025 in its draft section 28 para. 3 explicitly excludes the applicability of NIS2 to entities where the activity under Annex I or Annex II is only a “negligible” part of the business activity. It remains to be seen whether this will be adopted into law, and whether it will be considered compliant with the NIS2 Directive.

Thus, many entities providing IT services within their corporate group likely fall under one of these sectors, even if this is outside of their main business activity.

4. Consequences for intra-group insourcing or outsourcing of IT functions

Thus, if all IT services are fully insourced and provided only as an internal function within the legal entity (for instance, as part of the parent company in the area of manufacturing or providing financial services), such an internal service does not qualify as a data centre service provider and would therefore fall outside the scope of the sector “digital infrastructure” in Annex I (Sectors of High Criticality). However, if the same service is outsourced to a separate group company providing such IT services to other companies in the group, this legal entity would qualify as a “data centre service provider” and fall within the scope of NIS2.

Therefore, the decision to insource or outsource IT services within the group should also be taken against the background of the NIS2 Directive applying to the separate IT services group company, but not to the IT service function insourced as an integral part of the manufacturing or financial services company.

If the insourced IT services function, however, provides IT services to other group companies, the NIS2 Directive would apply, even if this service is only a non-essential part of the parent company's business.

5. Quantitative thresholds

A key element in determining the NIS2 applicability is the respective quantitative threshold:

  • An essential entity is an entity that exceeds the ceilings for medium-sized enterprises provided for in Art. 2(1) of the Annex to Recommendation 2003/361/EC. This is any enterprise that employs more than 250 persons or which has an annual turnover exceeding EUR 50 million and an annual balance sheet exceeding EUR 43 million.
  • An important entity is an entity that qualifies as a medium-sized enterprise, i.e. the enterprise does not exceed the thresholds mentioned above, but still exceeds the ceilings provided for in Art. 2(2) of the Annex to Recommendation 2003/361/EC. This is any enterprise that employs more than 50 persons or which has an annual turnover and annual balance sheet each exceeding EUR 10 million.

If the IT services group company falls short of these thresholds, the NIS2 Directive could still apply, since the thresholds need to be calculated considering “partner” and “linked” enterprises, as discussed in the following.

6. Calculating the thresholds with partner or linked enterprises

For calculating these thresholds, the methods set out in the Annex to Recommendation 2003/361/EC apply. This means that not only the number of persons employed and the turnover of the entity falling under one of the sectors of the NIS2 Directive are relevant, but also the data of partner or linked enterprises must be taken into account for the calculation. This is not limited to partner or linked enterprises within the EU, but also includes partner or linked enterprises outside the EU.

Recital 16 still provides for the possibility for the EU Member States to take into account the degree of independence of an entity, where the addition of the data of partner or linked enterprises may be “disproportionate” (“In particular, Member States are able to take into account the fact that an entity is independent from its partner or linked enterprises in terms of the network and information systems that that entity uses in the provision of its services and in terms of the services that the entity provides.”). In the German July 2025 draft implementation law (draft section 28 para. 4), this independence is for instance specified as being “independent with regard to the nature and the operation of information technology systems, components and processes”. The German legislator points out, though, that this is probably not the case for a service provider that is a group subsidiary with agreements in place that determine the aforementioned aspects. Such an agreement would also determine the services provided by an intra-group IT service company, and therefore exclude any “independence” of such an entity. Such independence could be found, however, for a parent company offering such services to subsidiaries at the parent company’s free discretion.

7. No infection of other group companies

In addition, it should also be noted that under the NIS2 Directive there is generally no “infection” of other entities of the group. This means that the NIS2 Directive only applies to the entity falling under one of the sectors of the NIS2 Directive. As a consequence, the IT services entity may be subject to the NIS2 Directive, but the other group entities not involved in the provision of the IT service are not subject to the NIS2 Directive.

8. Practical results for different scenarios of intra-group IT services

Summarizing the current status of the NIS2 Directive and always subject to its implementing laws, the following scenarios can be distinguished for a group of companies with its core business outside the sectors of Annex I and Annex II of NIS2, but using intra-group IT services:

NO applicability of NIS2 Directive:

  • Each group company has its own in-house IT service function (see Recital 35 NIS2 Directive).
  • The parent company provides IT services to other group companies, but does not meet the necessary thresholds, and due to the parent company’s independence, the headcount and annual turnover of the subsidiaries are not taken into account as partner and linked enterprises (where such rules on independence are provided for in the national implementing law).

Doubtful non-applicability under certain implementation laws:

  • The parent company provides IT services to other group companies, but this service is “negligible” compared to the parent company’s core business (see German draft implementation law, in contrast to Belgian implementation law).

Applicability of NIS2 Directive:

  • The parent company provides IT services to other group companies, and such services are at least not “negligible” (see previous point), and the thresholds of headcount and annual turnover are met.
  • A separate group company provides IT services as an outsourced function to other group companies, and this company together with the serviced group companies as partner and linked enterprises meet the thresholds of headcount and annual turnover.

9. Consequences of not complying with obligations of the NIS2 Directive

Since non-compliance with the obligations of the NIS2 Directive can be subject to significant administrative fines of EUR 10 million or 2 % of the total worldwide annual turnover in the preceding financial year of the undertaking to which the entity belongs, whichever is higher, it should be thoroughly assessed whether an entity is within the scope of the NIS2 Directive. In addition, when planning and managing IT outsourcing projects, careful attention should be paid to whether this may lead to the applicability of the NIS2 Directive.

Nonetheless, even if the NIS2 Directive does not apply, it is essential to implement robust cybersecurity measures to safeguard valuable data and company know-how from external threats. Additionally, when the GDPR is applicable, Art. 32 GDPR requires the implementation of appropriate technical and organizational measures to protect personal data.

10. Comparison to DORA

The provision of IT services within the same group of companies is also addressed by DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), which generally applies to financial entities, regardless of their size. However, the applicability of DORA differs from that of the NIS2 Directive:

  • DORA’s applicability is entity-based: It generally applies to any organization that qualifies as a financial entity under Art. 2(a)-(t) DORA, irrespective of whether it provides IT services.
  • In contrast, the NIS2 Directive is “activity-based”, meaning its scope is triggered by the nature of the services provided, e.g., the provision of certain IT services.

As DORA consequently does not provide an exemption for “in-house” IT services, each group company that qualifies as a financial entity is subject to DORA’s requirements, regardless of whether it operates its own internal IT services.

11. Intra-group ICT services under DORA

With regard to intra-group IT services, Article 3(20) DORA defines the “ICT intra-group service provider” as “an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control”.

As such, an ICT intra-group provider is an “undertaking providing ICT services”, and is therefore also an ICT third-party service provider. This is expressly confirmed by Recital 63 DORA, which states that ICT intra-group providers should be considered as ICT third-party service providers, meaning that the same risk management and contractual obligations apply as they would for external ICT third-party service providers. Nevertheless, Recital 31 allows for the fact that the intra-group nature of the relationship may be considered as part of the overall risk assessment, since there may be a higher level of control. Therefore, there is only a limited benefit for financial entities when relying on ICT intra-group service providers in terms of compliance requirements.

Such ICT intra-group service providers are privileged only insofar as they are exempt under Article 31(8) DORA from the classification as “critical ICT third-party service providers” pursuant to Article 31(1), for which DORA stipulates EU-wide supervision powers.

12. Interplay between DORA and NIS2 Directive

In cases where an ICT intra-group service provider is not itself a financial entity, the ICT risk management requirements under Chapter II of DORA do not apply to that entity. However, depending on the nature of its services and whether the thresholds are reached, the NIS2 Directive may apply instead.

Where DORA applies to financial entities identified as essential or important entities under NIS2 and its implementing laws, DORA is a “sector-specific Union legal act” under Article 4 NIS2 Directive (see Recital 28 NIS2 Directive, Article 1(2) DORA). For this reason, the “relevant provisions” of NIS2 will not apply where the obligations under DORA are “at least equivalent”. Further clarification on the interpretation of this was provided by the European Commission pursuant to Article 4(3) NIS2 Directive through Communication 2023/C 328/02.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Hogan Lovells
