The EU NIS2 Directive and intragroup IT services
Panoramic Automotive and Mobility 2025
The EU NIS2 Directive defines cybersecurity obligations also for entities providing IT services only within their own corporate group of companies. To assess the applicability of these obligations, the necessary thresholds need to be calculated in a complex process. This process takes into account partner and linked enterprises, but is subject to potential limitations under national NIS2 implementation laws. The applicability may influence decisions on group-wide insourcing or outsourcing of IT services. We present several scenarios and the respective applicability of the NIS2 Directive.

While the NIS2 Directive remains to be implemented in several EU Member States, including Germany, companies should use the time to assess whether they fall within the scope of the Directive and prepare for its implementation. When making this assessment, particular attention should be paid to entities providing IT services within the corporate group. Where a corporate group considers outsourcing or insourcing the IT services within the same group, it is also worthwhile considering the impact of NIS2. The NIS2 Directive applies in principle only to companies that exceed certain thresholds for employed persons and annual turnover. However, these thresholds are calculated in accordance with the Annex to Recommendation 2003/361/EC, which requires that data from the entire group, including partner and linked enterprises, be taken into account. Since intragroup IT service entities are often of limited headcount and annual turnover, they are easily overlooked as neither essential nor important entities. However, a careful threshold calculation should be made to determine whether such an entity qualifies as an important or even essential entity under the NIS2 Directive. Taking into account the data of partner or linked enterprises may then result in the thresholds being exceeded and thus the respective entity being within the scope of the NIS2 Directive. Different scenarios can be distinguished. We conclude this analysis with a comparison of similar provisions under the Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA) for intragroup IT services within groups of financial entities.

The NIS2 Directive imposes cybersecurity obligations on so-called essential entities and important entities. These are primarily entities that fall under one of the sectors of Annex I and Annex II of the NIS2 Directive, which the EU considers to be particularly relevant, and that additionally exceed a certain threshold of persons employed and annual turnover.

The sectors mentioned in Annex I and Annex II include in particular:

Since essential and important entities have numerous obligations under the existing and forthcoming NIS2 implementation laws, including the duty to register with the national authority within 3 months, it is critical to determine the applicability of the laws for intragroup IT service providers.

These sectors cover in particular data centre providers or managed security service providers. If an entity provides such services to another entity, the providing entity is likely within the scope of the NIS2 Directive, regardless of whether the services are provided to third parties or only to other entities within the group. The NIS2 Directive does not provide for a group privilege.

By contrast, Recital 35 of the NIS2 Directive explicitly excludes only in-house data centres owned and operated by the entity for its own purposes: "The term 'data centre service' should not apply to in-house corporate data centres owned and operated by the entity concerned for its own purposes." This exclusion in the Recitals is not picked up in the respective definition in Article 6(31) NIS2 Directive, but should be taken into account by the national implementing legislator or the authorities enforcing the implementing law.

In addition, the NIS2 Directive generally does not contain a provision according to which the activity falling within one of the sectors must be the main activity of an entity; even non-essential activities can lead to the applicability of the NIS2 Directive. Exceptions to this are explicitly stated only for the sectors drinking water, waste water or waste management. Thus, if an entity provides IT services to its subsidiaries alongside its core business, this may also result in the applicability of the NIS2 Directive to the providing entity, since there is no exception stated for these sectors.

This applicability to entities where the IT services are only an ancillary part of the main business has been reflected, for instance, in the Belgian NIS2 implementing law.

In contrast, the German draft implementation law of July 2025, in its draft section 28 para. 3, explicitly excludes the applicability of NIS2 to entities where the activity under Annex I or Annex II is only a negligible part of the business activity. It remains to be seen whether this will be adopted into law and whether it will be considered compliant with the NIS2 Directive.

Thus, many entities providing IT services within their corporate group likely fall under one of these sectors, even if this is outside of their main business activity.

Thus, if all IT services are fully insourced and provided only as an internal function within the legal entity, for instance as part of the parent company in the area of manufacturing or providing financial services, such internal service does not qualify as a data centre service provider and would therefore fall outside the scope of the sector "digital infrastructure" in Annex I (Sectors of high criticality). However, if the same service is outsourced to a separate group company providing such IT services to other companies in the group, this legal entity would be qualified as a data centre service provider and fall within the scope of NIS2.

Therefore, the decision to insource or outsource IT services within the group should also be taken against the background of the NIS2 Directive applying to the separate IT services group company, but not to the IT service function insourced as an integral part of the manufacturing or financial services company.

If the insourced IT services function, however, provides IT services to other group companies, the NIS2 Directive would be applicable even if this service is only a non-essential part of the parent company's business.

A key element in determining the NIS2 applicability is the respective quantitative threshold.

If the IT services group company falls short of these thresholds, the NIS2 Directive could still apply, since the thresholds need to be calculated considering partner and linked enterprises, as discussed in the following.

For calculating these thresholds, the methods set out in the Annex to Recommendation 2003/361/EC apply. This means that not only the number of persons employed and the turnover of the entity falling under one of the sectors of the NIS2 Directive are relevant, but also the data of partner or linked enterprises must be taken into account for the calculation. This is not even limited to partner or linked enterprises within the EU, but includes partner or linked enterprises outside the EU.

Recital 16 still provides for the possibility for the EU Member States to take into account the degree of independence of an entity where the addition of the data of partner or linked enterprises may be disproportionate. In particular, Member States are able to take into account the fact that an entity is independent from its partner or linked enterprises in terms of the network and information systems that that entity uses in the provision of its services and in terms of the services that the entity provides. In the German July 2025 draft implementation law (draft section 28 para. 4), this independence is, for instance, specified as being independent with regard to the nature and the operation of information technology systems, components and processes. The German legislator points out, though, that this is probably not the case for any service provider that is a group subsidiary with agreements in place that determine the aforementioned aspects. Such an agreement would also determine the services provided by an intragroup IT service company and therefore exclude any independence of such an entity. Such independence could be found, however, for a parent company offering such services to subsidiaries at the parent company's free discretion in providing the services.

In addition, it should also be noted that under the NIS2 Directive there is generally no "infection" of other entities of the group. This means that the NIS2 Directive only applies to the entity falling under one of the sectors of the NIS2 Directive. As a consequence, the IT services entity may be subject to the NIS2 Directive, but the other group entities not involved in the provision of the IT service are not subject to the NIS2 Directive.

Summarizing the current status of the NIS2 Directive, and always subject to its implementing laws, the following scenarios can be distinguished for a group of companies with its core business outside the sectors of Annex I and Annex II of NIS2 but using intragroup IT services:

NO applicability of NIS2 Directive

Doubtful non-applicability under certain implementation laws

Applicability of NIS2 Directive

Since non-compliance with the obligations of the NIS2 Directive can be subject to significant administrative fines of EUR 10 million or 2 % of the total worldwide annual turnover in the preceding financial year of the undertaking to which the entity belongs, whichever is higher, it should be thoroughly assessed whether an entity is within the scope of the NIS2 Directive. In addition, when planning and managing IT outsourcing projects, careful attention should be paid to whether this may lead to the applicability of the NIS2 Directive.

Nonetheless, even if the NIS2 Directive does not apply, it is essential to implement robust cybersecurity measures to safeguard valuable data and company know-how from external threats. Additionally, when the GDPR is applicable, Art. 32 GDPR requires the implementation of appropriate technical and organizational measures to protect personal data.

The provision of IT services within the same group of companies is also addressed by DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), which generally applies to financial entities regardless of their size. However, the applicability of DORA is different from that of the NIS2 Directive.

As DORA consequently does not provide an exemption for in-house IT services, each group company that qualifies as a financial entity is subject to DORA's requirements, regardless of whether it operates its own internal IT services.

With regard to intragroup IT services, Article 3(20) DORA defines the "ICT intra-group service provider" as an undertaking that is part of a financial group and that provides predominantly ICT services to financial entities within the same group or to financial entities belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control.

As such, an ICT intragroup provider is an undertaking providing ICT services and is therefore also an ICT third-party service provider. This is expressly confirmed by Recital 63 DORA, which states that ICT intragroup providers should be considered as ICT third-party service providers, meaning that the same risk management and contractual obligations apply as they would for external ICT third-party service providers. Nevertheless, Recital 31 allows for the fact that the intragroup nature of the relationship may be considered as part of the overall risk assessment, since there may be a higher level of control. Therefore, there is only a limited benefit for financial entities when relying on ICT intragroup service providers in terms of compliance requirements.

Such ICT intragroup service providers are only privileged insofar as they are exempt under Article 31(8) DORA from the classification as critical ICT third-party service providers pursuant to Article 31(1), for which DORA stipulates EU-wide supervision powers.

In cases where an ICT intragroup service provider is not itself a financial entity, the ICT risk management requirements under Chapter II of DORA do not apply to that entity. However, depending on the nature of its services and whether the thresholds are reached, the NIS2 Directive may apply instead.

Where DORA applies for financial entities identified as essential or important entities under NIS2 and its implementing laws, DORA is a sector-specific Union legal act under Article 4 NIS2 Directive (see Recital 28 NIS2 Directive, Article 1(2) DORA). For this reason, the relevant provisions of NIS2 will not apply where the obligations under DORA are at least equivalent. Further clarification on the interpretation of this was provided by the European Commission pursuant to Article 4(3) NIS2 Directive through Communication 2023/C 328/02.

Authored by Dr. Stefan Schuppert and Valentin Reiter
Dr. Stefan Schuppert, LL.M. (Harvard), Munich
Valentin Reiter, Munich
© 2025 Hogan Lovells. All rights reserved.