Search every question across sub-FAQs

A managed service provider can be in NIS2 scope because Annex I lists ICT service management (business-to-business), including managed service providers and managed security service providers. Article 6 defines an MSP as an entity providing installation, management, operation, or maintenance of ICT products, networks, infrastructure, applications, or other network and information systems through assistance or active administration, on customer premises or remotely.

That sector entry is only the first step. Article 2 applies NIS2 to Annex I or II entities that qualify as medium-sized enterprises under Recommendation 2003/361/EC or exceed those ceilings, and it also captures certain entities regardless of size through specific special-case rules. Article 3 then separates covered Annex I entities into essential or important entities, with larger Annex I entities generally treated as essential and other covered entities treated as important unless another Article 3 rule changes the result.

The classification file should show why the service meets, or does not meet, the NIS2 MSP or MSSP definition. A sales category is not enough; the record should explain the actual installation, management, operation, maintenance, active administration, or cybersecurity risk-management activity provided to customers.

The file should also show the entity-level analysis. NIS2 applies to entities, so the evidence needs the contracting entity, group or linked-enterprise analysis where relevant, Member State establishment or representative information, and the national route used for registration or authority contact.

A provider can be an MSP or MSSP even when the customer owns the environment, because the NIS2 definition includes assistance or active administration carried out on customer premises or remotely. Conversely, a supplier is not necessarily an MSP merely because it sells software, cloud capacity, hardware, professional services, or staff augmentation.

Cross-border MSPs also need a jurisdiction check. Article 26 treats managed service providers and managed security service providers as falling under the Member State of their main establishment in the Union; if they are not established in the Union but offer services within it, they must designate a representative in the Union.

Essential entities are the higher NIS2 tier. They include large entities in Annex I high-criticality sectors, qualified trust service providers, TLD registries, DNS service providers, medium-sized public electronic communications providers, central-government public administration entities, critical entities under the CER Directive, and other entities that Member States identify as essential under the Article 3 rules.

Important entities are covered Annex I or Annex II entities that do not qualify as essential entities under Article 3(1), including entities that Member States identify under the specified Article 2(2) special-risk grounds. They are still in scope and still need cybersecurity risk-management, management-body oversight, and significant-incident reporting.

Both essential and important entities need management-body involvement. NIS2 requires management bodies to approve cybersecurity risk-management measures, oversee implementation, and follow training, with Member States deciding the national liability framework.

Both tiers also need appropriate and proportionate technical, operational, and organisational measures under Article 21. The listed measures cover risk analysis and security policies, incident handling, business continuity, supply-chain security, secure acquisition and maintenance, control effectiveness, cyber hygiene, cryptography, access control and asset management, and authentication or secure communications where appropriate.

For significant incidents, both tiers follow Article 23 notification duties, including the 24-hour early warning, 72-hour incident notification, status updates on request, and final reporting route.

Essential entities can face stronger ongoing supervision. Article 32 lists on-site inspections, off-site supervision, random checks, regular and targeted audits, ad hoc audits, security scans, information requests, document access, and evidence requests. Essential-entity enforcement can also include a monitoring officer and, where specified measures are ineffective, temporary suspension or temporary management-function prohibition routes under national law.

Important entities are mainly supervised ex post. Article 33 says competent authorities act when they have evidence, indication, or information that an important entity allegedly does not comply, especially with Articles 21 and 23. Ex post tools still include inspections, targeted audits, scans, information requests, document access, evidence requests, warnings, binding instructions, orders, and fines.

Administrative fine maxima also differ for Article 21 or 23 infringements: NIS2 sets at least EUR 10 million or 2 percent of worldwide annual turnover for essential entities, and at least EUR 7 million or 1.4 percent for important entities, whichever is higher in each tier.

Under NIS2 Article 23, essential and important entities notify their CSIRT or competent authority of significant incidents. The first required step is an early warning submitted without undue delay and, in any event, within 24 hours of becoming aware of the significant incident.

The early warning is not the full incident report. It should flag that a significant incident exists and, where applicable, say whether the incident is suspected to involve unlawful or malicious acts or could have a cross-border impact.

The evidence file should prove both the trigger and the timing. Keep the detection record, initial assessment, awareness timestamp, affected services, notification route, warning payload, submission receipt, and escalation approvals together.

Do not wait for the final root cause before sending the early warning. Article 23 expects a staged process: early warning, 72-hour incident notification, intermediate reports if requested, and a final report after the incident notification or after handling a continuing incident.

The hardest cases are usually about awareness, significance, and routing. Decide when the entity had enough certainty to treat the event as a significant incident, which Member State route applies, and whether the incident may affect recipients in more than one Member State.

For the provider categories covered by Regulation 2024/2690, the regulation says notification deadlines run from awareness and links awareness to an initial assessment with a reasonable degree of certainty. Other entities should check national implementation rules and authority guidance for local routing and procedural detail.

Submit the incident notification without undue delay and in any event within 72 hours of becoming aware of a significant incident. It should update the 24-hour early warning and include the entity's initial assessment of the significant incident, including severity, impact, and indicators of compromise where those are available.

Do not wait for perfect root-cause certainty if the Article 23 significance threshold is met. Record what is known, what is estimated, what is unavailable, and which facts will be updated through intermediate reports or the final report.

The record should be operational enough for incident responders and defensible enough for later legal, management, audit, or authority review. It should show why the incident met the significance threshold, when the organization became aware, what was submitted, and what remains open.

Separate the authority notification from customer, recipient, public, and law-enforcement communications. Article 23 includes recipient communication and authority guidance paths, but those decisions may have different owners, approval steps, and confidentiality constraints.

After the 72-hour notification, be ready to provide intermediate reports if the CSIRT or competent authority requests status updates. The final report is due not later than one month after the incident notification and should include the detailed incident description, severity and impact, likely threat type or root cause, mitigation measures, and cross-border impact where applicable.

If the incident is still ongoing when the final report would otherwise be due, Article 23 calls for a progress report at that time and a final report within one month after handling the incident.

NIS2 is an EU directive, so Member States had to adopt and publish national measures to comply with it by 17 October 2024 and apply those measures from 18 October 2024. For an organization, that means the EU text is the starting point, not the final operational answer.

Treat transposition as a jurisdiction check: identify every Member State where the entity provides relevant services, has a relevant establishment, reports incidents, registers, or is supervised, then verify the national implementing source before relying on a control, deadline, authority, or form.

The same EU obligation can require different practical steps once national law, competent authorities, portals, and supervisory structures are applied. A central NIS2 policy should therefore keep one EU baseline and a country appendix for each relevant Member State.

Avoid treating a country as complete based only on a generic EU overview. The Commission page says its content is without prejudice to the formal assessment of whether national transposition measures comply with NIS2, so teams should keep primary national sources in the evidence file where available.

A defensible transposition record should separate EU baseline facts from country-specific implementation facts. This prevents a team from accidentally using an EU article number as a substitute for national authority instructions or a national form.

If a Member State status, authority route, penalty, reporting threshold, or registration deadline is not supported by the cited source, leave it unresolved and assign a legal or country owner to verify it. Do not fill gaps with assumptions from another Member State.

Article 2(1) of NIS2 applies the directive to public or private entities of a type listed in Annex I or Annex II when they qualify as medium-sized enterprises under Recommendation 2003/361/EC, or exceed the medium-sized-enterprise ceilings, and provide services or carry out activities in the Union.

In practice, do not start with headcount alone. First confirm the entity type is in an Annex I or Annex II sector, then test the Recommendation 2003/361 employee and financial ceilings, then check whether NIS2 applies regardless of size under Article 2(2), Article 2(3), or Article 2(4).

Recommendation 2003/361/EC defines the SME category as enterprises with fewer than 250 persons and annual turnover not exceeding EUR 50 million, and/or annual balance sheet total not exceeding EUR 43 million. It also defines small enterprises as fewer than 50 persons with turnover and/or balance sheet total not exceeding EUR 10 million, and microenterprises as fewer than 10 persons with turnover and/or balance sheet total not exceeding EUR 2 million.

For a NIS2 scope record, keep the latest approved headcount, annual turnover, annual balance sheet total, group or linked-enterprise analysis, sector mapping, and the legal entity that provides the covered service. NIS2 also states that Article 3(4) of the Annex to Recommendation 2003/361/EC does not apply for NIS2 purposes, so do not import that status-change rule into the NIS2 decision without local legal review.

The size cap is not the end of the NIS2 scope analysis. Article 2(2) applies NIS2 regardless of size to certain Annex I or Annex II entities, including providers of public electronic communications networks or publicly available electronic communications services, trust service providers, top-level domain name registries, DNS service providers, sole providers of essential services in a Member State, entities whose disruption could significantly affect public safety, public security, or public health, entities whose disruption could induce significant systemic risk, nationally or regionally critical entities, and certain public administration entities.

Article 2(3) also applies NIS2 regardless of size to entities identified as critical entities under Directive (EU) 2022/2557, and Article 2(4) applies it regardless of size to entities providing domain name registration services. Member States may also apply NIS2 to local public administration entities and some education institutions, so the final answer may depend on national transposition.

A defensible size-cap decision should let legal, security, finance, compliance, and operations reviewers repeat the conclusion without guessing. Keep the source rule, entity facts, sector mapping, thresholds, exception checks, and national-law routing together.

Reopen the decision when headcount, turnover, balance sheet total, group structure, covered service, sector classification, Member State footprint, or critical-entity status changes.