---
title: "Are managed service providers in scope of NIS2?"
canonical_url: "https://www.sorena.io/artifacts/eu/nis2-directive/faq/managed-service-provider-scope"
source_url: "https://www.sorena.io/artifacts/eu/nis2-directive/faq/managed-service-provider-scope"
author: "Sorena AI"
description: "NIS2 scope answer for managed service providers and managed security service providers, including service definition, size-cap checks, entity status, and jurisdiction evidence."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "NIS2 managed service provider scope"
  - "NIS2 MSP"
  - "NIS2 MSSP"
  - "ICT service management"
  - "NIS2 Annex I"
  - "NIS2 Article 26"
  - "NIS2"
  - "managed service provider"
  - "managed security service provider"
  - "essential entities"
  - "important entities"
  - "Article 26"
---
# Are managed service providers in scope of NIS2?

NIS2 scope answer for managed service providers and managed security service providers, including service definition, size-cap checks, entity status, and jurisdiction evidence.

## Are managed service providers in scope of NIS2?

Yes, when the entity provides covered managed service or managed security service activities in the Union and meets the NIS2 size or special-case scope rules.

Use the service definition, Annex I sector entry, Article 2 scope rule, Article 3 entity category, and Article 26 jurisdiction rule before treating an MSP or MSSP as in scope, out of scope, essential, or important.

NIS2 expressly covers managed service providers and managed security service providers as Annex I ICT service management entities. The practical question is not whether the labels appear in NIS2; it is whether the legal entity, services, size position, Member State nexus, and national implementation route make the provider an essential or important entity.

## Short answer

A managed service provider can be in NIS2 scope because Annex I lists ICT service management (business-to-business), including managed service providers and managed security service providers. Article 6 defines an MSP as an entity providing installation, management, operation, or maintenance of ICT products, networks, infrastructure, applications, or other network and information systems through assistance or active administration, on customer premises or remotely.

That sector entry is only the first step. Article 2 applies NIS2 to Annex I or II entities that qualify as medium-sized enterprises under Recommendation 2003/361/EC or exceed those ceilings, and it also captures certain entities regardless of size through specific special-case rules. Article 3 then separates covered Annex I entities into essential or important entities, with larger Annex I entities generally treated as essential and other covered entities treated as important unless another Article 3 rule changes the result.

- Start with the legal entity, not the brand name or product line.
- Confirm the activity is managed service or managed security service activity, not only advisory, resale, staffing, or one-off project work.
- Check whether the service is provided or carried out within the Union.
- Apply the size-cap and any Article 2 special-case rule before deciding the entity is outside NIS2.
- Classify the result as essential, important, outside current scope, or escalated for Member State legal review.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Article 6 defines managed service provider and managed security service provider, Article 2 supplies the size and special-case scope rule, and Annex I lists MSPs and MSSPs under ICT service management.
- [Commission Recommendation 2003/361/EC on SME definitions](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32003H0361&ref=sorena.io) - NIS2 Article 2 points to this Recommendation for the medium-sized enterprise size test used in the general scope rule.
- [European Commission NIS2 FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission FAQ context confirms NIS2 replaced the old OES/DSP split with essential and important entity categories and lists ICT service management among high-criticality sectors.

## Evidence to keep for an MSP or MSSP scope decision

The classification file should show why the service meets, or does not meet, the NIS2 MSP or MSSP definition. A sales category is not enough; the record should explain the actual installation, management, operation, maintenance, active administration, or cybersecurity risk-management activity provided to customers.

The file should also show the entity-level analysis. NIS2 applies to entities, so the evidence needs the contracting entity, group or linked-enterprise analysis where relevant, Member State establishment or representative information, and the national route used for registration or authority contact.

- Covered service evidence: service catalogue entry, statement of work, managed platform description, runbook, customer responsibility matrix, or remote administration model.
- MSSP evidence where relevant: incident response, monitoring, security administration, penetration testing, security audit, consultancy, or other cybersecurity risk-management services.
- Scope evidence: Union service footprint, customer country list, establishment details, size-cap analysis, and any special-case rule considered under Article 2.
- Classification evidence: whether the entity is essential, important, out of current scope, or escalated for country-specific interpretation.
- Jurisdiction evidence: main establishment in the Union, representative if not established in the Union, and the Member State registration or authority route used.
- Governance evidence: accountable business owner, legal reviewer, security reviewer, approval date, and trigger for reassessment after service, corporate, country, or national-law changes.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Article 3 requires Member States to keep lists of essential and important entities and requires entity details such as contact information, sector, subsector, and Member States where services are provided.
- [Commission Guidelines on Article 3(4) of NIS2](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AC%3A2023%3A324%3AFULL&ref=sorena.io) - Commission guidelines support consistent submission of information for Member State lists of essential and important entities.
- [NIS2 Technical Implementation Guidance](https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance?ref=sorena.io) - ENISA guidance supports implementation of the NIS2 implementing regulation for digital infrastructure, ICT service management, and digital providers, including evidence examples and mappings.

## Common scope traps for managed services

A provider can be an MSP or MSSP even when the customer owns the environment, because the NIS2 definition includes assistance or active administration carried out on customer premises or remotely. Conversely, a supplier is not necessarily an MSP merely because it sells software, cloud capacity, hardware, professional services, or staff augmentation.

Cross-border MSPs also need a jurisdiction check. Article 26 treats managed service providers and managed security service providers as falling under the Member State of their main establishment in the Union; if they are not established in the Union but offer services within it, they must designate a representative in the Union.

- Do not classify only from a marketing label such as MSP, MSSP, SOC, cloud partner, or IT outsourcer.
- Separate project implementation from ongoing installation, management, operation, maintenance, active administration, or cybersecurity risk-management service.
- Check each legal entity in a group; one affiliate's status does not automatically settle another affiliate's NIS2 classification.
- Keep cloud, data centre, content delivery, trust service, and electronic communications classifications separate when the same group offers multiple NIS2-relevant services.
- Escalate country-specific questions because Member States transpose and operate NIS2 through national competent authorities and registration mechanisms.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Recitals 113-117 and Article 26 explain jurisdiction, main establishment, Union representative, and ENISA registry considerations for cross-border MSPs and MSSPs.
- [European Commission NIS2 FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - The Commission FAQ highlights ICT service management as a high-criticality sector and explains the differentiated supervisory regime for essential and important entities.
- [Commission Implementing Regulation (EU) 2024/2690](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AL_202402690&ref=sorena.io) - The implementing regulation sets technical and methodological cybersecurity-risk-management requirements for covered digital and ICT service management entities, including MSPs and MSSPs.

## Primary sources

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io) - Primary legal source for MSP and MSSP definitions, Annex I ICT service management scope, essential and important entity classification, registration information, and jurisdiction rules.
  - Quote: "Managed service providers"
- [Commission Recommendation 2003/361/EC on SME definitions](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32003H0361&ref=sorena.io) - Referenced by NIS2 Article 2 for the medium-sized enterprise test used in the general scope rule.
  - Quote: "medium-sized enterprises"
- [European Commission NIS2 FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs?ref=sorena.io) - Commission public FAQ for NIS2 scope, high-criticality sectors, essential and important entities, supervision, and cross-border jurisdiction context.
  - Quote: "ICT service management"
- [Commission Guidelines on Article 3(4) of NIS2](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AC%3A2023%3A324%3AFULL&ref=sorena.io) - Guidance source for information submitted to help Member States establish lists of essential and important entities.
  - Quote: "Article 3(4)"
- [Commission Implementing Regulation (EU) 2024/2690](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AL_202402690&ref=sorena.io) - EU implementing regulation for technical and methodological requirements and significant-incident specifications for MSPs, MSSPs, and other listed digital sectors.
  - Quote: "managed security service providers"
- [NIS2 Technical Implementation Guidance](https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance?ref=sorena.io) - ENISA implementation guidance for NIS2 digital infrastructure, ICT service management, and digital provider sectors under Implementing Regulation (EU) 2024/2690.
  - Quote: "Technical Implementation Guidance"

