Full Report
Dr. Stefan Schuppert and Valentin Reiter of Hogan Lovells write: While the NIS2 Directive remains to be implemented in several EU Member States, including Germany, companies should use the time to assess whether they fall within the scope of the Directive and prepare for its implementation. When making this assessment, particular attention should be paid...
Analysis Summary
# Regulation/Compliance: EU NIS2 Directive (Focus on Intra-Group IT Services)
## Overview
This summary focuses on the implications of the EU NIS2 Directive, specifically concerning entities that provide IT services within a larger corporate group (intra-group IT services), and the necessity for companies to assess if these specific entities fall under the Directive's scope.
## Key Details
- Issuing Authority: European Union (EU)
- Effective Date: Not stated in the article. Directive (EU) 2022/2555 entered into force on 16 January 2023, with a transposition deadline of 17 October 2024; several Member States, including Germany, had not completed transposition when the article was written, which is why companies are advised to prepare now.
- Jurisdiction: European Union Member States.
- Status: In Progress (Directive finalized, currently undergoing national implementation).
## Requirements
### Mandatory Requirements
1. **Scope Assessment:** Companies must determine if they qualify as an "essential" or "important" entity under NIS2.
2. **Group Threshold Calculation:** When assessing scope, organizations **must** calculate employee headcount, annual turnover and balance sheet total at group level, as Recommendation 2003/361/EC prescribes: the data of *linked* enterprises (more than 50% of capital or voting rights, in either direction, followed transitively) is added in full, and the data of *partner* enterprises (25% up to 50%) is added pro rata to the share held.
3. **Intra-Group IT Service Provider Scrutiny:** Carefully assess specialized intra-group IT service units, as they might be overlooked due to low individual headcount/turnover but could qualify as essential/important entities once the entire group's data is aggregated.
### Recommended Practices
1. **Proactive Preparation:** Use the time before full national implementation to assess NIS2 applicability.
2. **Review Intra-Group Outsourcing/Insourcing:** Consider the impact of NIS2 when moving IT services internally or externally within the same corporate group.
3. **Comparison with DORA:** Compare NIS2 requirements for intra-group IT services against similar provisions under the Digital Operational Resilience Act (DORA) if the group involves financial entities.
## Affected Organizations
- Industries: Entities of the types listed in Annex I (sectors of high criticality) and Annex II (other critical sectors) of the Directive; an intra-group IT unit acting as a managed service provider falls under the Annex II category "ICT service management (business-to-business)".
- Organization Size: Entities that qualify as medium-sized or larger under Recommendation 2003/361/EC, i.e. at least 50 employees, or annual turnover and balance sheet total both above EUR 10 million, once linked enterprises are counted in full and partner enterprises pro rata. Certain entity types (for example DNS service providers and TLD name registries) are in scope regardless of size.
- Geographic Scope: European Union Member States (upon national transposition).
## Compliance Timeline
- **Current:** Companies should use the time now to assess their scope and prepare for implementation across various Member States.
- **Future:** Obligations bind entities through national transposition laws. The Directive's transposition deadline was 17 October 2024; Member States that are late (Germany among them at the time of the article) set their own implementation dates, so the applicable deadline must be checked per jurisdiction.
## Implementation Guidance
### Assessment Phase
- Perform a comprehensive calculation of employee headcount, annual turnover and balance sheet total, adding the data of all linked enterprises in full and of all partner enterprises pro rata as Recommendation 2003/361/EC requires, and use the result to classify the entity (essential vs. important, or out of scope).
- Specifically check if small intra-group IT units cross the necessary thresholds upon group aggregation.
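The group-aggregation step described under Mandatory Requirements and in this Assessment Phase, as an added worked example in Python that is not part of the Hogan Lovells article or of any official NIS2 tooling. It encodes the linked/partner rules of Articles 2 and 3 of the Annex to Recommendation 2003/361/EC and the size test of Article 2(1) and Article 3 of Directive (EU) 2022/2555 in simplified form (the size-independent exceptions, linked enterprises of partners and the investor exemptions are left out). The group structure, entity names and figures are constructed for illustration, and the Annex assignment (`annex` parameter) is an input you must determine from the entity's actual activity.

```python
"""Group aggregation for the NIS2 scope test (added illustration, simplified).

Rules modelled:
  - Recommendation 2003/361/EC, Annex Art. 3: >50% holdings (either direction,
    transitively) make enterprises "linked", counted at 100%; 25%..50% makes
    a "partner", counted pro rata. Finer rules of the Recommendation are omitted.
  - Annex Art. 2 ceilings: small = <50 staff and (turnover <= 10M or balance
    sheet <= 10M); medium = <250 staff and (turnover <= 50M or balance <= 43M).
  - NIS2 Art. 2(1)/Art. 3: medium-or-larger entities of an Annex I/II type are
    in scope; large Annex I entities are essential, the rest important. The
    size-independent exceptions are ignored here.
Names and figures are constructed, not taken from any real group.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Enterprise:
    name: str
    staff: float           # annual work units (AWU), Annex Art. 5
    turnover: float        # EUR
    balance_sheet: float   # EUR


@dataclass(frozen=True)
class Holding:
    holder: str
    held: str
    share: float           # capital or voting rights, whichever is greater


SMALL_CEILING = {"staff": 50, "turnover": 10e6, "balance": 10e6}
MEDIUM_CEILING = {"staff": 250, "turnover": 50e6, "balance": 43e6}

# Constructed group: a 30-person IT subsidiary serving a large group.
ENTERPRISES = [
    Enterprise("GroupIT", staff=30, turnover=4e6, balance_sheet=3e6),      # intra-group IT unit
    Enterprise("Holding", staff=1200, turnover=300e6, balance_sheet=250e6),
    Enterprise("OpCo", staff=800, turnover=150e6, balance_sheet=120e6),
    Enterprise("JV", staff=100, turnover=20e6, balance_sheet=15e6),        # 40% partner
]
HOLDINGS = [
    Holding("Holding", "GroupIT", 1.0),
    Holding("Holding", "OpCo", 1.0),
    Holding("Holding", "JV", 0.4),
]


def related_enterprises(target, holdings):
    """Return (set of linked names, {partner name: share}) for `target`."""
    linked, frontier = {target}, [target]
    while frontier:                      # >50% in either direction, followed transitively
        cur = frontier.pop()
        for h in holdings:
            if h.share <= 0.5:
                continue
            other = h.held if h.holder == cur else h.holder if h.held == cur else None
            if other is not None and other not in linked:
                linked.add(other)
                frontier.append(other)
    partners = {}
    for h in holdings:                   # 25%..50% between the linked group and outsiders
        if 0.25 <= h.share <= 0.5:
            if h.holder in linked and h.held not in linked:
                partners[h.held] = max(partners.get(h.held, 0.0), h.share)
            elif h.held in linked and h.holder not in linked:
                partners[h.holder] = max(partners.get(h.holder, 0.0), h.share)
    linked.discard(target)
    return linked, partners


def aggregate(target, enterprises, holdings):
    """Headcount, turnover and balance-sheet total after group aggregation."""
    by_name = {e.name: e for e in enterprises}
    linked, partners = related_enterprises(target, holdings)
    weights = {target: 1.0, **{n: 1.0 for n in linked}, **partners}
    totals = {"staff": 0.0, "turnover": 0.0, "balance": 0.0}
    for name, w in weights.items():
        e = by_name[name]
        totals["staff"] += w * e.staff
        totals["turnover"] += w * e.turnover
        totals["balance"] += w * e.balance_sheet
    return totals


def size_class(t):
    """'small' (micro/small), 'medium' or 'large' per Annex Art. 2."""
    def exceeds(c):  # ceiling is exceeded if staff limit is hit, or both financial limits are
        return t["staff"] >= c["staff"] or (t["turnover"] > c["turnover"] and t["balance"] > c["balance"])
    if exceeds(MEDIUM_CEILING):
        return "large"
    if exceeds(SMALL_CEILING):
        return "medium"
    return "small"


def nis2_classification(target, enterprises, holdings, annex):
    """annex is 'I' or 'II': the Annex listing the entity's type (an intra-group
    MSP is an Annex II 'ICT service management (B2B)' type). Simplified Art. 3."""
    size = size_class(aggregate(target, enterprises, holdings))
    if size == "small":
        return "out of scope (size)"
    if size == "large" and annex == "I":
        return "essential"
    return "important"


def demo():
    """The article's point: the same IT unit, standalone versus aggregated."""
    return {
        "standalone": nis2_classification("GroupIT", ENTERPRISES, [], "II"),
        "aggregated": nis2_classification("GroupIT", ENTERPRISES, HOLDINGS, "II"),
    }


if __name__ == "__main__":
    print(demo())  # {'standalone': 'out of scope (size)', 'aggregated': 'important'}
```

Run standalone, the 30-person IT unit is "small" and outside NIS2; with its parent and sibling counted in full and the 40% joint venture pro rata it becomes "large", and as an Annex II-type entity it is classified as important. The same structure would yield "essential" only if the unit's own activity were an Annex I type, which is the question the legal assessment has to answer before the numbers matter.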
### Implementation Phase
- Based on the classification (essential/important), apply the risk-management measures of Article 21 and the incident-reporting obligations of Article 23 of the Directive, as transposed in the relevant national law.
- Restructure or document intra-group IT service agreements to reflect new compliance burdens.
### Validation Phase
- Validation must confirm that the aggregation follows Recommendation 2003/361/EC: every linked enterprise counted in full, every partner enterprise counted pro rata, and the headcount, turnover and balance sheet figures taken from the latest approved accounting period.
## Technical Requirements
*Not detailed in the provided article.* Under Article 21 of the Directive, essential and important entities must take appropriate and proportionate technical, operational and organisational measures covering at least: risk analysis and information system security policies; incident handling; business continuity (backups, disaster recovery) and crisis management; supply chain security, including the security of relationships with direct suppliers and service providers; security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure; policies to assess the effectiveness of these measures; basic cyber hygiene and training; policies on cryptography and, where appropriate, encryption; human resources security, access control and asset management; and multi-factor or continuous authentication, secured communications and secured emergency communication systems where appropriate. Article 23 adds reporting of significant incidents to the CSIRT or competent authority: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. Note for intra-group set-ups: even where the IT unit itself stays out of scope, the supply chain item obliges each in-scope group company to manage the security of its relationship with that unit as a service provider.
## Penalties & Enforcement
- Fines: *Not detailed in the provided article.* Article 34 of the Directive requires Member States to provide for administrative fines of up to at least EUR 10,000,000 or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and up to at least EUR 7,000,000 or 1.4% for important entities.
- Other Consequences: *Not detailed in the provided article.* Articles 32 and 33 give competent authorities supervisory and enforcement powers including binding instructions, orders to remedy deficiencies, orders to make aspects of non-compliance public and, for essential entities, temporary suspension of certifications or authorisations and a temporary ban on the persons responsible at chief executive or legal representative level from exercising managerial functions. Under Article 20, management bodies must approve and oversee the risk-management measures and can be held liable for infringements.
- Enforcement: Enforcement mechanisms will be defined by the implementing legislation of each individual EU Member State.
## Related Standards
- **Recommendation 2003/361/EC:** Defines the headcount, turnover and balance sheet thresholds for micro, small and medium-sized enterprises and the rules for counting linked (100%) and partner (pro rata) enterprises.
- **DORA (Regulation (EU) 2022/2554):** A comparable framework to examine for financial entities regarding intra-group IT services.
## Resources
- Official Documentation: Directive (EU) 2022/2555 (NIS2), OJ L 333, 27.12.2022; the full text is available on EUR-Lex at https://eur-lex.europa.eu/eli/dir/2022/2555/oj.
- Guidance Documents: Hogan Lovells publication detailing the intra-group IT impact analysis.
- Tools: *Not specified.*
## Practical Recommendations
1. **Immediately Verify Group Structure:** Identify all linked and partner enterprises relevant to Recommendation 2003/361/EC.
2. **Recalculate Scope:** Apply the aggregated data to determine if any entity, particularly specialized IT providers within the group, is suddenly in scope for NIS2 as an Important or Essential entity.
3. **Engage Legal Counsel:** Consult with legal experts regarding pending national transposition laws in relevant jurisdictions (like Germany).