Annex I Sector 9 NIS 2

Are we a Managed Service Provider under NIS 2?

NIS 2 added MSPs as a new sector that did not exist in NIS 1. If you remotely run customer IT, you are very likely in scope. Annex I sector 9 names the activity. Article 6(39) defines what counts. The size test still applies, with one narrow exception that does not cover most MSPs.

Simon Orzel

The short version

NIS 1 did not have MSPs as a category at all. The 2022 directive added them. Annex I sector 9 lists ICT service management on a business-to-business basis, and Article 6(39) gives the legal definition: an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers' premises or remotely. If that describes you, you are most likely an MSP in scope.

MSP and MSSP are two separate categories. Article 6(39) defines the MSP. Article 6(40) defines the MSSP as a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management. Both are in Annex I sector 9. An entity can be both at once. Most general IT service houses are MSPs and not MSSPs. A pure SOC or pen test shop is an MSSP.

The size test still applies. NIS 2 normally applies to medium enterprises and larger: at least 50 staff, or more than 10 million euro turnover and balance sheet, per Article 2(1) and Recommendation 2003/361/EC. Article 2(2)(g) carves out a narrow set of sectors where size does not gate scope, but that override covers DNS, TLD registries, qualified trust service providers and a few other digital infrastructure types. It does not pull small MSPs in regardless of size. A small MSP below the size test is out of scope of NIS 2.

The legal source
Annex I lists ICT service management as a sector. Article 6(39) defines the MSP. Article 2(1) and Recommendation 2003/361/EC set the size test. §28 BSIG is the German entry point, with Anlage 1 listing MSPs explicitly.

NIS 2 Directive (2022/2555), Annex I sector 9

ICT service management (business-to-business): providers of managed services; providers of managed security services.

NIS 1 did not contain this sector at all. NIS 2 introduced it as a new category, which is one of the biggest practical expansions of scope in the directive. Both MSP and MSSP sit inside the same Annex I sector 9 bucket. The 'business-to-business' qualifier matters: serving consumers is not covered by sector 9; serving other businesses is.

Article 6(39) NIS 2 Directive (MSP definition)

Managed service provider means an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers' premises or remotely.

Article 6(40) adds the MSSP definition: a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management. The directive picks the verbs deliberately: installation, management, operation, maintenance, active administration. Selling a product without ongoing operation does not meet the definition. A help desk that resets passwords without running the systems does not meet it either.

§28 BSIG (Germany), Anlage 1 sector 'Digitale Infrastruktur'

Particularly important entities and important entities are natural or legal persons, or legally dependent organisational units of a regional or local authority, that can be assigned to one of the types of entity named in Annex 1 or 2 and that reach or exceed the thresholds under Article 2 of Recommendation 2003/361/EC.

§28 BSIG together with Anlage 1 of the BSIG names 'Anbieter von verwalteten Diensten' (MSP) and 'Anbieter von verwalteten Sicherheitsdiensten' (MSSP) explicitly under Sektor Digitale Infrastruktur, which corresponds to NIS 2 Annex I sector 9. The BSI sektorspezifische FAQ adds a useful working clarification: pure web hosting does not make you an MSP, and a one-off project handover does not either. Ongoing active administration is what matters.

Three questions to settle
Three tests in order. Service first, size second, MSP versus MSSP third. The first two decide whether NIS 2 applies. The third decides which sub-category you sit in.
Service

Do you actively run customer IT?

Article 6(39) lists the verbs that count: installation, management, operation, maintenance, active administration, carried out on customer premises or remotely. The customer relationship has to be ongoing, not a one-off install. Pure web hosting without administration is out. Selling a software licence and walking away is out. Running a managed firewall, patching customer servers, operating their Microsoft 365 tenant, remote-managing endpoints: all in.

Size

Are you medium or larger?

Article 2(1) plus Recommendation 2003/361/EC: at least 50 staff, or more than 10 million euro turnover and balance sheet. Apply the test to the legal entity. Article 2(2)(g) lists narrow sector overrides where size does not gate scope, but MSP is not on that override list. The override applies to DNS service providers, TLD name registries, qualified trust service providers and a few other digital infrastructure types. A small MSP that is below the size test is out of scope, full stop.

MSP vs MSSP

Are you also providing security services?

Article 6(40) defines the MSSP as a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management. A SOC, a managed detection and response service, a penetration testing engagement with ongoing remediation support, a vulnerability management service: those are MSSP activities. A general IT service house that runs servers and endpoints is an MSP. A house that runs the security stack on top is both. Both Annex I sector 9 categories are classified as 'wichtige Einrichtung' under §28(2) BSIG by default.

Two principles that decide most edge cases
Both fall out of the Article 6(39) wording directly. Both decide cases that look ambiguous on the surface.

'Managed' is a broad verb list, not a marketing label

Some entities do not call themselves an MSP and still meet the definition. Some call themselves an MSP and do not. The legal test is the verb list in Article 6(39): installation, management, operation, maintenance, active administration of ICT products, networks, infrastructure, applications or systems for other parties. If those verbs describe what you do on a recurring basis, you are an MSP under NIS 2 whether your website says so or not.

Your own internal IT does not make you an MSP

Running IT for yourself is not a managed service. The customer has to be someone else. Internal IT departments serving their own employer are not in scope as MSP. A separate service company inside a group that runs IT for the sister entities is a different question and usually does count, because the sisters are legally separate parties. See the group-IT page for that case.

How national regulators run this
The MSP definition is EU law in Article 6(39), so it is the same in every member state. What differs is which authority you register with and how strictly the sector-specific guidance reads it.
Germany

BSI / §28 BSIG and Anlage 1

The BSI is the cyber authority for MSPs in Germany. Anlage 1 of the BSIG lists 'Anbieter von verwalteten Diensten' and 'Anbieter von verwalteten Sicherheitsdiensten' under Digitale Infrastruktur, which maps directly to NIS 2 Annex I sector 9. The BSI sektorspezifische FAQ has the most useful working text: pure web hosting is not MSP, a one-off project is not MSP, ongoing active administration is. The §33 BSIG registration portal is where MSPs above the size test register.

EU-wide

ENISA Technical Implementation Guidance

ENISA's TIG covers MSP and MSSP activities under the Annex I sector 9 chapter and maps the Article 21 controls onto the operations a typical MSP runs. The TIG mapping table cross-walks to ISO 27001, NIST CSF 2.0 and ETSI 319 401, so MSPs already running an ISMS or an ETSI-aligned operation can reuse the bulk of that work.

Other member states

MSPs in NL, AT, BE and the rest

Article 6 of the directive is one set of definitions for the whole EU. Other transpositions copy the wording: Austria via NISG, Netherlands via Cyberbeveiligingswet, Belgium via NIS2-Wet. An MSP serving customers across borders is in scope wherever it has an establishment, and registers in each member state where it provides the service. The substantive definition does not change between countries.

Three traps we see almost weekly
All three come up in calls with MSPs trying to settle their scope question. All three are wrong.
  • We just respond to tickets, we are not really managing customer systems.

    If the tickets involve installing, configuring, patching or operating customer systems on an ongoing basis, that is active administration under Article 6(39). Reactive does not mean out of scope. A help desk that only resets passwords without touching the underlying systems is a narrow exception. A help desk that patches Windows, restarts services or pushes endpoint configuration is doing managed services.

  • We are too small to be in scope, the override pulls us in anyway.

    Article 2(2)(g) does not pull small MSPs in regardless of size. The override applies to DNS service providers, TLD name registries, qualified trust service providers, providers of public electronic communications networks and services, and a few other digital infrastructure types. MSPs are not on that list. A small MSP below the size test (under 50 staff and not over the turnover and balance sheet thresholds) is out of scope of NIS 2 itself, even though customer contracts may still require you to demonstrate Article 21 controls under the supply chain clause.

  • We only serve our own group, so we are an internal IT department.

    If the entities you serve are legally separate from your service company, even inside the same group, those are services to other parties under Article 6(39). A central IT service GmbH that runs infrastructure for the sister GmbHs is an MSP in the NIS 2 reading. The separate group-IT page works this case through in more detail.

What this looks like in practice

A typical mid-market MSP with 70 staff, around 80 SME customers and a service mix of managed endpoints, Microsoft 365 administration, managed firewalls and patch management for customer servers sits unambiguously inside NIS 2 scope. Annex I sector 9 catches the activity. Article 6(39) catches the verbs. The size test is comfortably passed at 70 staff. Default classification under §28(2) BSIG is 'wichtige Einrichtung'.

The §30 risk register has to cover the management infrastructure that touches customer systems: RMM tooling, jump hosts, the SOC stack if you operate one, the privileged access stack. The §32 incident reporting cascade applies when an incident affects your own infrastructure or, by extension, the customers you administer. The §33 registration is one submission with the BSI for the whole legal entity. Customer contracts then need Article 21(2)(d) clauses pointing at the same controls, which is where supply chain compliance meets MSP compliance.

How we handle this on the platform

The applicability check walks MSPs through the Annex I sector 9 case explicitly. You tick the service verbs you run, the platform applies the size test, and tells you which §28 BSIG bucket you land in. If you also run security services it offers the MSSP branch in parallel without forcing you to pick one or the other.

The supplier portal handles the other side of the contract. Customers that buy managed services from you can be given a structured questionnaire and a published Article 21 controls summary, so a single piece of evidence covers all the contract clauses you would otherwise be sending out in PDFs to every customer separately.

Sources
  • Directive (EU) 2022/2555 (NIS 2), Annex I sector 9 (ICT service management B2B) — eur-lex.europa.eu/eli/dir/2022/2555/oj
  • Directive (EU) 2022/2555 (NIS 2), Article 6(39) (managed service provider definition) — eur-lex.europa.eu/eli/dir/2022/2555/oj
  • Directive (EU) 2022/2555 (NIS 2), Article 6(40) (managed security service provider definition) — eur-lex.europa.eu/eli/dir/2022/2555/oj
  • Directive (EU) 2022/2555 (NIS 2), Article 2(1) and Article 2(2) — eur-lex.europa.eu/eli/dir/2022/2555/oj
  • Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises
  • BSI Act (BSIG), §28 and Anlage 1 sector Digitale Infrastruktur, as amended by the NIS2 Implementation and Cybersecurity Strengthening Act
  • BSI sektorspezifische FAQ on Anlage 1 Nr. 6.1.10 (Managed Services Provider) — bsi.bund.de
Run the MSP applicability check
Walk the Article 6(39) verbs against your actual service portfolio. Get a single answer for the whole legal entity, MSP and MSSP branches in parallel. Free, open source, no lock-in.