NIS 2 Annex I sector 9

Group IT companies as managed service providers under NIS 2

When your group's central IT serves the subsidiaries, that IT company can be in scope of NIS 2 on its own. Annex I sector 9 (ICT service management, business-to-business) names MSP and MSSP. Article 6(40) and (41) define them. German practitioners have started to apply this to group structures.

Simon Orzel

The short version

A lot of German and European groups bundle their IT into one central department or one service company that runs infrastructure, applications and security for the rest of the group. The NIS 2 question is whether that IT company itself counts as a managed service provider (MSP), separate from whatever the parent or the subsidiaries do.

This matters because MSP and MSSP sit in Annex I sector 9 of the Directive (ICT service management, business-to-business). If you sit there as MSP or MSSP and you hit the medium-enterprise size threshold, you are an important entity. On your own. With your own registration, your own risk management and your own incident reporting duty. Being part of a group does not absorb any of that.

The page works through three layers. First, what the Directive actually says in Annex I sector 9 and in Article 6(40) and (41). Second, a three-part test that tells you whether a group IT company falls in scope. Third, the German practitioner reading and the misreadings we hear most often.

The legal source
Three layers. The Annex of the Directive lists managed services as a sector. Article 6 says what a managed service provider is. German practitioners have published a reading on how that applies to group structures.

Annex I sector 9 NIS 2 Directive (2022/2555)

ICT service management (business-to-business): providers of managed services; providers of managed security services.

Annex I sector 9 ('Verwaltung von IKT-Diensten, Business-to-Business' in the German text) names MSP and MSSP as in-scope entity types. They sit in their own sector, separate from Annex I sector 8 (digital infrastructure: cloud, data centres, DNS, CDN, trust services).

Article 6(40) and 6(41) NIS 2 Directive

Managed service provider means an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers' premises or remotely. Managed security service provider means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management.

Article 6(40) defines MSP. Article 6(41) defines MSSP. The test is what the entity does (installation, management, operation, maintenance, active administration), not whether it bills external customers.

German practitioner reading (Piltz Legal)

Companies that exclusively operate the central IT operations of a corporate group typically fall under the MSP definition.

Piltz Legal read the German transposition and reached this conclusion: central IT service companies that serve group subsidiaries fall under the MSP definition. The German legislative materials they cite point the same way: services to legally separate group entities are managed services.

The three-part test
Whether a group IT company falls under NIS 2 as MSP turns on three questions. All three have to be yes for the entity to be in scope on its own.
Step 1

Own legal entity

Is the central IT set up as its own legal entity (a GmbH, an AG, or the equivalent in other member states)? If yes, NIS 2 assesses it on its own. If the IT is just an internal cost centre with no legal personality, scope runs through the parent that operates it.

Step 2

Managed services to other parties

Does the entity install, manage, operate, maintain or actively administer ICT products, networks, infrastructure, applications or systems for other parties? Subsidiaries are legally separate from the IT service company, even inside the same group. Services to them count as services to other parties under Article 6(40).

Step 3

Size threshold met

Does the IT entity hit the medium-enterprise threshold (50 or more staff, or turnover above EUR 10 million with a balance sheet above EUR 10 million)? Watch the linked-enterprise rule under Commission Recommendation 2003/361/EC: it counts staff and financials across the whole group. A 30-person IT company inside a 400-person group counts at the group level.

Two rules that decide every borderline case
Annex I sector 9 and Article 6 rest on two rules. Get these wrong and the borderline cases will come out wrong.

Each legal entity is assessed on its own

NIS 2 scope is decided per legal entity. The parent being in scope (say, as a manufacturer) does not automatically pull the IT subsidiary in. The IT subsidiary being in scope does not pull the parent in. Each entity registers, runs risk management and reports incidents on its own duty.

Function decides scope, not purpose

Article 6(40) describes what the entity does, not why. The services do not need to be commercial, priced at arm's length or sold to outside customers. An IT company that exists only to serve its own group still provides managed services under the definition. What you do decides scope. Why you do it does not.

How this is read across Europe
The Directive sets one Article 6 definition for everyone. Practitioners in different countries have started to apply it.
Germany

Piltz Legal practitioner analysis

Piltz Legal's published reading: German group IT companies typically fall under the MSP definition when they run the central IT for the rest of the group. The German legislative materials around the NIS2 Implementation Act point the same way: services to legally separate group subsidiaries are managed services for Article 6(40) purposes.

EU-wide

Article 6 is the same across the EU

Article 6 of the Directive is one set of definitions that binds every member state. National laws copy the wording almost word for word. The German, Dutch, Austrian and Belgian transpositions all mirror Article 6(40) and (41), so the three-part test gives you the same answer everywhere.

Other member states

Mirror transpositions

The Netherlands (Cyberbeveiligingswet), Austria (NISG) and Belgium (NIS2-Wet) put the MSP and MSSP definitions into national law. A group IT company that operates across borders can be in scope in several member states at once, with a separate registration at each national competent authority.

Three traps we see all the time
Three assumptions about group IT and the MSP category that come up in almost every scoping call. None of them holds up against the text above.
  • Internal IT does not count as MSP.

    It depends on how it is set up. If the central IT is its own legal entity and serves other, legally separate group companies, those are managed services to other parties under Article 6(40). A pure internal cost centre with no legal personality is not in scope on its own. A service GmbH inside the group usually is.

  • Only commercial MSPs with external customers count.

    Article 6(40) describes a function (installation, management, operation, maintenance, active administration of ICT products, networks, infrastructure, applications or systems), not a commercial purpose. Captive IT companies that only serve their own subsidiaries still meet the definition if they perform that function. The Piltz Legal reading and the German legislative materials say the same.

  • The parent's scope covers the IT subsidiary automatically.

    NIS 2 looks at every legal entity on its own. The parent can be in scope as a manufacturer under Annex II while the IT subsidiary is in scope under Annex I sector 9 as MSP. Registration, risk management and incident reporting attach to each entity separately. The only place where the group is treated as a whole is the size test.

Practice: the Konzern-IT shortcut and how NIS 2 inverts it

For two decades, German groups have merged their IT into one service company. Cleaner operations, better VAT treatment, less duplication. NIS 2 partly flips that incentive. A consolidated group IT GmbH that used to fly under the regulatory radar can now be a NIS 2 important entity on its own, with its own registration, its own risk management framework and its own incident line to the BSI.

What that means in practice: structural decisions you made for tax or operational reasons need a second look with NIS 2 in front of you. If the IT entity is in scope as MSP, it also picks up the supply-chain duties under Article 21(2)(d) toward its group customers. Those customers may themselves be in scope under Annex I or II. The same internal contract then sits under NIS 2 from both ends.

How we handle this on the platform

The applicability check walks the three-part test out loud: legal entity yes or no, services to other legal entities (inside or outside the group), size including the linked-enterprise rule. The answer carries through to the registration module, so the IT entity registers separately where it has to.

The supplier portal covers the other side of the contract. Subsidiaries that buy managed services from a sister IT company can run the supplier questionnaire against them like any other supplier. Both ends of the deal end up documented with the same Article 21(2)(d) evidence.

Sources
  • Directive (EU) 2022/2555 (NIS 2), Article 6(40), 6(41) and Annex I sector 9 (ICT service management B2B) — eur-lex.europa.eu/eli/dir/2022/2555/oj
  • Piltz Legal, 'Konzern-IT-Gesellschaften unter der NIS 2-Richtlinie' — piltz.legal/news/konzern-it-gesellschaften-unter-der-nis-2-richtlinie
  • BSIG (German NIS2 transposition), §2 No. 26 (MSP definition) and §28 (scope) — gesetze-im-internet.de
  • Commission Recommendation 2003/361/EC on the definition of micro, small and medium-sized enterprises (linked-enterprise rule) — eur-lex.europa.eu/eli/reco/2003/361/oj
  • BSI sector-specific FAQ on NIS 2 entity types — bsi.bund.de