NIS 2 Art. 2 + Rec. 2003/361/EC

Subsidiary and holding company under NIS 2

Scope is judged per legal entity under Article 2 NIS 2. But the size test, via Commission Recommendation 2003/361/EC, adds the whole group together.

Simon OrzelSimon Orzel·

The short version

NIS 2 looks at each legal entity on its own. Your subsidiary is not pulled in just because the parent is. The Directive applies to entities that themselves do something listed in Annex I or II and that themselves cross the size threshold.

The catch sits in the size test. Article 6(2) NIS 2 points to the SME definition in Commission Recommendation 2003/361/EC. That recommendation adds 100 percent of the headcount and financials of every majority-controlled affiliate into one figure.

So the right question is not "is our parent in scope." It is two parts. First: does this specific entity itself do something from Annex I or II? Second: once we add the figures from the rest of the group, do we cross the medium-enterprise threshold?

The legal source
Three layers stacked: the Directive's scope rule, the SME definition it points to, and a German transposition example.

Article 2 NIS 2 (scope)

This Directive applies to public or private entities of a type referred to in Annex I or II which qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC, or exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article, and which provide their services or carry out their activities within the Union.

Scope attaches to the entity that itself does the Annex I or II activity. Article 2(2) and (3) add 'regardless of size' overrides (DNS, TLD registries, qualified trust service providers, public electronic communications providers, sole providers of essential services, and others) that pull individual entities in even below the SME ceiling.

Commission Recommendation 2003/361/EC, Annex Art. 3 (linked enterprises)

Linked enterprises are enterprises which have any of the following relationships with each other: (a) an enterprise has a majority of the shareholders' or members' voting rights in another enterprise; (b) an enterprise has the right to appoint or remove a majority of the members of the administrative, management or supervisory body of another enterprise. To the data of the enterprise in question is added 100 percent of the data of any enterprise which is linked directly or indirectly to it, where the data were not already included through consolidation in the accounts.

This is the rule Article 6(2) NIS 2 imports. A 30-person subsidiary that is majority-owned by a 400-person parent gets counted as part of a 430-person group for the size test. Recital 16 lets Member States consider operational independence, but the starting point is: add the figures up.

§28 BSIG (Germany, example transposition)

Besonders wichtige Einrichtungen und wichtige Einrichtungen sind Einrichtungen, die einer in Anlage 1 oder Anlage 2 aufgeführten Einrichtungsart angehören und die die in §28 BSIG genannten Schwellenwerte erreichen.

BSIG keeps the per-entity logic. The BSI reads the size test through Recommendation 2003/361/EC and therefore adds the linked-enterprise figures together. Other Member States follow the same Recommendation. The transposition wording differs. The mechanic does not.

Three steps to check a subsidiary
Run these steps in order, one legal entity at a time. Do not assess the group as a whole.
Step 1

Does this entity sit in Annex I or II?

Ask whether this specific subsidiary itself does something listed in Annex I (high-criticality) or Annex II (other critical sectors) of NIS 2. A pure holding that only owns shares and books dividends usually does not. An operating subsidiary that runs a wastewater plant, a hospital, an MSP or a manufacturing line usually does.

Step 2

Is the entity itself big enough?

Take the entity's own headcount and financials. If it already meets the medium-enterprise threshold on its own (50 or more staff, or turnover above 10 million euro with balance sheet above 10 million euro), the size test is done. You do not need to add the group.

Step 3

Add the group figures

If the entity is below the threshold on its own, add 100 percent of the headcount and financials of every majority-controlled affiliate and the controlling parent under 2003/361/EC Annex Art. 3. If the combined figure crosses the threshold, the entity meets the size test through its group. Recital 16 lets you argue independence in front of the regulator. But it is an exception you have to prove, not a plan you can rely on.

Two rules that answer every group-structure question
Read these two rules together. The rest of the page is detail.

Scope is per legal entity (Article 2 NIS 2)

The Directive has no 'group in scope' concept. It applies to each entity that itself does a covered activity. The status of the parent, of the holding or of sister subsidiaries does not transfer to your entity. Your entity is in scope only if it itself qualifies.

Size is added up under 2003/361/EC

The size test uses the SME Recommendation. It counts linked-enterprise data at 100 percent. A small subsidiary inside a large group will usually count as a medium or large enterprise for the size test, even if its own payroll is tiny. This is the mechanism that pulls a lot of small subsidiaries into scope.

How national regulators handle this
Same Directive, same SME Recommendation, slightly different national wording. The mechanic is identical.
Germany

§28 BSIG and BSI scope guidance

Germany transposes through §28 BSIG. The published BSI guidance reads the size test through Recommendation 2003/361/EC and adds the linked-enterprise figures together. Subsidiaries register and report on their own if they themselves pass the test. The holding does not register on their behalf.

EU

ENISA and the SME Recommendation

ENISA's scope materials follow the Directive: scope is per entity, size aggregates under 2003/361/EC. There is no 'group registration' shortcut. The Recital 16 independence argument exists. But it is an exception you have to prove, not a planning route.

Other Member States

NL, AT, FR transposition examples

The Dutch Cyberbeveiligingswet, the Austrian NISG-Neufassung and the French Ordonnance n. 2024-1233 all keep the per-entity scope and import the SME Recommendation. The wording differs. The linked-enterprise aggregation rule does not.

Three traps we see all the time
These come up in almost every applicability call. All three are wrong.

  • Our parent is in scope, so we are too.

    No. Scope is per legal entity under Article 2 NIS 2. The parent's classification does not bind the subsidiary. Your subsidiary is in scope only if it itself does an Annex I or II activity and itself meets the size threshold (possibly through linked-enterprise aggregation).

  • We can stay out by splitting into smaller subsidiaries.

    No. The SME Recommendation adds 100 percent of the linked-enterprise figures. Splitting a 200-person business into four 50-person GmbHs that remain majority-owned by the same parent does not break the size test. The corporate split is invisible to the 2003/361/EC calculation.

  • The holding registers and reports for the whole group.

    No. Each in-scope legal entity registers itself with the competent authority (in Germany via portal.bsi.bund.de) and files its own incident reports under Article 23 NIS 2. The holding can coordinate operationally. It cannot substitute its registration for the subsidiaries' duties.

How this plays out in real Mittelstand groups

In the groups we see, the question almost always lands on step 3. The operating subsidiary does something from Annex I or II. On its own it is small. Inside the group it sits above 50 staff or above 10 million euro turnover. Under 2003/361/EC, that pulls it in.

The lever is the Recital 16 independence argument. If a subsidiary is genuinely independent in how it runs (own management body, own customer contracts, own decisions, no group cost allocation that decides its business model), the national authority may treat it as stand-alone for the size test. Write the independence down before you rely on it. Do not assume it.

How we handle group structures on the platform

The applicability check walks through Annex I and II sector membership for the specific entity, then the size test with linked-enterprise aggregation built in. The output is a written applicability assessment with sector, size figures, the linked-enterprise inputs and the final classification (essential, important or out of scope).

For groups with several operating subsidiaries, each entity runs its own check and, if it is in scope, its own obligation register. The platform supports a separate workspace per legal entity, so registrations, incident reports and management sign-offs sit against the right registered entity.

Sources
  • NIS 2 Directive (EU) 2022/2555, Art. 2 (scope), Art. 6 (definitions), Recital 16 (linked enterprises and independence) — EUR-Lex, eli/dir/2022/2555/oj
  • Commission Recommendation 2003/361/EC of 6 May 2003, Annex Art. 2 (SME definition) and Annex Art. 3 (linked enterprises, 100 percent aggregation) — EUR-Lex, CELEX 32003H0361
  • BSIG (Germany), §28 (classification of essential and important entities) — gesetze-im-internet.de
  • BSI scope FAQ for NIS 2 entities (sector-specific) — bsi.bund.de, NIS-2-FAQ-sektorspezifisch
  • ENISA reference materials on NIS 2 scope and the SME Recommendation — enisa.europa.eu
Run the applicability check on each entity
One workspace per legal entity. Sector check, size check, linked-enterprise aggregation, written output. Free, open source, no lock-in.
Start the applicability check