Dr. Stefan Schuppert and Valentin Reiter of Hogan Lovells write:
While the NIS2 Directive remains to be implemented in several EU Member States, including Germany, companies should use the time to assess whether they fall within the scope of the Directive and prepare for its implementation. When making this assessment, particular attention should be paid to entities providing IT services within the corporate group. Where a corporate group considers outsourcing or insourcing the IT services within the same group, it is also worthwhile considering the impact of NIS2. The NIS2 Directive applies in principle only to companies that exceed certain thresholds for employed persons and annual turnover. However, these thresholds are calculated in accordance with the Annex to Recommendation 2003/361/EC, which requires that data from the entire group, including partner and linked enterprises, be taken into account. Since intra-group IT service entities are often of limited headcount and annual turnover, they are easily overlooked as neither essential nor important entities. However, a careful threshold calculation should be made to determine whether this entity qualifies as an important or even an essential entity under the NIS2 Directive. Taking into account the data of partner or linked enterprises may then result in the thresholds being exceeded and thus the respective entity being within the scope of the NIS2 Directive. Different scenarios can be distinguished. We conclude this analysis with a comparison of similar provisions under the Digital Operational Resilience Act (Regulation (EU) 2022/2554 – DORA) for intra-group IT services within groups of financial entities.
Read their analysis at Hogan Lovells.