The EU’s new Network and Information Security Directive (NIS2) and its transposition into the national laws of the Member States will – contrary to all political objectives – apply not only to critical infrastructure but to all sectors of the economy.
The threats to corporate cybersecurity no longer come from teenage hackers. They come from highly professional international criminal organizations and hostile state actors. In particular, the phenomenon of ransomware – malware that encrypts corporate data and decrypts it only after a ransom has been paid – has become a highly lucrative and still growing business for criminal organizations. There are now even “providers” offering “ransomware as a service” – a phenomenon which enlarges the pool of potential attackers by allowing “ordinary” (i.e., non-tech-savvy) felons to become part of the threat landscape.
These threats pose not only economic risks to businesses but also risks to society as a whole, such as the failure of a power plant or the collapse, or at least the delay, of medical care as a result of cyber-attacks.
The EU first regulated the area of cybersecurity for critical infrastructure in 2016 by means of what is now also referred to as the “NIS1 Directive”, which had left quite a lot of leeway to the Member States. The new NIS2 Directive is intended to extend the scope of regulation to other critical sectors such as waste water, space, public administration, waste management, chemicals, postal and courier services, food processing and manufacturing industries, and IT services in general. NIS2 is also more prescriptive and detailed than NIS1 in order to reduce heterogeneity and thus fragmentation of Member States’ implementation laws.
The regulation of non-critical industry sectors
However, companies that do not conduct business in any of the critical sectors mentioned above are often still subject to NIS2. The reason for this is that NIS2 also applies to companies that merely provide IT services within their corporate group. For example, if the parent company of a group of companies provides IT services to its subsidiaries, as is the case in many corporate groups, the parent company is subject to NIS2.
Such services provided within the group may consist of the operation of IT infrastructure (servers, cloud environment, etc.) or the simple provision of IT support services. In particular, NIS2 also covers the provision of “managed services”, which it defines very broadly as “installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely”.
Therefore, even if the parent company of a corporate group provides IT support services (e.g., operating an IT help desk) to other group companies only to a very limited extent, the parent company is subject to NIS2. According to the clear wording of NIS2, this applies not only to the organizational unit of the parent company that provides the IT services, but to the entire parent company. This unsatisfactory result stems from the fact that NIS2 does not take into account the practical realities of intra-group IT services (e.g., the fact that providing intra-group services is often not a main business function of the parent company and represents only a small portion of its overall economic activity).
Application of cybersecurity regulation to small group companies
To avoid the application of NIS2 to the parent company, the organizational unit providing the IT services could be transferred to a dedicated subsidiary (which would also avoid the potential inclusion of all affiliates as “linked enterprises” into the threshold calculation – see below).
In this case, only the dedicated subsidiary would be potentially subject to NIS2. For the subsidiary to also escape the application of NIS2, it would have to qualify as a small enterprise, i.e., one with fewer than 50 employees and an annual turnover and/or annual balance sheet total not exceeding EUR 10 million.
NIS2 foresees that, for the purpose of calculating these thresholds, all linked enterprises (i.e., all group companies) would have to be considered jointly. However, NIS2 gives Member States the flexibility to create exemptions where such a group-wide perspective would be disproportionate. For example, the latest legislative drafts for the transposition of NIS2 in Austria and Germany provide such an exception where the subsidiary is sufficiently independent.
Conclusion
The new cybersecurity rules of NIS2 also apply to companies in non-critical industry sectors if they provide intra-group IT services, in particular to a parent entity that provides IT services to its subsidiaries. In this case, NIS2 applies to all organizational units of the parent entity and not just to the IT department providing the services. However, in such non-critical sectors, it is possible to at least avoid the application of NIS2 to the parent entity by transferring the IT service organization to a dedicated subsidiary. Whether that dedicated subsidiary, too, is able to escape the application of NIS2 depends on the number of its employees, its turnover, and the implementing legislation in the respective Member State.
For more on NIS2, see our past blogs on NIS2 and what we can learn from its implementation in Hungary, one of the first-movers.