NIS2: for me too! The trap for corporations

The last day of October has arrived, which means Cybersecurity Month is almost at an end. Of course, we at Poelmann van den Broek remain actively engaged with cybersecurity legislation and are ready to support you in applying this new legislation. After all, it remains a topical issue. To further help you as a business owner, Niels van den Bogaard wrote the blog below. As a business owner or group director you are most likely aware of the arrival of the NIS2/cybersecurity law. Do you think you are not covered by it, because these rules 'are only for essential and important entities such as energy companies and car manufacturers'? If so, you may well be wrong about that. Read on!

Date: Oct. 31, 2024

Modified October 31, 2024

Written by: Niels van den Bogaard

Reading time: +/- 3 minutes

IT infrastructure within a concern: who bears the risks?

It is not unusual for parent companies within a group to offer IT services to their subsidiaries. Examples include managing servers, networks and security systems. What is often overlooked, however, is that these services, although provided internally, may qualify as "managed services" under the NIS2 Directive. This means that the parent company must meet the same strict requirements as external providers of such services.

This poses significant risks:

What can you do to reduce this risk?

There are some concrete steps you can take to prevent your parent company from being considered a "managed services provider" under NIS2:

  1. Review the structure of internal services

    A first step is to critically assess the internal IT services provided by the parent company. Are there opportunities to redesign these services or limit them to an advisory role, without actually performing management and maintenance? Shifting responsibilities for operational IT tasks to the subsidiaries themselves can reduce risk.

  2. Adapt Contracts and Service Level Agreements (SLAs)

    Ensure that internal agreements and SLAs clearly establish that the subsidiary has responsibility for the management and maintenance of its IT systems. For example, the parent company's role can be limited to strategic advice or implementation support, without being involved in day-to-day management.

  3. Establish internal compliance structures

    Establish an internal compliance structure to ensure that the parent company does not inadvertently perform tasks that qualify it as a provider of managed services. This includes regular audits and monitoring of services provided to subsidiaries.

Conclusion: be prepared for the NIS2 impact!

The NIS2 Directive and the Cybersecurity Act present new challenges for groups in which parent companies provide IT services to their subsidiaries. By proactively taking the steps listed above, you can minimize the risks of unwanted classification as a "managed services provider."
Stay Focused

Do you have questions about the impact of NIS2 on your organization or want to know how to prepare for it? If so, please contact our specialists. Our team of experts is ready to guide you through this complex legal landscape.