NIS2: for me too! The trap for corporations

IT infrastructure within a concern: who bears the risks?

It is not unusual for parent companies within a group to offer IT services to their subsidiaries. Examples include managing servers, networks and security systems. What is often overlooked, however, is that these services, although provided internally, may qualify as "managed services" under the NIS2 Directive. This means that the parent company must meet the same strict requirements as external providers of such services.

This poses significant risks:

• Compliance Risks: Parent companies are required to comply with expanded cybersecurity and reporting requirements under the NIS2 Directive, including duties of care and notification.
• Fines and Penalties: Non-compliance can result in heavy fines and other penalties, which can cause both financial and reputational loss.
• Supervision and Enforcement: Parent companies may come under intense supervision by the relevant authorities, something that would normally be beyond their expectation.

What can you do to reduce this risk?

There are some concrete steps you can take to prevent your parent company from being considered a "managed services provider" under NIS2:

1. Review the structure of internal services
   
   A first step is to critically assess the internal IT services provided by the parent company. Are there opportunities to redesign these services or limit them to an advisory role, without actually performing management and maintenance? Shifting responsibilities for operational IT tasks to the subsidiaries themselves can reduce risk.
   
   
2. Adapt Contracts and Service Level Agreements (SLAs)
   
   Ensure that internal agreements and SLAs clearly establish that the subsidiary has responsibility for the management and maintenance of its IT systems. For example, the parent company's role can be limited to strategic advice or implementation support, without being involved in day-to-day management.
   
   
3. Establish internal compliance structures
   
   Establish an internal compliance structure to ensure that the parent company does not inadvertently perform tasks that qualify it as a provider of managed services. This includes regular audits and monitoring of services provided to subsidiaries.

Conclusion: be prepared for the NIS2 impact!

The NIS2 Directive and the Cybersecurity Act present new challenges for groups in which parent companies provide IT services to their subsidiaries. By proactively taking the steps listed above, you can minimize the risks of unwanted classification as a "managed services provider."