When is an IT service provider subject to NIS2?

IT service providers fall under different NIS2 categories depending on their activities: Managed Service Providers (MSP) and Managed Security Service Providers (MSSP) are classified as Essential Entities under Annex I No. 8, irrespective of size, when providing critical services to NIS2-obligated customers. General IT service providers without MSP character only fall under NIS2 Annex II No. 9 from medium enterprise size (50 employees or 10M EUR turnover). Classification is case-specific and should be verified legally.

What special obligations apply to MSPs and MSSPs under NIS2?

MSPs and MSSPs are Essential Entities under Annex I No. 8 with the strictest NIS2 obligations: risk management under § 30 BSIG-neu, reporting within 24/72 hours under § 32 BSIG-neu, BSI registration within three months under § 33 BSIG-neu, and management liability under § 38 BSIG-neu. Especially relevant is the obligation to report security incidents affecting customer systems, as the MSP is considered an extended attack surface for critical sectors.

What is the difference between NIS2 Annex I and Annex II for IT service providers?

Annex I (Essential Entities) covers critical IT providers such as MSPs, MSSPs, DNS services, TLD registries, and trust service providers irrespective of company size. Annex II (Important Entities) covers general digital services and IT service providers only from medium enterprise size. Essential Entities are subject to proactive BSI supervision and higher fine levels; Important Entities are predominantly supervised reactively.

What fines do IT service providers face for NIS2 violations?

§ 65 BSIG-neu provides fines up to 10 million Euro or 2 percent of global annual revenue for Essential Entities (Annex I, e.g. MSPs). The same ceilings apply to Important Entities (Annex II). In addition, personal management liability under § 38 BSIG-neu applies. For incidents affecting customer data, GDPR fines under Art. 83 GDPR may also be incurred.

What do NIS2 supply-chain obligations mean for IT service providers?

§ 30 Para. 2 No. 4 BSIG-neu requires IT service providers to secure their own supply chain: data center providers, cloud platforms, open-source components, and subcontractors must be committed to cybersecurity requirements. At the same time, the IT service provider itself may be a supplier to its NIS2-obligated customers and must fulfill their supply-chain security requirements.

When must IT service providers register with the BSI?

§ 33 BSIG-neu requires registration within three months of determining applicability. MSPs and MSSPs, due to their classification as Essential Entities under Annex I, are generally required to register directly from BSIG-neu's entry into force. Registration is via the BSI reporting portal and includes entity category, services provided, and contact details.

Are IT service provider managing directors personally liable for NIS2 violations?

§ 38 BSIG-neu explicitly requires management of Essential and Important Entities to approve, supervise, and train on cybersecurity measures. Proven neglect can trigger personal liability. IT service providers with multiple managing directors should assign responsibilities in writing and document them in regular resolutions.

Industry-specific Self-Check

Is my IT service provider affected by NIS2?

MSP, MSSP, system integrator, consultant - as B2B ICT service management, NIS2 applies from 50 employees. Supply-chain security at clients adds weight.

Step 1 / 2

Service structure and customer access

NIS2 Annex I No. 8 covers B2B ICT service management. Check what applies to your operation.

Managed IT services for external business customers (B2B)MSP/Managed Services, MSSP/Managed Security, outsourcing, operating third-party infrastructurePrivileged access to customer systemsAdmin access, remote access, agents on customer systems, backup accessCybersecurity or incident response services in portfolioSOC, SIEM, EDR operations, vulnerability management, incident responseMore than 10 active B2B managed customersIndicator of multiplier relevance in the supply chain

Step 2 / 2

Company size

IT Service Provider: The Complete NIS2 Guide

IT service providers face a dual role under NIS2: many are themselves Important or Essential Entities as managed service providers (MSPs) or cloud providers under NIS2 Annex II No. 6 (ICT Services). At the same time, as suppliers to other NIS2-obligated companies, they are subject to supply chain obligations under § 30 Para. 2 No. 4 BSIG-new. This guide is written for managing directors and CISOs of IT service providers, MSPs, and cloud providers.

Who is affected?

IT service providers fall directly under NIS2 Annex II No. 6 (providers of digital infrastructure) or Annex II No. 7 (ICT services B2B) when they exceed the SME thresholds: at least 50 employees or at least EUR 10 million in annual revenue (EU Recommendation 2003/361/EC Art. 2).

Large cloud providers, DNS resolvers, TLD registries, and internet exchange points fall under NIS2 Annex I No. 7-8 as Essential Entities - regardless of revenue thresholds.

Additionally: IT service providers that serve other NIS2-obligated entities (e.g., hospitals, energy suppliers, government agencies) are treated as critical suppliers by those customers under § 30 Para. 2 No. 4 BSIG-new. This means: even if not directly in scope, you may be required to be NIS2-compliant by customer demand.

An MSP with 60 employees serving hospitals, municipalities, and energy utilities is affected by NIS2 both directly and indirectly.

Obligations under § 30 BSIG-new

§ 30 BSIG-new requires seven technical and organizational measure areas that are especially significant for IT service providers as critical suppliers:

Risk analysis and management: IT service providers must assess their own security architecture and also the risks their services pose to their customers.
Incident handling: A security incident at the MSP can simultaneously affect many NIS2-obligated customers. The incident response plan must include customer notification and coordinated response.
Business continuity: IT service providers must maintain BCP plans for their own infrastructure and for the services they deliver to customers.
Supply chain security: IT service providers are themselves part of their customers' supply chains. They must demonstrate to customers that they meet the requirements of § 30 Para. 2 No. 4 BSIG-new.
Access control and MFA: Privileged Access Management (PAM) and MFA for all privileged access to customer systems are an absolute requirement.
Encryption: Customer data, configuration data, and communications must be fully encrypted.
Training and awareness: IT personnel managing customer systems must receive regular cybersecurity training.

Deadlines and reporting obligations

BSI registration under § 33 BSIG-new within three months. For security incidents under § 32 BSIG-new: initial report within 24 hours, full report within 72 hours, final report within 30 days.

Special aspect for IT service providers: an incident at the MSP that affects NIS2-obligated customers must both satisfy your own NIS2 reporting obligations and be communicated to affected customers. Those customers have their own reporting obligations to the BSI.

Fines and personal liability

Important Entity (Annex II): up to EUR 7 million or 1.4% of turnover. Essential Entity (Annex I): up to EUR 10 million or 2% of turnover.

§ 38 BSIG-new: personal liability for management. For IT service providers, contractual liability to customers following security incidents is an additional layer. NIS2 fines plus customer damages can be existential.

Supply chain obligation § 30 Para. 2 No. 4: MSPs as critical suppliers and contract design

§ 30 Para. 2 No. 4 BSIG-new obligates all NIS2 entities to address "security aspects in the relationships between the entity and its direct suppliers." For IT service providers as frequent suppliers, this means: NIS2-obligated customers will make security demands on you.

This materializes in contracts: SLA clauses on security, customer audit rights, obligations to notify the customer of security incidents, and proof of security certifications (ISO 27001, SOC 2). Many NIS2 entities are already beginning to renegotiate existing supplier contracts accordingly.

MSPs can use the supply chain obligation as a market opportunity: those who achieve NIS2 compliance early and get certified differentiate themselves from competitors. ISO 27001 or SOC 2 Type II are the standard certifications that NIS2-obligated customers will demand.

First steps

Clarify your direct NIS2 scope: Annex I, Annex II, or no direct scope?
Identify which of your customers are NIS2-obligated. They will make security demands on you.
Review your current contracts: do they include security SLAs, audit rights, and incident notification?
Build a Privileged Access Management (PAM) system if one is not already in place.
Create an MSP-specific incident response plan that includes customer notification.
Evaluate ISO 27001 or SOC 2 Type II as a certification basis for customer inquiries.
Register with the BSI if you have direct NIS2 scope.

Common pitfalls

"We are not directly affected" as an excuse: Even without direct NIS2 scope, customers will impose security requirements under § 30 Para. 2 No. 4 BSIG-new. Those who are not prepared will lose customers.

Missing Privileged Access Management: MSPs managing customer systems with shared passwords do not meet NIS2 requirements. PAM is not an optional add-on.

Customer incidents handled only internally: If a security incident at the MSP affects NIS2-obligated customers, those customers must be informed. Failure to do so breaches both contractual obligations and NIS2 requirements.

Certification treated as a future project: NIS2-obligated customers will demand security certifications promptly. Those who only start the process when customers ask are already too late.

Use the industry-specific NIS2 calculator for IT service providers to clarify your obligations.

Authored by

Julian Köhn

Founder & CEO, Kopexa

Julian Köhn is Founder and CEO of Kopexa. He has been building security and compliance solutions for European mid-market companies for over 10 years. Focus areas: NIS2, ISO 27001, GDPR, TISAX. Kopexa was founded to make GRC transparent and self-service for SMEs.

LinkedIn View profile

Reviewed by

Kopexa GRC Team

Subject Matter Experts — NIS2, ISO 27001, KRITIS

The Kopexa GRC Team consists of security and compliance experts certified in ISO 27001, CISA, CRISC. The team develops framework mappings and validates content on NIS2, KRITIS, and industry-specific requirements.

Last updated: 2026-04-17

Frequently asked questions

Industry-specific answers on NIS2 obligations, thresholds, and sanctions.

Is my IT service provider affected by NIS2?

IT Service Provider: The Complete NIS2 Guide

Who is affected?

Obligations under § 30 BSIG-new

Deadlines and reporting obligations

Fines and personal liability

Supply chain obligation § 30 Para. 2 No. 4: MSPs as critical suppliers and contract design

First steps

Common pitfalls

Frequently asked questions

01When is an IT service provider subject to NIS2?

02What special obligations apply to MSPs and MSSPs under NIS2?

03What is the difference between NIS2 Annex I and Annex II for IT service providers?

04What fines do IT service providers face for NIS2 violations?

05What do NIS2 supply-chain obligations mean for IT service providers?

06When must IT service providers register with the BSI?

07Are IT service provider managing directors personally liable for NIS2 violations?