Cybersecurity & Compliance

Is my subsidiary in scope of NIS2?

Is a small MSP subsidiary in scope of NIS2? This article explains why the answer depends on group-size calculation, linked enterprises, Recital 16 and national transposition.

Iveta Yuskeselieva · 13 min read · 17 June 2026 · EU

I am going to tell the story of several companies, each established in a different EU Member State, and the question of whether they fall within the scope of the NIS2 directive (Directive (EU) 2022/2555). Before the story, its takeaway, because the takeaway is simple. Such an assessment needs to be made at group level. The risk of a subsidiary making the wrong decision on its own is high, and getting it wrong can mean monetary fines, and personal liability for top management.

The reason the assessment belongs at group level is easier to see through the story than through the rule, so here is the story. It is the story of one subsidiary whose facts never change. What changes is the country it sits in. The same company, looked at in five Member States, does not produce one answer. It produces a map of different legal outcomes: in some countries it is in scope, in others it is out, and in at least one the answer depends on the regulator.

I. The scope test: sector first, size second

At the centre of it, we have a group of companies held by one parent. One of them, Company A, is a managed services provider of real size, and its position is not in doubt: it falls squarely within NIS2. Company B is also a managed services provider, but a much smaller one. On its own figures it has fewer than fifty employees and does not cross the financial thresholds. It therefore reached the comfortable conclusion that NIS2 did not apply to it. Company B is the one to watch, because its answer changes from one country to the next.

The sectors NIS2 covers are set out across two annexes to the directive (Directive (EU) 2022/2555). 

  • Annex I gathers the sectors it treats as most critical: energy, transport, banking, health, digital infrastructure, and, the one that matters here, the management of ICT services. 
  • Annex II adds a further set of important sectors, from postal services to the manufacture of certain goods.

A provider of managed services falls within Annex I, and Company B provides managed services, so the sector condition is met and the analysis will not return to it. The size condition is the one that does the work. As a rule, NIS2 reaches only entities that are at least medium-sized, a threshold it takes directly from the European definition of small and medium-sized enterprises: broadly, a company crosses it once it employs fifty people or more, or once its turnover and balance sheet exceed the ceilings set for smaller firms. 

II. Recital 16: the optional independence exception

There is an exception, and Company B knew about it. A defined list of entities, among them DNS providers, top-level domain registries and trust service providers, are caught whatever their size, because the directive regards their function as too important to turn on headcount or financial figures. Ordinary managed services do not sit on that list.

This is the point at which the reasoning of a great many companies quietly goes wrong, and it is worth being precise about how. The European definition of a medium-sized enterprise, set out in Commission Recommendation 2003/361/EC (of 6 May 2003, concerning the definition of micro, small and medium-sized enterprises), does not look at a company in isolation. It separates autonomous enterprises, which are assessed alone, from partner enterprises, whose figures are counted in proportion, and linked enterprises, whose figures are counted in full. Two companies are linked whenever one controls the other, or a third party controls them both, which is exactly the position of two sisters held by a common parent. The headcount and the financials of the entire group are therefore brought to bear on the question of whether any one member is medium-sized.

The mistake is a natural one, and many subsidiaries make it without realising it. A subsidiary that keeps its own books, files its own accounts and sits outside any tax consolidation tends to assume it stands on its own figures. For company law and for tax, it does. For NIS2, it does not. The absence of fiscal consolidation has no bearing on whether the rule in Commission Recommendation 2003/361/EC applies, because that rule follows ownership and control and operates whatever the tax position. Once the group’s figures are counted, Company B, modest on its own, becomes part of something plainly large, and on the face of the directive it is in scope.
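The arithmetic the two paragraphs above describe, written out as a small Python script. This is an added illustration, not code from the article or from any regulator: the thresholds for a small enterprise (fewer than 50 staff and a turnover or balance sheet total of at most EUR 10 million) are taken from the Annex to Recommendation 2003/361/EC; the figures for Company A and Company B are constructed for the example, the parent is assumed to be a pure holding with no figures of its own, and the aggregation follows only one level of linkage.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Article 2(2) of the Annex to Recommendation 2003/361/EC: a *small*
# enterprise employs fewer than 50 persons and has a turnover or a balance
# sheet total of at most EUR 10 million. NIS2's general rule reaches
# entities that are not small, i.e. at least medium-sized.
SMALL_HEADCOUNT_LIMIT = 50
SMALL_FINANCIAL_CEILING_EUR = 10_000_000


@dataclass
class Enterprise:
    name: str
    headcount: float
    turnover_eur: float
    balance_sheet_eur: float
    # Linked enterprises (Art. 3(3)): one controls the other, or a third
    # party controls both. Their figures are counted in full.
    linked: List["Enterprise"] = field(default_factory=list)
    # Partner enterprises (Art. 3(2)): holdings of 25% to 50% in either
    # direction. Their figures are counted pro rata to the holding.
    partners: List[Tuple["Enterprise", float]] = field(default_factory=list)


def aggregate_figures(e: Enterprise) -> Tuple[float, float, float]:
    """Headcount, turnover and balance sheet with the group brought in.

    Simplification (an assumption of this example): one level of linkage
    is followed and partner data is added only for the entity itself.
    """
    head, turn, bal = e.headcount, e.turnover_eur, e.balance_sheet_eur
    for other in e.linked:
        head += other.headcount
        turn += other.turnover_eur
        bal += other.balance_sheet_eur
    for other, share in e.partners:
        head += other.headcount * share
        turn += other.turnover_eur * share
        bal += other.balance_sheet_eur * share
    return head, turn, bal


def is_small(head: float, turn: float, bal: float) -> bool:
    """Small = under 50 staff AND (turnover OR balance sheet within ceiling)."""
    return head < SMALL_HEADCOUNT_LIMIT and (
        turn <= SMALL_FINANCIAL_CEILING_EUR or bal <= SMALL_FINANCIAL_CEILING_EUR
    )


def meets_nis2_size_condition(e: Enterprise, assessed_alone: bool = False) -> bool:
    """True when the entity counts as at least medium-sized for NIS2.

    assessed_alone=True models a Member State that lets a genuinely
    independent subsidiary leave the group's figures out (Recital 16).
    The default is the plain Recommendation calculation.
    """
    if assessed_alone:
        figures = (e.headcount, e.turnover_eur, e.balance_sheet_eur)
    else:
        figures = aggregate_figures(e)
    return not is_small(*figures)


# Constructed figures for the article's two sister companies.
COMPANY_A = Enterprise("Company A", headcount=400,
                       turnover_eur=60_000_000, balance_sheet_eur=45_000_000)
COMPANY_B = Enterprise("Company B", headcount=30,
                       turnover_eur=4_000_000, balance_sheet_eur=3_000_000)
# Sisters under one parent are linked through that parent, so Company B
# must count Company A in full (the holding parent is assumed to add nothing).
COMPANY_B.linked.append(COMPANY_A)


def company_b_in_scope_by_size(assessed_alone: bool = False) -> bool:
    """The size limb of the scope test for Company B, with or without the group."""
    return meets_nis2_size_condition(COMPANY_B, assessed_alone)


if __name__ == "__main__":
    print("Company B on its own figures :", company_b_in_scope_by_size(assessed_alone=True))
    print("Company B with group figures :", company_b_in_scope_by_size())
```

Run alone, Company B stays small and the size condition is not met; the moment the linked sister is brought in, the aggregated headcount is 430 and the condition is met. The `assessed_alone` switch is the whole difference between a Member State that transposed the independence exception and one that did not; whether a given subsidiary may use that switch is the question the rest of the article is about.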

The directive, however, leaves a door open, and it leaves it to the Member States to decide whether to walk through it. Recital 16 accepts that adding in the whole group’s figures can be disproportionate where a subsidiary is genuinely independent of its group, in particular where it runs its own network and information systems. On that basis it allows a Member State to take that independence into account and to treat the subsidiary, despite the group, as falling below the size threshold. This is however an opportunity, not a requirement to be transposed. A recital does not create a standalone operative rule. It may guide interpretation, but it does not by itself give a company a defence unless the national law gives that idea legal effect. Whether this opportunity is present at national level depends entirely on whether the Member State in question wrote that possibility into its national law, and on the terms it chose when it did. Some did. Some did not. And with that, the answer for Company B stops being a question about the NIS2 directive itself and becomes a question about where Company B happens to sit.

III. Five Member States, five approaches

If anything saves a subsidiary from the group’s figures, it is independence, so the facts about Company B that matter from here are the ones that measure how independent it really is. Company B runs its own information systems: its own infrastructure, its own identity management, its own security monitoring, none of it shared with the rest of the group. It serves its own clients. The single exception is one engagement it delivers jointly with Company A, for a shared client, through a defined and self-contained interface that keeps the two companies’ systems apart. On those facts, Company B sets off across the five Member States.

Bulgaria is the simplest case, because Bulgaria did not open the door. Its transposition (Закон за изменение и допълнение на Закона за киберсигурност, обн. ДВ, бр. 17 от 2026 г.) applies the group calculation and stops there, with no provision allowing a subsidiary’s independence to be weighed against the consolidated figures. Company B is counted with its group, the group is large, and Company B is in scope. Everything that is true about how separately it runs its systems is, in Bulgaria, beside the point.

Germany opened the door, and linked it to systems. Under the German transposition (Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Regelung wesentlicher Grundzüge des Informationssicherheitsmanagements in der Bundesverwaltung vom 05.12.2025), the figures of linked enterprises are left out of the calculation where the entity, judged by the legal, economic and factual circumstances of how its information technology systems are built and run, is independent of its group. In substance, the question German law asks is who runs the entity’s systems. Company B runs its own. The reading is not beyond challenge: the same test weighs legal and economic circumstances, and on those a wholly owned subsidiary answers to its parent. What the provision puts its weight on, however, is the operation of the systems, and there Company B is separate. The group’s figures fall away, Company B stands on its own modest size, and it falls outside the directive. The joint engagement with Company A makes no difference, because German law is looking at the systems, and the systems remain Company B’s own.

Poland opened the door wider still. The Polish transposition (Ustawa z dnia 23 stycznia 2026 r. o zmianie ustawy o krajowym systemie cyberbezpieczeństwa oraz niektórych innych ustaw) lets a subsidiary out of the group calculation on either of two independent grounds: that its information systems are independent of the group’s, or that it does not provide its services jointly with the group. The two grounds are joined by “or”, and either one is enough on its own. Company B satisfies the first on the same facts that rescued it in Germany. It fails the second, because of the joint engagement with Company A. In Poland that failure costs it nothing, one ground being sufficient, and Company B is again out of scope.

Italy opened the door and made it narrow. The Italian transposition (Decreto legislativo 4 settembre 2024, n. 138) creates a safeguard clause, applied by the national cybersecurity authority under criteria fixed by decree. In practical terms, those criteria appear to require independence both in the network and information systems used and in the activities and services provided. Company B’s systems are its own, which carries the first half. The joint engagement with Company A defeats the second. Because Italy requires both, that single shared service is enough to keep Company B in scope, and the very facts that were immaterial in Germany and forgivable in Poland are, in Italy, decisive.

Belgium opened the door but kept its hand on it. Belgian law (loi du 26 avril 2024 établissant un cadre pour la cybersécurité des réseaux et des systèmes d’information d’intérêt général pour la sécurité publique) allows the regulator, where strict consolidation would be disproportionate, to take account of a subsidiary’s independence in both its systems and the services it provides. Two things set it apart. Independence is assessed by the regulator rather than asserted by the company, and the burden of demonstrating it rests on the company that wants the benefit. Company B’s own systems would help its case, and the joint engagement with Company A would count against it. Where the balance falls is not something the text settles in advance: it is left to the regulator’s judgement. Belgium therefore does not give Company B an automatic answer. It gives it an argument to submit.

Five Member States, one company, and the results fall into a pattern more orderly than the variety first suggests. Where a State did not transpose the independence exception at all, the subsidiary is in, and nothing about how it is run will change that. Where a State tied the exception to the systems alone, or to systems or joint service in the alternative, the subsidiary that runs its own systems is out. Where a State required independence of both systems and services, a single shared engagement puts the subsidiary back in. Where the State left the matter to its regulator, the answer is whatever the regulator decides. What separates Company B’s freedom from its regulation is, in the end, a drafting choice: whether a national legislature wrote “and” or “or”, and whether it looked at services at all.

One uncertainty runs beneath all of this, and even the Member States that opened the door left it unaddressed. Even where Member States enacted the exception, most did not fully settle what independence is measured against: only the systems used to provide the regulated service, the whole IT environment, or the group-level services on which the subsidiary depends. The same subsidiary can pass or fail on that question alone, and the texts are silent on it.

IV. What the divergence means in practice

Two conclusions follow, and the second matters more than the first.

The first is the one the story was told to make. Whether a subsidiary falls within NIS2 is not a question it can answer about itself. The answer depends on figures that belong to the whole group, on whether the subsidiary’s Member State chose to soften that arithmetic, and on the precise words it used if it did. A subsidiary that assesses itself alone is not being cautious. It is guessing, and in the story that guess is wrong in two of the five States and unsafe in a third. The assessment belongs at group level, made once, centrally, with the map of national divergence in front of whoever makes it.

The second conclusion is the practical one, and it concerns how little the independence exception is likely to be worth in real life. On paper it offers a way out: a subsidiary that runs its own systems sees the group’s figures fall away. But independence of systems describes a subsidiary that shares nothing, and that is not how groups are built. A company that acquires or creates a subsidiary integrates it, because integration is the point. The subsidiary is folded into the group’s Active Directory, put on the group’s Microsoft 365 tenancy, run through the same SAP and the same CRM, watched by the same security team, staffed in part by the same people. Shared licences, shared platforms and shared talent are not failures of separation. They are the ordinary economics of owning more than one company. A subsidiary genuinely independent in its systems is, in most groups, an accident rather than a design.

So the exception, where it exists at all, will rarely reach the companies that would most like to use it, because the very integration that makes a group efficient is the integration that defeats the claim to independence. And even the rare subsidiary that could make the claim runs into the gap the texts never closed: none of the States that enacted the exception said what independence is measured against, which leaves the question to the authority applying the rule, country by country, with no settled answer to point to.

The result is an exception that looks generous on the page and proves thin in practice. It exists in some States and not in others, it is defined differently in each that has it, and whether a given subsidiary qualifies is, in more places than not, left to a regulator’s judgement rather than settled by a rule. The danger in that is quieter than it first looks. It is not that a group studies five transpositions and chooses the wrong one. It is that the exception, visible on the page in its own Member State, gives a group a reason to believe a subsidiary sits outside the directive. The groups drawn to that belief are the integrated ones, sharing an Active Directory, a Microsoft tenancy and a security team across their subsidiaries, because those are the groups carrying the consolidated figures they would most like to escape. They are, for that same reason, the groups least able to show the independence the exception demands. The exception is read most hopefully by the companies that qualify for it least, and a hopeful reading is how a group arrives, in writing, at the wrong answer.

And there is a further turn, which belongs to another discussion. The independence the exception rewards is not a fixed feature of a company. It shifts with what the company does. The moment two sisters bid together, deliver a service jointly, or share the infrastructure that delivery needs, that independence thins, and a subsidiary that sat outside the directive can be drawn back inside it. How scope moves when companies in the same group go to market together is a question of its own, and one worth taking up separately.


Iveta Yuskeselieva

Technology Legal Counsel

Writing on technology law across the EU, UK, and US — software licensing, AI, cybersecurity, and the commercial questions that sit between them.