The EU NIS2 Directive and intra-group IT services - DataBreaches.Net

"While the NIS2 Directive remains to be implemented in several EU Member States, including Germany, companies should use the time to assess whether they fall within the scope of the Directive and prepare for its implementation. When making this assessment, particular attention should be paid to entities providing IT services within the corporate group. Where a corporate group considers out-sourcing or in-sourcing the IT services within the same group, it is also worthwhile considering the impact of NIS2."
"The NIS2 Directive applies in principle only to companies that exceed certain thresholds for employed persons and annual turnover. However, these thresholds are calculated in accordance with the Annex to Recommendation 2003/361/EC, which requires that data from the entire group, including partner and linked enterprises, be taken into account. Since intra-group IT service entities are often of limited headcount and annual turnover, they are easily overlooked as neither essential nor important entities."
The time remaining before NIS2 is implemented in several EU Member States gives companies room to determine whether they fall within the Directive's scope and to prepare accordingly. Entities providing IT services inside corporate groups require particular scrutiny, and outsourcing or insourcing IT services within a group can change applicability under NIS2. Applicability is tied to employee and turnover thresholds calculated per the Annex to Recommendation 2003/361/EC, which mandates inclusion of partner and linked enterprise data. Small intra-group IT units can therefore exceed the thresholds once group data are aggregated, so careful threshold calculations are essential to identify important or essential entities. DORA contains comparable provisions for financial groups.
Read at DataBreaches.Net