When does NIS2 apply to companies within a group?

13/06/2025

Intro

The new NIS2 directive introduces strict cybersecurity obligations for a wide range of sectors. Many companies assume it only applies to their "core" legal entity. But in practice, subsidiaries and support units within a corporate group may also fall under its scope.

This article explains how NIS2 affects group structures, why supporting entities matter, and how AltF7 — in collaboration with software experts like APPelit — helps organizations assess and manage their exposure.

What is NIS2 about?

NIS2 is the updated EU directive on cybersecurity for essential and important sectors. These include healthcare, energy, digital infrastructure, logistics, cloud services and managed IT providers.

Companies that fall within NIS2 must meet strict security standards, report incidents quickly, and comply with supervisory authorities.

What makes a group entity fall under NIS2?

The key point: NIS2 doesn't just apply to the legal entity delivering the essential service. It can also apply to other units within the same group that provide technical or operational support.

For example:

  • A subsidiary managing cloud infrastructure for a logistics provider

  • An internal IT department delivering cybersecurity for a hospital

  • A shared services unit responsible for software used by a regulated entity

If these units are critical to delivering essential services, they may fall under NIS2 — even if they don't face customers directly.

What does this mean in practice?

1. Legal ownership isn't enough

Supervision applies to function, not structure. If a unit enables critical services, it must meet the requirements.

2. Broader compliance responsibility

It's not just the "frontline" company that must comply. Any part of the group supporting the delivery chain may be affected.

3. Infrastructure and data location matter

If key data or systems are hosted elsewhere in the group, they fall within scope — and must be secured accordingly.

What steps should you take now?

AltF7 supports organizations with:

  • software and system audits across group entities

  • NIS2 gap assessments based on operational roles

  • compliance consulting for internal IT and shared services

  • technical implementation support in collaboration with APPelit

NIS2 isn't just legal — it's operational. It impacts how your teams and technology are set up.

The real question isn't whether NIS2 applies to your group — it's whether your supporting units are fully prepared. Hidden dependencies can lead to overlooked compliance risks.

Need clarity on your group's NIS2 exposure? Contact AltF7 for an independent assessment and expert advice tailored to your structure.