NIS2 Enforcement Begins: What US IT Providers Serving EU Clients Must Know

The EU's updated Network and Information Security Directive expands scope to cover IT service providers — including non-EU companies that serve EU clients.

March 3, 2026 · Compliance

The NIS2 Directive (Directive 2022/2555) replaced the original NIS Directive across EU member states, with national transposition deadlines falling throughout 2024-2025 and enforcement actions beginning in early 2026. For US-based IT service providers, NIS2 introduces a new dimension of compliance risk: extraterritorial applicability.

Under NIS2, managed IT service providers and managed security service providers are classified as "essential" or "important" entities, depending on their size and the sectors they serve. Critically, this classification applies to non-EU providers that deliver services to entities within the EU.

Who's in scope

NIS2 significantly expands the number of sectors and entity types subject to cybersecurity obligations. For IT service providers, the relevant categories include:

The size thresholds are relatively low: medium-sized enterprises (50+ employees or €10M+ turnover) in covered sectors fall under NIS2 obligations. Smaller MSPs may still be in scope if member states designate them based on criticality criteria.

Extraterritorial reach

NIS2 Article 26 establishes jurisdiction over non-EU entities that provide services within the EU. A US-based MSP managing infrastructure for a German manufacturing client is potentially subject to the directive. The practical enforcement mechanism is through the EU client: if the client is an essential or important entity under NIS2, their supply chain cybersecurity obligations extend to their IT service providers, regardless of where those providers are headquartered.

This means US MSPs serving EU clients may face:

NIS2 doesn't ask where your company is incorporated. It asks where your services are consumed. If that answer includes the EU, you're potentially in scope.

Core obligations under Article 21

NIS2 Article 21 specifies minimum cybersecurity risk management measures that apply to covered entities and, by extension, their service providers:

RequirementWhat it means for MSPs
Risk analysis and security policiesDocumented risk assessment process and security policies covering services delivered to EU clients
Incident handlingDefined incident detection, response, and reporting procedures with 24/72-hour notification capability
Business continuityBackup management, disaster recovery, and crisis management plans
Supply chain securityAssessment of your own suppliers' cybersecurity — the obligation cascades
Vulnerability handlingVulnerability disclosure and management processes
EncryptionUse of cryptography and encryption policies
Access controlHuman resources security, access control policies, asset management
MFA and secure communicationsMulti-factor authentication, secured voice/video/text, secured emergency communications

Penalties

NIS2 introduces GDPR-style penalties: up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% of turnover for important entities. Member states can also impose personal liability on management bodies that fail to oversee cybersecurity risk management.

For US MSPs, the penalty risk is primarily indirect — through contractual liability to EU clients who face regulatory action due to provider deficiencies. However, direct regulatory action is possible for providers that member states classify as operating within their jurisdiction.

What US MSPs should do now

NIS2 preparation checklist