The NIS2 Directive (Directive 2022/2555) replaced the original NIS Directive across EU member states, with national transposition deadlines falling throughout 2024-2025 and enforcement actions beginning in early 2026. For US-based IT service providers, NIS2 introduces a new dimension of compliance risk: extraterritorial applicability.
Under NIS2, managed IT service providers and managed security service providers are classified as "essential" or "important" entities, depending on their size and the sectors they serve. Critically, this classification applies to non-EU providers that deliver services to entities within the EU.
Who's in scope
NIS2 significantly expands the number of sectors and entity types subject to cybersecurity obligations. For IT service providers, the relevant categories include:
- Managed service providers (MSPs) — explicitly listed as "important entities" under NIS2
- Managed security service providers (MSSPs) — added as a separate category, classified as "essential entities"
- Cloud computing service providers — essential entities
- Data centre service providers — essential entities
- DNS service providers and TLD name registries — essential entities
The size thresholds are relatively low: medium-sized enterprises (50+ employees or €10M+ turnover) in covered sectors fall under NIS2 obligations. Smaller MSPs may still be in scope if member states designate them based on criticality criteria.
Extraterritorial reach
NIS2 Article 26 establishes jurisdiction over non-EU entities that provide services within the EU. A US-based MSP managing infrastructure for a German manufacturing client is potentially subject to the directive. The practical enforcement mechanism is through the EU client: if the client is an essential or important entity under NIS2, their supply chain cybersecurity obligations extend to their IT service providers, regardless of where those providers are headquartered.
This means US MSPs serving EU clients may face:
- Contractual requirements to implement specific cybersecurity measures aligned with NIS2 Article 21
- Incident notification obligations — significant incidents must be reported within 24 hours (early warning) and 72 hours (full notification)
- Supply chain security requirements, including documenting cybersecurity practices for the client's compliance evidence
- Potential direct regulatory oversight if the provider is deemed to serve critical sectors in the EU
NIS2 doesn't ask where your company is incorporated. It asks where your services are consumed. If that answer includes the EU, you're potentially in scope.
Core obligations under Article 21
NIS2 Article 21 specifies minimum cybersecurity risk management measures that apply to covered entities and, by extension, their service providers:
| Requirement | What it means for MSPs |
|---|---|
| Risk analysis and security policies | Documented risk assessment process and security policies covering services delivered to EU clients |
| Incident handling | Defined incident detection, response, and reporting procedures with 24/72-hour notification capability |
| Business continuity | Backup management, disaster recovery, and crisis management plans |
| Supply chain security | Assessment of your own suppliers' cybersecurity — the obligation cascades |
| Vulnerability handling | Vulnerability disclosure and management processes |
| Encryption | Use of cryptography and encryption policies |
| Access control | Human resources security, access control policies, asset management |
| MFA and secure communications | Multi-factor authentication, secured voice/video/text, secured emergency communications |
Penalties
NIS2 introduces GDPR-style penalties: up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% of turnover for important entities. Member states can also impose personal liability on management bodies that fail to oversee cybersecurity risk management.
For US MSPs, the penalty risk is primarily indirect — through contractual liability to EU clients who face regulatory action due to provider deficiencies. However, direct regulatory action is possible for providers that member states classify as operating within their jurisdiction.
What US MSPs should do now
NIS2 preparation checklist
- Inventory EU client relationships — identify which clients are essential or important entities under NIS2 and which member state jurisdictions apply
- Review contracts — expect EU clients to add NIS2 compliance clauses; prepare to meet Article 21 requirements contractually
- Establish 24/72-hour incident notification capability — this is significantly faster than most US providers currently support
- Document your supply chain — NIS2's supply chain requirements cascade; you need to demonstrate cybersecurity oversight of your own vendors
- Consider ISO 27001 certification — the directive explicitly references international standards, and ISO 27001 maps well to Article 21 requirements
- Designate an EU representative — if your exposure is significant, NIS2 may require a designated representative in an EU member state