Territorial scope of NIS-2 – When does the German BSIG apply to managed service providers (MSPs) from third countries?

In a previous article (only available in German), we addressed the question of who qualifies as a managed service provider (MSP) or managed security service provider (MSSP) under the amended German Act on the Federal Office for Information Security and on information security in entities (BSI Act – BSIG) (Note: There is currently no official English translation of the current version of the BSIG. However, there is at least a machine translation by the EU.). If a company within a group of companies is centrally responsible for the operation of the group's IT, it can be classified as an MSP and thus as an important or particularly important entity within the meaning of Sec. 28 para. 1 no. 4 and/or Sec. 28 para. 2 no. 3 BSIG – provided that it falls within the scope of the BSIG.

The (territorial) scope of application of the BSIG

But when is the BSIG territorially applicable at all? This question arises in particular because corporate groups are often characterized by transnational structures. Can companies in a group also be classified as particularly important and/or important entities within the meaning of the BSIG if one of the group companies is located in Germany, but the company responsible for the IT operations of the entire group is located in India, for example?

The BSIG itself does not provide any information on the extent of its scope of application. There is simply no provision dealing with the territorial scope of application. It stands to reason that the BSIG extends to the territorial jurisdiction of the Federal Republic of Germany.

The (territorial) scope of application of the NIS 2 Directive

The relevant provisions of the BSIG are based largely on the implementation of the NIS 2 Directive. One could therefore consider looking to the NIS 2 Directive for an answer to the above question.

According to Art. 2 para. 1 subpara. 1 NIS 2 Directive, this Directive applies “to public or private entities of a type referred to in Annex I or II which qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC, or exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article, and which provide their services or carry out their activities within the Union”.

What does “provide their services […] within the Union” mean?

The decisive factor for determining the (territorial) scope of the NIS 2 Directive is therefore whether an entity provides “their services […] within the Union”. This criterion can be read in two ways: either the service in question (here: the managed service and/or the managed security service) must itself be provided from within the European Union, or the provision of services from a third country is also sufficient. In other words, does the criterion of service provision depend on the MSP itself being located in Germany (= the MSP is located in the European Union or in Germany and provides its services to other group companies located there), or is service provision also affirmed if the MSP is located in a third country (= the MSP company of a group is based in India, for example, and manages the IT of the other group companies in Europe or Germany from there)? In the latter case, the territorial scope of the NIS 2 Directive, and thus of the BSIG, would also apply if the MSP and/or MSSP is located in a third country.

The wording “provide their services […] within the Union,” which also appears in other digital legislation (see, for example, Rec. 12 sen. 5 CRA or Rec. 123 sen. 2 DSA), does not require the MSP and/or MSSP itself to be established in a Member State of the Union. This is already supported by the fact that Art. 2 para. 1 subpara. 1 NIS-2 Directive – unlike, for example, Art. 3 para. 1 GDPR – does not mention the existence of an establishment as a prerequisite.

In addition, the NIS-2 Directive provides for the concept of a representative for entities not established in the Union (more information on this topic can be found here). According to Art. 26 para. 3 sen. 1 NIS 2 Directive, an entity within the meaning of Art. 26 para. 1 lit. b) NIS 2 Directive must appoint a representative in the Union if it is not established in the Union but offers services within the Union (see also Rec. 116 first sentence NIS-2 Directive). The entities referred to in Art. 26 para. 1 lit. b) NIS-2 Directive include, among others, managed service providers and managed security service providers.

In summary, this means that an MSP or MSSP does not need to have an establishment in the European Union in order to fall within the (territorial) scope of the NIS 2 Directive. What is more important is that it provides its services within the Union.

However, the wording “provides its services […] within the Union” is not necessarily fulfilled in every case. Rec. 116 para. 3 and 4 NIS 2 Directive lists various assessment criteria for determining when services are provided in the Union:

The following is not sufficient:

  • mere accessibility of the entity’s or an intermediary’s website or of an email address or other contact details in the Union; and/or
  • use of a language generally used in the third country where the entity is established.

The following may be sufficient:

  • use of a language or a currency generally used in one or more Member States with the possibility of ordering services in that language; and/or
  • mentioning of customers or users who are in the Union.

If, for example, an MSP and/or MSSP of a group of companies is located in India and provides its IT/IT security-related services to companies in the group in Germany from there, it may still fall within the scope of the BSIG and qualify as a particularly important and/or important entity under Sec. 28.

Conclusion & recommendations

Even groups of companies that operate primarily from outside the Union or only have a (non-decisive) establishment in Germany should therefore familiarize themselves with the new IT security regulations and check whether they too may fulfill the definition of an entity – in particular that of an MSP and/or MSSP.

It is interesting to note that Art. 26 para. 2 sen. 2 NIS 2 Directive provides for the distribution of responsibilities among authorities precisely for this case of no main establishment in the Union. In any event, the responsibility of the respective authority should not prevent such constellations from being addressed and dealt with.

Lawyer, Specialised Lawyer in IT Law, Senior Associate
Johannes Zwerschke, LL.M.
