
4 November 2025

NIS2 directive explained: Part 1 - Main establishment rules

Introduction

The NIS2 Directive marks a significant evolution in the European Union’s approach to cybersecurity, introducing more stringent requirements and expanding the scope of covered sectors to address emerging digital threats. For organisations operating across multiple EU Member States, navigating these changes is vital, not only for compliance but also for maintaining robust security and capitalising on new digital opportunities.

This insight, part of a three-part series on NIS2 by DLA Piper, focuses on the main establishment exemption within the NIS2 Directive—a key provision that enables certain businesses providing essential or important digital services in several Member States to streamline their obligations by interacting with a single regulatory authority.


The Main Establishment Exemption

Who Can Avail of the Main Establishment Exemption

Under NIS2, the main establishment exemption applies to specified categories of essential or important entities that typically provide services across multiple EU Member States, such as cloud service providers, managed service providers, DNS service providers and online platforms. These organisations are deemed to fall under the jurisdiction of the Member State in which they have their main establishment, so they interact with a single competent authority in the EU rather than a regulator in every Member State where they operate, potentially simplifying compliance and reporting obligations. It is particularly relevant for companies with cross-border operations, where the expected result is reduced administrative complexity and a more consistent regulatory approach.

What Does It Mean

The concept of a “main establishment” will generally refer to the location within the EU where strategic decisions on cybersecurity risk management are made and implemented. It is not simply the registered office or headquarters; we can expect regulators to look for substantive control over governance and operational execution. The exemption ensures that oversight is centralised, preventing fragmented enforcement and enabling organisations to manage incident reporting and compliance obligations through one lead authority. This approach promotes efficiency and predictability for entities operating in several jurisdictions.

The Three-Step Waterfall Test

To determine the main establishment under NIS2, organisations apply a three-step waterfall test:

  1. Primary Criterion: The Member State where decisions on cybersecurity risk-management measures are predominantly taken.
  2. Secondary Criterion: If that cannot be determined (or those decisions are not taken in the EU), the Member State where cybersecurity operational activities are primarily carried out.
  3. Tertiary Criterion: If still indeterminate, the Member State in which the entity has the establishment with the highest number of employees in the EU.

Strengths of the Exemption

  • Regulatory Simplification: Instead of facing different rules and authorities in each country, businesses interact with just one main regulator.

  • Consistent Enforcement: Having a single regulatory authority responsible ensures that companies are not faced with inconsistent guidance or contradictory decisions across the EU. This clarity enables organisations operating in multiple countries to better understand their obligations, resulting in more streamlined and effective compliance.

  • Streamlined Operations: By consolidating incident reporting and compliance tasks into a single process, organisations can respond to cybersecurity incidents more promptly and efficiently. This unified approach supports quicker decision-making and enhances adaptability in the face of emerging threats.

  • Facilitates Expansion Across Borders: Eliminating the need to navigate separate regulatory frameworks in each EU Member State simplifies the process for businesses seeking to offer digital services in multiple countries. The exemption lowers administrative barriers, making it easier for companies to grow and operate throughout the European market.

Challenges of the Exemption

  • Determining Main Establishment: Applying the three-step waterfall test can be complex, especially for organisations with decentralised structures or shared decision-making across multiple locations, or when headcounts change. It is also unclear whether the main establishment must shift if the decisive factor (e.g. the location where cybersecurity decisions are made) moves to another Member State during a governance restructure.

  • Regulatory Scrutiny: Authorities may closely examine claims about where substantive control and decision-making occur, potentially leading to disputes or delays.

  • Adapting Governance Structures: Businesses may need to adjust internal governance and reporting lines to align with the requirements for designating a main establishment, which could require significant organisational changes.

  • Local Law Variances: While the benefits of the exemption mean that a group company should be able to follow the local transposition of NIS2 in the jurisdiction of their main establishment, group entities located in other Member States may come under pressure from local customers and professional associations to follow the transposition of NIS2 (and any related guidance) in the jurisdiction where they are actually located. This issue is especially challenging due to inconsistent NIS2 implementation across Member States, a drawback of it being a directive rather than a regulation.

  • Management Bodies: It isn’t yet clear whether a group benefiting from the exemption will be able to allocate the NIS2 management body role to a single management body at the entity of its main establishment, or whether each entity providing the in-scope service across the group will need its own management body. While the latter may aid local accountability, it could reduce the benefits of a single regulator.

  • Non-EU Entities: It is noted that the main establishment exemption only applies to companies with an establishment in the EU. Companies established solely outside the EU must instead appoint a representative within the Union, adding another layer of compliance and potential cost.


Conclusion

The main establishment exemption under NIS2 is a powerful compliance simplifier for eligible digital service providers, but its narrow scope, interpretative gaps, and reliance on national implementation mean it’s not a universal solution. Organisations should document their rationale for main establishment selection and maintain evidence of governance structures to defend their position if challenged. Since this is likely to be an area of varying interpretation across EU Member States, we also recommend that organisations keep a close eye on developing jurisprudence and local law guidance in this space.
