NIS2 and the ICT Service Management (B2B) Sector
Managed service providers (MSPs) and managed security service providers (MSSPs) serving B2B clients are covered under NIS2 Annex I. Their privileged access to client systems makes them high-risk vectors for supply-chain attacks.
Key cyber risks in ICT Service Management (B2B)
- Lateral movement through MSP access to client environments
- Credential compromise affecting multiple client organisations
- RMM (remote monitoring and management) tool exploitation
- Insufficient client isolation in shared infrastructure
Focus obligations for ICT Service Management (B2B)
- Strict access control and zero-trust architecture
- 72-hour incident notification to national authority
- Client contract security clauses
- Incident response plans covering client impact
Who is covered?
Examples of in-scope organisation types:
- Managed service providers (MSPs)
- Managed security service providers (MSSPs)
- IT outsourcing firms serving critical-sector clients
- Network operations centre (NOC) operators
Frequently asked questions
Is the ICT Service Management (B2B) sector covered by NIS2?
Yes. The ICT Service Management (B2B) sector is listed in NIS2 Annex I (highly critical sectors). Medium and large organisations in this sector must comply with NIS2 obligations.
Are ICT Service Management (B2B) organisations Essential or Important Entities?
Under NIS2, large ICT Service Management (B2B) organisations are typically Essential Entities. Medium-sized ICT Service Management (B2B) organisations are Important Entities. The distinction affects supervisory intensity and fine levels.
What are the key NIS2 obligations for the ICT Service Management (B2B) sector?
The key obligations are strict access control and zero-trust architecture; 72-hour incident notification to national authority; client contract security clauses; and incident response plans covering client impact. Obligations apply under NIS2 Articles 21 (security measures) and 23 (incident reporting).
Which national authorities supervise NIS2 for ICT Service Management (B2B) in each EU country?
Each EU member state designates a national competent authority for NIS2. Visit any country page on NISDESK to see the specific authority and CSIRT for the ICT Service Management (B2B) sector in that country.
For decision-support purposes only. Exact scope depends on national transposition.