12 November 20244 minute read

The one-stop-shop mechanism in the NIS2 Directive

Guidance for companies on identifying the main establishment

Under the NIS2 Directive, entities that fall within its scope have to register on the Italian National Cybersecurity Agency (ACN) portal. They have to provide the information specified in the Italian Legislative Decree No. 138/2024. And some digital service providers might have to indicate the so-called “main establishment.”

In this article, we'll consider what a main establishment is with regard to digital service providers that also operate outside the national territory. They could be the recipients of the so-called “one-stop-shop” mechanism, aimed at streamlining applicable jurisdiction issues for companies.

 

What is “one-stop-shop” under NIS2 Directive

One of the most relevant themes NIS 2 Directive is the “one-stop-shop” mechanism. This mechanism provides that companies who may benefit from it will be subject to the exclusive jurisdiction of the EU member state in which they provide their services or, for specific categories that we will see below, in which they have their “main establishment.”

 

Who can benefit from the “one-stop-shop”?

According to Article 5 of the Decree, the mechanism applies to specific categories of digital service providers characterized by the cross-border nature of their services, including:

  • providers of public electronic communications networks or publicly available electronic communications services, which are deemed to be under the jurisdiction of the member state in which they provide their services;
  • public administration bodies, which are subject to the jurisdiction of the member state that established them;
  • DNS domain name system service providers, top-level domain name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, online search engines or social networking service platforms, which are instead subject to the jurisdiction of the member state where they have their main establishment in the EU.

So if your company falls into the latter category, it's crucial to correctly identify your “main establishment” in the EU.

 

How to identify the main establishment?

The NIS2 Directive provides for different ways of determining the main establishment. Specifically, it's considered to be the main establishment in the EU:

  • that of the member state in which decisions on IT security risk management measures are predominantly taken;
  • if it's not possible to determine the member state in which such decisions are taken or if they're not taken in the EU, the principal establishment is deemed to be the one located in the member state in which the IT security operations are carried out;
  • if this is also not possible, that of the member state in which the person concerned has the establishment with the largest number of employees in the EU.

If the entities referred to above aren't established in the EU territory but offer services within it, they have to designate a representative in the EU. The representative must be established in one of the member states where those services are offered and will be subject to that state's jurisdiction.

 

Challenges in identifying the main establishment

Many companies may find it difficult to define their main establishment with certainty according to the criteria just described, especially when cybersecurity decisions are decentralised and spread across several locations in the EU.

Pending specific clarifications by the competent national authorities, since the one-stop-shop mechanism in the context of digital services is also present in other EU regulatory instruments (such as the GDPR and the DSA), it's reasonable to consider the developments of the concept of principal establishment in the context of data protection. In this regard, it may be useful to refer to the guidelines of the European Data Protection Board (EDPB) on the one-stop-shop mechanism in the context of the GDPR.

According to the EDPB, the main establishment should be the place where decisions regarding the purposes and means of data processing are made, with the power to have them implemented. Transferring this concept to the NIS2 context, the main establishment would be the member state where strategic decisions on cyber risk management are made, with the power to impose their implementation.

However, if it's not possible to verify using the above criteria, it will always be possible to apply the more easily determinable criterion of the number of employees. In this scenario, the main establishment is be the member state with the largest number of employees in the EU.

 

Conclusions

The NIS2 Directive is still being transposed in several EU countries, creating a regulatory landscape that can generate uncertainty for businesses operating at the European or cross-border level. The one-stop-shop mechanism is an opportunity for businesses to simplify their compliance obligations, but they have to carefully analyse and prepare to take advantage of it.

Print