Prawo Nowych Technologii

no. 3/2024

Problems with the subjective scope of NIS2 directive on the example of managed service providers and cloud service providers

DOI: 10.32027/PNT.24.3.7
Agnieszka Wachowska
The author is an attorney-at-law, Co-Managing Partner at the law firm Traple Konarski Podrecki i Wspólnicy spółka jawna, and head of its IT law, cybersecurity and public procurement team
Konrad Basaj
The author is a trainee attorney-at-law and Junior Associate at the law firm Traple Konarski Podrecki i Wspólnicy, in its IT law, cybersecurity and public procurement team
Abstract

The NIS2 Directive significantly broadens its subjective scope compared with its predecessor by imposing cybersecurity obligations on new sectors and entities, including managed service providers and cloud service providers. However, the broad definitions used in NIS2 can lead to the inclusion of entities whose primary business is not within a sector specified in the directive, but which offer related services incidentally. The paper explores the interpretative challenges of defining managed service providers and cloud service providers under NIS2, highlighting potential issues for companies offering minor software solutions, such as simple web applications. Without specific guidelines, many entities may face disproportionate regulatory burdens, even if their impact on cybersecurity, broadly understood, is minimal.

Keywords
NIS2, managed service providers, MSP, cloud service providers, cybersecurity, subjective scope, software, SaaS