Are Subsidiaries Counted Separately Under NIS 2 or Do They Roll Into the Parent Entity?
When you’re leading information security for a group structured across the EU, the core scoping question under the NIS 2 Directive is as strategic as it is operational: Are subsidiaries subject to NIS 2 requirements directly, or can a parent company’s compliance programme “cover” multiple legal entities? The stakes run from board-level accountability to the very foundation of your group’s compliance risk posture.
Every legal entity, parent or subsidiary, is directly accountable under NIS 2. Group-wide compliance doesn’t shield individual subsidiaries from obligations.
NIS 2 Compliance Is Assessed Per Legal Entity, Not at Group Level
NIS 2 applies at the level of legal entities. Each subsidiary or group company must be individually assessed against the size, activity, and criticality thresholds set out in the directive, regardless of whether the parent company is compliant or centrally certified.
This strategic split is more than technical: central policies, board oversight, and audit documentation must be mapped back to each entity that triggers scope, not simply rolled up in a group report. Neglecting this is the fastest way to introduce “hidden risk” into a complex group, even if your dashboards look green at headquarters.
Where Mistakes Happen: The Group-Think Trap
Multinational boards are often seduced by the efficiency of group-wide GRC, but regulators have flagged this as a root cause of compliance failure. Recent ENISA findings attribute 32% of group NIS 2 failures to missed subsidiary registration or lack of entity-level audit evidence, despite mature central policies. A missed entity is not a footnote; it is a vulnerability, and the gap always localises as an individual subsidiary’s risk.
What Does NIS 2 Legally Require: Can Parent Compliance Cover Subsidiaries?
One of the most persistent misconceptions in European compliance circles is that a parent company’s robust NIS 2 programme will create a de facto umbrella, “covering” all subsidiaries from scrutiny. But the directive is explicit: each qualifying legal entity must comply in its own right.
Parent company compliance cannot substitute for subsidiary compliance. Each entity is independently responsible for meeting its obligations.
What Do the Law and Regulators Say?
NIS 2 Articles 2 and 3 are categorical: each in-scope entity, by sector or by size, must be registered and must maintain its own compliance evidence: no umbrella, no shortcut. Group-level controls, policies, and certifications are useful for harmonisation, but they do not exempt subsidiaries from separate obligations or local audits.
How Does This Work for Cross-Border Groups?
For subsidiaries with cross-jurisdictional footprints, compliance actions and registrations must follow each relevant national regulation. There is no “one and done” registration or programme; fragmented legal entities demand evidence and registration, country by country.
The Real-World Risk: Omission
Insufficient subsidiary registration or missing local documentation is more than a technical issue. In 2024, 20% of EU group compliance diagnostics found unregistered in-scope entities, triggering pre-audit remediation and, in some cases, direct sector inquiries. The remedy is time-consuming and erodes trust, while regulatory fines are just the first consequence.
Each group company must assess and demonstrate NIS 2 compliance as if it were a standalone entity, even if controls and operations are shared.
Who’s Accountable: What Happens If Subsidiaries Get It Wrong?
Responsibility under NIS 2 is deliberately atomised. Non-registration, process weaknesses, or gaps in audit evidence fall squarely on the subsidiary as a legal entity, not on the parent company, unless the parent is itself an in-scope entity. For leaders and boards, this matters as much for governance as for enforcement.
Gaps at the subsidiary level lead to isolated enforcement. There’s no group immunity for mistakes made by individual entities.
How Is Exposure Assigned?
Enforcement is performed at the legal entity level. If a subsidiary violates NIS 2, whether through missing evidence, poor incident handling, or even inherited group-level errors, national authorities will pursue that specific entity’s leaders and directors for remediation and potential sanction.
Shared Controls: Not Sufficient Unless Localised
Subsidiaries that depend on central, group-level tools must still log entity-specific evidence, approvals, and audit trails. It’s not enough to point to a corporate-wide GRC platform; you must show granular, local logs, SoAs (Statements of Applicability), and named accountability for each subsidiary.
The NIS 2 audit expectation is “show your work”, subsidiary by subsidiary, not as a consolidated group snapshot.
If a gap is found, this structure allows authorities to issue targeted fines, corrective orders, or management accountability measures without engaging the wider group’s operation, unless, of course, the “miss” signals a broader systemic failure.
Can Groups Centralise Compliance or Does Each Subsidiary Need Its Own Programme?
Centralisation offers scale and consistency, but under NIS 2, it’s a nuanced play: centralise tooling and guidance, decentralise responsibility and evidence capture.
Over-centralisation leads to compliance passengers: unmapped entities that become blind spots. Auditors seek explicit subsidiary ownership.
Effective Use of Central Control
Regulators nod to common tooling, templates, and training delivered group-wide, as long as each subsidiary can show:
- A named, local compliance and security lead
- Entity-level risk registers, SoAs, and incident action logs
- Approval processes and evidence logs tagged to the individual entity
Best-in-class programmes use group platforms for automation and harmonisation, but enforce local adaptation and accountability.
Where Centralisation Fails
Problems emerge when group templates lack local sign-off, incident logs aren’t mapped to legal entities, or compliance actions ignore member state overlays. A central project dashboard, if not entity-specific, becomes a source of risk, not resilience.
Subsidiary non-compliance remains the single biggest audit gap in group structures, even with advanced, group-wide ISMS in place.
Are There National Differences: Does Country Matter for Subsidiary Scope?
NIS 2 strives for EU-wide harmonisation, but each member state transposes the directive with unique overlays and timing. Every member state expects direct registration and compliance at the local legal entity level, often with added local demands.
Always default to the strictest local guidance; over-register at the subsidiary level when in doubt.
Nuances by Member State
“First mover” countries like Italy have already enforced subsidiary-by-subsidiary registration regardless of group structure, while other states default to direct entity-level compliance pending full national rollout. Cross-border overlays occasionally duplicate work, so real-time monitoring of regulatory guidance is a must, not a nice-to-have.
Protecting Group Resilience
- Track both EU and national regulations closely
- Secure locally experienced legal counsel
- Register every potentially in-scope subsidiary independently; regulators scrutinise gaps more severely than over-preparation
A single overlooked local requirement can compromise multi-year investments in group risk management within months.
Does Sector Affect How Subsidiaries Are Scoped or Audited?
Sector overlays under NIS 2 are decisive. “High criticality” sectors such as health, energy, finance, and digital infrastructure can trigger compliance even for subsidiaries that don’t meet normal size thresholds.
In critical sectors, small or newly acquired subsidiaries can be pulled into full NIS 2 obligations for sector reasons rather than size.
Sector Example Table: How NIS 2 Scoping Changes by Sector and Subsidiary Profile
Every group must confirm the sector status of each subsidiary:
| Subsidiary | Sector | Register Required? | Extra Steps |
|---|---|---|---|
| Large (100+) | Telecom | Yes | Sector overlays; enhanced incident reporting |
| Small (15) | Healthcare | Yes | Localised incident logs; stricter timing on board review |
| Medium (50) | SaaS/Cloud | Sometimes | Confirm sector specifics; compliance not always required |
| Acquisition | Transport | Often | Must align and register within 6 months post-acquisition |
Small subsidiaries in energy and telecom are often surprised by their scoping: sector outweighs size. The audit is always local.
Uniform compliance can’t be assumed; sector overlays shift compliance boundaries for entire group portfolios.
Adapt Audit Plans to Sector
- Confirm sector overlays for every subsidiary, not just at parent level
- Map entity-level risk registers, incident reports, and evidence logs to sector requirements
- Double-check incident response and board approval timing for regulated sectors; requirements get stricter
Entity-Level Traceability Table & ISO 27001 Bridge: How Do You Prove Each Subsidiary’s Compliance?
Your compliance success hinges not on policy harmonisation but on traceability; regulators and auditors expect every subsidiary to have a visible, continuous evidence trail. Gaps or confusion about “who owns what” will become bottlenecks at audit or in the event of a breach.
Half of group NIS 2 audit failures last year resulted from missing or inadequately mapped subsidiary SoA and evidence, not policy gaps.
How to Build Unambiguous Traceability
Audit panels and regulators apply four key tests to subsidiary traceability:
- Scope Event: What triggered the subsidiary’s NIS 2 obligation?
- Risk Response: What risk assessment or update did this trigger?
- Control Mapping: Which controls were put in place, by whom, mapped to which entity?
- Evidence and Logging: What tangible evidence (logs, approvals) was generated at the right level?
Traceability Table Example
| Trigger | Risk Update | Control / SoA | Evidence Logged |
|---|---|---|---|
| 50 FTE mark breached | Subsidiary marked in-scope | ISMS Policy A.5.1 | Registered lead; SoA; roll call |
| Small, energy sector, critical | Sector overlay applied | Sector Control Policy | Sector overlay log; audit docs |
| Transport acquisition | On-boarding due diligence | M&A Controls | Board minute; asset inventory log |
ISO 27001 Bridge Table: Expectation to Operationalisation
| NIS 2 Expectation | ISMS.online Tech / Practice | ISO 27001/Annex A Control |
|---|---|---|
| Entity registration (local layer) | Compliance workflows per entity | Clause 4.3, A.5.1 |
| Audit logs (unique, per entity) | Separate SoA, evidence per entity | A.5.1, A.5.35, A.8.34 |
| Sector overlays (localisation) | Mapping to sector overlays | A.5.19, A.5.21 |
Subsidiary compliance is proven only when controls, responsible owners, and evidence can be mapped directly: no links, no audit pass.
Start Mapping Subsidiary Scope and Evidence in ISMS.online Today
Your next audit or tender will demand more than group-wide assurance language: auditors will expect to walk entity by entity, through independently registered subsidiaries, sector overlays, and live evidence logs.
ISMS.online equips group structures to map every subsidiary, assign local owners, trace every piece of evidence, and maintain a single compliance dashboard that reflects every national and sector requirement, without losing the benefit of harmonised workflows.
In 2024, over 1,000 group structures in the EU closed discovery gaps and eliminated missed-entity risk using ISMS.online’s compliance framework.
Snapshots: How to Achieve Group-Resilient Compliance
- Map every subsidiary, no matter how small or new
- Assign a live compliance owner for each entity
- Hire or retain local expertise to navigate national overlays in every country
- Ensure every log, SoA, risk response, and incident plan is traceable to that entity, not just to HQ
- Run central dashboards, but supplement with entity-level views and documentation
Start now. The least visible entity is often the first cause of group exposure, and the weakest link in your compliance chain rarely stays silent for long.
Confidently prepare for NIS 2 audits and national regulator requests by mapping every subsidiary and sector overlay with ISMS.online, so each in-scope legal entity is covered, every control is defensible, and your group leads the way with entity-specific, audit-ready compliance.
Frequently Asked Questions
How does NIS 2 determine if subsidiaries require separate compliance, or can the parent company’s programme alone suffice?
NIS 2 requires that each legal entity in a group, parent or subsidiary, is individually assessed and held accountable for its own compliance, regardless of how central programmes or documentation are managed.
If a subsidiary meets local thresholds for size, sector, or risk, it cannot simply “inherit” the parent’s compliance programme. ENISA confirms this: every qualifying company must complete its own registration and risk assessments, and maintain live audit trails, even if group policies help with harmonisation (ENISA, 2024). From an auditor’s perspective, there’s no “blanket” coverage: subsidiaries must show local evidence, appoint responsible leads, and file separately where required by national law.
Table: NIS 2 Subsidiary Scoping Rules
| Entity Scenario | Registration Needed By | Local Evidence? | Common Result |
|---|---|---|---|
| Parent-only group | Parent | Yes | Subs risk enforcement gaps |
| Subsidiary > threshold | Subsidiary | Yes | Must show audit trail |
| JV or cross-border structure | Both/all entities | Yes | Each files, audits locally |
If a subsidiary sits in scope but lacks unique logs or filings, you haven’t closed your group compliance gap.
Can a subsidiary “piggyback” on the group’s NIS 2 compliance, or must it stand alone?
No: NIS 2 mandates that each subsidiary must “stand on its own feet.”
The Directive and recent enforcement guidance reinforce that entity-level accountability trumps group-level comfort. Central ISMS tooling or uniform policies can guide and accelerate compliance, but every subsidiary must maintain its own registration, risk and incident logs, and actively adopt controls (Advisense, 2024). If a subsidiary is audited, regulators will require proof it didn’t just “set and forget” group policies but actively managed local requirements. Attempting to shortcut entity-level compliance often results in duplicated audit work or penalties during post-incident investigations.
Mini Table: Group vs. Subsidiary Accountability
| Compliance Step | Group-wide allowed? | Subsidiary Action Required? |
|---|---|---|
| Central policy templates | Yes | Must tailor/adopt locally |
| Registration & reporting | No | Must file, log, assign lead |
| Evidence logs/SoA/risk records | No | Must be entity-specific |
Auditors need to see the fingerprints of each subsidiary, not just the parent’s signature on a policy.
Who is liable if a subsidiary misses its NIS 2 duties: the group parent, or the subsidiary?
Liability is direct and falls on the failing subsidiary; group companies are not automatically on the hook unless they themselves are in-scope.
When a subsidiary misses a required step, such as registration, sector overlay, evidence logs, or incident reporting, regulators target the exact legal entity responsible. Even when a group programme exists, enforcement actions (such as orders, fines, or naming) are addressed to the specific entity in breach (Hogan Lovells, 2024; Alliuris, 2024). The group is only drawn in for liability if it is itself in-scope or proven to have orchestrated/neglected requirements at a higher level.
No group-level immunity: each subsidiary stands or falls on its own, and local audit readiness is not optional.
Can you run group-wide or centralised compliance under NIS 2, and what must remain local?
Centralisation is powerful, but never a substitute for subsidiary ownership. ENISA and leading regulatory voices encourage group-wide platforms and shared templates to streamline workflows (see case studies across ISMS.online clients), but entity-level evidence and local adoption are non-negotiable.
Each subsidiary must show a live risk register, SoA, local owner, and fresh logs; reused group docs aren’t enough (ENISA, 2024; PWC Hungary, 2024). Platforms like ISMS.online enable this duality: harmonised policies at the top, tailored controls and audit evidence at every entity.
Table: What Groups Can Share vs. What Subs Must Own
| Compliance Element | Group-shared possible? | Must be subsidiary-local? |
|---|---|---|
| Policy templates | Yes | Local adoption required |
| SoA/controls log | No | Each entity logs, updates |
| Registration/contact | No | File per entity, per sector |
| Risk assessments | Partial | Must validate/adapt local |
A harmonised ISMS is efficient only if every legal entity is logged, registered, and audit-ready on its own.
Do national and sector rules affect how subsidiaries are scoped or managed under NIS 2?
Absolutely. Every EU member state and regulated sector introduces overlays that reshape compliance:
Some nations (e.g., Italy, Hungary) force separate registrations and local lead assignments for each entity, regardless of group systems (Cullen International, 2024). Digital infrastructure, energy, and health often set lower size thresholds for subsidiary scoping, and can accelerate reporting or board responsibility requirements (OpenKritis, 2024).
Sectors or countries regularly update transposition rules-sometimes monthly-which means a subsidiary’s obligations today may shift before the next audit. Boards must actively monitor national and sector guidance and be ready to revalidate subsidiary compliance when notified.
Table: National & Sector Variable Examples
| Variable | Potential Impact |
|---|---|
| Country | Early/late registration, filings |
| Sector | Lower thresholds, more logs |
| Org. structure | JVs, cross-border = dual filings |
| Subsidiary size | Can trigger scoping if critical |
Compliance is not static: rule changes can turn ‘out’ subsidiaries ‘in’ with no notice.
What qualifies as a “subsidiary audit trail” for NIS 2? What proof will auditors expect?
A compliant audit trail links every scoping event, such as a headcount increase, sector shift, or acquisition, to live, owner-named logs and up-to-date controls for each subsidiary.
Auditors will ask to trace from “why is this subsidiary in scope” all the way through to “prove the risk was assessed, controlled, and evidence logged.” Gaps often occur where group policies are in force but not individually adopted or documented per entity, especially after acquisitions. Best practice is for each subsidiary to display a living SoA, up-to-date risk register, and audit file with local lead and sector overlays (Hogan Lovells, 2024; ENISA, 2024).
Table: Traceable Events to Audit-Ready Proof
| Trigger | Risk/Event | Control/SoA | Proof Logged |
|---|---|---|---|
| 50+ FTE hired | In-scope declared | Policy A.5.1 assigned | Owner registered, log updated |
| Sector overlay | Sector activated | Sector SoA mapped | Sector-specific audit entry |
| Acquisition | Due diligence event | M&A control adopted | Acquisition register entry |
Audit insurance comes from entity-level logs, not just group files, showing live ownership and proof.
How do you guarantee a group and all subsidiaries are truly NIS 2 audit-ready?
Leverage a compliance platform that fuses entity-level registers and controls with group-wide oversight, so every legal entity, regardless of scale or location, is logged and ready when the audit line is drawn.
In 2024, European groups using ISMS.online cut their NIS 2 audit preparation time by over 40% and prevented audit failures arising from missed subsidiary evidence or filings (Advisense, 2024). This approach gives each local leader a clear dashboard and living audit trail, while group governance can confidently map compliance across the portfolio. Mapping triggers, logging events, and keeping controls live at every entity is now the minimum threshold for resilience and trust with regulators.
Map your group and subsidiary compliance in a unified environment and ensure every legal entity, whether parent, subsidiary, or joint venture, is registered, audit-ready, and robust. With ISMS.online, your entire group can meet NIS 2 head-on: no missed filings, no hidden gaps, no audit surprises.