NIS2 - Main establishment (one-stop-shop)

Contacts

Gian Marco Rinaldi

Counsel
Italy

As a Counsel in our Tech & Comms Group in Milan, I have extensive experience of drafting and negotiating outsourcing and IT agreements for national and international companies.

The Italian NIS2 authority (ACN) recently clarified in its FAQs that the one-stop-shop rule for the different categories of ICT providers referred to in Article 5(1)(b) of the NIS Decree (e.g. cloud services, managed services, social networks, etc.) applies with reference to the establishments of a single legal entity and not with reference to a group of companies (FAQs 3.15 and 2.8).

Therefore, among others, all companies belonging to the above categories that failed to register in 2025 because another company in their group based in another EU country was taking the majority of decisions on cybersecurity should proceed with registration this year by the deadline of 28 February 2026.

While not disputing the ACN's interpretation, which appears to be in line with the NIS Decree and the Directive, the question that arises is: given that the one-stop-shop rule was created to “take into account the cross-border nature” of these services (Recital 114 of the NIS2 Directive), why does the legislator assume that entities providing these services always operate through a company in a single EU country (with establishments in other countries) and do not set up companies in various EU countries?

Why should the simple fact that a group is structured within the European Union by opening companies in different countries mean that each company is accountable to the authorities of that country when, in the vast majority of cases, the management of its security measures is centralised in a single EU country (where it is not centralised outside the EU) and the services provided are identical?

As we know, each EU country is transposing and then implementing the NIS2 Directive with significant differences from one country to another, both in the preliminary identification phase and in the application phase.

The end result is that companies belonging to groups operating in different EU countries that provide the same ICT services in all countries find themselves having to liaise with their own authorities in relation to cybersecurity choices that are often not made by them, and to apply operational, organisational and technical specifications that differ from country to country.

This approach can cause significant problems for many international groups.
 
