NIS2 Annex II compliance for digital providers — online marketplaces, search engines, and social networks

Online Marketplaces, Search Engines, and Social Networks Under NIS2 Annex II: Article 21 Obligations and the DSA Dual-Regulation Trap

Online marketplaces, search engines, and social networking platforms now sit inside two separate EU regulatory frameworks simultaneously. The NIS2 Directive has applied to all three platform types since October 18, 2024; the Digital Services Act has imposed systemic risk assessment obligations on the largest platforms since August 2023. Most compliance resources cover one regulation or the other. This guide covers both — and the practical gap where they overlap without any formal coordination mechanism.

What follows covers the Annex II scope decision, what Article 21(2) requires in a platform context, the additional direct-regulation layer added by Commission Implementing Regulation 2024/2690, the dual-regulation comparison for platforms above the 45 million EU user threshold, and which national authority supervises your organisation under Article 26. For the full scope decision framework across all NIS2 sectors, see our NIS2 scope guide.

Who Falls Under Annex II: The Scope Decision

Three entity types are listed in NIS2 Annex II, Section 8 under “Digital providers”: providers of online marketplaces, providers of online search engines, and providers of social networking services platforms. The size threshold that brings any of these entities within the directive’s reach is the same as the general NIS2 rule in Article 2 — your organisation qualifies when it employs 50 or more people, or when its annual turnover or balance-sheet total exceeds €10 million. Meeting one criterion is sufficient; both are not required [2].

The directive applies extraterritorially. If your platform offers services within the EU, you are in scope regardless of where you are headquartered. A US-based social network with EU users, a South Korean search engine accessible in EU member states, or an Australian online marketplace serving European buyers — all are covered once the size threshold is met. Entities with no EU establishment must designate a representative in a member state where their services are offered under Article 26(3), and that representative’s country becomes the supervising authority [3].

One important limitation: Annex II digital providers are not in the Article 2(2) “regardless of size” exceptions. Those apply to DNS providers, top-level domain registries, trust service providers, and public electronic communications providers. A social network with 25 employees and €8 million in annual turnover is generally outside NIS2 scope unless a member state explicitly extends coverage to smaller entities.

Step | Question | Result: Yes | Result: No
1 | Does your platform operate an online marketplace, search engine, or social network? | Proceed to Step 2 | Annex II digital-provider scope does not apply
2 | Do you have 50 or more employees, or annual turnover or balance-sheet total above €10 million? | Proceed to Step 3 | Below size threshold — generally exempt (member states may extend scope to smaller entities)
3 | Do you offer services to users within the EU, regardless of where your headquarters is located? | In scope — registration and Article 21 compliance obligations apply | No EU-facing service = no EU scope
4 | (If no EU establishment) Have you designated an EU representative under Article 26(3)? | Compliant with territorial requirement | Required action — designate an EU representative in a member state where your services are offered

Three Platform Types, One Classification: Important Entities

All three Annex II digital provider types are classified as important entities — not essential entities. That single classification carries significant practical differences in the supervisory regime you face and the penalty ceiling that applies [2].

Dimension | Important Entities (Annex II) | Essential Entities (Annex I)
Supervision model | Reactive (ex-post) — authority investigates after receiving evidence of non-compliance | Proactive — regular audits regardless of incident history
Maximum fine | €7 million or 1.4% of global annual turnover, whichever is higher | €10 million or 2% of global annual turnover
Management liability | Article 20 — governing bodies personally liable for approving cybersecurity risk-management measures | Same
ENISA registration | Required — details submitted to national competent authority, forwarded to ENISA central database | Required
CIR 2024/2690 | Directly applicable — no national transposition needed | Separate implementing act provisions apply

Reactive supervision does not mean lenient enforcement. Once an incident triggers a regulatory investigation — or once a platform self-reports under Article 23’s 24-hour early warning requirement — the competent authority has full investigative and enforcement powers. For social networking services platforms, which enter EU cybersecurity law for the first time under NIS2 (they were not covered under NIS1 Directive 2016/1148, which only addressed online marketplaces, search engines, and cloud computing services), the gap between current product-security practice and a fully documented Article 21(2) control set can be substantial [2].

The important-entity classification also means digital providers receive less proactive supervisory attention than Annex I sectors such as energy, healthcare, or water utilities. In practice, this gives platforms more autonomy in how and when they implement controls — but it does not reduce the obligation itself. The ten Article 21(2) measures and CIR 2024/2690’s 13 Annex I sections apply in full. For a detailed comparison of the two entity classifications, see our guide on essential versus important entities under NIS2.

The DSA Dual-Regulation Trap: When Two Risk Frameworks Apply

Platforms meeting the 45 million monthly active EU user threshold face a compliance obligation that mid-sized platforms do not: a second, parallel risk assessment requirement under the Digital Services Act, with a different scope, different documentation standards, and a different supervisor. There is no coordination mechanism between the two regimes.

Under DSA Article 33, the Commission designates platforms reaching 45 million average monthly active EU users — approximately 10% of the EU population — as Very Large Online Platforms (VLOPs) or Very Large Online Search Engines (VLOSEs) [7]. Designated platforms must comply with DSA Article 34: an annual systemic risk assessment targeting societal harms including unlawful content distribution, threats to fundamental rights and democratic processes, public health risks, and harm to minors [6]. This obligation sits entirely separate from NIS2’s cybersecurity risk framework.

Dimension | NIS2 Article 21(2)(a) | DSA Article 34
Who it applies to | All covered Annex II digital providers (50+ employees or €10M turnover providing services in the EU) | VLOPs and VLOSEs only — platforms designated by the Commission with 45M+ average monthly active EU users
Risk scope | Cybersecurity risks: threats to the availability, confidentiality, and integrity of network and information systems | Systemic societal risks: unlawful content, fundamental rights, democratic processes and elections, public health, protection of minors
Update trigger | Ongoing obligation; material update when risk landscape changes | Annually, and before deploying major new functionalities or recommendation systems
Documentation required | Risk assessment methodology, risk register, risk treatment plan, treatment report | Systemic risk report; independent audit by Commission-approved auditor published publicly
Competent authority | National competent authority (NCA) designated under NIS2 in the member state of main establishment | Digital Services Coordinator (DSC) in each member state; European Commission for VLOP/VLOSE enforcement
Penalty for non-compliance | Up to €7 million or 1.4% of global annual turnover | Up to 6% of global annual turnover under DSA Article 74
Coordination between regimes | None mandated (applies to both regimes) — platforms must manage both obligations independently with separate documentation trails and separate regulator contacts

The practical consequence: a large search engine or social media platform must maintain two parallel risk registers — one cybersecurity-focused for the NCA under NIS2, one systemic-harm-focused for the Digital Services Coordinator and Commission under the DSA. A risk assessment satisfying DSA Article 34 does not satisfy NIS2 Article 21(2)(a). A platform below 45 million EU users faces NIS2 obligations only. A platform above that threshold faces both, with additive documentation requirements and two separate enforcement tracks running simultaneously.

CIR 2024/2690: The Layer That Applies Directly

Commission Implementing Regulation 2024/2690 entered into force on November 7, 2024 [4]. Unlike the NIS2 Directive itself — which required transposition into national law — CIR 2024/2690 is directly applicable in all 27 EU member states without any national implementation step. It covers providers of online marketplaces, online search engines, and social networking services platforms alongside eight other digital service categories.

CIR 2024/2690 translates the ten Article 21(2) measures from high-level directive text into 13 auditable technical requirement sections listed in the regulation’s Annex I. For the full detail on how the implementing regulation interacts with the directive, see our CIR 2024/2690 compliance guide.

CIR Annex I Section | NIS2 Article 21(2) | Platform-Relevant Requirement
1. Security policy | (a) | Documented information security policy approved by the governing body
2. Risk management | (a) | Asset-based risk register with treatment decisions and residual risk acceptance
3. Incident handling | (b) | Detection, analysis, containment and recovery procedures with Article 23 notification workflow integration
4. Business continuity | (c) | Business continuity plan and disaster recovery with tested recovery time objectives
5. Supply chain security | (d) | Third-party risk assessments for API providers, CDN vendors, ad-tech suppliers, and payment processors
6. System acquisition and maintenance | (e) | Secure software development lifecycle for algorithm and feature updates; coordinated vulnerability disclosure process
7. Effectiveness assessment | (f) | Security KPIs per control area; periodic review methodology; internal audit scope
8. Cyber hygiene and training | (g) | Role-based security awareness training; documented annual training records
9. Cryptography | (h) | Encryption at rest and in transit; documented key management procedures
10. HR security | (i) | Background check policy for privileged roles; joiner, mover, and leaver access process
11. Access control | (i) | Least-privilege principle for algorithm access and user data processing; privileged access management
12. Asset management | (i) | Asset inventory covering cloud infrastructure, third-party integrations, and data processing systems
13. Physical security | (i) | Data centre and office physical access controls; environmental protection measures

Incident Reporting Thresholds for Digital Providers

CIR 2024/2690 establishes specific thresholds that make an incident “significant” for digital providers — triggering the Article 23 reporting obligation. An incident qualifies when it meets any one of the following criteria [4][5]:

  • Service disruption: complete unavailability or material degradation of the platform affecting more than 5% of the EU user base, or more than 1 million EU users — whichever threshold is smaller
  • Financial impact: direct financial loss exceeding €500,000 or 5% of annual turnover, whichever is lower
  • Data compromise: any unauthorised access to, or exfiltration of, data resulting from suspected malicious action, regardless of scale
  • Recurring pattern: multiple individually minor incidents indicating a systematic compromise of platform infrastructure

Meeting any single threshold triggers the 24-hour early warning obligation to the national CSIRT, followed by a 72-hour formal incident notification with an initial impact assessment, and a final report within one month containing root-cause analysis and remediation steps [1].
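To show how the thresholds above combine in a detection pipeline, in particular the "whichever is smaller" rules for user impact and financial loss, here is an added Python example; it is not code from this article or from any regulator or vendor, and the Incident and Platform fields, the sample figures and the 30-day reading of "one month" are assumptions.

```python
"""Significance check for digital-provider incidents, encoding the thresholds as
summarised in this article (illustrative code; not regulatory text or a vendor tool)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EU_USERS_ABS_THRESHOLD = 1_000_000   # absolute user-count trigger (as stated in the article)
EU_USERS_PCT_THRESHOLD = 0.05        # 5% of the platform's EU user base
LOSS_ABS_THRESHOLD_EUR = 500_000     # absolute direct-loss trigger
LOSS_PCT_TURNOVER = 0.05             # 5% of annual turnover


@dataclass
class Incident:                      # assumed field set
    aware_at: datetime               # when the platform became aware of the incident
    affected_eu_users: int           # users with no service or materially degraded service
    direct_loss_eur: float
    malicious_data_access: bool      # unauthorised access/exfiltration from suspected malicious action
    recurring_pattern: bool          # several minor incidents pointing at systematic compromise


@dataclass
class Platform:                      # assumed field set
    eu_user_base: int
    annual_turnover_eur: float


def significance_reasons(inc: Incident, pf: Platform) -> list[str]:
    """Return the criteria the incident meets; an empty list means 'not significant'."""
    reasons = []
    # "Whichever threshold is smaller": the binding user figure is the lower of
    # 5% of the EU user base and 1 million users, so mid-sized platforms trip earlier.
    user_threshold = min(EU_USERS_ABS_THRESHOLD, pf.eu_user_base * EU_USERS_PCT_THRESHOLD)
    if inc.affected_eu_users > user_threshold:
        reasons.append(f"service disruption: {inc.affected_eu_users} EU users > {user_threshold:.0f}")
    # "Whichever is lower" for financial impact likewise takes the smaller figure.
    loss_threshold = min(LOSS_ABS_THRESHOLD_EUR, pf.annual_turnover_eur * LOSS_PCT_TURNOVER)
    if inc.direct_loss_eur > loss_threshold:
        reasons.append(f"financial impact: EUR {inc.direct_loss_eur:,.0f} > {loss_threshold:,.0f}")
    # Data compromise from suspected malicious action counts regardless of scale.
    if inc.malicious_data_access:
        reasons.append("data compromise from suspected malicious action")
    if inc.recurring_pattern:
        reasons.append("recurring pattern indicating systematic compromise")
    return reasons


def notification_deadlines(aware_at: datetime) -> dict[str, datetime]:
    """Article 23 timeline from the moment of awareness: 24h early warning, 72h
    incident notification, final report within one month (assumed here as 30 days)."""
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "incident_notification": aware_at + timedelta(hours=72),
        "final_report": aware_at + timedelta(days=30),
    }


# Constructed sample data for a mid-sized platform: 12M EU users, EUR 300M turnover.
# Its binding user threshold is 600,000 (5%), not 1,000,000.
SAMPLE_PLATFORM = Platform(eu_user_base=12_000_000, annual_turnover_eur=300_000_000)
T0 = datetime(2025, 3, 14, 9, 30, tzinfo=timezone.utc)  # constructed awareness time
SAMPLE_OUTAGE = Incident(T0, affected_eu_users=750_000, direct_loss_eur=200_000,
                         malicious_data_access=False, recurring_pattern=False)
SAMPLE_BREACH = Incident(T0, affected_eu_users=1_200, direct_loss_eur=0.0,
                         malicious_data_access=True, recurring_pattern=False)
SAMPLE_MINOR = Incident(T0, affected_eu_users=100_000, direct_loss_eur=50_000,
                        malicious_data_access=False, recurring_pattern=False)

if __name__ == "__main__":
    for name, inc in [("outage", SAMPLE_OUTAGE), ("breach", SAMPLE_BREACH), ("minor", SAMPLE_MINOR)]:
        reasons = significance_reasons(inc, SAMPLE_PLATFORM)
        print(name, "significant" if reasons else "not significant", reasons)
        if reasons:
            print("  deadlines:", notification_deadlines(inc.aware_at))
```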

Article 21 Compliance in Practice: Platform-Specific Obligations

Each of the ten Article 21(2) measures applies to Annex II digital providers, but the implementation context differs from sectors such as energy or healthcare. The table below maps each measure to a platform-specific context, with effort estimates reflecting the gap most digital providers face when starting from an existing product-security posture rather than a purpose-built NIS2 programme [1][5].

Article 21(2) Measure | Platform-Specific Context | Effort
(a) Risk analysis and information system security policies | Risk register covering algorithm manipulation, account hijacking, DDoS during peak events, and API abuse as a supply chain threat vector | High
(b) Incident handling | Detection pipeline calibrated to CIR thresholds (5% EU users or 1M users); 24h/72h/1-month notification workflow to national CSIRT | High
(c) Business continuity, backup, disaster recovery, crisis management | Availability SLAs for platform services; tested DR procedures for major outages; crisis communications protocol for publicly visible incidents | High
(d) Supply chain security | Security clauses in contracts with third-party seller platforms, ad-tech providers, payment processors, and CDN or infrastructure vendors | Medium
(e) NIS acquisition, development, maintenance; vulnerability handling | Secure SDLC for ranking algorithm and feature releases; documented bug bounty or coordinated vulnerability disclosure programme; patch SLA by severity tier | High
(f) Policies to assess effectiveness of cybersecurity risk-management measures | Security KPIs reviewed quarterly; annual penetration testing; internal audit scope covering CIR Annex I sections | Low
(g) Cyber hygiene and cybersecurity training | Annual security awareness training for all staff; targeted phishing simulation for content moderation and administrator roles | Low
(h) Cryptography and encryption policies | End-to-end encryption for private messaging; AES-256 or equivalent for user data at rest; TLS 1.2 minimum for all data in transit | Medium
(i) Human resources security, access control, asset management | Privileged access management for ranking algorithm access; regular access reviews tied to role changes; comprehensive asset inventory including cloud infrastructure | Medium
(j) MFA or continuous authentication; secured communications | Mandatory multi-factor authentication for all administrative, moderation, and developer accounts; secure internal communication tools for security teams | Low

Measures rated High typically require new documentation frameworks or significant process change where a platform does not already have a formalised cybersecurity management system. Measures rated Low — MFA, training, effectiveness measurement — are frequently already partially implemented in product-focused organisations and need formalisation rather than new investment. The CIR 2024/2690 Annex I sections provide the technical specification for each. For sector-specific guidance on online marketplace obligations, see our online marketplace NIS2 compliance guide; for search engine and social network specifics, see our search engine and social network guide.

Jurisdiction and Enforcement: Which National Authority Supervises You?

Article 26 of NIS2 determines which member state’s competent authority has jurisdiction over an Annex II digital provider. The determination follows a three-step hierarchy specific to entities with operations across multiple countries [3].

Step 1 — Cybersecurity decision location. The entity falls under the jurisdiction of the member state where cybersecurity risk-management measures are predominantly decided and taken. In most global platforms, this is wherever the CISO, security leadership, and security governance structures operate. This is the most determinative criterion.

Step 2 — Cybersecurity operations location. If cybersecurity decisions are distributed or the answer to Step 1 is unclear, jurisdiction defaults to the member state where cybersecurity operations — threat monitoring, incident response, threat intelligence functions — are primarily carried out.

Step 3 — Largest EU employee count. If both prior criteria remain inconclusive, the member state hosting the largest number of the entity’s EU-based employees determines jurisdiction.

For non-EU platforms with no EU establishment, Article 26(3) requires designating an EU representative in a member state where the platform’s services are offered. That member state’s NCA becomes the supervising authority. Critically, representative designation does not limit enforcement against the entity itself — the NCA retains full investigative and enforcement powers directly against the parent entity, not only against the representative [3].

Digital providers should formally document their main-establishment determination. An undocumented claim that a particular member state supervises the platform — without records showing where cybersecurity decisions are made — provides no legal protection if a second member state’s authority asserts concurrent jurisdiction. For a full overview of the NIS2 supervisory framework, see our guide to NIS2 supervisory measures and enforcement powers.

Compliance Checklist by Role

Annex II digital providers face obligations across four functional areas. Article 20 of NIS2 holds governing bodies personally accountable for approving cybersecurity risk-management measures — compliance is not solely a technical responsibility [1].

Role | Immediate Actions (0–3 months) | Ongoing Obligations
CISO / IT Security | Run CIR 2024/2690 Annex I gap analysis; implement MFA for all admin and developer accounts; build platform-specific risk register per Article 21(2)(a) | Annual risk register review; CIR Annex I effectiveness assessment; patch management and vulnerability disclosure programme management
Legal / Compliance | Document main establishment for Article 26 jurisdiction; register with national competent authority; check VLOP or VLOSE designation status under DSA | Article 23 incident notification management; annual DSA Article 34 systemic risk report if VLOP or VLOSE designated; monitor member-state transposition variations
Board / C-Suite | Approve cybersecurity risk-management policy per Article 20; review personal liability provisions; allocate compliance budget | Quarterly security KPI briefing; annual risk posture review; post-incident governance review for significant incidents
IT / Engineering | Map existing security controls to CIR 2024/2690’s 13 Annex I sections; configure incident detection aligned to CIR significance thresholds (5% EU users or 1M users) | Secure SDLC for all feature and algorithm releases; supply chain security assessments for new third-party integrations; access review cycle

Frequently Asked Questions

Are all social networks covered by NIS2 Annex II?
No. Social networking services platforms only fall under NIS2 if they meet the size threshold — at least 50 employees, or annual turnover or balance-sheet total exceeding €10 million. A community platform with 12 staff and €5 million in annual revenue is generally outside scope unless a member state explicitly extends coverage to smaller entities. Social networks are new to EU cybersecurity law: they did not appear in NIS1 (Directive 2016/1148), which covered only online marketplaces, search engines, and cloud computing services as digital service providers [2].

Does NIS2 apply to a non-EU platform with EU users?
Yes. Article 2 of the NIS2 Directive applies to any entity offering services within the Union, regardless of where that entity is established. Meeting the size threshold and serving EU users is sufficient to trigger scope. The platform must then designate an EU representative under Article 26(3); the national competent authority of that representative’s member state becomes the supervising regulator for NIS2 purposes [2][3].

What is the practical difference between the NIS2 Article 21(2)(a) risk analysis and the DSA Article 34 risk assessment?
NIS2 Article 21(2)(a) requires a cybersecurity risk analysis: identifying threats to the availability, integrity, and confidentiality of your network and information systems, and documenting treatment decisions. DSA Article 34 requires a systemic societal risk assessment: identifying how your platform’s design, algorithms, and content moderation systems could cause harm to democratic processes, public health, fundamental rights, or the protection of minors. The first focuses on protecting your infrastructure from external attack; the second focuses on protecting society from the potential harms of your infrastructure’s design. Both are mandatory for VLOP-designated platforms, with separate documentation sets and separate supervisors. The comparison table in this article maps both obligations side by side [1][6].

Which national authority supervises a platform with offices across three EU countries?
The NCA of the member state where your cybersecurity risk-management decisions are predominantly made — in practice, where your CISO and security governance operate. If genuinely unclear, the fallback is where your cybersecurity operations are carried out, then where you have the most EU employees. Document the determination formally: an undocumented claim provides no protection if a second member state’s authority asserts jurisdiction. See our guide to NIS2 Article 26 jurisdiction for the full framework [3].

Conclusion

Three platform types sit inside a single Annex II classification, but the compliance workload is not uniform across all of them. All covered digital providers face ten Article 21(2) measures plus the 13 technical sections of CIR 2024/2690 — both directly applicable since late 2024 and requiring no further national transposition. Platforms at or above the 45 million monthly active EU user threshold face a second, additive risk assessment obligation under DSA Article 34, with no formal coordination mechanism between the NIS2 NCA and the DSA Digital Services Coordinator. The Article 26 jurisdiction logic adds a further obligation: which member state supervises your platform depends on a specific factual question — where cybersecurity decisions are predominantly made — that requires deliberate documentation rather than assumption.

The compliance sequence in priority order: confirm whether Annex II scope applies using the step decision above; document your main establishment for jurisdiction clarity and register with your national competent authority; implement the CIR 2024/2690 technical baseline across the 13 Annex I sections; and — if your platform has been designated or is approaching VLOP or VLOSE status — establish a parallel documentation trail for DSA Article 34 that is maintained separately from your NIS2 risk register.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Sources

  1. European Union. Directive (EU) 2022/2555 — Article 21: Cybersecurity Risk-Management Measures. NIS-2-Directive.com.
  2. European Union. Directive (EU) 2022/2555 — Article 2: Scope. NIS-2-Directive.com.
  3. European Union. Directive (EU) 2022/2555 — Article 26: Jurisdiction and Territoriality. NIS-2-Directive.com.
  4. Hunton Andrews Kurth. Implementing Regulation Developing NIS2 Rules for Certain Digital Service Providers Enters into Force. Hunton Privacy and Cybersecurity Law Blog, 2024.
  5. Advisera. NIS2 CIR 2024/2690: Cybersecurity Requirements for EU Digital Infrastructure. Advisera, 2024.
  6. European Union. Regulation (EU) 2022/2065 — Article 34: Risk Assessment. EU-Digital-Services-Act.com.