NIS2 compliance for search engines and social networks — Annex II Section 6 important entity cybersecurity obligations

NIS2 for Search Engines and Social Networks: Annex II Scope, Article 21 Controls, and GDPR Dual Reporting

Search engines and social networks occupy a distinct position under NIS2: they appear in Annex II, Section 6 as important entities—subject to mandatory cybersecurity requirements, but supervised reactively and facing a lower penalty ceiling than the essential infrastructure sectors in Annex I. For platform operators, the complexity lies not in Article 21’s ten measures themselves, which map closely to standard information security practice, but in three areas that generic NIS2 guides consistently miss: the platform-specific threat vectors NIS2 captures, the precise per-service thresholds in Commission Implementing Regulation (EU) 2024/2690, and the dual regulatory reporting obligation that fires when a cybersecurity incident also touches personal data. This guide addresses all three.

Are You In Scope? Annex II Section 6 Digital Providers

The NIS2 Directive’s Annex II, Section 6 covers three types of digital providers: providers of online marketplaces, providers of online search engines, and providers of social networking services platforms. The definitions matter for scope purposes.

Article 6(29) of the directive defines an online search engine by reference to Regulation (EU) 2019/1150—a service that allows users to perform searches of all websites, or websites in a particular language, on the basis of a query on any subject. Article 6(33) defines a social networking services platform as “a platform that enables end-users to connect, share, discover and communicate with each other across multiple devices.” Annex II extends this to include platforms operating “in particular via chats, posts, videos and recommendations.”

Entity type | NIS2 classification | Size threshold | Supervision model
--- | --- | --- | ---
Online search engine | Important entity — Annex II, Section 6 | ≥50 employees OR >€10M annual turnover | Reactive
Social networking services platform | Important entity — Annex II, Section 6 | ≥50 employees OR >€10M annual turnover | Reactive
Cloud computing service | Essential entity — Annex I | ≥50 employees OR >€10M annual turnover | Proactive
DNS service provider | Essential entity — Annex I | None (in scope regardless of size) | Proactive

Unlike DNS service providers and TLD name registries, which are in scope regardless of size, search engines and social networks must meet the size threshold: at least 50 employees or annual turnover exceeding €10 million. The threshold is OR, not AND—a platform with 60 employees and €8 million revenue qualifies on headcount alone.

Important entity classification means reactive supervision: national competent authorities audit and sanction based on incident reports and complaints rather than conducting routine proactive inspections. For a full breakdown of how important vs. essential classification affects your penalty ceiling and supervisory regime, see Essential vs Important Entity Under NIS2. For the complete scope rules covering all sectors, see Who Must Comply with NIS2.

Article 21 Controls and CIR 2024/2690 — What Platforms Must Implement

Article 21 of the NIS2 Directive requires appropriate and proportionate technical, operational and organisational measures to manage cybersecurity risks. For search engines and social networks, those measures are further specified in Commission Implementing Regulation (EU) 2024/2690, which entered into force on 7 November 2024 and establishes technical and methodological requirements for digital service providers specifically.

All ten Article 21 measures apply. The table below maps each to the platform-specific documentation an auditor expects.

Measure | Article 21(2) | Platform-specific application
--- | --- | ---
Risk analysis and information system security policies | (a) | Risk register must document algorithm manipulation, coordinated account hijacking, and API abuse as explicit threat scenarios
Incident handling | (b) | Response playbooks calibrated to CIR 2024/2690 Articles 12–13 thresholds; CSIRT escalation paths documented
Business continuity, backup management, and disaster recovery | (c) | Recovery time objectives for search availability and platform uptime; backup and restore procedures for user data and algorithmic infrastructure
Supply chain security | (d) | Third-party API providers, CDN infrastructure, and ML training data pipelines treated as supply chain elements requiring documented security assessment
Network and information systems security | (e) | Secure development practices for ranking and recommendation algorithms; vulnerability management for the platform codebase
Policies for assessing measure effectiveness | (f) | Regular penetration testing; vulnerability disclosure programme; bug bounty documentation
Basic cyber hygiene and cybersecurity training | (g) | Anti-phishing training for privileged account holders; secure development lifecycle training for engineering staff
Cryptography and encryption | (h) | Encryption at rest and in transit for user data; secure key management for API credentials and platform signing keys
Human resources security, access control, and asset management | (i) | Privileged access management for platform administrators and algorithm configuration interfaces; role-based access control documentation
Multi-factor authentication and secure communications | (j) | MFA mandatory for all platform administrator accounts; MFA for user-facing systems with elevated access privileges

Management approval of these measures is required under Article 20—management bodies are personally accountable for compliance. A security measure that operates in practice but lacks approved documentation does not satisfy the directive. For full context on what the directive requires, see the NIS2 Directive overview.

Platform-Specific Threat Vectors: How NIS2 Maps to Your Attack Surface

Standard NIS2 compliance guides apply Article 21 horizontally across all sectors. Search engines and social networks face threat patterns that require explicit mapping to NIS2’s availability, integrity, and confidentiality framework—and a risk register that omits them will not survive an audit calibrated to your platform type.

Algorithm manipulation as an availability and integrity attack. When a threat actor exploits vulnerabilities in a platform’s ranking or recommendation system—through coordinated SEO spam injection at scale, manipulation of engagement signals via compromised accounts, or direct compromise of algorithmic infrastructure—the result is degraded service in NIS2 terms. If search results become systematically corrupted or a recommendation feed is diverted at scale, the platform’s core service integrity is compromised. Article 21(2)(a) risk analysis must document this threat category explicitly. Generic enterprise risk registers do not capture it.

Large-scale account hijacking campaigns as significant incident candidates. Credential stuffing attacks targeting social networking platforms, or compromise of administrator or API-level accounts at a search engine, qualify as significant incidents if they breach the CIR 2024/2690 Article 13 thresholds. Any data compromise from suspected malicious action triggers the reporting obligation regardless of scale. At user-impact scale, the threshold is 5% of EU users or 1 million EU users, whichever is the smaller number. For a social network with 40 million EU users, the 1 million absolute cap applies before the 5% threshold is reached—a hijacking campaign compromising 1,000,001 accounts triggers mandatory CSIRT notification. Article 21(2)(b) requires pre-designed incident-handling playbooks for mass account compromise events, not just generic breach response procedures.

API abuse enabling scraping and data harvesting as a supply chain and confidentiality risk. Third-party developers consume platform APIs under usage agreements. Systematic API abuse—rate-limiting bypass, token theft, data harvesting beyond authorised parameters—threatens both data integrity and confidentiality. Under Article 21(2)(d), platforms must assess API gateway security as part of supply chain risk management. CIR 2024/2690’s supply chain provisions apply directly: the developer ecosystem is a supply chain element in NIS2 terms, and its security must be documented as such.

Disinformation injection via platform vulnerabilities: a NIS2-adjacent concern. Disinformation is not a NIS2 regulatory obligation directly—the directive does not mandate content accuracy standards. However, when disinformation is delivered through a security breach—a compromised administrative account broadcasting false safety alerts at scale, a manipulated trending algorithm via a software vulnerability, or a hijacked verification system publishing fraudulent content—the underlying mechanism is a cybersecurity incident. The breach of the system’s authenticity and integrity falls within NIS2’s scope. The content itself does not.

When a Breach Triggers Two Regulators: GDPR and NIS2 Dual Reporting

For platforms processing personal data at scale—which describes every major search engine and social network—a single security incident commonly activates two independent notification obligations. NIS2 and GDPR create parallel but non-substitutable requirements that do not cancel each other out.

Obligation | Regulatory basis | Authority | Deadline
--- | --- | --- | ---
Significant incident — early warning | NIS2 Article 23 | National CSIRT or competent authority | 24 hours from awareness
Significant incident — notification | NIS2 Article 23 | National CSIRT or competent authority | 72 hours from awareness
Significant incident — final report | NIS2 Article 23 | National CSIRT or competent authority | 1 month from notification
Personal data breach notification | GDPR Article 33 | National Data Protection Authority (DPA) | Without undue delay, not later than 72 hours from awareness

The two notifications go to entirely separate authorities with different reporting formats and threshold criteria. In Germany, a platform facing a breach must notify the BSI (NIS2 competent authority) and the Federal Commissioner for Data Protection (BfDI) independently. In France, ANSSI receives the NIS2 notification; the CNIL receives the GDPR notification. There is no shared reporting portal between NIS2 CSIRTs and GDPR data protection authorities for cross-framework incidents.

A large-scale account hijacking campaign on a social network triggers both obligations: it is a significant cybersecurity incident (platform service integrity compromised) and a personal data breach (unauthorised access to user personal data). Both obligations activate simultaneously from the moment the platform becomes aware. NIS2’s 24-hour early warning deadline means CSIRT notification begins before the full data breach scope is determined—triggering the NIS2 notification ahead of completing the GDPR Article 33 assessment is the operational norm, not an exception to plan around.

The practical response is an integrated incident response procedure that tracks both notification pathways from the first detection event. Treating NIS2 and GDPR as sequential processes—complete the cybersecurity response, then notify the DPA—will miss the GDPR 72-hour window on any significant platform incident.

Extraterritorial Scope and the EU Representative Requirement

US-headquartered and other non-EU search engines and social networks offering services to EU users are within NIS2’s scope. Article 2 brings any entity offering services within the Union into scope. Article 26 then determines which member state has jurisdiction.

The jurisdiction hierarchy works as follows: the member state where the entity’s main EU establishment is located has jurisdiction—specifically, where cybersecurity risk-management decisions are predominantly taken. If that cannot be determined, jurisdiction follows where cybersecurity operations are carried out. The final tiebreaker is the member state where the entity employs the most people in the Union.

If the platform has no EU establishment at all, Article 26(3) requires designation of a representative established in a member state where services are offered. That representative’s member state becomes the enforcement jurisdiction. The designation does not limit legal action against the entity itself in other member states where services are provided.

In practice, most large global platforms have EU legal entities—typically established for GDPR compliance—which sets NIS2 jurisdiction at the member state where the EU cybersecurity function is headquartered, not the nominal registered office. Platforms without any EU office must treat the Article 26(3) NIS2 representative requirement as a distinct compliance obligation, separate from any GDPR Article 27 representative already in place.

What Counts as a Significant Incident for Your Platform

Commission Implementing Regulation (EU) 2024/2690 sets sector-specific significance thresholds for digital service providers. Article 12 applies to online search engines; Article 13 applies to social networking service platforms. Both use the same threshold structure.

An incident is significant if it causes any of the following:

  • Complete unavailability affecting more than 5% of the platform’s EU user base, or more than 1 million EU users—whichever number is smaller
  • Limited availability (degraded service) at the same 5%/1 million EU user threshold
  • Any data compromise from suspected malicious action—regardless of the number of users affected; a targeted breach of a small number of accounts triggers this criterion if malicious intent is suspected
  • Wider data compromise affecting more than 5% of EU users or more than 1 million EU users

There is no financial loss threshold and no minimum duration requirement in Articles 12 or 13. User impact and suspected malicious intent are the operative criteria. Once a significant incident occurs, the three-stage Article 23 reporting timeline applies: early warning to the national CSIRT within 24 hours; incident notification with initial severity assessment within 72 hours; and a final report with root cause analysis within one month.
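The following is an added example, not code from the article or from any regulator's tooling: it encodes the Article 12–13 significance test above (5% of EU users or 1 million, whichever is smaller; any data compromise with suspected malicious action regardless of scale) and starts the parallel NIS2 and GDPR clocks from the same awareness timestamp, as the dual-reporting section describes. The Incident fields and the 30-day approximation of "one month" are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds as the article summarises CIR 2024/2690 Articles 12-13: more than 5%
# of the EU user base or more than 1 million EU users, whichever is smaller.
USER_SHARE_THRESHOLD = 0.05
USER_ABSOLUTE_CAP = 1_000_000
FINAL_REPORT_DAYS = 30  # assumption: "one month" approximated as 30 days

def user_impact_threshold(eu_user_base: int) -> int:
    """Affected-user count that must be exceeded to meet the user-impact criterion."""
    return min(int(eu_user_base * USER_SHARE_THRESHOLD), USER_ABSOLUTE_CAP)

@dataclass
class Incident:
    """Hypothetical incident record; the field names are this example's own."""
    eu_user_base: int
    users_unavailable: int = 0            # complete unavailability
    users_degraded: int = 0               # limited availability (degraded service)
    users_data_compromised: int = 0
    suspected_malicious: bool = False
    personal_data_involved: bool = False  # drives the GDPR Article 33 timer

def significance_criteria(inc: Incident) -> list[str]:
    """Return each Article 12/13 criterion the incident meets (empty list = not significant)."""
    limit = user_impact_threshold(inc.eu_user_base)
    hits = []
    if inc.users_unavailable > limit:
        hits.append("complete unavailability above the 5%/1M EU user threshold")
    if inc.users_degraded > limit:
        hits.append("limited availability above the 5%/1M EU user threshold")
    if inc.users_data_compromised > 0 and inc.suspected_malicious:
        hits.append("data compromise from suspected malicious action (any scale)")
    if inc.users_data_compromised > limit:
        hits.append("data compromise above the 5%/1M EU user threshold")
    return hits

def is_significant(inc: Incident) -> bool:
    return bool(significance_criteria(inc))

def reporting_deadlines(inc: Incident, aware_at: datetime) -> dict[str, datetime]:
    """Both regulators' clocks start at awareness and run in parallel, not sequentially."""
    deadlines: dict[str, datetime] = {}
    if is_significant(inc):
        notification = aware_at + timedelta(hours=72)
        deadlines["nis2_early_warning"] = aware_at + timedelta(hours=24)
        deadlines["nis2_notification"] = notification
        deadlines["nis2_final_report"] = notification + timedelta(days=FINAL_REPORT_DAYS)
    if inc.personal_data_involved:  # GDPR fires even when NIS2 thresholds are not met
        deadlines["gdpr_art33_dpa"] = aware_at + timedelta(hours=72)
    return deadlines
```

For the article's 40 million user social network, a hijacking campaign touching 1,000,001 accounts meets both the malicious-action and the absolute-cap criteria, so the CSIRT early warning is due 24 hours from awareness while the DPA clock runs to 72 hours in parallel.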

Compliance Priorities for Annex II Digital Providers

  • Confirm scope: Verify entity type against Annex II Section 6 definitions; confirm size threshold (50 employees OR >€10M turnover) is met
  • Map Article 21(2)(a)–(j) to platform operations: Risk analysis documentation must explicitly cover algorithm manipulation, mass account compromise, and API abuse as documented threat scenarios
  • Review CIR 2024/2690 Articles 12–13: Translate the 5%/1 million EU user thresholds into platform-specific incident criteria for your monitoring and escalation procedures
  • Build a dual-reporting procedure: Integrate NIS2 CSIRT notification and GDPR DPA notification into a single incident response workflow, with both timers running from first detection
  • Confirm CSIRT registration: Register with the national CSIRT in your jurisdiction; verify current registration deadline with the national competent authority
  • Designate EU representative if applicable: Platforms without EU establishment must appoint an Article 26(3) representative—separate from any GDPR Article 27 representative already designated
  • Audit supply chain documentation: Third-party API providers, CDNs, and ML data pipeline suppliers require documented Article 21(2)(d) security assessments
  • Ensure management sign-off: Article 20 requires management body approval of cybersecurity risk-management measures—documentation without a governance approval record does not satisfy the directive

Frequently Asked Questions

Does NIS2 apply to a social network headquartered outside the EU?
Yes. Article 2 of the NIS2 Directive brings any entity offering services within the EU into scope regardless of where it is headquartered. A non-EU social network meeting the size threshold must comply and must designate an EU representative under Article 26(3) if it has no EU establishment.

What are the penalties for failing to notify a significant incident?
Important entities face administrative fines of up to €7 million or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher. Member states may also impose non-monetary remedies including temporary prohibition orders and mandatory compliance audits. Senior management faces personal accountability under Article 20.

Does a large-scale account compromise on a social network require CSIRT notification?
Yes, if it meets the CIR 2024/2690 Article 13 thresholds. Any data compromise from suspected malicious action triggers the reporting obligation regardless of user count. Compromises affecting more than 5% of EU users or 1 million EU users (whichever is smaller) are significant incidents requiring the three-stage Article 23 notification. Since mass account compromises typically involve personal data, the parallel GDPR Article 33 DPA notification obligation also fires.

Does ISO 27001 certification satisfy NIS2 Article 21?
ISO 27001 provides structural alignment with several Article 21 measures, and many controls map between the two frameworks. Certification does not, however, constitute legal compliance. NIS2 adds specific obligations ISO 27001 does not cover: the incident reporting timelines under Article 23, management accountability under Article 20, CIR 2024/2690 sector-specific thresholds, and CSIRT registration. The frameworks are complementary, not interchangeable.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Sources

  1. NIS2 Directive (EU) 2022/2555 — Annex II: Other Critical Sectors (Section 6 — Digital Providers)
  2. NIS2 Directive (EU) 2022/2555 — Article 6: Definitions (online search engine, social networking services platform)
  3. NIS2 Directive (EU) 2022/2555 — Article 26: Jurisdiction and Territoriality
  4. Commission Implementing Regulation (EU) 2024/2690 — Article 12: Significant incidents for providers of online search engines
  5. Commission Implementing Regulation (EU) 2024/2690 — Article 13: Significant incidents for providers of social networking service platforms
  6. European Commission — NIS2 Commission Implementing Regulation on Critical Entities and Networks
  7. Maniszewska Law — NIS2 and GDPR: Cybersecurity and Data Protection Obligations
  8. Legiscope — Incident Reporting: Aligning NIS2 and GDPR
  9. Hunton Andrews Kurth — Implementing Regulation for Digital Service Providers Enters Into Force
  10. ISMS.online — What Counts as a Significant Incident Under NIS2?
