The NIS2 Directive (EU 2022/2555) is the most significant EU cybersecurity legislation to date. It applies to over 160,000 organisations across 18 sectors — and it makes management personally liable for compliance failures. Private cloud infrastructure addresses several of its most demanding requirements.
NIS2 replaces the original NIS Directive (2016/1148) with dramatically expanded scope, stricter obligations, and real enforcement teeth.
The original NIS Directive covered a narrow set of "operators of essential services." NIS2 expands this to two categories — essential entities and important entities — across 18 sectors including energy, transport, health, digital infrastructure, public administration, manufacturing, food, chemicals, and waste management.
Any medium-sized enterprise (50+ employees or EUR 10M+ turnover) in a covered sector is automatically in scope. Member States can designate smaller entities if they are critical. The European Commission estimates NIS2 applies to more than 160,000 organisations across the EU.
Article 20 of NIS2 requires that "management bodies of essential and important entities approve the cybersecurity risk-management measures" and "oversee its implementation." Management bodies can be held personally liable for non-compliance.
This is not a theoretical risk. Article 20(2) requires management to "follow training" to gain sufficient knowledge and skills to identify risks and assess cybersecurity practices. NIS2 shifts cybersecurity from an IT concern to a board-level governance obligation — with personal consequences for inadequate oversight.
Article 21 defines the minimum cybersecurity measures. Each one has direct implications for infrastructure decisions.
| NIS2 Requirement (Art. 21) | What It Demands | Private Cloud Relevance |
|---|---|---|
| Risk analysis and information system security policies | Documented risk assessment and security policies covering all information systems | Full visibility into the infrastructure stack enables comprehensive risk analysis. No black-box components where risk cannot be assessed. |
| Incident handling | Procedures for prevention, detection, and response to incidents | Direct access to all logs, network flows, and system telemetry. No dependency on a provider's incident detection and notification timeline. |
| Business continuity and crisis management | Backup management, disaster recovery, and crisis management procedures | Full control over backup locations, recovery procedures, and failover architecture. No vendor lock-in that constrains recovery options. |
| Supply chain security | Security of relationships with direct suppliers and service providers | Minimal supply chain with individually vetted components. No dependency on a provider with hundreds of undisclosed sub-processors. |
| Security in network and information systems acquisition, development, and maintenance | Security throughout the system lifecycle, including vulnerability handling and disclosure | You control the full lifecycle — procurement, deployment, patching, decommissioning. Vulnerability response on your timeline, not a vendor's. |
| Policies and procedures for assessing the effectiveness of cybersecurity measures | Regular testing and auditing of cybersecurity measures | Unrestricted penetration testing and security auditing. No provider terms of service limiting the scope of your security assessments. |
| Basic cyber hygiene practices and cybersecurity training | Foundational security practices and awareness training for all staff | Infrastructure team has complete knowledge of the environment. No abstraction layers hiding security-relevant configuration. |
| Policies and procedures regarding the use of cryptography and encryption | Appropriate use of cryptography, including key management | You own the encryption keys. No provider-managed KMS where the provider retains access. HSMs under your physical control. |
| Human resources security, access control policies, and asset management | Personnel security, access controls, and asset inventory | Complete asset inventory under your control. Access policies enforced at every layer without relying on a provider's IAM implementation. |
| Use of multi-factor authentication, secured communications, and secured emergency communications | MFA, encrypted communications, and resilient emergency communication systems | MFA and encrypted communications implemented on infrastructure you operate. Emergency communication channels that do not depend on a single provider's availability. |
Article 21(2)(d) requires entities to address "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers." This is the requirement with the most far-reaching implications for cloud infrastructure decisions.
When your infrastructure runs on a hyperscaler, your supply chain includes that provider's entire dependency tree: their hardware vendors, their sub-contractors, their support partners, their software supply chain. You cannot audit what you cannot see, and you cannot secure what you cannot audit.
Recital 85 of NIS2 explicitly states that entities should "take into account the vulnerabilities specific to each direct supplier and service provider" and "the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures."
Article 23(4)(a): An early warning must be submitted to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident. This must indicate whether the incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact.
Article 23(4)(b): A full incident notification within 72 hours, updating the early warning and providing an initial assessment of severity, impact, and — where available — indicators of compromise.
Article 23(4)(d): A final report within one month of the incident notification, including a detailed description of the incident, root cause analysis, mitigation measures applied, and cross-border impact where applicable.
Meeting the 24-hour early warning deadline requires immediate visibility into your infrastructure. If the incident occurs at the provider level and the provider does not notify you promptly, you may breach the reporting deadline through no fault of your own — but the liability is still yours.
NIS2 introduces GDPR-scale fines for cybersecurity failures — plus personal liability for management.
Essential entities face administrative fines of up to EUR 10,000,000 or 2% of total worldwide annual turnover, whichever is higher. Essential entities include organisations in energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space.
Supervisory authorities have the power to conduct audits, issue binding instructions, order remediation measures, and — in the most serious cases — temporarily prohibit a natural person from exercising managerial functions.
Important entities face administrative fines of up to EUR 7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher. Important entities include organisations in postal services, waste management, chemicals, food, manufacturing, digital providers, and research.
Important entities are subject to ex-post supervision rather than the proactive supervision applied to essential entities. However, the fines and enforcement powers are still substantial — and still include personal liability provisions for management bodies.
| Enforcement Measure | Essential Entities | Important Entities |
|---|---|---|
| Maximum fine | EUR 10M or 2% of global turnover | EUR 7M or 1.4% of global turnover |
| Supervision type | Proactive (ex-ante) | Reactive (ex-post) |
| On-site inspections | Yes — regular and ad hoc | Yes — when evidence of non-compliance exists |
| Binding instructions | Yes | Yes |
| Management suspension | Yes — temporary prohibition of managerial functions | Yes — temporary prohibition of managerial functions |
| Management training obligation | Yes (Article 20) | Yes (Article 20) |
NIS2 covers 18 sectors divided into essential and important entities. If your organisation is in any of these sectors with 50+ employees or EUR 10M+ turnover, you are in scope.
NIS2 uses the EU SME definition as the baseline. Organisations are in scope if they meet either criterion: 50 or more employees, or annual turnover of EUR 10 million or more.
Exceptions: Member States may designate smaller entities as in scope if they provide a critical function. DNS service providers, TLD registries, and certain digital infrastructure providers are in scope regardless of size.
NIS2 is in effect. Understand your obligations, evaluate your supply chain risk, and explore EU-jurisdiction private cloud infrastructure.