The European Union's NIS-2 Directive marks a significant shift in cybersecurity legislation, expanding its scope and introducing more rigorous obligations for a broader range of entities. Beyond the technical requirements, a critical aspect of NIS-2 is that it explicitly introduces director liability for non-compliance, placing personal accountability on senior management for their organisation's cybersecurity. This elevates the importance of robust security measures, particularly in areas like data backup and recovery, which are fundamental to operational resilience and incident response.
For IT leaders, CISOs, and board members across the EU and UK, understanding these new liabilities is paramount. Selecting the best NIS-2 backup solution is no longer just an operational concern; it's a strategic imperative directly impacting corporate governance and individual accountability. This article will explore the intricacies of NIS-2, highlight the implications of director liability, and provide a framework for evaluating backup solutions that meet regulatory demands and offer the resilience and sovereignty essential for today's threat landscape.
Key Takeaways
- The NIS-2 Directive introduces direct director liability for cybersecurity failures, making robust backup and recovery solutions a critical component of compliance and risk mitigation.
- Selecting a NIS-2 compliant backup solution requires evaluating data residency, CLOUD Act exposure, Immutable Storage capabilities, and predictable pricing to ensure both legal certainty and operational resilience.
- EU sovereign cloud providers like Impossible Cloud offer a secure, S3-compatible, and cost-predictable backup solution that addresses NIS-2 requirements, mitigates supply chain risks, and protects directors from liability.
Understanding NIS-2: Scope, Obligations, and Director Accountability
The NIS-2 Directive (Directive (EU) 2022/2555) came into force on 16 January 2023, replacing the original NIS Directive. Member States are required to transpose its provisions into national law by 17 October 2024. Its primary goal is to enhance the overall level of cybersecurity across the EU by expanding the scope to cover more sectors and entities, strengthening security requirements, and introducing stricter enforcement measures.
NIS-2 introduces direct accountability for senior management. Article 32 of the Directive states that members of the management body of essential and important entities can be held liable for breaches of cybersecurity risk management measures. This means directors can face administrative fines and, in some Member States, even criminal penalties for failing to implement adequate cybersecurity practices. The fines can be substantial, reaching up to €10 million or 2% of the entity's total worldwide annual turnover, whichever is higher, for essential entities, and €7 million or 1.4% for important entities.
This shift places cybersecurity firmly on the board's agenda, requiring a proactive approach to risk management. Directors must not only understand the technical aspects of their organisation's security but also ensure that appropriate governance, resources, and oversight are in place. A fundamental component of this oversight is ensuring that robust backup and recovery solutions are implemented and regularly tested, directly addressing NIS-2's requirements for incident handling and business continuity.
The Indispensable Role of Backup in NIS-2 Compliance
Backup and recovery are not merely good practice; they are explicitly mandated under NIS-2 as essential technical and organisational measures. Article 21 of the Directive requires entities to implement measures for 'incident handling' and 'business continuity, such as backup management and disaster recovery, and crisis management'. This highlights that the ability to restore data and services quickly after a cyber incident, such as a ransomware attack or system failure, is critical for maintaining operational continuity and mitigating the impact of an attack.
Effective backup management under NIS-2 goes beyond simply making copies of data. It encompasses a comprehensive strategy that includes:
- Regularity and Scope: Ensuring backups are performed consistently and cover all critical systems and data.
- Integrity and Immutability: Protecting backups from tampering, encryption, or deletion, often through Immutable Storage or Object Lock features.
- Accessibility and Recoverability: Guaranteeing that backups can be accessed and restored efficiently within defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
- Testing: Regularly testing backup and recovery procedures to validate their effectiveness and identify any weaknesses.
- Off-site Storage: Storing copies of backups in a geographically separate location to protect against localised disasters.
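To make the five checks above concrete, here is an added example, not code from the original article or from Impossible Cloud, that evaluates an inventory of backup copies against a written policy. The systems, sites, dates and policy thresholds are constructed sample values; the point is that each finding maps to one of the bullets above (RPO, off-site copy, immutable copy, restore test) so the board-level obligation becomes a checkable list rather than a statement of intent.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed sample data and policy values; none of it comes from the page.

@dataclass
class BackupCopy:
    system: str
    taken_at: datetime
    site: str                             # "primary" or the name of an off-site location
    immutable_until: Optional[datetime]   # Object Lock retain-until date; None = mutable copy
    last_restore_test: Optional[datetime] # when this copy was last restored in a test

@dataclass
class Policy:
    rpo: timedelta                  # newest copy must be no older than this
    min_retention: timedelta        # at least one copy must be locked for this long
    restore_test_interval: timedelta
    critical_systems: Tuple[str, ...]

def evaluate(copies: List[BackupCopy], policy: Policy, now: datetime) -> List[Tuple[str, str]]:
    """Return (system, finding) pairs; an empty list means every check passed."""
    findings = []
    by_system = {}
    for c in copies:
        by_system.setdefault(c.system, []).append(c)
    for system in policy.critical_systems:
        sys_copies = by_system.get(system, [])
        if not sys_copies:                               # Regularity and Scope
            findings.append((system, "NO_BACKUP"))
            continue
        newest = max(sys_copies, key=lambda c: c.taken_at)
        if now - newest.taken_at > policy.rpo:           # Recoverability within RPO
            findings.append((system, "RPO_EXCEEDED"))
        if not any(c.site != "primary" for c in sys_copies):   # Off-site Storage
            findings.append((system, "NO_OFFSITE_COPY"))
        if not any(c.immutable_until is not None                # Integrity and Immutability
                   and c.immutable_until - c.taken_at >= policy.min_retention
                   for c in sys_copies):
            findings.append((system, "NO_IMMUTABLE_COPY"))
        if not any(c.last_restore_test is not None              # Testing
                   and now - c.last_restore_test <= policy.restore_test_interval
                   for c in sys_copies):
            findings.append((system, "RESTORE_UNTESTED"))
    return findings

NOW = datetime(2024, 10, 17, tzinfo=timezone.utc)

POLICY = Policy(
    rpo=timedelta(hours=24),
    min_retention=timedelta(days=14),
    restore_test_interval=timedelta(days=30),
    critical_systems=("erp", "mail", "crm"),
)

SAMPLE_COPIES = [
    # A well-managed system: fresh, off-site, locked for 30 days, restore-tested 10 days ago.
    BackupCopy("erp", NOW - timedelta(hours=6), "eu-offsite-1",
               immutable_until=NOW - timedelta(hours=6) + timedelta(days=30),
               last_restore_test=NOW - timedelta(days=10)),
    # A neglected system: stale, primary-site only, mutable, never restore-tested.
    BackupCopy("mail", NOW - timedelta(hours=36), "primary",
               immutable_until=None, last_restore_test=None),
    # "crm" has no copy at all.
]

def run_sample() -> List[Tuple[str, str]]:
    return evaluate(SAMPLE_COPIES, POLICY, NOW)

if __name__ == "__main__":
    for system, finding in run_sample():
        print(f"{system}: {finding}")
```

Run against the constructed inventory, the checker reports nothing for `erp`, four findings for `mail` and `NO_BACKUP` for `crm`; feeding it the real backup catalogue and the policy the board approved gives a repeatable evidence trail for the oversight NIS-2 expects from management.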
Without a resilient backup strategy, organisations face prolonged downtime, significant data loss, and severe reputational damage, all of which can lead to substantial fines and trigger director liability under NIS-2. Therefore, investing in a backup solution that aligns with these principles is a direct investment in compliance and corporate resilience.
Evaluating Backup Solutions for NIS-2 Compliance: A Comparative Framework
Choosing the best NIS-2 backup solution requires a thorough evaluation against specific criteria that address both the technical mandates of the Directive and the broader implications of data sovereignty and supply chain risk. Organisations must look beyond basic storage capabilities to consider factors that directly impact their ability to comply and mitigate director liability.
Here's a comparative framework to guide your decision-making, contrasting common approaches:
| Criterion | US Hyperscaler (e.g., AWS S3, Azure Blob) | EU Sovereign Cloud Provider (e.g., Impossible Cloud) | On-Premise Storage |
|---|---|---|---|
| Data Residency & Jurisdiction | Data can be stored in EU regions, but provider is subject to US extraterritorial laws (e.g., CLOUD Act). | Data stored exclusively in EU/UK data centres, subject only to EU/UK jurisdiction. Sovereign by design. | Data remains within the organisation's physical control, subject to local laws. |
| CLOUD Act Exposure | High risk of US authorities compelling access to data, even if stored in EU. | No CLOUD Act exposure; data is protected under EU/UK legal frameworks. | No CLOUD Act exposure. |
| Immutable Storage / Object Lock | Generally available, but implementation and cost can vary by storage tier. | Standard feature, often with transparent pricing and Always-Hot access. | Requires dedicated hardware/software solutions, can be complex to manage. |
| S3 Compatibility | Native S3 API. | Full S3 API compatibility, enabling seamless migration and integration. | Not applicable; requires custom integration or proprietary solutions. |
| Certifications (ISO 27001, SOC 2) | Typically possess a wide range of global certifications. | Holds relevant EU/international certifications, demonstrating commitment to security and compliance. | Requires organisation to obtain and maintain its own certifications. |
| Cost Predictability | Complex pricing models with egress fees, API call charges, and tiered storage. AWS S3 egress fees can range from $0.05 to $0.09 per GB depending on region and volume. | Transparent, predictable pricing, often with no egress fees or API charges. | High upfront capital expenditure, ongoing maintenance, and scaling costs. |
While on-premise solutions offer direct control, they come with significant operational overhead and scalability challenges. US hyperscalers provide scale and features but introduce complexities regarding data sovereignty and unpredictable costs due to egress fees. For example, moving data out of AWS S3 can incur significant egress charges, which can quickly escalate during a disaster recovery scenario. EU sovereign cloud providers are specifically designed to address these concerns, offering a balance of compliance, performance, and cost predictability.
Mitigating Supply Chain Risk and Third-Party Provider Accountability under NIS-2
NIS-2 places a strong emphasis on supply chain security, particularly in Article 21, which mandates entities to address cybersecurity risks in their supply chain and relationships with direct suppliers or service providers. This means that organisations are not only responsible for their own cybersecurity but also for ensuring that their third-party providers, including backup solution providers, adhere to robust security standards. Director liability can extend to failures in managing these third-party risks.
When selecting a backup solution, organisations must conduct thorough due diligence on their potential providers. Key considerations include:
- Provider's Security Posture: Assess the provider's own cybersecurity measures, certifications (e.g., ISO 27001, SOC 2 Type II), and incident response capabilities.
- Contractual Agreements: Ensure contracts clearly define responsibilities, service level agreements (SLAs), and data processing terms that align with GDPR and NIS-2.
- Data Residency and Sovereignty: Verify where data is stored and processed, and under which jurisdiction it falls. Providers operating exclusively within the EU/UK offer greater legal certainty and protection from extraterritorial access requests like the US CLOUD Act.
- Transparency: Choose providers that offer clear visibility into their infrastructure, security practices, and compliance frameworks.
A backup solution provider that is 'Sovereign by design' and operates exclusively within EU/UK data centres can significantly reduce the complexity and risk associated with supply chain security under NIS-2. This approach ensures that your data remains under EU/UK jurisdiction, simplifying compliance and reducing concerns for directors regarding their personal liability.
Impossible Cloud: A Sovereign and Secure NIS-2 Backup Solution for EU Enterprises
For organisations navigating the complexities of NIS-2 and the heightened stakes of director liability, Impossible Cloud offers an S3-compatible object storage solution designed for EU compliance and operational resilience. Our platform is Sovereign by design, with all data stored and operated exclusively in certified European data centres across Germany, the Netherlands, the UK, Denmark, and Poland. This commitment to EU-only infrastructure ensures that your data remains under EU/UK jurisdiction, providing robust protection against extraterritorial access demands and simplifying your NIS-2 and GDPR compliance efforts.
Impossible Cloud's architecture is built to deliver the technical and organisational measures required by NIS-2. Our Immutable Storage and Object Lock features provide critical ransomware protection, ensuring that your backup data cannot be altered, encrypted, or deleted for a defined retention period. This is a vital defence against sophisticated cyber threats and a direct answer to NIS-2's requirements for data integrity and recoverability. Furthermore, our multi-layer encryption (in transit and at rest), IAM with MFA/RBAC, and SAML/OIDC support provide comprehensive security controls, aligning with the highest industry standards.
Beyond compliance, Impossible Cloud offers high performance. Our Always-Hot object storage model ensures all data is immediately accessible, eliminating the delays and complexities associated with tiered storage solutions. This is crucial for meeting stringent RTOs and RPOs during incident recovery, directly supporting NIS-2's business continuity mandates. With full S3-API compatibility, organisations can seamlessly integrate existing backup applications like Veeam, Acronis, and MSP360, making migration a straightforward process without code rewrites. This S3-compatible object storage facilitates transition to a NIS-2 compliant backup infrastructure.
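The Object Lock behaviour described above follows the S3 Object Lock model: COMPLIANCE retention cannot be removed or shortened by any principal until it expires, GOVERNANCE retention can be overridden only by a principal holding the bypass permission, and a legal hold blocks deletion regardless of retention. The following is an added example, written here and not taken from the page or from Impossible Cloud's implementation, that models those decision rules locally so a defender can see which backup versions would survive a mass-delete issued with a compromised credential. Object keys, dates and the bypass flag are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

COMPLIANCE = "COMPLIANCE"
GOVERNANCE = "GOVERNANCE"

@dataclass
class LockedObject:
    key: str
    mode: Optional[str]                # COMPLIANCE, GOVERNANCE or None (no retention)
    retain_until: Optional[datetime]   # retain-until timestamp, None when no retention
    legal_hold: bool = False           # legal hold blocks deletion independently of retention

def may_delete(obj: LockedObject, now: datetime, bypass_governance: bool = False) -> Tuple[bool, str]:
    """Decide whether deleting or overwriting this object version would be permitted."""
    if obj.legal_hold:
        return False, "legal hold active"
    if obj.mode is None or obj.retain_until is None:
        return True, "no retention configured"
    if now >= obj.retain_until:
        return True, "retention period expired"
    if obj.mode == GOVERNANCE and bypass_governance:
        return True, "GOVERNANCE retention bypassed by a principal with the bypass permission"
    return False, f"{obj.mode} retention in force until {obj.retain_until.isoformat()}"

def may_change_retention(obj: LockedObject, new_until: datetime, bypass_governance: bool = False) -> bool:
    """Retention may always be extended; shortening is refused under COMPLIANCE and
    under GOVERNANCE unless the caller holds the bypass permission."""
    if obj.mode is None or obj.retain_until is None:
        return True
    if new_until >= obj.retain_until:
        return True
    return obj.mode == GOVERNANCE and bypass_governance

def surviving_keys(objects: List[LockedObject], now: datetime, bypass_governance: bool = False) -> List[str]:
    """Keys that remain after an attempt to delete every object with the given privileges."""
    return [o.key for o in objects if not may_delete(o, now, bypass_governance)[0]]

# Constructed sample bucket contents (not real data).
NOW = datetime(2024, 10, 17, tzinfo=timezone.utc)
SAMPLE_OBJECTS = [
    LockedObject("backups/erp-2024-10-16.bak", COMPLIANCE, NOW + timedelta(days=29)),
    LockedObject("backups/erp-2024-09-01.bak", COMPLIANCE, NOW - timedelta(days=1)),   # expired
    LockedObject("backups/mail-2024-10-16.bak", GOVERNANCE, NOW + timedelta(days=13)),
    LockedObject("backups/mail-2024-10-15.bak", None, None, legal_hold=True),
    LockedObject("logs/tmp.txt", None, None),
]

if __name__ == "__main__":
    print("ordinary credential:", surviving_keys(SAMPLE_OBJECTS, NOW))
    print("credential with governance bypass:", surviving_keys(SAMPLE_OBJECTS, NOW, True))
```

The two printed lists show the practical difference between the modes: a credential with the governance bypass can remove the GOVERNANCE-locked mail backup, while the COMPLIANCE-locked copy and the copy under legal hold survive either way. That is why a backup target for NIS-2 purposes should hold at least one COMPLIANCE-mode copy whose retention covers the organisation's recovery window, and why the expired copy from September is no longer a protection.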
Predictable Costs and Full Control: Mitigating Financial and Operational Risks
One of the often-overlooked aspects of cloud backup solutions, particularly with hyperscalers, is the unpredictable nature of costs. Hidden egress fees, API call charges, and complex storage tiers can lead to significant budget overruns, adding another layer of risk for directors. Impossible Cloud addresses this directly with its predictable pricing model. We offer transparent costs with no egress fees, no API call costs, and no minimum storage duration. This eliminates financial surprises, allowing organisations to accurately budget for their backup and disaster recovery needs, a critical factor in responsible financial governance under NIS-2.
Our commitment to 'Full Control. Zero Surprises.' extends to providing robust tools for managing your data. With country-level geofencing, you can precisely define where your data resides within our European network, ensuring adherence to specific national data protection requirements. This granular control, combined with 99.999999999% (11 nines) durability, provides the reliability and assurance necessary for critical backup operations. Our ISO 27001, SOC 2 Type II, and PCI DSS certifications further underscore our dedication to security and compliance, offering a trusted foundation for your NIS-2 strategy.
By choosing Impossible Cloud, organisations gain a partner that understands the unique challenges of the European regulatory landscape. We enable IT leaders and directors to confidently meet their NIS-2 obligations, protect their data, and safeguard their personal liability, benefiting from a high-performance, cost-efficient, and sovereign cloud storage solution. To learn more about our transparent pricing, visit our pricing page, or explore our customer success stories to see how other organisations are benefiting.