European organisations face a dual challenge: escalating cyber threats and a rapidly evolving regulatory landscape. The NIS-2 Directive (Directive (EU) 2022/2555), which entered into force in January 2023, represents a significant step-change in the EU's approach to cybersecurity, expanding its scope and imposing stricter obligations on a wider array of entities. For many, the question of how to select ISO 27001 certified cloud storage that is also NIS-2 compliant within the EU has become a top strategic priority.
Compliance is no longer merely a tick-box exercise; it's about building genuine digital resilience and protecting critical assets. This article will delve into the core tenets of the NIS-2 Directive, explore the foundational role of ISO 27001 in securing cloud environments, and provide a comprehensive guide to selecting cloud storage that meets these stringent European cybersecurity and data sovereignty requirements. We will examine the technical and organisational measures necessary to safeguard your data, ensuring your organisation remains secure, compliant, and in full control.
Key Takeaways
- The NIS-2 Directive significantly expands cybersecurity obligations across the EU, demanding robust risk management, incident reporting, and supply chain security measures from a wider range of entities.
- ISO 27001 certification, particularly with its updated Annex A control 5.23 for cloud services, provides a foundational framework for securing cloud storage and demonstrating adherence to international information security best practices.
- Achieving NIS-2 compliant EU cloud storage requires choosing a sovereign, EU-based provider that offers transparent pricing, strong security features like Object Lock, and is free from extraterritorial legal risks such as the US CLOUD Act.
The NIS-2 Directive: Expanding Scope and Stricter Cybersecurity Obligations
The NIS-2 Directive marks a pivotal shift in European cybersecurity, replacing the original NIS Directive from 2016. Its primary aim is to establish a high common level of cybersecurity across the Union by expanding the scope of covered entities and introducing more stringent requirements. The directive now applies to a significantly broader range of sectors deemed 'essential' or 'important' to the economy and society, including energy, transport, banking, health, digital infrastructure, public administration, and even cloud service providers themselves.
Organisations falling under NIS-2 are mandated to implement robust cybersecurity risk management measures. These include comprehensive risk assessments, incident handling procedures, business continuity and crisis management, supply chain security, and the use of encryption and cryptographic policies. Furthermore, NIS-2 places a strong emphasis on corporate accountability, making senior management directly responsible for cybersecurity compliance. Strict incident reporting obligations are also a cornerstone, requiring initial warnings within 24 hours and detailed reports within 72 hours of becoming aware of a significant incident.
While the NIS-2 Directive focuses on the security and resilience of networks and information systems, it shares common ground with the GDPR, which protects personal data. Both regulations require documented risk analyses, robust incident response plans, and employee awareness training. However, NIS-2 adds a new layer of operational and technical responsibility, demanding continuous monitoring, audits, and active cyber defence beyond what GDPR alone requires. Member States were required to transpose NIS-2 into national law by 17 October 2024, with enforcement beginning shortly thereafter.
ISO 27001: The Foundational Standard for Secure Cloud Storage
ISO/IEC 27001 is the internationally recognised standard for Information Security Management Systems (ISMS), providing a systematic approach to managing sensitive company information so that it remains secure. Achieving ISO 27001 certification demonstrates an organisation's commitment to information security, covering the confidentiality, integrity, and availability (CIA triad) of data. For cloud storage, this certification is not merely a badge; it signifies that a provider has established and maintains a robust framework for identifying, assessing, and mitigating information security risks.
The 2022 update to ISO 27001 introduced a crucial new control, Annex A 5.23, specifically addressing 'Information security for the use of cloud services'. This control mandates that organisations define and manage information security requirements throughout the entire lifecycle of cloud services – from acquisition and use to management and exit. It requires a clear division of security responsibilities between the cloud provider and the customer, moving beyond generic supplier management to address the unique shared responsibility model inherent in cloud environments.
Key ISO 27001 controls relevant to cloud storage include implementing strong access controls based on the principle of least privilege, applying robust encryption for data both at rest and in transit, and utilising network isolation to protect cloud resources. For organisations seeking to be NIS-2 compliant, partnering with an ISO 27001 certified cloud storage provider is a critical first step. It ensures that the underlying infrastructure and operational processes adhere to globally recognised security best practices, forming a solid foundation upon which NIS-2 specific measures can be built.
Navigating NIS-2 Compliance for Cloud Storage: Key Technical and Organisational Measures
For organisations within the scope of NIS-2, cloud storage is not just a utility but a critical component of their cybersecurity posture. The directive's requirements translate into specific technical and organisational measures that must be applied to cloud storage solutions. At its core, NIS-2 demands a proactive approach to risk management, requiring entities to regularly evaluate cyber risks and implement security controls to mitigate threats.
Key technical measures for NIS-2 compliant cloud storage include:
- Encryption and Cryptographic Policies: Sensitive data must be encrypted both at rest and in transit to prevent unauthorised access. This extends to robust key management practices.
- Access Control: Implementing strong Identity and Access Management (IAM) with multi-factor authentication (MFA) and role-based access control (RBAC) is essential to ensure only authorised personnel can access data.
- Immutable Storage (Object Lock): To protect against ransomware and accidental deletion, WORM (Write-Once-Read-Many) capabilities, often referred to as Object Lock, are crucial for data integrity and availability.
- Backup and Recovery: NIS-2 mandates robust business continuity and crisis management, which includes comprehensive backup and recovery solutions to ensure resilience during cyber incidents. This necessitates reliable, offsite storage with fast recovery capabilities.
- Network Security: Measures such as network isolation and protection against malware are vital to secure cloud storage resources.
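The measures above can be verified on an S3-compatible bucket from the configuration the storage API reports back. The following is an added example (not code from the original article or from Impossible Cloud) that audits encryption at rest, versioning and Object Lock retention against a required retention period; the input dicts follow the response shapes of the S3 calls GetObjectLockConfiguration, GetBucketVersioning and GetBucketEncryption, and the sample responses and bucket names are constructed for illustration.

```python
# Added example: audit the bucket settings behind the NIS-2 measures listed above.
# Against a live endpoint the three dicts would come from boto3 calls such as
# s3.get_object_lock_configuration(Bucket=name); here they are constructed samples.

def retention_days(rule):
    """Default retention period of an Object Lock rule in days (0 if none)."""
    ret = (rule or {}).get("DefaultRetention", {})
    return ret.get("Days", 0) + 365 * ret.get("Years", 0)

def audit_bucket(name, lock_cfg, versioning, encryption, min_days):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    lock = lock_cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append(f"{name}: Object Lock not enabled, stored objects are not immutable")
    else:
        rule = lock.get("Rule")
        if rule is None:
            findings.append(f"{name}: no default retention rule, objects are locked only on request")
        else:
            mode = rule.get("DefaultRetention", {}).get("Mode")
            if mode != "COMPLIANCE":  # GOVERNANCE can be bypassed by a privileged principal
                findings.append(f"{name}: retention mode is {mode}, not COMPLIANCE")
            if retention_days(rule) < min_days:
                findings.append(f"{name}: default retention {retention_days(rule)}d < required {min_days}d")
    # Object Lock relies on versioning; a suspended bucket undermines WORM semantics.
    if versioning.get("Status") != "Enabled":
        findings.append(f"{name}: versioning is not enabled")
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos & {"AES256", "aws:kms"}:
        findings.append(f"{name}: no default server-side encryption at rest")
    return findings

# Constructed sample responses: one bucket that passes and one with weak settings.
GOOD = dict(
    lock_cfg={"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
              "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}}},
    versioning={"Status": "Enabled"},
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}})
WEAK = dict(
    lock_cfg={"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
              "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}},
    versioning={"Status": "Suspended"},
    encryption={})

if __name__ == "__main__":
    for name, cfg in (("backups-eu", GOOD), ("scratch-eu", WEAK)):
        for finding in audit_bucket(name, min_days=90, **cfg):
            print(finding)
```

The required retention period (90 days here) is a policy input; set it from your own backup and business continuity requirements rather than the sample value.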
From an organisational perspective, NIS-2 places significant emphasis on supply chain security. Organisations must evaluate supplier security, ensuring vendors meet compliance standards, update contracts to include cybersecurity obligations, and implement monitoring systems to track risks. This means a cloud storage provider must demonstrate its own robust security posture and compliance, including certifications like ISO 27001, to be a suitable partner for NIS-2 regulated entities.
Comparing Cloud Storage Options for ISO 27001 and NIS-2 Compliance in the EU
Choosing the right cloud storage provider is a critical decision for any organisation, especially when navigating the stringent requirements of ISO 27001 and NIS-2 in the EU. The market offers a range of options, each with distinct characteristics that impact compliance, security, and data sovereignty. Understanding these differences is key to making an informed choice that aligns with your organisation's risk appetite and regulatory obligations.
Below is a comparison of common cloud storage approaches against key criteria relevant to ISO 27001 and NIS-2 compliance in the EU:
| Criterion | US Hyperscaler (e.g., AWS, Azure, GCP) | EU Sovereign Cloud Provider | On-Premise Storage |
|---|---|---|---|
| Data Residency Control | Data can be stored in EU regions, but provider is US-owned. | Data stored exclusively in EU data centres, with country-level geofencing. | Full physical control over data location. |
| CLOUD Act Exposure | Subject to US CLOUD Act, allowing US authorities to compel access to data, even if stored in the EU. | Not subject to US CLOUD Act; data remains under EU/UK jurisdiction. | No CLOUD Act exposure, but requires robust internal legal frameworks. |
| ISO 27001 Certification | Typically ISO 27001 certified for infrastructure, but shared responsibility model applies. | ISO 27001 certified for infrastructure and operations, often with a broader scope for customer data. | Requires organisation to achieve and maintain its own ISO 27001 certification. |
| Object Lock / Immutability | Available, but implementation details and pricing vary. | Standard feature, often with compliance-grade WORM. | Requires specific hardware/software solutions and management. |
| Supply Chain Transparency | Complex global supply chains, potentially involving non-EU sub-processors. | Clear, EU-centric supply chain, simplifying NIS-2 third-party risk management. | Full control over internal supply chain, but external vendors still apply. |
| Cost Predictability | Often complex pricing with egress fees and API charges, leading to unpredictable costs. | Transparent, predictable pricing models, often with no egress or API fees. | High upfront capital expenditure, ongoing maintenance, and operational costs. |
While hyperscalers offer vast scale, their US ownership introduces significant jurisdictional challenges for EU organisations due to the CLOUD Act. On-premise solutions offer control but come with high operational burdens and capital expenditure. EU sovereign cloud providers, by contrast, are specifically designed to address the unique compliance and sovereignty needs of the European market, offering a balanced approach to security, control, and cost-effectiveness.
Achieving Data Sovereignty and Supply Chain Resilience with EU-Based Cloud Storage
Data sovereignty is a paramount concern for European organisations, particularly under the NIS-2 Directive and GDPR. It refers to the idea that data is subject to the laws and governance structures of the nation in which it is collected and stored. For EU entities, this means ensuring data remains within EU jurisdiction, free from extraterritorial access by non-EU governments. The US CLOUD Act, for instance, allows US authorities to compel US-owned cloud providers to hand over data, regardless of where it is physically stored, creating a direct conflict with EU data protection principles.
Choosing an EU-based cloud storage provider that is sovereign by design fundamentally mitigates this risk. Such providers operate exclusively within certified European data centres, often offering country-level geofencing to ensure data stays in predefined regions under EU rules. This approach eliminates exposure to foreign government data requests, providing the legal certainty and control that European organisations require. It's not just about physical data residency; it's about jurisdictional control over your data.
Furthermore, NIS-2 places a strong emphasis on supply chain security, requiring organisations to assess and manage cyber risks across their entire value chain. Partnering with an EU-based cloud provider simplifies this aspect significantly. Their transparent, EU-centric operations and adherence to European legal frameworks mean fewer complexities in vetting third-party risks and ensuring that all sub-processors and data handling practices align with NIS-2 obligations. This focus on a localised, secure supply chain enhances overall resilience and reduces regulatory exposure for essential and important entities.
Impossible Cloud: Your Partner for ISO 27001 Cloud Storage and NIS-2 Compliance in the EU
For organisations seeking to navigate the complexities of NIS-2 and ISO 27001 compliance, particularly within the EU, Impossible Cloud offers a compelling, enterprise-ready solution. As a European provider, Impossible Cloud is sovereign by design, with data stored exclusively in ISO-certified European data centres across Germany, the Netherlands, the UK, Denmark, and Poland. This commitment to EU-only operations ensures your data remains under EU jurisdiction, providing full protection from extraterritorial access demands like the US CLOUD Act.
Impossible Cloud's S3-compatible object storage is built to meet the highest security and compliance standards. It is ISO 27001, SOC 2 Type II, and PCI DSS certified, demonstrating a robust Information Security Management System that aligns perfectly with NIS-2 requirements. Key features include multi-layer encryption (in transit and at rest), Immutable Storage with Object Lock (WORM) for ransomware protection and regulatory compliance, and comprehensive IAM with MFA and RBAC. These technical controls directly address the NIS-2 mandates for data integrity, confidentiality, and availability.
Beyond security, Impossible Cloud prioritises predictability and control. Our transparent pricing model eliminates hidden costs such as egress fees, API call charges, and minimum storage durations, allowing for clear financial planning and operational stability. The 'Always-Hot' object storage architecture ensures all data is immediately accessible without tier-restore delays, supporting critical business continuity and rapid recovery objectives mandated by NIS-2. With full S3 API compatibility, organisations can seamlessly integrate existing tools and workflows, making migration straightforward and avoiding vendor lock-in. Explore Impossible Cloud's S3-compatible storage to see how it can enhance your compliance posture.
Impossible Cloud is not just a storage provider; it's a strategic partner for organisations committed to digital sovereignty and robust cybersecurity. Our platform is designed to empower IT leaders and compliance officers to meet their obligations with confidence, providing a secure, high-performance, and cost-effective foundation for their data. Read our customer success stories to understand how European organisations are leveraging Impossible Cloud for their critical data needs.