
Navigating NIS-2 Article 21: A Cloud Storage Provider Comparison for EU Organisations

26.02.2026 (11 minutes)
Christian Kaul, CEO Impossible Cloud
Evaluating Data Sovereignty, Security, and Supply Chain Resilience for Critical Infrastructure

The European Union's NIS-2 Directive (Directive (EU) 2022/2555) marks a significant evolution in cybersecurity legislation, aiming to bolster the collective resilience of critical infrastructure and digital services across the bloc. With Member States having transposed the Directive into national law by 17 October 2024, organisations are now legally obligated to meet its stringent requirements, particularly those outlined in Article 21 concerning cybersecurity risk management measures.

For many, the directive's expanded scope means that cloud storage, a foundational component of modern IT infrastructure, falls squarely under scrutiny. Selecting a cloud storage provider that not only meets technical security standards but also aligns with the jurisdictional and supply chain demands of NIS-2 is paramount. This NIS-2 Article 21 cloud storage provider comparison examines the key factors EU organisations must consider to ensure their data storage strategies are compliant, secure, and sovereign by design.

We will explore the core tenets of NIS-2 Article 21, examine the inherent challenges posed by extraterritorial laws like the US CLOUD Act, and provide a structured comparison of different cloud storage approaches. Our goal is to equip IT leaders, CISOs, and compliance officers with the insights needed to navigate this complex landscape and secure their digital future.

Key Takeaways

  • NIS-2 Article 21 mandates robust cybersecurity risk management and supply chain security, making cloud storage provider selection a critical compliance decision for EU organisations.
  • The US CLOUD Act poses a significant jurisdictional risk for EU data stored with US-headquartered cloud providers, even in EU data centres, challenging digital sovereignty and GDPR compliance.
  • EU sovereign cloud providers offer a clear path to NIS-2 compliance through EU-only data residency, transparent pricing without egress fees, and enterprise-grade security features like Immutable Storage.

Understanding NIS-2 Article 21 and its Impact on Cloud Storage

The NIS-2 Directive significantly broadens the scope of its predecessor, NIS-1, encompassing a wider array of 'essential' and 'important' entities across 18 critical sectors, including energy, transport, health, and digital infrastructure. This expansion means that many more organisations, including cloud service providers themselves, are now directly subject to enhanced cybersecurity obligations. Article 21 is central to these obligations, mandating that entities implement appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks effectively.

These measures are designed to protect network and information systems from incidents and minimise their impact on service recipients and interconnected services. Key areas of focus include risk analysis and information system security, incident handling, business continuity, supply chain security, and the use of cryptography and encryption. For cloud storage, this translates into a demand for robust security features, transparent operational practices, and a clear understanding of where data resides and who can access it. The European Union Agency for Cybersecurity (ENISA) has published extensive guidelines to assist organisations in translating these legal requirements into practical operational activities.

Crucially, NIS-2 places a strong emphasis on supply chain security. Organisations must ensure that their third-party providers, including cloud storage providers, also comply with stringent cybersecurity standards. This means that merely outsourcing data storage does not absolve an organisation of its NIS-2 responsibilities; rather, it extends the need for due diligence to its entire digital supply chain. Companies must systematically check the security level of their service providers and make NIS-2 compliance requirements binding in contracts.

Key Criteria for NIS-2 Compliant Cloud Storage Selection

Selecting a cloud storage provider under the NIS-2 Directive requires a meticulous evaluation against several critical criteria. Beyond basic storage capacity and performance, organisations must assess a provider's capabilities in areas directly addressed by Article 21. Data residency is paramount; knowing the geographical location of data centres and the jurisdiction under which they operate is fundamental for EU compliance. Providers must offer clear assurances that data remains within the EU/UK, preventing exposure to extraterritorial laws.

Technical security measures are equally vital. This includes multi-layer encryption for data both in transit and at rest, robust access controls (such as Identity and Access Management (IAM) with Multi-Factor Authentication (MFA) and Role-Based Access Control (RBAC)), and the implementation of Immutable Storage or Object Lock. Immutable Storage, often referred to as Write Once Read Many (WORM) technology, is crucial for ransomware protection and ensuring data integrity, directly aligning with NIS-2's emphasis on safeguarding essential services and facilitating data recovery.
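The paragraph above presents Immutable Storage (Object Lock, WORM) as the control that keeps backups intact during a ransomware incident. The Python below is an added example, not Impossible Cloud's code or the S3 API itself: it models the decision rules of S3-style Object Lock (GOVERNANCE versus COMPLIANCE retention, legal hold, and the bypass-governance permission) and runs a constructed mass-delete attempt over a sample backup set to show which objects survive when the deleting identity lacks, and when it holds, the bypass permission. Backup names, dates and principals are constructed; `s3:BypassGovernanceRetention` is the real AWS permission name; whether a particular S3-compatible provider implements every rule exactly this way is something to confirm with that provider.

```python
# Added example (not Impossible Cloud's code): decision logic of S3-style
# Object Lock, the mechanism behind "Immutable Storage" for ransomware resilience.
# It models a *version-specific* delete or overwrite of a locked object, which is
# the operation an attacker needs in order to actually destroy backup data.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Mode(Enum):
    GOVERNANCE = "GOVERNANCE"   # privileged principals may bypass with an explicit request
    COMPLIANCE = "COMPLIANCE"   # nobody, not even an account admin, can bypass until expiry


@dataclass(frozen=True)
class Lock:
    mode: Optional[Mode] = None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False    # independent of retention; has no expiry date


@dataclass(frozen=True)
class Principal:
    name: str
    bypass_governance: bool = False   # holds s3:BypassGovernanceRetention


def may_delete_version(lock, principal, now, request_bypass=False):
    """Return (allowed, reason) for deleting or overwriting a locked object version."""
    if lock.legal_hold:
        return False, "legal hold active; it must be lifted explicitly first"
    if lock.mode is None or lock.retain_until is None:
        return True, "no retention configured"
    if now >= lock.retain_until:
        return True, "retention period has expired"
    if lock.mode is Mode.COMPLIANCE:
        return False, f"COMPLIANCE retention until {lock.retain_until.isoformat()}"
    if request_bypass and principal.bypass_governance:
        return True, f"GOVERNANCE retention bypassed by {principal.name}"
    return False, "GOVERNANCE retention active (bypass not requested or not permitted)"


def may_change_retention(current, requested, principal, now, request_bypass=False):
    """Extending or strengthening retention is always allowed; weakening depends on the mode."""
    if current.mode is None or current.retain_until is None or now >= current.retain_until:
        return True, "no active retention to protect"
    extends = requested.retain_until is not None and requested.retain_until >= current.retain_until
    same_or_stronger = requested.mode is current.mode or (
        current.mode is Mode.GOVERNANCE and requested.mode is Mode.COMPLIANCE)
    if extends and same_or_stronger:
        return True, "retention extended or strengthened"
    if current.mode is Mode.COMPLIANCE:
        return False, "COMPLIANCE retention can only be extended, never shortened or weakened"
    if request_bypass and principal.bypass_governance:
        return True, f"GOVERNANCE retention weakened by {principal.name}"
    return False, "weakening GOVERNANCE retention requires bypass permission"


def surviving_backups(backups, principal, now, request_bypass=True):
    """Simulate a mass delete with stolen credentials; return the names that survive."""
    return sorted(name for name, lock in backups.items()
                  if not may_delete_version(lock, principal, now, request_bypass)[0])


# Constructed sample data: a reference time, a backup set and two identities.
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
BACKUPS = {
    "db-2026-02-28.tar": Lock(Mode.COMPLIANCE, NOW + timedelta(days=30)),
    "db-2026-02-21.tar": Lock(Mode.GOVERNANCE, NOW + timedelta(days=23)),
    "db-2026-01-10.tar": Lock(Mode.GOVERNANCE, NOW - timedelta(days=5)),   # retention expired
    "audit-2025.log":    Lock(legal_hold=True),
    "scratch.tmp":       Lock(),                                           # never locked
}
OPERATOR = Principal("backup-operator")                          # no bypass permission
COMPROMISED_ADMIN = Principal("storage-admin", bypass_governance=True)


def retention_change_outcomes():
    """Worked retention-edit cases, keyed by description; True means the edit is accepted."""
    comp = Lock(Mode.COMPLIANCE, NOW + timedelta(days=30))
    gov = Lock(Mode.GOVERNANCE, NOW + timedelta(days=30))
    return {
        "shorten COMPLIANCE as admin":
            may_change_retention(comp, Lock(Mode.COMPLIANCE, NOW + timedelta(days=1)), COMPROMISED_ADMIN, NOW, True)[0],
        "extend COMPLIANCE as operator":
            may_change_retention(comp, Lock(Mode.COMPLIANCE, NOW + timedelta(days=90)), OPERATOR, NOW)[0],
        "downgrade COMPLIANCE to GOVERNANCE as admin":
            may_change_retention(comp, Lock(Mode.GOVERNANCE, NOW + timedelta(days=30)), COMPROMISED_ADMIN, NOW, True)[0],
        "upgrade GOVERNANCE to COMPLIANCE as operator":
            may_change_retention(gov, Lock(Mode.COMPLIANCE, NOW + timedelta(days=30)), OPERATOR, NOW)[0],
        "remove GOVERNANCE retention as admin with bypass":
            may_change_retention(gov, Lock(), COMPROMISED_ADMIN, NOW, True)[0],
        "remove GOVERNANCE retention as operator":
            may_change_retention(gov, Lock(), OPERATOR, NOW)[0],
    }


if __name__ == "__main__":
    for who in (OPERATOR, COMPROMISED_ADMIN):
        print(f"{who.name}: surviving backups -> {surviving_backups(BACKUPS, who, NOW)}")
    for case, ok in retention_change_outcomes().items():
        print(f"{'ALLOWED' if ok else 'DENIED '}  {case}")
```

The point the simulation makes for a NIS-2 risk assessment: GOVERNANCE retention protects against an ordinary compromised identity but not against one that also holds the bypass permission, whereas COMPLIANCE retention and legal holds hold up against both, so the retention mode chosen for backups, and who is granted the bypass permission, are part of the control and belong in the provider evaluation.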

Furthermore, a provider's incident handling and business continuity capabilities are essential. This encompasses clear incident response plans, rapid data recovery mechanisms, and proven resilience against disruptions. Certifications such as ISO 27001 and SOC 2 Type II demonstrate a provider's commitment to internationally recognised security management systems and provide a baseline for trust. Finally, transparency regarding the provider's own supply chain and sub-processors is increasingly important, allowing organisations to assess and manage their third-party risks effectively as mandated by NIS-2.

The Jurisdictional Challenge: CLOUD Act and Data Sovereignty

A significant challenge for EU organisations seeking NIS-2 compliance, particularly when considering cloud storage, is the extraterritorial reach of the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act). Passed in 2018, this US federal law empowers US law enforcement to compel US-headquartered companies to provide access to data, regardless of where that data is physically stored globally.

This creates a direct conflict with European data protection principles, most notably the GDPR. Article 48 of the GDPR stipulates that court orders from third countries are only valid if based on an international agreement, such as a Mutual Legal Assistance Treaty (MLAT). The CLOUD Act, however, bypasses MLATs, placing companies in a legal dilemma: complying with a US warrant risks breaching GDPR, while refusing could lead to penalties in the US. Even if data is hosted in EU data centres, if the cloud provider is a US company, it remains subject to the CLOUD Act.

The implications for data sovereignty are profound. European organisations using US-based cloud providers may find their data accessible to US authorities without their knowledge or consent, often under non-disclosure orders. This undermines the very concept of digital sovereignty, which is crucial for NIS-2 compliance and the broader European Data Strategy. For genuine digital sovereignty, the focus must shift from merely where data is stored to who legally controls the infrastructure and which jurisdiction ultimately governs access to that data.

Cloud Storage Provider Comparison for NIS-2 Article 21 Compliance

When evaluating cloud storage providers for NIS-2 Article 21 compliance, organisations must look beyond marketing claims and scrutinise the underlying architecture, legal jurisdiction, and operational practices. The following table provides a high-level comparison of different cloud storage approaches against key NIS-2 criteria, highlighting the trade-offs and considerations for EU entities.

| Criteria | US Hyperscalers (e.g., AWS, Azure, GCP) | EU Sovereign Providers (e.g., Impossible Cloud) | On-Premise/Hybrid |
|---|---|---|---|
| Data Residency & Jurisdiction | Offer EU regions, but parent company remains under US jurisdiction (CLOUD Act exposure). | Data stored exclusively in EU data centres, governed by EU law. No CLOUD Act exposure. | Full control over data location and jurisdiction, but with operational overhead. |
| Certifications (ISO 27001, SOC 2) | Typically possess extensive global certifications. | Hold relevant EU-focused certifications (e.g., ISO 27001, SOC 2 Type II). | Requires internal certification efforts and ongoing audits. |
| Encryption (at rest/in transit) | Standard offerings for encryption, often customer-managed keys available. | Robust multi-layer encryption, often with client-side or zero-knowledge options. | Requires in-house implementation and management of encryption. |
| Immutable Storage / Object Lock | Available as a feature (e.g., AWS S3 Object Lock). | Core feature for ransomware protection and data integrity. | Requires specific software/hardware solutions. |
| Supply Chain Transparency | Complex global supply chains, may require extensive due diligence. | Simpler, EU-focused supply chains, easier to vet and monitor. | Direct control over all suppliers, but higher management burden. |
| Cost Predictability (Egress Fees) | Significant egress fees for data transfer out, complex pricing models. AWS S3: ~$0.09/GB; Azure: ~$0.087/GB; GCP: ~$0.12/GB (first TB). | Often feature transparent pricing with no egress fees or API call costs. | No egress fees, but high upfront capital expenditure and ongoing operational costs. |

While US hyperscalers like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) offer robust technical features and operate data centres within the EU, their ultimate legal jurisdiction remains a critical concern for NIS-2 compliance. The CLOUD Act means that even data stored in Frankfurt or Amsterdam could be subject to US government demands. Furthermore, their complex, tiered pricing models often include significant egress fees, which can lead to unpredictable costs for organisations needing to move or access their data frequently. For instance, AWS S3 charges approximately $0.09 per GB for the first 10 TB of outbound data transfer, while Azure's internet egress fees for Europe start around $0.087 per GB. Google Cloud's egress can be as high as $0.12 per GB for the first TB.

In contrast, EU sovereign providers are designed to operate exclusively under EU law, mitigating CLOUD Act risks and offering a clearer path to digital sovereignty. Many also adopt more transparent pricing structures, often eliminating egress fees, which can significantly reduce total cost of ownership and enhance budget predictability. On-premise solutions offer maximum control but come with substantial capital expenditure, maintenance, and scalability challenges that many organisations seek to avoid.

Beyond Compliance: Operational Benefits of a NIS-2-Ready Cloud Storage Partner

Choosing a cloud storage provider that is inherently NIS-2-ready extends beyond mere regulatory adherence; it unlocks significant operational advantages for EU organisations. A provider built with digital sovereignty and robust security at its core offers predictable performance, simplified compliance, and enhanced cost control. For example, Impossible Cloud offers S3-compatible object storage that is sovereign by design, ensuring data remains within EU jurisdiction and is protected from extraterritorial access. This eliminates the legal complexities and risks associated with the CLOUD Act, providing peace of mind for IT leaders and compliance officers.

Operational efficiency is greatly improved with transparent pricing models that eliminate hidden costs. Unlike many hyperscalers, Impossible Cloud operates with no egress fees, no API call costs, and no minimum storage duration. This predictable-by-design approach allows organisations to forecast their cloud expenditure accurately, avoiding the unexpected billing spikes often associated with data transfer and retrieval charges. Furthermore, an Always-Hot object storage model ensures all data is immediately accessible, without the delays or additional fees associated with rehydration from tiered storage; this matters for critical applications and for the rapid incident response NIS-2 mandates. You can learn more about our predictable pricing and S3-compatible storage by visiting our pricing page and our S3 storage solutions.

Moreover, a truly NIS-2-ready provider will offer enterprise-grade security features as standard, rather than as premium add-ons. This includes multi-layer encryption, Immutable Storage (Object Lock) for ransomware protection, and comprehensive Identity and Access Management (IAM) with MFA and RBAC. Such features are not just compliance checkboxes; they are fundamental to building a resilient cybersecurity posture that protects against evolving threats and ensures business continuity, directly supporting the objectives of NIS-2 Article 21.

Impossible Cloud: Your Sovereign Partner for NIS-2 Article 21 Compliance

For EU organisations navigating the complexities of NIS-2 Article 21, Impossible Cloud stands as a compelling partner, offering a cloud storage solution engineered for digital sovereignty and uncompromising security. Headquartered in Germany and operating exclusively in certified European data centres (Germany, Netherlands, UK, Denmark, Poland), Impossible Cloud ensures that your data is geofenced and remains under EU/UK jurisdiction, effectively eliminating CLOUD Act exposure. This commitment to EU-only options is fundamental to achieving NIS-2 compliance without the legal ambiguities inherent in using US-based providers. Our architecture is sovereign by design, providing full control and zero surprises.

Impossible Cloud's S3-compatible object storage is built to meet and exceed the technical and organisational measures required by NIS-2. We offer 99.999999999% (11 nines) durability, multi-layer encryption (in transit and at rest), and Immutable Storage (Object Lock) for robust ransomware protection and data integrity. Our IAM capabilities with MFA and RBAC ensure granular access control, while SAML/OIDC support facilitates seamless integration with existing identity providers. These features directly address the cybersecurity risk management requirements of NIS-2 Article 21, providing a solid foundation for your compliance efforts.

Beyond compliance, Impossible Cloud delivers tangible operational benefits. Our transparent, predictable pricing model means no hidden egress fees, no API call costs, and no minimum storage duration, allowing for accurate budget forecasting. The Always-Hot object storage architecture ensures immediate data accessibility, eliminating the delays and complexities of tiered storage. This combination of robust security, predictable costs, and S3 compatibility makes Impossible Cloud an enterprise-ready EU cloud solution, enabling organisations to focus on their core business while maintaining the highest standards of cybersecurity and data sovereignty. To see how other organisations have benefited, explore our customer success stories.

FAQ

What is NIS-2 Article 21?

NIS-2 Article 21 requires essential and important entities within the EU to implement appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks. This includes measures for incident handling, business continuity, supply chain security, and the use of cryptography.

How does the CLOUD Act affect NIS-2 compliance for EU organisations?

The US CLOUD Act allows US authorities to compel US-headquartered cloud providers to hand over data, regardless of its storage location. This conflicts with EU data protection laws like GDPR and can expose EU data to extraterritorial access, complicating NIS-2 compliance for organisations using such providers.

Why is data residency important for NIS-2?

Data residency is crucial for NIS-2 because it ensures that data remains within a specific jurisdiction, typically the EU, and is governed by EU laws. This helps mitigate risks from extraterritorial laws and supports digital sovereignty, which is a core principle of NIS-2.

Are egress fees a NIS-2 compliance concern?

While not a direct compliance requirement, unpredictable egress fees can impact an organisation's ability to manage costs for data recovery and business continuity, which are indirect aspects of NIS-2. Transparent pricing models without egress fees offer greater predictability and control.

What role does Immutable Storage play in NIS-2 compliance?

Immutable Storage, or Object Lock, is vital for NIS-2 compliance as it prevents unauthorised modification or deletion of data, including backups. This feature is critical for ransomware protection, ensuring data integrity, and facilitating reliable data recovery, directly supporting NIS-2's risk management objectives.

How does Impossible Cloud support NIS-2 Article 21 requirements?

Impossible Cloud supports NIS-2 Article 21 by offering S3-compatible object storage with EU-only data residency, no CLOUD Act exposure, multi-layer encryption, Immutable Storage, and ISO 27001/SOC 2 Type II certifications. Its transparent pricing and Always-Hot architecture also enhance operational resilience and predictability.
