
Navigating NIS-2: A Comparison of Certified S3 Storage Providers for EU Sovereign Data

26.02.2026

Christian Kaul
CEO Impossible Cloud
Understanding the critical requirements for NIS-2 compliant S3 storage and why EU sovereignty is paramount for essential and important entities.

The European Union's NIS-2 Directive (Directive (EU) 2022/2555) marks a significant shift in cybersecurity legislation, expanding its scope and strengthening requirements for a vast array of entities across the continent. With transposition into national law by Member States due by October 2024, organisations are now urgently seeking solutions that ensure compliance, especially for critical data infrastructure like cloud storage. The need for a robust, NIS-2 certified S3 storage provider that guarantees EU sovereignty is more pressing than ever.

This directive mandates comprehensive risk management measures, incident reporting, and supply chain security, directly impacting how organisations select and manage cloud storage partners. For essential and important entities, the choice of an S3-compatible object storage solution is no longer just about cost or performance; it's about legal certainty, data protection, and resilience against evolving cyber threats. Navigating this complex landscape requires a deep understanding of the technical and jurisdictional implications of storage choices.

This article will provide a detailed comparison of cloud storage options, highlighting the critical factors for achieving NIS-2 compliance and emphasising why an EU sovereign approach is indispensable for safeguarding your organisation's digital assets and avoiding significant penalties.

Key Takeaways

  • The NIS-2 Directive significantly expands cybersecurity obligations for EU entities, mandating robust risk management, incident reporting, and stringent supply chain security measures, with severe penalties for non-compliance.
  • True NIS-2 compliance for cloud storage requires not only data residency within the EU but also a provider legally domiciled and operated under EU jurisdiction to avoid extraterritorial legal risks like the US CLOUD Act.
  • Impossible Cloud offers an S3-compatible, EU-sovereign object storage solution with essential NIS-2 features like Immutable Storage, comprehensive encryption, and transparent pricing, ensuring digital sovereignty and compliance.

Understanding the NIS-2 Directive: Scope and Core Requirements

The NIS-2 Directive, which replaced the original NIS Directive (2016), aims to establish a high common level of cybersecurity across the European Union. It significantly broadens the scope of sectors and entities covered, categorising them as either 'essential' or 'important' based on their criticality to the economy and society. Essential entities include sectors like energy, transport, banking, health, digital infrastructure, and public administration. Important entities encompass areas such as postal services, waste management, food production, and digital providers.

The directive introduces stricter requirements across four key areas: risk management, corporate accountability, reporting obligations, and business continuity. Organisations must implement robust cybersecurity risk management measures, including policies for information system security, incident handling, and supply chain security. Senior management is now directly accountable for cybersecurity compliance, with potential for fines and even temporary bans from management roles for non-compliance.

Incident reporting is a crucial component, requiring organisations to notify competent authorities or Computer Security Incident Response Teams (CSIRTs) within 24 hours of becoming aware of a significant incident, followed by detailed reports within 72 hours. NIS-2 also mandates business continuity and crisis management plans, including robust backup and disaster recovery solutions, to ensure resilience during cyber incidents. The directive's penalties for non-compliance are substantial, with essential entities facing fines of up to €10 million or 2% of global annual revenue, and important entities up to €7 million or 1.4% of global annual revenue, whichever is higher.

NIS-2 and the Imperative of Secure Data Storage and Supply Chain Resilience

A cornerstone of NIS-2 compliance is the emphasis on supply chain security. Article 21 explicitly mandates that organisations assess, monitor, and manage cyber risks across their entire value chain. This means that even small and medium-sized enterprises (SMEs) that provide products or services to NIS-2 regulated organisations must adhere to specified security standards. Organisations must establish a supply chain security policy, including criteria for supplier selection, evaluation of their cybersecurity practices, and contractual clauses detailing minimum security requirements.

For data storage, this translates into a critical need for cloud providers who can demonstrate robust security measures and a clear commitment to EU data sovereignty. The directive's focus on business continuity and incident recovery directly implicates backup and disaster recovery solutions, requiring secure, resilient, and readily accessible data. This includes implementing secure backups, disaster recovery solutions, and regular software updates across the supply chain.

The choice of a cloud storage provider is therefore not merely an IT decision but a strategic one, impacting an organisation's overall NIS-2 compliance posture. Relying on providers with opaque data handling practices or those subject to extraterritorial laws can introduce significant vulnerabilities into the supply chain, potentially leading to compliance breaches and severe penalties. The European Union Agency for Cybersecurity (ENISA) has published guidelines to help entities translate NIS-2 obligations into operational activities, including technical measures for securing IT systems and managing supply chain risks.

Evaluating Cloud Storage for NIS-2 Compliance: A Sovereign Comparison

When selecting a cloud storage provider to meet NIS-2 requirements, organisations must look beyond basic features to carefully scrutinise data residency, legal jurisdiction, and the provider's operational controls. The goal is to ensure that data remains under EU law and is protected from foreign legal access, such as that enabled by the US CLOUD Act. While major hyperscalers have established data centres within the EU, their ultimate headquarters in the US means they can still be compelled to disclose data to US authorities, regardless of where the data is physically stored.

This fundamental jurisdictional conflict creates a significant challenge for EU organisations striving for true digital sovereignty and NIS-2 compliance. A truly sovereign solution requires not only data residency within the EU but also a provider legally based and operated exclusively under EU jurisdiction. This eliminates the risk of extraterritorial data access and provides legal certainty. The EU Data Act, applicable from September 2025, further reinforces the need for data portability and interoperability, making open standards like S3 compatibility crucial for avoiding vendor lock-in.

Below is a comparison of cloud storage approaches, highlighting key criteria for NIS-2 compliance:

Each evaluation criterion is compared across three approaches: a US hyperscaler (e.g., AWS, Azure, GCP), an EU sovereign provider (e.g., Impossible Cloud) and on-premise storage.

Data Residency
  • US Hyperscaler: Offers EU regions, but the parent company is US-based. Data may still be subject to US laws.
  • EU Sovereign Provider: Data stored exclusively in EU/UK data centres, under EU/UK law. Geofencing ensures data never leaves specified regions.
  • On-Premise Storage: Data stored within the organisation's own facilities, under national law.

CLOUD Act Exposure
  • US Hyperscaler: High. US-based entities, even with EU infrastructure, are subject to US legal demands for data.
  • EU Sovereign Provider: None. Data remains within EU jurisdiction, protected from extraterritorial access.
  • On-Premise Storage: None, as data is not managed by a foreign entity.

GDPR Compliance
  • US Hyperscaler: Requires complex Data Processing Agreements (DPAs) and careful assessment of international data transfer mechanisms (e.g., SCCs, DPF).
  • EU Sovereign Provider: GDPR compliant by design, with data processed exclusively within the EU/EEA. Simplifies compliance.
  • On-Premise Storage: Direct control over data, simplifying GDPR compliance, but requiring internal expertise.

Supply Chain Transparency
  • US Hyperscaler: Complex global supply chains, often with limited transparency into sub-processors and their jurisdictions.
  • EU Sovereign Provider: Clear, EU-focused supply chain, simplifying due diligence for NIS-2 Article 21 requirements.
  • On-Premise Storage: Full control over the hardware and software supply chain, but a high operational burden.

S3 Compatibility
  • US Hyperscaler: Native S3 API support.
  • EU Sovereign Provider: Full S3 API compatibility, enabling seamless migration and avoiding vendor lock-in.
  • On-Premise Storage: May require custom solutions or gateways to achieve S3 compatibility.

Certifications (e.g., ISO 27001, SOC 2)
  • US Hyperscaler: Typically possess extensive certifications, but their scope may not fully address EU sovereignty concerns.
  • EU Sovereign Provider: Holds relevant EU-focused certifications, demonstrating commitment to high security standards.
  • On-Premise Storage: Requires internal effort and resources to achieve and maintain certifications.

Essential Technical Measures for NIS-2 Compliant Cloud Storage

Beyond jurisdictional considerations, NIS-2 mandates specific technical and organisational measures for cybersecurity risk management. For cloud storage, these measures are critical for protecting data confidentiality, integrity, and availability. Key technical controls include robust encryption, stringent access management, and the implementation of Immutable Storage.

Encryption in Transit and At Rest

Data encryption is essential for NIS-2 compliance. All data, whether in transit between your systems and the cloud or at rest within the storage infrastructure, must be protected with strong encryption algorithms. This includes proper management of encryption keys, ideally with customer-managed keys for enhanced control. Encryption helps protect sensitive information from unauthorised access and data breaches, a core requirement for NIS-2's risk management.

Robust Access Controls and Identity Management

Implementing strict access controls based on the principle of least privilege is vital. This ensures that only authorised personnel and systems can access sensitive data. Identity and Access Management (IAM) frameworks, multi-factor authentication (MFA), and Role-Based Access Control (RBAC) are essential components. Regular auditing of IAM configurations is necessary to detect and rectify any potential access control risks.

Immutable Storage and Object Lock

To counter ransomware and ensure data integrity, Immutable Storage, often implemented via Object Lock, is a critical technical measure. This feature prevents data from being altered or deleted for a specified period, creating an unchangeable record. This capability is paramount for business continuity and recovery, directly supporting NIS-2's requirements for resilience against cyber incidents and ensuring data integrity.
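The three measures above in working form, as an added example that is not Impossible Cloud's code or API: it builds an S3 Object Lock default-retention configuration (immutability), a bucket policy that denies any request not sent over TLS (encryption in transit, enforced as an explicit deny that no permission grant can override), and an audit that flags buckets whose retention setting falls short of a stated minimum. Bucket names are hypothetical; `client` is assumed to be a boto3-style S3 client pointed at the provider's endpoint, and whether an S3-compatible provider evaluates the `aws:SecureTransport` condition key is an assumption to verify.

```python
"""Object Lock retention (immutability), a TLS-only bucket policy (encryption in
transit) and an audit of the lock setting for S3-compatible storage. Added example;
bucket names are hypothetical, `client` is any boto3-style S3 client."""
import json

def object_lock_config(days: int) -> dict:
    # COMPLIANCE mode: no user, not even the account root, can shorten or
    # lift the retention before it expires. Requires a versioned bucket.
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": days}}}

def tls_only_policy(bucket: str) -> dict:
    # An explicit Deny overrides every Allow, so plaintext HTTP is refused.
    # aws:SecureTransport is an AWS condition key; whether an S3-compatible
    # provider evaluates it is an assumption to verify, not a given.
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

def apply_controls(client, bucket: str, days: int) -> None:
    # e.g. client = boto3.client("s3", endpoint_url="https://<eu-endpoint>")
    client.put_object_lock_configuration(
        Bucket=bucket, ObjectLockConfiguration=object_lock_config(days))
    client.put_bucket_policy(
        Bucket=bucket, Policy=json.dumps(tls_only_policy(bucket)))

def audit_lock_config(cfg: dict, min_days: int) -> list:
    """Findings for an ObjectLockConfiguration dict; [] means it meets the bar."""
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["object lock not enabled"]
    rule = cfg.get("Rule", {}).get("DefaultRetention", {})
    findings = []
    if rule.get("Mode") != "COMPLIANCE":
        findings.append(f"retention mode {rule.get('Mode')} is not COMPLIANCE")
    days = rule.get("Days", 0) + 365 * rule.get("Years", 0)
    if days < min_days:
        findings.append(f"default retention {days}d is below {min_days}d")
    return findings

def audit_bucket(client, bucket: str, min_days: int) -> list:
    try:
        cfg = client.get_object_lock_configuration(Bucket=bucket)
        cfg = cfg["ObjectLockConfiguration"]
    except Exception as err:  # botocore ClientError carries the S3 error code
        code = getattr(err, "response", {}).get("Error", {}).get("Code")
        if code != "ObjectLockConfigurationNotFoundError":
            raise
        cfg = {}  # Object Lock was never enabled on this bucket
    return audit_lock_config(cfg, min_days)
```

Run `audit_bucket(client, bucket, 30)` periodically over every backup bucket; a non-empty result is a finding to raise with whoever owns the bucket, and GOVERNANCE mode is flagged because privileged users can bypass it.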

Impossible Cloud: Your NIS-2 Ready, EU Sovereign S3 Storage Provider

For organisations navigating the complexities of NIS-2 compliance, Impossible Cloud offers an S3-compatible object storage solution designed with EU sovereignty in mind. Headquartered in Hamburg, Germany, Impossible Cloud operates exclusively in certified European data centres across Germany, the Netherlands, the UK, Denmark, and Poland. This approach ensures that your data remains within EU jurisdiction, eliminating exposure to extraterritorial laws like the US CLOUD Act.

Impossible Cloud's architecture is engineered to meet the stringent demands of NIS-2, offering multi-layer encryption for data in transit and at rest, along with robust IAM with MFA/RBAC for granular access control. Our Immutable Storage and Object Lock features provide essential ransomware protection and data integrity, ensuring that your critical backups and archives remain unalterable and secure, directly addressing NIS-2's business continuity and incident recovery requirements. This commitment to security is validated by our ISO 27001 and SOC 2 Type II certifications, demonstrating adherence to internationally recognised security standards.

Impossible Cloud also provides full S3-API compatibility, making it a drop-in replacement for existing applications, scripts, and tools without requiring costly code rewrites. This seamless integration, combined with predictable, transparent pricing—free from egress fees, API call costs, or minimum storage durations—aligns with the EU Data Act's principles of data portability and preventing vendor lock-in. Our object storage model ensures all data is immediately accessible, crucial for rapid recovery in incident scenarios. Discover more about our S3-compatible object storage.

Achieving Digital Sovereignty and Compliance with Impossible Cloud

Choosing Impossible Cloud means more than just selecting a storage provider; it's a strategic decision to strengthen your organisation's cybersecurity posture and ensure compliance with the evolving European regulatory landscape. Our geofenced storage capabilities allow you to precisely define which EU regions hold your data, providing significant control and peace of mind. This level of control is fundamental for essential and important entities seeking to meet NIS-2's strict requirements for data protection and supply chain security.

Our operational model, which includes a multi-tenant console with RBAC/MFA for partners and MSPs, enables secure and efficient management of client data. We understand the critical role of third-party risk management under NIS-2, and our transparent operations and EU-only infrastructure simplify your due diligence process. By partnering with Impossible Cloud, you gain a reliable, enterprise-ready EU cloud solution that supports comprehensive NIS-2 compliance and digital sovereignty. Explore our magazine for more insights into cloud compliance.

For organisations looking to migrate from existing cloud providers or on-premise solutions, Impossible Cloud offers a straightforward path. Our full S3 compatibility ensures that your migration is a seamless process, not a rearchitecture project. With our robust security features, transparent pricing, and strong commitment to EU data sovereignty, Impossible Cloud is a leading choice for NIS-2 compliant S3 storage. Read our case studies to see how we empower European organisations.

FAQ

What is the NIS-2 Directive and who does it apply to?

The NIS-2 Directive is an EU regulation designed to achieve a high common level of cybersecurity across the Union. It applies to a wide range of 'essential' and 'important' entities in critical sectors such as energy, transport, health, digital infrastructure, and public administration, expanding significantly on the previous NIS Directive.

Why is EU data sovereignty crucial for NIS-2 compliance?

EU data sovereignty ensures that your data is stored and processed exclusively under EU law, protecting it from extraterritorial legal access, such as that enabled by the US CLOUD Act. This is vital for NIS-2 compliance as it guarantees legal certainty and strengthens supply chain security by preventing foreign government access to sensitive data.

What technical measures does NIS-2 require for cloud storage?

NIS-2 mandates robust technical measures including strong encryption for data at rest and in transit, stringent access controls (IAM, MFA, RBAC), and Immutable Storage (Object Lock) to protect data integrity and ensure business continuity against cyber threats like ransomware.

How does the US CLOUD Act impact EU organisations using cloud services?

The US CLOUD Act allows US authorities to compel US-based service providers to provide access to data, regardless of where that data is physically stored globally. This means that even if an EU organisation uses a US hyperscaler with EU data centres, their data may still be subject to US legal demands, creating a conflict with GDPR and NIS-2.

What are the penalties for NIS-2 non-compliance?

Penalties for NIS-2 non-compliance are significant. Essential entities can face fines of up to €10 million or 2% of their global annual revenue, whichever is higher. Important entities face fines of up to €7 million or 1.4% of global annual revenue. Senior management can also be held personally liable.
