Navigating NIS-2 Management Liability: A Cloud Backup Provider Comparison for EU Compliance

26.02.2026

Thomas Demoor, CTO Impossible Cloud

Understanding the EU's Cybersecurity Directive and Its Impact on Digital Security

The NIS-2 Directive, which came into force on 16 January 2023, aims to strengthen cybersecurity across the European Union by expanding its scope and imposing more stringent requirements on a wider range of entities. Member States were required to transpose the directive into national law by 17 October 2024, though many faced delays. This updated framework has significant implications for organisations, particularly regarding management liability and the critical role of cloud backup providers in ensuring compliance.

The directive's expanded reach means that many more businesses, classified as "essential" or "important" entities, now fall under its purview, including those in sectors like energy, transport, healthcare, finance, digital infrastructure, and public administration. For these organisations, understanding the nuances of NIS-2 management liability and making an informed cloud backup provider comparison is now a legal imperative, not just a best practice. Failure to comply can result in substantial financial penalties and, crucially, personal liability for senior management.

This article will explore the core requirements of NIS-2, examine the heightened accountability for management bodies, and provide a comprehensive framework for evaluating cloud backup providers through a NIS-2 compliance lens. We will examine the critical technical and organisational measures mandated by the directive, particularly focusing on robust backup and disaster recovery strategies, and discuss how choosing the right European cloud partner can mitigate risks and ensure digital sovereignty.

Key Takeaways

  • The NIS-2 Directive significantly expands cybersecurity obligations and introduces personal liability for management, making robust cloud backup a critical compliance requirement.
  • Choosing an EU sovereign cloud backup provider with no egress fees and advanced security features like Immutable Storage is essential for mitigating NIS-2 risks and ensuring data sovereignty.
  • A thorough cloud backup provider comparison must evaluate data residency, jurisdictional exposure (e.g., CLOUD Act), certifications, and cost predictability to achieve comprehensive NIS-2 compliance.

Understanding the NIS-2 Directive and its Expanded Scope

The NIS-2 Directive (Directive (EU) 2022/2555) represents a significant evolution from its predecessor, NIS-1, to establish a higher common level of cybersecurity across the EU. It broadens the scope of entities covered, moving beyond traditional critical infrastructure to include a wider array of sectors deemed essential or important for society and the economy. This expansion means that thousands more organisations across the EU and UK (via alignment with UK NIS Regulations 2018) are now subject to stringent cybersecurity requirements.

Organisations are categorised into 'essential' and 'important' entities. Essential entities typically operate in high-criticality sectors such as energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, and public administration. Important entities include those in sectors like postal and courier services, waste management, chemicals, food, manufacturing, and digital providers. Both categories share core cybersecurity risk management and incident reporting obligations, though essential entities face proactive supervision and higher potential penalties.

A key objective of NIS-2 is to harmonise cybersecurity regulations across Member States, enhance cooperation, and strengthen risk management and incident reporting. The directive mandates an "all-hazards" approach to cybersecurity risk management, requiring entities to implement appropriate and proportionate technical, operational, and organisational measures. These measures are designed to manage risks to network and information systems and minimise the impact of incidents on service recipients.

National Transposition and UK Alignment

While NIS-2 is an EU directive, Member States were required to transpose it into national law by 17 October 2024. This process has seen varying timelines across Europe, with some countries like Germany, Portugal, and Austria adopting national legislation, while others faced infringement procedures from the European Commission for delays. The UK, post-Brexit, is updating its own Network and Information Systems (NIS) Regulations 2018 through the Cyber Security & Resilience Bill, which is expected to align closely with NIS-2's risk-based principles, expanding scope and tightening reporting duties.

The Critical Role of Backup and Recovery in NIS-2 Compliance

At the heart of NIS-2's technical and organisational measures lies a clear mandate for robust business continuity, including comprehensive backup management and disaster recovery. Article 21 of the directive explicitly lists "business continuity, such as backup management and disaster recovery, and crisis management" as essential measures. This underscores that effective data backup and the ability to swiftly restore operations are not just good practice but a fundamental legal requirement for all in-scope entities.

Organisations must establish processes for detecting, responding to, and recovering from incidents quickly and effectively. This includes having well-defined incident response plans and the capability to restore data after cyber-attacks, human error, natural disasters, or system failures. Regular testing and documentation of backup and recovery processes are also crucial for validating their effectiveness and demonstrating compliance. This proactive approach ensures data integrity and availability, minimising downtime and financial loss.

Supply Chain Security and Third-Party Risk

NIS-2 places a significant emphasis on supply chain security, requiring entities to consider security-related aspects concerning their relationships with direct suppliers and service providers. This means that if an organisation relies on a cloud backup provider, that provider's cybersecurity posture and compliance capabilities become an extension of the organisation's own NIS-2 obligations. Due diligence in selecting third-party providers is paramount, as their vulnerabilities can directly impact the client's compliance and resilience.

Organisations must ensure that their backup solutions offer features like immutable storage (Object Lock) to protect against ransomware and accidental deletion, multi-layer encryption for data at rest and in transit, and strong access controls (IAM with MFA/RBAC). These technical safeguards are vital for meeting the directive's requirements for data protection and incident prevention, ensuring that backups themselves are secure and reliable.
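As an added example (not Impossible Cloud's code), the Python below audits a backup bucket's Object Lock configuration against a required retention window and models which delete requests the lock refuses. It assumes the standard S3 GetObjectLockConfiguration response shape; both sample configurations are constructed for illustration.

```python
"""Audit an S3-compatible backup bucket's Object Lock settings and model
which delete requests the lock would refuse.

Added example, not Impossible Cloud's code. It assumes the bucket returns the
standard S3 GetObjectLockConfiguration shape; both sample responses below are
constructed for illustration, not captured from a real bucket.
"""
from datetime import datetime

# Constructed sample: lock enabled, but GOVERNANCE mode and only 7 days.
WEAK_CONFIG = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}},
    }
}
# Constructed sample: COMPLIANCE mode with a 30-day default retention.
HARDENED_CONFIG = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}},
    }
}


def check_lock_config(config: dict, min_days: int) -> list:
    """Return findings against a required retention window; [] means compliant."""
    olc = config.get("ObjectLockConfiguration", {})
    if olc.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled; backups can be deleted or overwritten"]
    rule = olc.get("Rule", {}).get("DefaultRetention")
    if not rule:
        return ["Object Lock enabled but no default retention rule is set"]
    findings = []
    if rule.get("Mode") != "COMPLIANCE":
        findings.append(
            f"mode is {rule.get('Mode')}; GOVERNANCE retention can be bypassed "
            "by a principal holding s3:BypassGovernanceRetention"
        )
    # S3 expresses the default retention as either Days or Years, never both.
    days = rule.get("Days", rule.get("Years", 0) * 365)
    if days < min_days:
        findings.append(f"default retention {days} days is below required {min_days}")
    return findings


def delete_allowed(mode: str, retain_until: str, now: str,
                   legal_hold: bool = False, can_bypass_governance: bool = False) -> bool:
    """Model S3 Object Lock semantics for a permanent delete of an object version.

    Dates are ISO 8601 strings. A legal hold blocks deletion regardless of dates;
    GOVERNANCE can be bypassed by a privileged caller; COMPLIANCE cannot be
    shortened or bypassed by anyone, including the account root, until expiry.
    """
    if legal_hold:
        return False
    if datetime.fromisoformat(now) >= datetime.fromisoformat(retain_until):
        return True  # retention period has elapsed
    if mode == "GOVERNANCE":
        return can_bypass_governance
    return False
```

Feeding the real response from a `get_object_lock_configuration` call into `check_lock_config` turns this into a repeatable control check that can be kept as evidence of backup-integrity measures.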

Management Liability and the Stakes of Non-Compliance

One of the most significant aspects of the NIS-2 Directive is the introduction of direct obligations and personal liability for management bodies. Article 20 of NIS-2 mandates that "management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities... oversee its implementation and can be held liable for infringements by the entities of that Article." This fundamentally shifts cybersecurity from being solely an IT department concern to a board-level strategic priority.

While NIS-2 does not explicitly define who constitutes a "management body," it is widely understood to include board members and senior executives. These individuals are now personally responsible for ensuring their organisation's cyber risk posture and may be held legally accountable if they neglect their duty of care. This can involve inadequate implementation of security measures, insufficient risk assessment, or a lack of contingency plans. In some national transpositions, such as Italy's, this personal liability can even extend to temporary incapacity to perform managerial functions.

Financial and Reputational Penalties

The financial penalties for non-compliance with NIS-2 are substantial and comparable to those under GDPR. For essential entities, fines can reach up to €10 million or 2% of global annual turnover, whichever is greater. For important entities, penalties can be up to €7 million or 1.4% of global annual turnover. These fines can be imposed for failures to meet security requirements or to report incidents adequately.

Beyond financial repercussions, non-compliance can lead to severe reputational damage, business disruption, and a loss of trust from customers and partners. The directive also grants supervisory authorities a range of non-monetary enforcement powers, including binding instructions, security audit implementation orders, and public statements identifying responsible individuals. The emphasis on board-level engagement and accountability is a clear signal that cybersecurity is a critical business risk that demands active oversight from senior leadership.

Key Criteria for a NIS-2 Compliant Cloud Backup Provider Comparison

Selecting a cloud backup provider that aligns with NIS-2 requirements is a strategic decision that directly impacts an organisation's compliance and management liability. A thorough evaluation must go beyond basic storage capabilities to assess the provider's security, operational resilience, and jurisdictional alignment. The following criteria are essential for a comprehensive cloud backup provider comparison, ensuring that your chosen solution supports your NIS-2 obligations.

Evaluation Criteria for NIS-2 Compliant Cloud Backup

| Criterion | US Hyperscaler (e.g., AWS, Azure, GCP) | EU Sovereign Provider (e.g., Impossible Cloud) | On-Premise Solution |
|---|---|---|---|
| Data Residency & Jurisdiction | Offers EU regions, but parent company subject to US CLOUD Act, potentially allowing extraterritorial data access. | Data stored exclusively in EU/UK data centres, subject only to EU/UK law, no CLOUD Act exposure. Sovereign by design. | Data remains within the organisation's physical control, subject to local jurisdiction. |
| Security Features (Encryption, Immutability) | Strong encryption (AES-256) and Object Lock available, but configuration complexity can lead to errors. | Multi-layer encryption (in transit & at rest) and Immutable Storage (Object Lock) as standard, designed for robust ransomware protection. | Requires significant internal expertise and investment to implement and maintain advanced security features. |
| Certifications & Audits | Extensive global certifications (ISO 27001, SOC 2, PCI DSS), but scope may include non-EU operations. | EU-focused certifications (ISO 27001, SOC 2 Type II, PCI DSS, GDPR-ready), demonstrating commitment to EU standards. | Requires internal audits and certifications, which can be resource-intensive. |
| Data Portability & Egress Fees | Often impose significant egress fees and potential vendor lock-in, complicating data migration. | No egress fees, no API call costs, promoting data portability and avoiding vendor lock-in, aligning with EU Data Act. | Full control over data movement, but requires internal resources for migration. |
| Operational Resilience & SLAs | High durability and availability, but complex tiered storage can introduce restore delays. | 99.999999999% (11 nines) durability, Always-Hot architecture for immediate data access, strong read/write consistency, multi-AZ replication. | Reliability is dependent on internal infrastructure, maintenance, and disaster recovery planning. |
| Supply Chain Transparency | Complex global supply chains, making full transparency challenging for NIS-2 compliance. | Transparent, EU-based operations with clear supply chain oversight, simplifying NIS-2 third-party risk management. | Direct control over hardware and software supply chain, but requires internal management. |

When evaluating providers, consider their commitment to EU data sovereignty, their security architecture, and their pricing model. The ability to demonstrate compliance through verifiable certifications and transparent operations is crucial for mitigating management liability under NIS-2.

Navigating Jurisdictional Complexities: EU Sovereignty and the CLOUD Act

The choice of cloud backup provider is inextricably linked to jurisdictional considerations, particularly for organisations operating within the EU. While many global cloud providers offer data centres located within Europe, the critical distinction lies in the legal jurisdiction under which the parent company operates. This is where the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) becomes a significant concern for EU entities.

The CLOUD Act allows US authorities to compel US-based cloud service providers to disclose data, regardless of where that data is physically stored. This means that even if a US hyperscaler (such as AWS, Azure, or Google Cloud) hosts data in an EU data centre, that data could still be subject to access by US law enforcement under the CLOUD Act. This creates a potential conflict with EU data protection laws like GDPR and the NIS-2 Directive, which emphasise data sovereignty and protection against extraterritorial access.

The Importance of EU-Only Data Residency

For digital sovereignty and to minimise CLOUD Act exposure, organisations must prioritise cloud backup providers that are not only based in the EU but also operate exclusively under EU jurisdiction. An EU sovereign provider ensures that data remains within the legal framework of the European Union, preventing US authorities from compelling access. This 'Sovereign by design' approach is fundamental for organisations seeking to fully comply with NIS-2 and GDPR, providing legal certainty for management.

Furthermore, the EU Data Act, applicable from 12 September 2025, reinforces data portability and aims to remove barriers to switching cloud services, including the phasing out of egress fees by January 2027. Choosing a provider that already aligns with these principles, offering transparent pricing without egress fees, further strengthens an organisation's compliance and avoids vendor lock-in.

Impossible Cloud: Your Partner for NIS-2 Compliant Cloud Backup

For organisations navigating the complexities of NIS-2 management liability and seeking a robust, sovereign cloud backup solution, Impossible Cloud offers an EU cloud platform designed for compliance and control. Our S3-compatible object storage is built from the ground up to address the stringent requirements of NIS-2, GDPR, and the EU Data Act, providing full control and predictability.

Impossible Cloud operates exclusively in certified European data centres across Germany, the Netherlands, the UK, Denmark, and Poland. This commitment to EU-only data residency ensures that your data remains under EU/UK jurisdiction, eliminating CLOUD Act exposure and safeguarding against extraterritorial access. Our 'Sovereign by design' approach provides the legal certainty and digital sovereignty that management bodies require to meet their NIS-2 obligations. You can learn more about our commitment to secure, sovereign storage on our S3-compatible object storage page.

Technical Measures and Cost Predictability

Our platform incorporates critical technical and organisational measures mandated by NIS-2. This includes 99.999999999% (11 nines) durability, multi-layer encryption (in transit and at rest), and Immutable Storage (Object Lock) for advanced ransomware protection and data integrity. Our Always-Hot architecture ensures all data is immediately accessible without tier-restore delays, crucial for rapid incident recovery and business continuity. We also offer comprehensive IAM with MFA/RBAC and SAML/OIDC support for robust access control, directly addressing NIS-2 security requirements.

Beyond security, Impossible Cloud delivers predictable, transparent pricing with no hidden egress fees, no API call costs, and no minimum storage duration. This aligns with the EU Data Act's push for fair switching conditions and offers significant cost savings compared to hyperscalers. Our platform is a drop-in S3 replacement, meaning existing backup applications like Veeam, Acronis, and MSP360 integrate seamlessly without code rewrites, simplifying your migration to a NIS-2 compliant solution. Explore our transparent pricing model to see how you can achieve predictable costs.

Certifications and Partner Ecosystem

Impossible Cloud holds certifications including ISO 27001, SOC 2 Type II, and PCI DSS, demonstrating our adherence to high security and compliance standards. These certifications provide verifiable evidence of our robust security posture, supporting your organisation's due diligence for NIS-2 supply chain security. Our strong partner ecosystem, including distributors like Northamber plc in the UK and api in Germany, further extends our reach and support for European businesses. For insights into how other organisations benefit, visit our customer success stories.

FAQ

What is NIS-2 management liability?

NIS-2 management liability refers to the personal responsibility placed on management bodies (e.g., board members, senior executives) of essential and important entities to approve and oversee cybersecurity risk-management measures. Failure to comply can result in substantial fines for the organisation and potential personal sanctions for executives, including temporary suspension from managerial functions.

Which organisations are affected by the NIS-2 Directive?

The NIS-2 Directive applies to a broad range of 'essential' and 'important' entities across 18 critical sectors. These include, but are not limited to, energy, transport, banking, healthcare, digital infrastructure, public administration, manufacturing, and digital service providers. The directive's scope is significantly wider than its predecessor, NIS-1.

How does cloud backup contribute to NIS-2 compliance?

Cloud backup is a critical component of NIS-2 compliance as it directly addresses the directive's requirements for business continuity, disaster recovery, and incident handling. Robust backup solutions ensure data availability, integrity, and the ability to rapidly restore operations after a cyber incident, which are core technical and organisational measures mandated by NIS-2.

What are the penalties for NIS-2 non-compliance?

Penalties for NIS-2 non-compliance are severe. Essential entities can face fines of up to €10 million or 2% of global annual turnover, whichever is greater. Important entities face fines of up to €7 million or 1.4% of global annual turnover. Beyond financial penalties, organisations can suffer reputational damage, business disruption, and management bodies may face personal liability.

Why is EU-only data residency important for NIS-2 compliance?

EU-only data residency is crucial for NIS-2 compliance to ensure digital sovereignty and avoid extraterritorial data access risks, such as those posed by the US CLOUD Act. By storing data exclusively within EU/UK jurisdiction, organisations can ensure their data is subject only to European laws, providing greater legal certainty and protection for sensitive information.

Does NIS-2 affect organisations in the UK?

While NIS-2 is an EU directive, the UK is updating its own Network and Information Systems (NIS) Regulations 2018 through the Cyber Security & Resilience Bill. These updates are expected to align closely with NIS-2's risk-based principles, expanding scope and tightening reporting duties, meaning UK organisations will face similar, stringent cybersecurity obligations.
