NIS-2 Risk Management: Essential Cloud Provider Selection Criteria for EU Organisations

26.02.2026

Christian Kaul, CEO Impossible Cloud
Navigating the NIS-2 Directive's Cybersecurity Mandates and Securing Your Digital Supply Chain

The European Union's NIS-2 Directive (Directive (EU) 2022/2555) represents a significant evolution in cybersecurity legislation, expanding its scope and strengthening requirements for many entities across the EU and UK. With transposition into national law due by October 2024 and enforcement commencing shortly thereafter, organisations must proactively address their cybersecurity posture, particularly concerning their digital supply chain. A crucial aspect of this preparation is robust, NIS-2-aware risk management in cloud provider selection.

The directive aims to establish a high common level of cybersecurity, moving beyond the original NIS Directive's framework. It introduces stricter measures for risk management, incident reporting, and governance, with significant penalties for non-compliance. For many businesses, cloud services are integral to operations, making the choice of cloud provider a pivotal factor in achieving and maintaining NIS-2 compliance. This article will guide you through the directive's core requirements and provide essential criteria for selecting a cloud partner that supports your cybersecurity resilience and regulatory adherence.

Key Takeaways

  • The NIS-2 Directive significantly expands cybersecurity obligations across the EU, mandating robust risk management and strict incident reporting for a wide range of essential and important entities.
  • Cloud provider selection is a critical component of NIS-2 compliance, requiring careful evaluation of data residency, CLOUD Act exposure, certifications, and supply chain security.
  • EU sovereign cloud providers like Impossible Cloud offer a compelling solution for NIS-2, providing EU-only data residency, transparent pricing, and enterprise-grade security features to ensure compliance and operational resilience.

Understanding the Broad Reach of the NIS-2 Directive

The NIS-2 Directive, which replaced its predecessor NIS1, establishes a unified legal framework to bolster cybersecurity across 18 critical sectors within the EU. Its primary objective is to enhance the overall level of cybersecurity and resilience against increasingly sophisticated cyber threats. The directive significantly widens the scope of entities covered, categorising them as either 'essential' or 'important' based on their criticality to the economy and society.

Sectors now explicitly included range from energy, transport, banking, and health to digital infrastructure, public administration, and even waste management and food production. This expansion means that many organisations previously unaffected by NIS1 now fall under NIS-2's stringent requirements, including cloud computing service providers themselves.

Member States were required to transpose the directive into national law by 17th October 2024, with enforcement beginning from 18th October 2024. This timeline underscores the urgency for organisations to assess their current cybersecurity posture and implement necessary changes. NIS-2 mandates that each Member State adopt a national cybersecurity strategy, including policies for supply chain security, vulnerability management, and cybersecurity education.

The directive also places a strong emphasis on governance, requiring top-level management to approve cybersecurity risk-management measures and oversee their implementation, holding them liable for infringements. This shift elevates cybersecurity from a purely technical concern to a board-level strategic priority, making proactive compliance essential to avoid significant financial penalties and reputational damage.

Core Cybersecurity Requirements and Accountability Under NIS-2

NIS-2 mandates a comprehensive 'all-hazards' approach to cybersecurity risk management, requiring entities to implement appropriate and proportionate technical, operational, and organisational measures. These measures are designed to manage risks to network and information systems and minimise the impact of incidents on service recipients. Key requirements include:

  • Risk Analysis and Information System Security Policies: Organisations must conduct thorough risk analyses and establish robust security policies.
  • Incident Handling: This covers prevention, detection, response, and recovery from cybersecurity incidents.
  • Business Continuity and Crisis Management: Entities must have plans for operational resilience and rapid recovery during disruptions, including disaster recovery solutions and real-time data backups.
  • Supply Chain Security: A critical new focus, requiring assessment and management of risks associated with direct suppliers and service providers.
  • Security in Network and Information Systems Acquisition, Development, and Maintenance: Ensuring security is embedded throughout the lifecycle of IT systems.
  • Policies and Procedures to Assess Effectiveness: Regular evaluations, audits, and penetration testing are required to ensure continuous compliance.
  • Cryptography and Access Control: Implementing encryption for data at rest and in transit, alongside strong access control measures like Multi-Factor Authentication (MFA).

A significant aspect of NIS-2 is its strict incident reporting obligations. Organisations must notify competent authorities or Computer Security Incident Response Teams (CSIRTs) of any significant incident without undue delay, and in any event within 24 hours of becoming aware of it. A detailed report must follow within 72 hours, and a final report within one month of handling the incident. Failure to comply with these requirements can lead to substantial financial penalties: up to €10 million or 2% of global annual turnover for 'essential entities', and up to €7 million or 1.4% for 'important entities', whichever is greater. Furthermore, senior management can be held personally liable, potentially facing temporary bans from managerial functions.

Cloud Services and the NIS-2 Supply Chain Imperative

Cloud services are not merely IT tools; they are fundamental components of an organisation's operational infrastructure. NIS-2 explicitly recognises this, placing a strong emphasis on supply chain security. The directive mandates that entities must address cybersecurity risks in their supply chains and relationships with direct suppliers or service providers, including cloud providers.

This means that organisations cannot simply outsource their cybersecurity responsibilities to a cloud provider. Instead, they must systematically check the security level and protective measures of their service providers and make NIS-2 compliance requirements binding in contracts. ENISA's guidelines suggest that a supply chain security policy should include supplier selection criteria, evaluation of their cybersecurity practices, and analysis of the resilience of the ICT products and services provided.

The 'all-hazards' approach of NIS-2 extends to cloud computing, requiring contingency plans that account for potential failures of devices, zones, or even entire regions. Organisations using cloud services should also prepare an exit plan, detailing how they would withdraw from a service or system in both planned and emergency situations. This proactive stance ensures business continuity and minimises the impact of potential disruptions originating from third-party dependencies.

For digital providers, including cloud compute, SaaS, and online marketplaces, NIS-2 demands real-time compliance and deep supply chain oversight. This includes assessing all suppliers for NIS-2 aligned controls before onboarding and contract renewal, enforcing breach notification and risk disclosure terms in contracts, and automating supplier oversight. The directive effectively makes cybersecurity a shared responsibility that extends across the entire value chain, compelling organisations to scrutinise their cloud partners more closely than ever before.

Key Criteria for NIS-2 Compliant Cloud Provider Selection

Selecting a cloud provider under the NIS-2 Directive requires a strategic approach that goes beyond traditional cost-benefit analyses. Organisations must evaluate potential partners against stringent cybersecurity, legal, and operational criteria to ensure compliance and enhance overall digital resilience. The choice of cloud provider directly impacts an entity's ability to meet NIS-2 obligations, particularly concerning data sovereignty, incident response, and supply chain security.

A critical consideration is data residency and sovereignty. While GDPR does not strictly mandate data to stay within the EU, many organisations opt for EU-only data residency as a compliance simplification, especially given the extraterritorial reach of laws like the US CLOUD Act. The CLOUD Act allows US authorities to compel US-based service providers to provide access to data stored abroad, regardless of its physical location, creating a potential conflict with EU data protection principles.

The EU Data Act, which became fully applicable in September 2025, further reshapes the cloud landscape by mandating cloud switching procedures, eliminating vendor lock-in barriers, and prohibiting egress fees from January 2027. The Data Act aims to create a fairer data economy, making it easier for users to switch providers and fostering greater interoperability. When evaluating cloud providers, consider the following comparison:

Cloud Provider Evaluation for NIS-2 Risk Management

Data Residency & Sovereignty
  • US hyperscaler (e.g., AWS, Azure, GCP): Global data centres, often with EU regions, but ultimate jurisdiction is US.
  • EU sovereign cloud provider: Data stored exclusively in EU/UK data centres, under EU/UK jurisdiction.
  • On-premise infrastructure: Full control over physical location, but requires significant internal management.

CLOUD Act Exposure
  • US hyperscaler: Subject to US CLOUD Act, allowing US authorities extraterritorial data access.
  • EU sovereign cloud provider: Not subject to the CLOUD Act; data remains under EU/UK legal protection.
  • On-premise infrastructure: No CLOUD Act exposure.

Certifications (ISO 27001, SOC 2)
  • US hyperscaler: Typically possess global certifications, but shared responsibility model applies.
  • EU sovereign cloud provider: Holds relevant certifications (e.g., ISO 27001, SOC 2 Type II, PCI DSS) with EU focus.
  • On-premise infrastructure: Requires internal certification efforts and ongoing audits.

Encryption & Immutability
  • US hyperscaler: Offers encryption at rest and in transit, Object Lock features.
  • EU sovereign cloud provider: Multi-layer encryption, Immutable Storage (Object Lock) as standard.
  • On-premise infrastructure: Requires manual implementation and management of encryption and immutability.

Incident Response Support
  • US hyperscaler: Provides tools and documentation, but customer is responsible for their part of shared model.
  • EU sovereign cloud provider: Proactive support for incident handling, clear reporting mechanisms, and audit readiness.
  • On-premise infrastructure: Entirely dependent on internal teams and processes.

Supply Chain Transparency
  • US hyperscaler: Complex, multi-layered global supply chains.
  • EU sovereign cloud provider: Transparent, EU-focused supply chain, easier to audit.
  • On-premise infrastructure: Full transparency, but requires managing all vendors.

Pricing Predictability
  • US hyperscaler: Often complex tiered pricing with egress fees and API charges.
  • EU sovereign cloud provider: Transparent, predictable pricing with no hidden egress or API fees.
  • On-premise infrastructure: High upfront costs, predictable operational expenses (excluding unexpected hardware failures).

Data Portability (EU Data Act)
  • US hyperscaler: Must comply with new EU Data Act switching rights and egress fee elimination by Jan 2027.
  • EU sovereign cloud provider: Designed for easy data portability and no vendor lock-in, aligning with EU Data Act.
  • On-premise infrastructure: Full control over data export, but requires internal resources.

This structured evaluation highlights the critical differences that impact NIS-2 compliance. Organisations must carefully consider how each provider type aligns with their specific risk profile and regulatory obligations.

Impossible Cloud: A Sovereign Solution for NIS-2 Risk Management

For organisations navigating the complexities of NIS-2 risk management, Impossible Cloud offers a compelling solution designed with European digital sovereignty and compliance at its core. As an EU-based provider, Impossible Cloud operates exclusively in certified European data centres across Germany, the Netherlands, the UK, Denmark, and Poland. This commitment ensures that your data remains within EU/UK jurisdiction, providing robust protection against extraterritorial access demands, such as those under the US CLOUD Act. Our 'Sovereign by design' approach means legal certainty for your critical data assets.

Impossible Cloud's S3-compatible object storage is engineered to meet and exceed the technical and organisational measures required by NIS-2. We provide multi-layer encryption for data both in transit and at rest, ensuring confidentiality and integrity. Our Immutable Storage (Object Lock) feature offers Write Once, Read Many (WORM) protection, safeguarding your data against ransomware and accidental deletion, a vital component of NIS-2's business continuity and incident handling requirements. Robust Identity and Access Management (IAM) with Multi-Factor Authentication (MFA) and Role-Based Access Control (RBAC) ensures that only authorised personnel can access sensitive systems and data.
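As an added example (not Impossible Cloud's code or SDK), the following Python check is the kind of supplier-side verification a customer can run against any S3-compatible bucket: it reads the bucket's Object Lock configuration over the standard S3 API and confirms that WORM retention meets a minimum policy. The bucket name, endpoint URL and the 30-day minimum are assumptions; boto3 is only needed for the live call, and the policy evaluation itself runs on sample responses constructed inline.

```python
"""Verify S3 Object Lock (WORM) retention on an S3-compatible bucket."""
from typing import Optional

DAYS_PER_YEAR = 365  # S3 expresses DefaultRetention in Days or Years


def retention_days(rule: dict) -> int:
    """Convert an Object Lock Rule's DefaultRetention to a number of days."""
    ret = rule.get("DefaultRetention", {})
    if "Days" in ret:
        return int(ret["Days"])
    if "Years" in ret:
        return int(ret["Years"]) * DAYS_PER_YEAR
    return 0


def evaluate_object_lock(config: Optional[dict], min_days: int = 30,
                         require_compliance: bool = True) -> dict:
    """Check a GetObjectLockConfiguration response against a retention policy.

    A missing or disabled configuration is a finding: without Object Lock the
    bucket offers no WORM protection against ransomware or accidental deletion.
    COMPLIANCE mode is required by default because GOVERNANCE retention can be
    bypassed by a principal holding s3:BypassGovernanceRetention.
    """
    findings = []
    lock = (config or {}).get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on the bucket")
        return {"compliant": False, "findings": findings}
    rule = lock.get("Rule")
    if not rule:
        findings.append("Object Lock enabled but no default retention rule")
    else:
        mode = rule.get("DefaultRetention", {}).get("Mode")
        if require_compliance and mode != "COMPLIANCE":
            findings.append(f"retention mode is {mode}, not COMPLIANCE")
        days = retention_days(rule)
        if days < min_days:
            findings.append(f"default retention {days} days is below {min_days}")
    return {"compliant": not findings, "findings": findings}


def fetch_object_lock(bucket: str, endpoint_url: str) -> Optional[dict]:
    """Fetch the live configuration; returns None if the bucket has no Object Lock."""
    import boto3  # imported here so the policy check above runs without boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3", endpoint_url=endpoint_url)
    try:
        return s3.get_object_lock_configuration(Bucket=bucket)
    except ClientError as exc:
        if exc.response["Error"]["Code"] == "ObjectLockConfigurationNotFoundError":
            return None
        raise


# Constructed sample responses in the shape the S3 API returns.
SAMPLE_OK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}}}
SAMPLE_WEAK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}

if __name__ == "__main__":
    # Assumed endpoint and bucket name; replace with the provider's values.
    print(evaluate_object_lock(fetch_object_lock("backups", "https://s3.example.invalid")))
```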

Furthermore, Impossible Cloud holds key certifications, including ISO 27001, SOC 2 Type II, and PCI DSS, demonstrating our adherence to internationally recognised security standards. These certifications provide a verifiable foundation for your own NIS-2 compliance efforts, particularly concerning supply chain security and the assessment of third-party providers. Our architecture is built for resilience, eliminating single points of failure and offering multi-AZ replication to ensure high availability and durability (99.999999999%).

The full S3-API compatibility of Impossible Cloud's object storage makes it a seamless 'drop-in replacement' for existing applications, scripts, and tools. This means organisations can migrate their data without complex code rewrites, avoiding vendor lock-in and supporting compliance with the EU Data Act's emphasis on data portability. Learn more about our S3-compatible object storage.

Achieving Predictable Security and Costs with Impossible Cloud

Beyond compliance, Impossible Cloud is committed to delivering operational resilience and cost predictability, two factors crucial for effective NIS-2 risk management. Our 'Always-Hot' object storage model ensures that all your data is immediately accessible without the delays or additional fees associated with tiered storage models. This architecture supports critical business continuity and disaster recovery plans, enabling rapid data retrieval and minimising downtime in the event of an incident, a direct benefit for meeting NIS-2's incident handling and recovery objectives.

One of the most significant advantages for organisations is our transparent and predictable pricing model. Impossible Cloud eliminates hidden costs such as egress fees, API call charges, and minimum storage durations. This 'predictable by design' approach allows IT leaders and procurement teams to accurately forecast storage expenses, avoiding the 'bill shock' often associated with hyperscaler cloud providers. This financial clarity supports long-term strategic planning and resource allocation for cybersecurity investments, aligning with NIS-2's emphasis on robust risk management without budget surprises. You can explore our transparent pricing model at Impossible Cloud Pricing.

Impossible Cloud's commitment to digital sovereignty extends to our operational practices. With European teams and contracts, we offer local support in European time zones, ensuring responsive assistance for your compliance and operational needs. Our multi-tenant console with RBAC/MFA, automation via API/CLI, and comprehensive reporting capabilities further empower organisations to maintain full control over their data and infrastructure, simplifying audit processes and demonstrating adherence to NIS-2's governance requirements. For instance, the DIPF Leibniz Institute, a leading European research institution, uses Impossible Cloud for its critical data needs, ensuring both compliance and performance. Read their story on our customer success page.

By partnering with Impossible Cloud, organisations can confidently address their NIS-2 obligations, secure their digital supply chain, and achieve a high level of cybersecurity resilience. We provide the infrastructure, security features, and operational transparency necessary to meet regulatory demands while delivering the performance and cost predictability modern European enterprises require. It's about having 'Full Control. Zero Surprises.' in your cloud strategy.

FAQ

What is the NIS-2 Directive and who does it apply to?

The NIS-2 Directive is an EU-wide cybersecurity regulation that strengthens and expands upon the original NIS Directive. It applies to a broad range of 'essential' and 'important' entities across 18 critical sectors, including energy, transport, health, digital infrastructure, and public administration. Its goal is to achieve a high common level of cybersecurity across the European Union.

What are the main cybersecurity requirements under NIS-2?

NIS-2 mandates comprehensive cybersecurity risk management measures, including risk analysis, incident handling, business continuity, supply chain security, encryption, and access controls. It also imposes strict incident reporting obligations, requiring initial notification within 24 hours and detailed reports within 72 hours of a significant incident.

How does NIS-2 impact cloud service providers and their customers?

Cloud service providers are explicitly included within the scope of NIS-2, and their customers must assess and manage the cybersecurity risks associated with these third-party dependencies as part of their supply chain security obligations. This means organisations must ensure their cloud providers meet NIS-2 standards and contractual requirements.

What are the penalties for non-compliance with NIS-2?

Non-compliance with NIS-2 can result in significant financial penalties. 'Essential entities' may face fines of up to €10 million or 2% of global annual turnover, while 'important entities' can be fined up to €7 million or 1.4% of global annual turnover, whichever is higher. Senior management can also be held personally liable.

Why is data residency and the CLOUD Act relevant for NIS-2 compliance?

Data residency ensures data remains within a specific jurisdiction, which is crucial for EU data sovereignty. The US CLOUD Act allows US authorities to access data held by US-based providers globally, potentially conflicting with EU data protection laws like GDPR and NIS-2. Choosing an EU sovereign cloud provider mitigates this extraterritorial risk.

How does the EU Data Act relate to NIS-2 and cloud provider selection?

The EU Data Act, fully applicable from September 2025, aims to prevent vendor lock-in by mandating cloud switching rights and prohibiting egress fees from January 2027. This aligns with NIS-2's focus on resilience and supply chain security by ensuring organisations can easily port their data and switch providers if needed, fostering a more competitive and compliant cloud market.
