
Navigating NIS-2 Supply Chain Compliance: Choosing the Right Cloud Vendors in the EU

26.02.2026
11 minutes read
Thomas Demoor, CTO Impossible Cloud
Understanding the NIS-2 Directive's Impact on Third-Party Risk and Data Sovereignty for European Businesses

The European Union has introduced the NIS-2 Directive (Directive (EU) 2022/2555), a significant legislative update designed to bolster cybersecurity across essential and important entities within the EU. Effective from October 2024, NIS-2 expands the scope of its predecessor, NIS-1, and places a strong emphasis on supply chain security, making the choice of NIS-2 supply-chain-compliant cloud vendors in the EU a critical concern for businesses across the continent.

Organisations operating in critical sectors, from energy and transport to digital infrastructure and healthcare, must now proactively manage risks stemming from their entire supply chain, including third-party cloud service providers. Failure to comply can result in substantial administrative fines, potentially reaching up to €10 million or 2% of global annual turnover for essential entities. This directive mandates a comprehensive approach to cybersecurity, moving beyond internal measures to encompass the resilience and security posture of every vendor and partner. This article will explore the intricacies of NIS-2 supply chain requirements, evaluate the challenges of cloud adoption, and provide a framework for selecting cloud vendors that ensure robust compliance and digital sovereignty within the European Union.

Key Takeaways

  • The NIS-2 Directive significantly expands cybersecurity obligations, placing a strong emphasis on supply chain security and holding management bodies accountable for compliance.
  • Selecting cloud vendors for NIS-2 compliance requires rigorous evaluation of data residency, legal jurisdiction (e.g., CLOUD Act exposure), security measures, and supply chain transparency.
  • EU sovereign cloud providers, like Impossible Cloud, offer a 'Sovereign by design' approach with EU-only data residency, predictable costs, and robust security features, directly addressing NIS-2 supply chain compliance challenges.

Understanding the NIS-2 Directive: Scope and Core Obligations

The NIS-2 Directive, which replaced the original NIS Directive on 17 October 2024, aims to achieve a higher common level of cybersecurity across the European Union. It significantly broadens the scope of entities covered, categorising them into 'essential' and 'important' based on their criticality to society and the economy. Essential entities include sectors such as energy, transport, banking, healthcare, digital infrastructure (including cloud computing service providers), and public administration. Important entities encompass areas like postal and courier services, waste management, food production, manufacturing, and digital providers.

The directive mandates a series of stringent cybersecurity risk management measures. These include comprehensive risk assessments, incident handling, business continuity and disaster recovery, supply chain security, encryption, access control, and multi-factor authentication (MFA). Organisations must also implement robust incident reporting obligations, with initial notifications required within 24 hours of becoming aware of a significant incident, followed by a detailed report within 72 hours, and a comprehensive final report within one month.

Crucially, NIS-2 places accountability for cybersecurity failures squarely on the management bodies of essential and important entities. Executives are required to approve and oversee the implementation of cybersecurity risk-management measures and may face personal liability for infringements. This emphasis on governance underscores the strategic importance of cybersecurity, moving it from a purely technical concern to a board-level priority. The directive's goal is to foster a proactive approach to cybersecurity, ensuring that organisations are not only prepared for threats but also resilient in the face of incidents.

The Criticality of Supply Chain Security Under NIS-2

One of the most significant enhancements introduced by NIS-2 is its explicit focus on supply chain security. Article 21 of the directive requires organisations to assess, monitor, and manage cyber risks across their entire value chain. This means that the security posture of third-party service providers, including cloud vendors, is no longer an optional consideration but a legal obligation. The European Union Agency for Cybersecurity (ENISA) highlights supply chain attacks as one of the fastest-growing threats, making supplier risk a compliance priority.

For organisations to be truly NIS-2 supply chain compliant, they must implement a robust supply chain security policy. This policy should include stringent criteria for supplier selection, a thorough evaluation of their cybersecurity practices, and an analysis of the resilience of the ICT products and services they provide. Furthermore, contracts with suppliers must incorporate detailed clauses outlining minimum security requirements, such as adherence to specific ICT standards, commitments regarding personnel expertise and certifications, and clear procedures for rapid incident notification.

The implications extend beyond direct suppliers to include fourth-party risks, meaning organisations must consider the security of their suppliers' suppliers. This multi-tiered approach necessitates continuous monitoring of supplier risk and the ability to detect vulnerabilities before they can be exploited. Ultimately, NIS-2 aims to create a systemic vision of cybersecurity, recognising that the resilience of an individual organisation is intrinsically linked to the strength of its entire supply chain. This makes the selection of cloud vendors with verifiable NIS-2 supply chain compliance a cornerstone of an organisation's overall cybersecurity strategy.

Key Compliance Challenges for Cloud Adoption in the EU

Adopting cloud services offers immense benefits in terms of scalability, flexibility, and cost-efficiency, but it also introduces unique challenges when striving for NIS-2 compliance in the EU. A primary concern is data residency and jurisdiction. While many global cloud providers offer data centres within the EU, the critical question often revolves around the legal jurisdiction under which the data ultimately falls. The US CLOUD Act, for instance, allows US authorities to compel US-based cloud service providers to provide access to data, even if stored in EU data centres, without requiring cooperation between governments or judicial review in the EU.

This extraterritorial access poses a direct conflict with EU data protection laws like GDPR, which stipulate that personal data may only be transferred to or processed in third countries if an adequate level of protection is guaranteed. For organisations subject to NIS-2, this legal uncertainty in the supply chain can create significant compliance gaps, as they are ultimately accountable for the security and sovereignty of their data. The complexity of data processing agreements and the lack of full transparency regarding sub-processors further complicate the assessment of true data sovereignty and supply chain risk.

Beyond legal jurisdiction, technical compliance also presents hurdles. While hyperscalers like AWS, Azure, and Google Cloud offer a vast array of security tools and certifications, configuring these to meet specific NIS-2 requirements can be complex and requires deep expertise. Organisations must ensure that measures such as encryption (in transit and at rest), robust access controls, immutable storage, and comprehensive incident response capabilities are not only available but correctly implemented and continuously monitored. The shared responsibility model in the cloud often leads to confusion, with organisations sometimes mistakenly assuming that the provider handles all aspects of security and compliance, including their specific NIS-2 obligations.

Evaluating Cloud Vendors for NIS-2 Supply Chain Compliance: A Comparison

Selecting a cloud vendor that genuinely supports NIS-2 supply chain compliance requires a rigorous evaluation beyond headline features. Organisations must scrutinise a vendor's approach to data sovereignty, security measures, transparency, and contractual commitments. The goal is to mitigate third-party risk and ensure that the chosen provider aligns with the stringent requirements of the NIS-2 Directive, particularly concerning the protection of critical network and information systems.

A key aspect of this evaluation involves understanding the legal jurisdiction governing the cloud service. While many providers have data centres in the EU, their corporate headquarters or ultimate control may reside in countries with conflicting legal frameworks, such as the US CLOUD Act. This can expose EU data to potential extraterritorial access, undermining digital sovereignty. Furthermore, the level of transparency regarding sub-processors and the ability to enforce contractual security obligations are vital for managing supply chain risk effectively.

Organisations should also look for certifications like ISO 27001 and SOC 2 Type II, which demonstrate a commitment to information security management and can provide a strong foundation for NIS-2 compliance. However, it's important to recognise that these certifications, while helpful, are not a substitute for direct NIS-2 alignment, especially concerning specific incident reporting timelines and supply chain audit rights. The table below outlines critical evaluation criteria for cloud vendors in the context of NIS-2 supply chain compliance:

Criteria: Data Residency & Jurisdiction
  US Hyperscaler (e.g., AWS, Azure, GCP): EU data centres available, but ultimate legal control often under US law (CLOUD Act exposure).
  Generic EU Provider: Data stored in EU, but may lack full transparency on sub-processors or robust compliance frameworks.
  EU Sovereign Cloud Provider: Data stored exclusively in EU, under EU jurisdiction, no CLOUD Act exposure. Sovereign by design.

Criteria: Supply Chain Transparency
  US Hyperscaler (e.g., AWS, Azure, GCP): Complex sub-processor chains, often global, requiring extensive DPA review.
  Generic EU Provider: Varies widely; may have limited visibility into multi-tiered supply chain.
  EU Sovereign Cloud Provider: Transparent, EU-only supply chain, with clear contractual obligations for all parties.

Criteria: Core Security Measures
  US Hyperscaler (e.g., AWS, Azure, GCP): Extensive security features, but requires complex customer configuration for compliance.
  Generic EU Provider: Basic to advanced, but consistency and depth can vary.
  EU Sovereign Cloud Provider: Built-in, enterprise-grade security (encryption, Object Lock, IAM, MFA) designed for EU regulations.

Criteria: Incident Response & Reporting
  US Hyperscaler (e.g., AWS, Azure, GCP): Tools available, but customer is responsible for NIS-2 specific reporting timelines and coordination.
  Generic EU Provider: May meet basic requirements, but often lacks integrated, rapid response capabilities.
  EU Sovereign Cloud Provider: Proactive incident management, clear reporting procedures aligned with NIS-2 timelines.

Criteria: Certifications & Audits
  US Hyperscaler (e.g., AWS, Azure, GCP): ISO 27001, SOC 2, PCI DSS (for 'security of the cloud'), but customer responsible for 'security in the cloud'.
  Generic EU Provider: May have some certifications, but scope and rigour can differ.
  EU Sovereign Cloud Provider: ISO 27001, SOC 2 Type II, PCI DSS, GDPR-ready, with clear audit trails.

Criteria: Cost Predictability
  US Hyperscaler (e.g., AWS, Azure, GCP): Complex pricing models with potential egress fees, API call costs, and hidden charges.
  Generic EU Provider: Varies; some may have hidden costs or less transparent models.
  EU Sovereign Cloud Provider: Transparent, predictable pricing with no egress fees, API call costs, or minimum durations.

Impossible Cloud: A Sovereign Solution for NIS-2 Supply Chain Compliance in the EU

For organisations seeking NIS-2 supply-chain-compliant cloud vendors in the EU, Impossible Cloud offers a compelling solution built on principles of digital sovereignty and predictable performance. Headquartered in Germany and operating exclusively in certified European data centres (Germany, Netherlands, UK, Denmark, Poland), Impossible Cloud ensures that your data remains under EU jurisdiction, eliminating the risks associated with extraterritorial access laws like the US CLOUD Act. This 'Sovereign by design' approach is fundamental to meeting NIS-2's stringent requirements for data protection and supply chain integrity.

Impossible Cloud's S3-compatible object storage is engineered to address the core technical measures mandated by NIS-2. It provides multi-layer encryption for data in transit and at rest, ensuring the confidentiality and integrity of your critical information. Immutable Storage (Object Lock) offers robust ransomware protection and data integrity, a vital component for business continuity and disaster recovery plans. With comprehensive IAM (Identity and Access Management) featuring MFA and RBAC, organisations maintain granular control over data access, aligning with NIS-2's emphasis on strong access management. These features are not add-ons but are integral to the platform, simplifying compliance efforts.
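Under the shared responsibility model, the measures named above (encryption at rest and in transit, Object Lock immutability, MFA-gated access) still have to be verified on the customer's own buckets rather than assumed from the vendor's feature list. The following is an added example, not Impossible Cloud's or any provider's code: it evaluates the responses of the standard S3 APIs (GetObjectLockConfiguration, GetBucketEncryption, GetBucketPolicy) that any S3-compatible endpoint exposes, so it can serve as compliance evidence for the controls this section lists. The endpoint URL, the 30-day retention floor and the condition key aws:MultiFactorAuthPresent (whose support varies between S3-compatible vendors) are assumptions.

```python
# Added example (not Impossible Cloud's code): evaluates standard S3 API responses.
import json

def check_object_lock(cfg: dict, min_days: int = 30) -> tuple[bool, str]:
    """Immutable storage: Object Lock on, default COMPLIANCE retention >= min_days
    (GOVERNANCE mode can be lifted by privileged users, so it does not count)."""
    lock = cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return False, "Object Lock not enabled"
    ret = lock.get("Rule", {}).get("DefaultRetention", {})
    days = ret.get("Days", 0) + 365 * ret.get("Years", 0)
    if ret.get("Mode") != "COMPLIANCE":
        return False, f"retention mode {ret.get('Mode')!r} is not COMPLIANCE"
    if days < min_days:
        return False, f"default retention {days} days is below {min_days}"
    return True, f"COMPLIANCE retention of {days} days"

def check_default_encryption(cfg: dict) -> tuple[bool, str]:
    """Encryption at rest: every default rule must use AES256 or aws:kms."""
    rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algs = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
    if not algs or any(a not in ("AES256", "aws:kms") for a in algs):
        return False, f"no acceptable default SSE rule (found {algs})"
    return True, f"default SSE {algs}"

def policy_denies_unless(policy_json: str, cond_key: str, actions: tuple) -> tuple[bool, str]:
    """TLS/MFA enforcement pattern in a bucket policy: a Deny for all principals
    on the given actions whenever the Bool condition cond_key is false."""
    for st in json.loads(policy_json).get("Statement", []):
        acts = st.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        cond = st.get("Condition", {}).get("Bool", {})
        if (st.get("Effect") == "Deny" and st.get("Principal") in ("*", {"AWS": "*"})
                and str(cond.get(cond_key, "")).lower() == "false"
                and all(a in acts or "s3:*" in acts or "*" in acts for a in actions)):
            return True, f"Deny when {cond_key}=false covers {actions}"
    return False, f"no Deny on {cond_key}=false for {actions}"

def audit_bucket(lock_cfg: dict, enc_cfg: dict, policy_json: str) -> dict:
    """One (passed, detail) record per control; False entries are gaps the
    customer, not the provider, must close under the shared responsibility model."""
    return {"object_lock": check_object_lock(lock_cfg),
            "encryption_at_rest": check_default_encryption(enc_cfg),
            "tls_enforced": policy_denies_unless(policy_json, "aws:SecureTransport", ("s3:*",)),
            "mfa_for_delete": policy_denies_unless(policy_json, "aws:MultiFactorAuthPresent",
                                                   ("s3:DeleteObject", "s3:DeleteObjectVersion"))}

def audit_live(bucket: str, endpoint_url: str) -> dict:
    """Fetch the three configurations via boto3; endpoint_url is an assumption for your
    vendor, and a ClientError from any call means that control is not configured at all."""
    import boto3  # imported here so the pure checks above run without it installed
    s3 = boto3.client("s3", endpoint_url=endpoint_url)
    return audit_bucket(s3.get_object_lock_configuration(Bucket=bucket),
                        s3.get_bucket_encryption(Bucket=bucket),
                        s3.get_bucket_policy(Bucket=bucket)["Policy"])
```

Running audit_live against each bucket on a schedule turns the "continuously monitored" requirement into a record of which controls were actually in force on a given date.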

Furthermore, Impossible Cloud's commitment to transparency extends to its operational model and pricing. With no egress fees, no API call costs, and no minimum storage duration, organisations benefit from predictable costs, allowing for better budgeting and resource allocation without hidden surprises. This 'Predictable by design' philosophy supports long-term planning for cybersecurity investments. Our adherence to international standards such as ISO 27001, SOC 2 Type II, and PCI DSS, alongside being GDPR-ready, provides a strong, verifiable foundation for NIS-2 compliance, demonstrating a systematic approach to information security management. You can learn more about our commitment to security and compliance on our S3-compatible object storage page.

Achieving Predictable Security and Control with Impossible Cloud

Beyond foundational compliance, Impossible Cloud empowers organisations to achieve a higher level of predictable security and operational control, crucial for navigating the complexities of NIS-2. Our Always-Hot object storage model ensures all data is immediately accessible without the delays or additional fees associated with tiered storage models. This consistent performance is vital for rapid incident response and maintaining business continuity, directly supporting NIS-2's operational resilience objectives. The architecture is designed to eliminate single points of failure, providing 99.999999999% (11 nines) durability, a testament to its resilience against disruptions.

For organisations with existing infrastructure, Impossible Cloud offers full S3-API compatibility, making it a true drop-in replacement. This means existing applications, scripts, and tools can seamlessly integrate without requiring costly code rewrites, accelerating migration and reducing the operational burden of achieving NIS-2 compliance. This ease of integration is particularly beneficial for MSPs and channel partners looking to build profitable Backup-as-a-Service (BaaS) offerings, leveraging our platform's robust security and predictable pricing to serve their own NIS-2-impacted clients. Our multi-tenant console with RBAC/MFA further streamlines management for service providers.

Impossible Cloud's focus on EU-only operations and geofenced storage options provides explicit control over data residency, a critical factor for NIS-2 supply chain compliance. This commitment to digital sovereignty, combined with transparent contractual terms and a clear, EU-based support structure, offers the peace of mind that your data is protected not just technically, but legally. By choosing Impossible Cloud, organisations can confidently demonstrate their adherence to NIS-2 requirements, secure their supply chain, and maintain full control over their most valuable asset: their data. To explore how Impossible Cloud can support your NIS-2 compliance journey, talk to an expert today.

FAQ

What is the NIS-2 Directive and who does it apply to?

The NIS-2 Directive is an EU directive aimed at strengthening cybersecurity across the Union. It applies to 'essential' and 'important' entities in critical sectors such as energy, transport, healthcare, digital infrastructure, and manufacturing. These entities are required to implement stringent cybersecurity risk management measures and incident reporting obligations.

Why is supply chain security so critical under NIS-2?

NIS-2 explicitly mandates organisations to assess, monitor, and manage cyber risks across their entire supply chain, including third-party service providers like cloud vendors. This is because a weakness in any part of the supply chain can compromise the entire organisation's security posture, making robust third-party risk management a legal obligation.

How does the US CLOUD Act affect NIS-2 compliance for EU organisations using cloud services?

The US CLOUD Act allows US authorities to compel US-based cloud providers to hand over data, even if stored in the EU, without EU judicial review. This creates a conflict with EU data protection laws like GDPR and can undermine the digital sovereignty required for NIS-2 compliance, as EU organisations remain accountable for their data's security and jurisdiction.

What are the penalties for NIS-2 non-compliance?

Non-compliance with NIS-2 can lead to significant administrative fines. For essential entities, fines can reach up to €10 million or 2% of their global annual turnover, whichever is higher. Important entities face fines of up to €7 million or 1.4% of global annual turnover. Management bodies can also face personal liability.

Does ISO 27001 certification ensure NIS-2 compliance?

While ISO 27001 provides a strong foundation for information security management and is encouraged by NIS-2, it is not sufficient on its own for full NIS-2 compliance. NIS-2 introduces additional specific requirements, such as stricter incident reporting timelines and explicit supply chain security obligations, which go beyond the general framework of ISO 27001.
