NIS2 2026: What's New for European Companies' Cloud Infrastructure?
If your company operates in one of Europe's critical sectors and hasn't yet assessed the impact of the NIS2 Directive on its cloud infrastructure, now is the time to do so.
The NIS2 Directive — Network and Information Security 2 — came into force in October 2024 and imposes concrete obligations and significant penalties on thousands of European organizations that have never before been subject to such stringent cybersecurity regulations.
What is NIS2 and how is it different from NIS1?
The first NIS Directive, in 2016, had a limited scope—it primarily covered operators of essential services such as energy, transport, and healthcare, and large digital service providers. Many companies, despite operating in critical sectors, were excluded or subject to minimal obligations.
NIS2 changes all of this in three fundamental ways.
Much broader scope. NIS2 now covers 18 sectors, divided into "essential entities" and "important entities." Thousands of organizations that had never been regulated by NIS1 are now subject to specific obligations.
More stringent requirements. It's no longer enough to simply declare that you have security measures in place—you need to demonstrate it with documentation, audits, and certified procedures.
Management accountability. NIS2 introduces direct personal liability for company management for the cybersecurity measures adopted. The CEO and Board of Directors can be held personally liable in the event of a serious breach.
Who is affected by NIS2
NIS2 divides the organizations it covers into two categories with slightly different obligations.
Essential entities — subject to the most stringent obligations: energy (electricity, gas, oil, hydrogen), transportation (air, rail, maritime, road), banking and finance, healthcare, drinking water and wastewater, digital infrastructure (IXPs, DNS, TLDs, cloud providers, data centers, CDNs), central government, space.
Important entities — slightly less stringent but still substantial obligations: postal and courier services, waste management, chemical production and distribution, food production and distribution, manufacturing (medical devices, electronics, machinery, vehicles), digital service providers (online marketplaces, search engines, social networks), research.
Size criteria. In general, NIS2 applies to organizations with more than 50 employees or more than €10 million in revenue in the sectors listed above. For some critical sectors such as energy and healthcare, there are no size thresholds.
The concrete obligations of NIS2 for cloud infrastructures
NIS2 does not prescribe specific technologies but defines functional requirements that IT infrastructures must meet. Here are the main ones that directly impact cloud infrastructures.
Cyber risk management. Organizations must implement technical and organizational measures appropriate to the risk. For cloud infrastructures, this means periodic risk assessments, system hardening, vulnerability management, and systematic patching.
Supply chain security. NIS2 extends obligations to suppliers and technology partners. If your cloud infrastructure is managed by an external provider, you must ensure they also comply with NIS2 requirements. This is one of the most critical points for companies using American hyperscalers—the supply chain includes entities subject to the US Cloud Act.
Incident reporting. In the event of a significant security incident, organizations must notify the competent authority within 24 hours of discovery with a preliminary notification, and within 72 hours with a full notification. A detailed final report must be submitted within one month.
Business continuity. Organizations must have tested and documented business continuity and disaster recovery plans, with defined and periodically reviewed RTOs and RPOs.
Encryption and access control. NIS2 requires the use of encryption to protect data in transit and at rest, and multi-factor authentication systems for access to critical systems.
Training and awareness. Personnel managing critical systems must receive periodic cybersecurity training. Management must demonstrate adequate risk awareness.
Penalties: What you risk if you don't comply
NIS2 introduces a significantly more severe penalty system than NIS1.
For essential entities, the maximum fines are €10 million or 2% of annual global turnover, whichever is higher. For important entities, the maximum is €7 million or 1.4% of annual global turnover.
But the most impactful change isn't the financial sanctions—it's the personal liability of management. NIS2 allows national authorities to temporarily ban executives and directors from performing managerial functions in the event of serious violations. This provision has radically changed the focus of European boards of directors on cybersecurity.
NIS2 and the Cloud: The Three Most Common Scenarios
Scenario 1 — Infrastructure on a US hyperscaler
This is the most critical scenario from a NIS2 perspective. US hyperscalers (AWS, Azure, Google Cloud) are subject to the US Cloud Act, which creates a structural conflict with NIS2 requirements for supply chain security. Furthermore, the shared responsibility model typical of hyperscalers leaves the client company responsible for managing many aspects of security that NIS2 requires to be documented and certified.
Scenario 2 — Outdated on-premise infrastructure
Many companies in critical industries still operate legacy on-premises infrastructures with outdated systems, no vulnerability management, and undocumented incident response procedures. NIS2 requires a significant upgrade of these infrastructures.
Scenario 3 — Open-source cloud with managed services
This scenario is the most aligned with NIS2. An infrastructure based on OpenStack or Proxmox VE in European data centers, managed by an ISO 27001-certified provider with a 24/7 SIEM/SOC, documented incident response procedures, and a complete audit trail natively meets most NIS2 requirements.
How to adapt to NIS2: the practical path
Adapting to NIS2 is not done overnight; it follows a process structured into four phases.
Phase 1 — NIS2 assessment (2-4 weeks)
The first step is to determine whether your organization falls within the NIS2 scope and in which category. Then, assess the gap between the current situation and the regulatory requirements. The assessment produces a prioritized list of interventions with estimated costs and timeframes.
Phase 2 — Infrastructure adaptation (1-3 months)
Common interventions include implementing a SIEM for security event correlation, deploying vulnerability management systems, hardening cloud systems, enforcing MFA on all critical systems, and updating backup and disaster recovery procedures with documented RTOs and RPOs.
Phase 3 — Documentation and procedures (1-2 months)
NIS2 requires formal documentation of the measures taken. This includes updated security policies, incident response procedures with defined roles and responsibilities, tested business continuity plans, an updated risk register, and contracts with technology vendors aligned with NIS2 requirements.
Phase 4 — Continuous monitoring
NIS2 is not a one-time project but an ongoing process. It requires periodic vulnerability assessments, testing of incident response plans, annual staff training, and up-to-date documentation.
Why open-source cloud simplifies NIS2 compliance
Open-source cloud infrastructures have a structural advantage over American hyperscalers in terms of NIS2 compliance.
Code transparency. With OpenStack and Kubernetes, the code is public and auditable. There are no hidden backdoors, opaque proprietary components, or vendor dependencies that could be subject to disclosure obligations to foreign authorities.
Complete control of the supply chain. With an open-source infrastructure managed by a European provider, the technology supply chain is entirely under European jurisdiction. No component is subject to the US Cloud Act.
SIEM and native audit trails. OpenStack and Kubernetes infrastructures generate detailed logs of all operations. With a properly configured SIEM, you can document every access, every change, and every security event—exactly what NIS2 requires to demonstrate compliance.
Certified incident response. A provider with a 24/7 NOC/SOC and documented and tested incident response procedures natively meets NIS2 requirements for incident notification and management times.
Epic Edge's Role in NIS2 Compliance
Epic Edge supports organizations subject to NIS2 at three levels.
Compliant infrastructure. We deploy open-source cloud infrastructure on OpenStack, Proxmox VE, and Kubernetes in European data centers, with end-to-end encryption, BYOK/HSM, MFA, and a full audit trail. The infrastructure is natively designed to meet NIS2 technical requirements.
24/7 Managed Services with SIEM/SOC. Our NOC/SOC team monitors infrastructures 24/7 with a SIEM for security event correlation, real-time alerting, certified incident response procedures, and compliance reporting for internal and external audits.
Documentation and compliance. We provide the necessary documentation to demonstrate NIS2 compliance—security policies, incident response procedures, vulnerability assessment reports, audit trails, and periodic management reporting.
Conclusion: NIS2 is not a problem, it's an opportunity
Companies that comply with NIS2 aren't just avoiding fines. They're building a more resilient, more secure, and more competitive infrastructure.
For European companies working with enterprise clients or in public administration, NIS2 compliance is becoming a requirement for tenders and calls for bids. Those who are already compliant have a tangible competitive advantage over those who are still lagging behind.
2026 is the year in which European national authorities will begin their first inspections and apply their first sanctions. Don't wait until you're in the crosshairs to begin the compliance process.
Is your cloud infrastructure NIS2 compliant?
Epic Edge offers a NIS2 compliance assessment for your cloud infrastructure. Within 5 business days, you'll receive a detailed report with a gap analysis and compliance plan.