DEV Community

ConformScan

NIS2 Compliance Checklist for AWS, Azure & GCP: The Complete 2026 Guide

The EU NIS2 Directive has been enforceable since October 17, 2024. If your company runs on AWS, Azure, or GCP and falls under its scope, you need a clear checklist of what to fix — and a way to verify it automatically. This guide covers both.

Who is affected by NIS2?

NIS2 applies to any company operating in the EU with either:

  • 50+ employees or €10M+ annual revenue, AND
  • Operations in a covered sector: energy, transport, healthcare, water, digital infrastructure, ICT services, banking, financial market infrastructure, or manufacturing of critical products.

Unlike NIS1, NIS2 also covers important entities (medium-sized companies) — not just operators of essential services. This means tens of thousands of European companies are newly in scope.

What NIS2 requires (Article 21)

Article 21 mandates a risk-based approach to security. For cloud infrastructure, this translates into 8 concrete categories:

1. IAM & Access Control

AWS: MFA on all IAM users (especially root), no wildcard * permissions, access keys rotated within 90 days, no hardcoded credentials in Lambda or EC2 user data.

Azure: MFA enforced via Conditional Access, no over-privileged roles, managed identities instead of service principal secrets.

GCP: MFA on all accounts, no primitive roles (Owner/Editor) on production projects, Workload Identity Federation instead of service account keys.
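One way to verify two of the AWS items above (MFA on root and console users, access keys rotated within 90 days) from the IAM credential report, as an added example that is not ConformScan's or AWS's code; the report rows, account id, user names and reference date are constructed.

```python
"""Added example, not ConformScan's or AWS's code: evaluate an IAM credential
report (the CSV that `aws iam get-credential-report` returns) against two
controls from the IAM section: MFA on root and console users, and every
active access key rotated within 90 days."""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)
# Reference date for the constructed sample (a real run would use datetime.now(timezone.utc)).
AS_OF = datetime(2025, 12, 1, tzinfo=timezone.utc)
NO_DATE = {"N/A", "not_supported", "no_information"}

# Constructed sample report; account id and user names are placeholders.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2025-11-30T09:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-01T00:00:00+00:00,true,2025-11-30T09:00:00+00:00,2025-09-01T00:00:00+00:00,N/A,true,true,2025-11-20T00:00:00+00:00,2025-11-30T08:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2021-03-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2025-01-10T00:00:00+00:00,2025-11-30T08:00:00+00:00,eu-west-1,ecr,true,2025-11-25T00:00:00+00:00,N/A,N/A,N/A
"""


def find_iam_findings(report_csv: str, now: datetime = AS_OF) -> list:
    """Return one finding string per violated control, in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # MFA control: root always, plus every user with a console password.
        # Key-only users (no password) are covered by the rotation control below.
        console_user = user == "<root_account>" or row["password_enabled"] == "true"
        if console_user and row["mfa_active"] != "true":
            findings.append(f"{user}: MFA not enabled")
        # Rotation control: each active key slot must have been rotated in the last 90 days.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = row[f"access_key_{slot}_last_rotated"]
            if rotated in NO_DATE:
                findings.append(f"{user}: access key {slot} has no rotation date")
                continue
            age = now - datetime.fromisoformat(rotated)
            if age > MAX_KEY_AGE:
                findings.append(f"{user}: access key {slot} last rotated {age.days} days ago (limit 90)")
    return findings
```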

2. Encryption at Rest

AWS: S3 SSE-KMS, RDS storage encryption, EBS encrypted volumes, DynamoDB encryption, secrets in Secrets Manager (not env vars).

Azure: Azure Storage with CMK, SQL TDE, Key Vault for secrets, disk encryption sets.

GCP: GCS CMEK, Cloud SQL encryption, Secret Manager for credentials, CMEK on Persistent Disks.

3. Encryption in Transit

AWS: S3 bucket policies enforce HTTPS-only, rds.force_ssl enabled, ELB/ALB TLS 1.2+ listeners, CloudFront HTTPS redirect.

Azure: Secure transfer required on Storage Accounts, TLS minimum version 1.2, HTTPS-only on App Service.

GCP: Cloud Storage uniform bucket-level access + HTTPS, Cloud SQL SSL enforcement, load balancer HTTPS redirect.
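An added example (not ConformScan's or AWS's code) that checks the AWS "S3 bucket policies enforce HTTPS-only" item, including the common pitfall of a deny that names the bucket but not its objects; the bucket name is a constructed placeholder.

```python
"""Added example, not ConformScan's or AWS's code: check whether an S3 bucket
policy contains the HTTPS-only deny the 'Encryption in Transit' item asks for.
The deny must cover both the bucket ARN and its objects (bucket/*); a common
mistake is listing only the bucket, which leaves GetObject reachable over HTTP.
Bucket name is a constructed placeholder."""
import json


def _as_list(value):
    # Policy JSON allows a single string or a list in Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def enforces_https_only(policy_json: str, bucket: str):
    """Return (ok, reason). ok is True only when a Deny for every principal,
    on all s3 actions, for bucket and objects, is conditioned on
    aws:SecureTransport being false. Resources are matched literally."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    wanted = {bucket_arn, bucket_arn + "/*"}
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"s3:*", "*"}:
            continue
        # The condition value may be the string "false" or JSON false.
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false":
            continue
        missing = wanted - set(_as_list(stmt.get("Resource", [])))
        if missing:
            return False, f"HTTPS-only deny does not cover {sorted(missing)}"
        return True, "HTTPS-only deny present"
    return False, "no Deny for all principals on aws:SecureTransport=false"


BUCKET = "example-nis2-bucket"  # constructed placeholder
# Compliant policy: the deny covers the bucket and every object in it.
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
# Incomplete policy: same deny, but only on the bucket ARN (objects still reachable over HTTP).
BUCKET_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": f"arn:aws:s3:::{BUCKET}",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
```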

4. Network Security

AWS: No security groups open to 0.0.0.0/0 on SSH (22) or RDP (3389), VPC Flow Logs enabled, RDS not publicly accessible.

Azure: NSG rules reviewed (no 0.0.0.0/0 on sensitive ports), NSG Flow Logs enabled, Azure SQL not accessible from internet.

GCP: VPC firewall rules — no 0.0.0.0/0 on SSH/RDP, VPC Flow Logs enabled, Cloud SQL no public IP without authorized networks.
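An added example (not ConformScan's or AWS's code) of the AWS security-group check above, run over a constructed describe_security_groups result so that it also catches wide port ranges and all-traffic rules that a literal "port == 22" match would miss; group ids are placeholders.

```python
"""Added example, not ConformScan's or AWS's code: flag security-group ingress
rules that expose SSH (22) or RDP (3389) to the internet, working on the
structure boto3's ec2 describe_security_groups returns. It also catches the
cases a naive 'port == 22' check misses: a wide port range, and the
IpProtocol -1 (all traffic) rule. Group ids are constructed placeholders."""
SENSITIVE_PORTS = (22, 3389)
WORLD = {"0.0.0.0/0", "::/0"}

def _rule_covers_tcp_port(rule, port):
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all protocols and all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    # Missing FromPort/ToPort means the whole port range.
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def _world_sources(rule):
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", []) if r.get("CidrIp") in WORLD]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") in WORLD]
    return v4 + v6

def find_world_open_sg_rules(security_groups):
    """Return (group_id, port, source_cidr) for every exposure, in input order."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            for source in _world_sources(rule):
                for port in SENSITIVE_PORTS:
                    if _rule_covers_tcp_port(rule, port):
                        findings.append((sg["GroupId"], port, source))
    return findings

# Constructed sample in describe_security_groups shape (the SecurityGroups list).
SAMPLE_SGS = [
    {"GroupId": "sg-bastion", "IpPermissions": [  # SSH from a private range only: fine
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-legacy", "IpPermissions": [  # range 0-1024 silently includes 22
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-anything", "IpPermissions": [  # all traffic from any IPv6 address
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-web", "IpPermissions": [  # HTTPS to the world: not in scope of this check
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]
```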

5. Logging & Monitoring

AWS: CloudTrail multi-region with log file validation + KMS encryption, GuardDuty enabled, Config rules, log retention ≥ 12 months.

Azure: Azure Monitor + Activity Log retention ≥ 12 months, Microsoft Defender for Cloud enabled, diagnostic settings on all resources.

GCP: Cloud Audit Logs (Admin Activity + Data Access) enabled, Security Command Center enabled, log retention ≥ 12 months via log sinks.

6. Incident Response (Article 23)

NIS2 requires reporting significant incidents within 24 hours (initial warning) and 72 hours (full notification). This means:

  • CloudWatch / Azure Monitor / GCP Cloud Monitoring alarms for critical events (root/admin login, policy changes, failed auth)
  • Automated alerts on GuardDuty / Defender / SCC findings routed to PagerDuty or Slack
  • Documented incident classification and escalation process

7. Supply Chain Security

AWS: Cross-account roles scoped down, IAM Access Analyzer, ECR image scanning.

Azure: Third-party access via Entra ID with limited scope, Microsoft Defender for Containers.

GCP: Artifact Registry vulnerability scanning, VPC Service Controls for data exfiltration prevention, Binary Authorization for GKE.

8. Business Continuity

AWS: RDS automated backups ≥7 days, Multi-AZ for production databases, S3 versioning on critical buckets.

Azure: Azure SQL geo-redundant backup, Availability Zones for VMs and databases, Recovery Services Vault.

GCP: Cloud SQL automated backups + point-in-time recovery, multi-region storage for critical data, GKE regional clusters.

NIS2 penalties for non-compliance

Under Article 34, NIS2 imposes maximum fines of:

  • Essential entities: up to €10 million or 2% of global annual turnover
  • Important entities: up to €7 million or 1.4% of global annual turnover

Management boards can also be held personally liable, and temporary bans from management functions are possible for repeated violations.

How to automate NIS2 compliance checks

Manual audits against this checklist take weeks — and go stale the moment someone creates a new resource. Automated scanning solves both problems.

ConformScan runs 270+ NIS2-mapped checks against your live AWS, Azure, and GCP infrastructure in under 2 minutes. You get:

  • A prioritized list of findings with SLA countdowns (3 → 14 → 30 days)
  • Terraform and CLI remediation code for every finding
  • A PDF report ready for your auditor or DPO
  • Cross-framework view: NIS2 findings that also affect DORA, GDPR, BSI C5
  • Scheduled daily scans so you catch drift before your auditor does

Summary

NIS2 compliance on AWS, Azure, and GCP is not a one-time project — it is a continuous process. The 8 categories above cover the core technical requirements across all three major cloud providers. Automate the verification via conformscan.com, fix the gaps, and keep evidence for your auditor. The cost of a scan is far lower than the cost of a fine.
