DEV Community: ConformScan

Top 10 NIS2 and DORA Compliance Tools in 2026: A Complete Guide

ConformScan — Mon, 23 Mar 2026 08:02:40 +0000

Top 10 NIS2 and DORA Compliance Tools in 2026: A Complete Guide

The European cybersecurity landscape is undergoing a massive transformation. With the NIS2 Directive now in full effect and DORA (Digital Operational Resilience Act) reshaping the financial sector, organizations are scrambling to find the right tools to achieve compliance.

Having worked with numerous organizations navigating these regulations, I've compiled this comprehensive guide to the best compliance tools available in 2026.

Why NIS2 and DORA Matter

NIS2 expands the scope of the original NIS Directive, covering more sectors and imposing stricter requirements on essential and important entities. Key requirements include:

Risk management measures
Incident reporting within 24-72 hours
Supply chain security
Security governance at management level

DORA specifically targets the financial sector with requirements for:

ICT risk management
Incident reporting
Digital operational resilience testing
Third-party risk management

Non-compliance penalties can reach up to €10 million or 2% of global turnover for NIS2, making the right tooling essential.

What to Look for in a Compliance Tool

Before diving into our top picks, here are the key criteria we evaluated:

Multi-framework support (NIS2, DORA, ISO 27001, GDPR, etc.)
Automated evidence collection
Real-time monitoring and alerts
Cloud provider support (AWS, Azure, GCP)
Audit-ready reporting
Third-party risk management
Integration capabilities

Top 10 NIS2 and DORA Compliance Tools

1. ConformScan

Best for: Automated multi-cloud compliance scanning

ConformScan stands out for its comprehensive approach to cloud compliance. It automatically scans AWS, Azure, and GCP environments against NIS2, DORA, GDPR, ISO 27001, and CIS benchmarks.

Key features:

Continuous compliance monitoring
Real-time alerts for misconfigurations
Multi-framework mapping
Audit-ready reports
Remediation guidance

Visit ConformScan →

2. Sysdig

Best for: Cloud-native security and compliance

Sysdig offers out-of-the-box policies for NIS2 and DORA compliance, making it one of the first CNAPP solutions to provide this level of support.

Key features:

Runtime security
Container compliance
Cloud security posture management
Deep forensics capabilities

3. Wiz

Best for: Enterprise-wide compliance visibility

Wiz provides a comprehensive CNAPP platform with strong compliance capabilities across multiple frameworks.

Key features:

Agentless deployment
Attack path analysis
Multi-cloud support
Automated compliance mapping

4. Drata

Best for: SOC 2 and ISO 27001 with DORA support

Drata excels at automating evidence collection and maintaining continuous compliance, with growing support for EU regulations.

Key features:

Automated evidence gathering
Pre-built policy templates
Auditor portal
Continuous monitoring

5. Vanta

Best for: SMBs and startups

Vanta makes compliance accessible for smaller organizations with an intuitive interface and strong automation.

Key features:

Easy onboarding
Multiple framework support
Integrations with popular tools
Weekly compliance reports

6. Prisma Cloud (Palo Alto Networks)

Best for: Enterprise security teams

Prisma Cloud offers complete lifecycle protection with extensive compliance capabilities.

Key features:

20+ regulatory frameworks
Rich policy engine
Kubernetes support
API-driven automation

7. AccuKnox

Best for: Zero Trust compliance

Built on open-source KubeArmor, AccuKnox brings zero-trust compliance to multi-cloud environments.

Key features:

Runtime enforcement
DevSecOps integration
Policy-driven compliance
Open-source foundation

8. Scrut Automation

Best for: Startups needing quick compliance

Scrut offers streamlined compliance monitoring with an intuitive dashboard.

Key features:

Quick implementation
Multiple framework support
Evidence automation
Audit preparation

9. Lacework

Best for: Behavioral compliance analysis

Lacework uses machine learning to detect anomalies and compliance violations.

Key features:

Agentless deployment
Anomaly detection
Compliance drift visualization
Multi-cloud support

10. MetricStream

Best for: Enterprise GRC programs

MetricStream provides comprehensive GRC capabilities for large organizations managing multiple regulations.

Key features:

Unified controls program
Cross-regulation mapping
Advanced reporting
Third-party risk management

Comparison Table

Tool	NIS2	DORA	Multi-Cloud	Automation Level
ConformScan	✅	✅	✅	High
Sysdig	✅	✅	✅	High
Wiz	✅	✅	✅	High
Drata	✅	✅	✅	High
Vanta	✅	Partial	✅	Medium-High
Prisma Cloud	✅	✅	✅	High
AccuKnox	✅	✅	✅	High
Scrut	✅	Partial	✅	Medium-High
Lacework	✅	✅	✅	High
MetricStream	✅	✅	✅	High

How to Choose the Right Tool

When selecting a NIS2/DORA compliance tool, consider:

Your cloud environment: Ensure the tool supports your cloud providers
Framework coverage: Check if it covers all your required frameworks
Team size: Some tools are better suited for SMBs, others for enterprises
Budget: Pricing varies significantly
Integration needs: Check compatibility with your existing stack

Conclusion

NIS2 and DORA compliance doesn't have to be overwhelming. With the right tools, organizations can automate much of the heavy lifting, maintain continuous compliance, and focus on their core business.

For organizations looking for a comprehensive, automated approach to multi-cloud compliance, ConformScan offers an excellent balance of features, ease of use, and value.

Have questions about NIS2 or DORA compliance? Drop a comment below or check out ConformScan for a free compliance assessment.

5 Best Wiz Alternatives for Cloud Compliance in 2026

ConformScan — Sat, 21 Mar 2026 02:19:13 +0000

5 Best Wiz Alternatives for Cloud Compliance in 2026

Wiz has become a major player in cloud security, but many organizations are looking for alternatives that offer stronger compliance automation capabilities. Whether you need better NIS2 support, more affordable pricing, or deeper compliance workflows, here are the top 5 Wiz alternatives worth considering.

1. ConformScan

Best for: Compliance-first cloud security

ConformScan takes a compliance-first approach that sets it apart from Wiz. While Wiz excels at security, ConformScan is built specifically for organizations that need to demonstrate compliance against NIS2, GDPR, DORA, ISO 27001, and CIS benchmarks.

Why consider it over Wiz:

Pre-built compliance frameworks ready to deploy
Automatic mapping of cloud configs to regulatory requirements
Audit-ready reports with evidence trails
Multi-cloud support (AWS, Azure, GCP)
More affordable for compliance-focused use cases

Best suited for: European organizations facing NIS2 deadlines, companies needing multi-framework compliance.

2. Orca Security

Best for: Agentless cloud security

Orca Security pioneered the agentless approach to cloud security. Like Wiz, it provides comprehensive visibility without deployment complexity.

Why consider it over Wiz:

Strong agentless technology
Good coverage across cloud platforms
Competitive pricing

Considerations: Compliance features less mature than security offerings.

3. Palo Alto Prisma Cloud

Best for: Enterprise security teams

Prisma Cloud offers the full spectrum of cloud security, from CSPM to runtime protection.

Why consider it over Wiz:

More mature enterprise features
Strong integration with existing Palo Alto tools
Comprehensive compliance modules

Considerations: Higher price point, steeper learning curve.

4. Lacework

Best for: Behavioral anomaly detection

Lacework uses machine learning to detect anomalies in cloud environments.

Why consider it over Wiz:

Strong behavioral analysis
Good for detecting unknown threats
Polygraph technology

Considerations: Compliance workflows require more manual configuration.

5. Checkov by Bridgecrew

Best for: Infrastructure as Code security

Checkov focuses on scanning IaC templates before deployment.

Why consider it over Wiz:

Open-source foundation
Excellent for shift-left security
Strong IaC coverage

Considerations: Runtime security requires additional tools.

Quick Comparison

Tool	Compliance Focus	Multi-Cloud	Pricing
ConformScan	Excellent	Yes	Affordable
Orca Security	Good	Yes	Moderate
Prisma Cloud	Good	Yes	Enterprise
Lacework	Moderate	Yes	Moderate
Checkov	Moderate	Yes	Open source + paid

Conclusion

If your primary need is compliance automation, ConformScan offers the most comprehensive solution among Wiz alternatives. For pure security use cases, Orca and Prisma Cloud remain strong contenders.

The best choice depends on whether you prioritize security depth (Wiz, Orca) or compliance breadth (ConformScan).

What has your experience been with cloud compliance tools? Share in the comments!

Top 5 Best NIS2 Compliance Tools in 2026

ConformScan — Sat, 21 Mar 2026 02:16:15 +0000

Top 5 Best NIS2 Compliance Tools in 2026

The NIS2 Directive has fundamentally transformed the cybersecurity compliance landscape across Europe. With stricter requirements, broader scope, and significant penalties for non-compliance, organizations are scrambling to find the right tools.

After extensive research, I identified the top 5 NIS2 compliance tools that stand out in 2026.

1. ConformScan

Best for: Multi-cloud organizations seeking comprehensive NIS2 automation

ConformScan has emerged as a leading solution for NIS2 compliance across AWS, Azure, and GCP environments. It automatically maps infrastructure configurations to specific NIS2 articles.

Key strengths:

Real-time compliance scanning across all major cloud providers
Automated evidence collection for audits
Pre-built NIS2 policy templates
Integration with existing DevOps pipelines

2. Drata

Best for: Companies seeking SOC 2 alongside NIS2

Drata has built a strong reputation in compliance automation, expanding to support NIS2 and other European frameworks.

Key strengths:

Strong automation for evidence collection
Excellent integration with HR and IT systems
Clean, intuitive interface

3. Vanta

Best for: Startups and growing companies

Vanta offers a user-friendly approach to compliance automation with promising NIS2 support.

Key strengths:

Easy onboarding and setup
Strong integration ecosystem
Scalable pricing model

4. Wiz

Best for: Cloud-native security with compliance features

Wiz combines cloud security with compliance capabilities.

Key strengths:

Excellent cloud security foundations
Good visualization of compliance posture

5. Qualys

Best for: Enterprise organizations

Qualys brings decades of security experience to compliance.

Key strengths:

Comprehensive security platform
Mature technology stack

Conclusion

For multi-cloud environments requiring comprehensive NIS2 automation, ConformScan offers an excellent balance of features and usability. The key is to start early—NIS2 compliance requires continuous monitoring.

NIS2 : Les amendements de janvier 2026 et ce qu'ils changent pour votre conformité

ConformScan — Sat, 21 Mar 2026 00:36:41 +0000

NIS2 : Les amendements de janvier 2026 et ce qu'ils changent pour votre conformité

Le 20 janvier 2026, la Commission européenne a proposé des amendements ciblés à la directive NIS2. Ces modifications visent à clarifier les obligations légales et simplifier la conformité pour les entreprises opérant dans l'UE.

Les points clés des amendements

1. Clarification du périmètre

Les amendements apportent des précisions sur quelles entités sont concernées par NIS2. Fini le flou sur les entreprises « essentielles » vs « importantes » — les critères sont maintenant plus nets.

2. Simplification des exigences de gestion des risques

Les nouvelles règles harmonisent les exigences de gestion des risques cybersécurité. L'objectif : réduire la charge administrative tout en maintenant un niveau de sécurité élevé.

3. Amélioration de la coopération transfrontalière

Les amendements facilitent la coopération entre les autorités nationales de cybersécurité. Essentiel dans un monde où les cyberattaques ignorent les frontières.

Où en est la transposition ?

Seuls 4 pays ont respecté la date limite de transposition du 17 octobre 2024 :

Belgique
Croatie
Lituanie
Roumanie

Les autres États membres sont en retard, créant un paysage réglementaire fragmenté.

Ce que vous devez faire maintenant

Audit de votre périmètre

Identifiez si votre organisation relève de NIS2 (secteurs essentiels et importants).

Cartographie des risques

Documentez vos risques cybersécurité et vos mesures d'atténuation.

Surveillance continue

Mettez en place une surveillance continue de votre infrastructure cloud. Des outils comme ConformScan peuvent automatiser cette vérification.

Formation des équipes

Sensibilisez vos équipes aux nouvelles obligations et aux bonnes pratiques.

Conclusion

Les amendements de 2026 ne révolutionnent pas NIS2, mais ils clarifient des points obscurs. Pour les entreprises, l'heure est à la préparation active — pas à l'attente.

La conformité NIS2 n'est pas une option, c'est une obligation légale. Mieux vaut s'y préparer maintenant que de faire face à des sanctions plus tard.

Publié par l'équipe ConformScan — Solutions de conformité cloud automatisée.

Why CSPM Alone Won't Save Your Multi-Cloud Compliance in 2026

ConformScan — Sat, 21 Mar 2026 00:12:43 +0000

Running multi-cloud compliance for your startup? I'd love to hear what combination of tools is working (or not working) for your team. Drop a comment.

5 Cloud Compliance Mistakes Startups Make Before Their First SOC 2 Audit

ConformScan — Fri, 20 Mar 2026 23:36:20 +0000

SOC 2 compliance is no longer optional for SaaS startups selling to enterprise customers. But most teams approach it wrong — treating it as a one-time checkbox instead of a continuous process.

Here are 5 mistakes I see repeatedly, and how to avoid them.

1. Starting Compliance Work 2 Months Before the Audit

The #1 mistake. SOC 2 Type 2 evaluates controls over time (typically 6-12 months). If you scramble to implement controls right before the audit window, you won't have enough history.

Fix: Start automated monitoring at least 6 months before your target audit date. Tools like Prowler, CloudSploit, or ConformScan can continuously scan your cloud infrastructure and create an evidence trail from day one.

2. Treating Security Policies as Templates to Copy-Paste

Downloading SOC 2 policy templates and sticking your logo on them feels productive. Auditors see through it immediately. They'll ask your team about the policies — and blank stares mean findings.

Fix: Write policies that reflect what you actually do. Keep them short, specific, and version-controlled (Git is perfect for this). Map each policy directly to the Trust Services Criteria you've selected.

3. Manual Evidence Collection with Screenshots

Screenshots rot. They're impossible to verify, hard to organize, and auditors increasingly reject them.

Fix: Automate evidence collection. Connect your cloud provider, identity provider, and endpoint management to a compliance platform. Every control should produce machine-readable evidence automatically.

4. Ignoring Infrastructure-as-Code Security Scanning

You've got Terraform modules, Kubernetes manifests, and CI/CD pipelines. But are you scanning them for misconfigurations before deployment?

Fix: Add IaC scanning to your CI pipeline. Tools like KICS, Checkov, or tfsec catch compliance violations at the PR stage — before they become audit findings. This is "shift-left compliance" in practice.

5. Not Knowing Which Frameworks Overlap

If you need SOC 2 and GDPR and ISO 27001, you'll discover that ~60-70% of controls overlap. Building three separate compliance programs wastes time and creates inconsistencies.

Fix: Build a unified control framework. Map controls once, reuse evidence across audits. Modern compliance platforms like Vanta, Sprinto, or Drata handle cross-mapping, but even a spreadsheet works if you're just starting out.

The Takeaway

Compliance isn't a project. It's a posture. The sooner you embed automated scanning, policy-as-code, and continuous monitoring into your development workflow, the less painful every audit becomes.

Start early. Automate everything you can. And treat your compliance evidence like code — versioned, reviewed, and continuously integrated.

What's your biggest compliance headache? Drop a comment — I'd love to hear what's working (and what's not) for your team.

BSI C5 Audit Preparation: A Step-by-Step Guide for Cloud Teams 2026

ConformScan — Thu, 19 Mar 2026 23:15:16 +0000

BSI C5 (Cloud Computing Compliance Criteria Catalogue) is the German federal standard for cloud security. Originally designed for cloud service providers, it is increasingly required in enterprise procurement and referenced by NIS2 implementation guidelines in Germany. This guide explains what C5 audits check and how to prepare efficiently.

What is BSI C5?

Published by Germany's Federal Office for Information Security (BSI), C5 defines 17 control domains covering the security requirements for cloud services. Two attestation levels exist:

Type 1: Point-in-time assessment — confirms controls are designed appropriately
Type 2: Period-based assessment (typically 6-12 months) — confirms controls operate effectively over time

Type 2 is required for most public sector contracts and is increasingly expected by German enterprise buyers.

The 17 C5 control domains

C5 2020 covers:

Organization of Information Security (OIS)
Security Policies (SP)
Human Resources (HR)
Asset Management (AM)
Physical Security (PS)
Operations Security (OS)
Identity and Access Management (IAM)
Cryptography and Key Management (CKM)
Communication Security (CS)
Portability and Interoperability (PI)
Availability of Services (AVL)
Incident Management (IM)
Procurement, Development and Maintenance (PDM)
Compliance (CO)
Information Security Policies for Suppliers (SSO)
Security Testing (ST)
Penetration Testing (PT)

Infrastructure controls auditors check first

C5 auditors focus heavily on these areas when reviewing cloud infrastructure:

IAM (C5-IAM)

MFA enforced for privileged accounts
Privileged access managed via PAM tooling or temporary elevation
IAM reviews performed at least quarterly
Service accounts follow least-privilege principle
Access revoked immediately on employee departure

Cryptography (C5-CKM)

Encryption at rest for all data classified as confidential
KMS key rotation enabled (annual minimum) — AWS KMS, Azure Key Vault, GCP Cloud KMS
TLS 1.2+ enforced everywhere
No deprecated cipher suites (SSLv3, TLS 1.0, TLS 1.1)
Customer-managed keys for highly sensitive data

Operations Security (C5-OS)

CloudTrail multi-region, log file validation enabled (AWS)
Azure Monitor / Activity Log with ≥12 months retention
GCP Cloud Audit Logs enabled with log sinks for long-term storage
Centralized log management with tamper protection
Change management process for infrastructure (IaC, no manual changes)
Vulnerability scanning on all EC2, Azure VMs, and GCP Compute workloads
Patch management within defined SLAs

Availability (C5-AVL)

RDS Multi-AZ enabled for production (AWS) / Azure SQL geo-redundancy / GCP Cloud SQL HA
Automated backups with tested restore procedures
Backup retention ≥ 30 days for regulated data
Recovery Time Objective (RTO) and Recovery Point Objective (RPO) documented

Evidence collection: the biggest audit bottleneck

The hardest part of a C5 audit is not the controls themselves — it is collecting evidence that they work. Auditors need configuration exports, log samples, access review records, and more. Manual collection takes weeks.

ConformScan automates evidence collection by running 270+ checks against your AWS, Azure, and GCP infrastructure and generating a structured PDF report mapped to BSI C5 control domains. You get:

Pass/fail status for every C5-relevant control
Timestamped scan history for Type 2 audit evidence
German-language reports accepted by BSI-certified auditors
Remediation code (Terraform/CLI) for every finding

Timeline: how long does a C5 audit take?

Preparation: 2-6 months (documentation, gap remediation)
Type 1 assessment: 2-4 weeks
Type 2 assessment period: 6-12 months of evidence collection
Auditor review and reporting: 4-8 weeks

Starting automated scanning early gives you a continuous evidence trail — making Type 2 assessment much faster and cheaper.

BSI C5 vs ISO 27001 vs NIS2

These frameworks overlap significantly. BSI C5 aligns closely with ISO 27001 Annex A controls and satisfies most NIS2 Article 21 requirements. Companies pursuing all three can use ConformScan's cross-framework scanning to identify gaps across all standards simultaneously.

GDPR/DSGVO Cloud Security: What AWS, Azure & GCP Users Must Fix in 2026

ConformScan — Thu, 19 Mar 2026 23:11:18 +0000

GDPR Article 32 requires "appropriate technical and organisational measures" to protect personal data. For teams running on AWS, Azure, or GCP, this is not abstract — it translates into specific infrastructure settings. This guide maps Article 32 to concrete cloud configuration checks.

The legal basis: GDPR Article 32

Article 32(1) lists four key measures:

Pseudonymisation and encryption of personal data
Ability to ensure ongoing confidentiality, integrity, availability, and resilience
Ability to restore availability after an incident
Process for regularly testing, assessing, and evaluating the effectiveness of measures

The fines for violations: up to €20 million or 4% of global turnover (Article 83).

AWS: critical GDPR misconfigurations

S3 — the most common GDPR failure

Public S3 buckets containing personal data are the single most common GDPR violation in cloud environments. Check:

BlockPublicAcls and BlockPublicPolicy enabled on ALL buckets
Server-side encryption enabled (SSE-S3 or SSE-KMS)
Bucket policy enforcing HTTPS only (aws:SecureTransport condition)
Access logging enabled for buckets containing personal data
Object-level logging via CloudTrail for GDPR audit trail

RDS & databases

Storage encryption enabled at instance creation (cannot be changed after)
rds.force_ssl = 1 parameter group setting
No publicly accessible RDS instances
Automated backups with ≥7 day retention
Deletion protection enabled on production instances

IAM — access to personal data

Article 5(1)(f) requires confidentiality and integrity. This means:

MFA required for all users who can access personal data
IAM policies scoped to minimum required permissions
No long-lived access keys for service accounts (use IAM roles)
Regular access reviews via IAM Access Analyzer

CloudTrail — the audit trail GDPR requires

GDPR Article 30 requires records of processing activities. CloudTrail provides this for AWS:

Multi-region trail enabled
Log file validation enabled (proves logs haven't been tampered with)
CloudTrail logs encrypted with KMS
Log retention ≥ 12 months in S3 with lifecycle rules

Azure: critical GDPR misconfigurations

Storage Accounts

Secure transfer required (HTTPS only)
Blob public access disabled
Soft delete enabled for blob data
Storage encryption with customer-managed keys (for sensitive data)

Azure SQL

Transparent Data Encryption enabled
Advanced Threat Protection enabled
Auditing enabled and logs sent to storage account or Log Analytics
No public network access for production databases

GCP: critical GDPR misconfigurations

Cloud Storage

Uniform bucket-level access enabled (no per-object ACLs)
Default encryption with CMEK for buckets containing personal data
Audit logging for bucket access enabled via Cloud Audit Logs
No public allUsers or allAuthenticatedUsers access

Cloud SQL

SSL connections required (ssl_mode = ENCRYPTED_ONLY)
No publicly accessible Cloud SQL instances (no authorized networks 0.0.0.0/0)
Automated backups enabled with ≥7 day retention
CMEK encryption for databases containing sensitive personal data

IAM & Audit Logs (GCP)

Workload Identity for GKE (no service account keys)
Cloud Audit Logs: Admin Activity + Data Access logs enabled
Log retention ≥ 12 months via log sinks to Cloud Storage
No service accounts with owner/editor roles at project level

EU data residency — the Schrems II requirement

Following the Schrems II ruling (2020), transferring personal data to the US is restricted unless appropriate safeguards are in place. For cloud infrastructure, this means verifying that:

All EC2, RDS, S3, and Lambda resources are in EU regions (eu-central-1, eu-west-1, eu-west-3, etc.)
Azure resources are in EU regions (West Europe, North Europe, Germany West Central)
GCP resources are in EU regions (europe-west1, europe-west3, europe-north1, etc.)
No cross-region replication to US regions without explicit consent mechanism
CloudFront / Azure CDN / Cloud CDN distributions don't route data outside the EU without consent

ConformScan's EU residency checks explicitly verify every resource region across your AWS, Azure, and GCP accounts.

GDPR compliance is not a checkbox — it's continuous

A one-time audit does not guarantee compliance. Configuration drift happens: a developer creates a public S3 bucket, someone disables CloudTrail to reduce costs, an RDS instance is created without encryption. Automated daily scanning catches these regressions before your DPA does.

ConformScan runs 270+ GDPR-mapped checks across AWS, Azure, and GCP infrastructure — and alerts you the moment a misconfiguration appears.

NIS2 Compliance Checklist for AWS, Azure & GCP: The Complete 2026 Guide

ConformScan — Thu, 19 Mar 2026 23:05:56 +0000

The EU NIS2 Directive has been enforceable since October 17, 2024. If your company runs on AWS, Azure, or GCP and falls under its scope, you need a clear checklist of what to fix — and a way to verify it automatically. This guide covers both.

Who is affected by NIS2?

NIS2 applies to any company operating in the EU with either:

50+ employees or €10M+ annual revenue, AND
Operations in a covered sector: energy, transport, healthcare, water, digital infrastructure, ICT services, banking, financial market infrastructure, or manufacturing of critical products.

Unlike NIS1, NIS2 also covers important entities (medium-sized companies) — not just operators of essential services. This means tens of thousands of European companies are newly in scope.

What NIS2 requires (Article 21)

Article 21 mandates a risk-based approach to security. For cloud infrastructure, this translates into 8 concrete categories:

1. IAM & Access Control

AWS: MFA on all IAM users (especially root), no wildcard * permissions, access keys rotated within 90 days, no hardcoded credentials in Lambda or EC2 user data.

Azure: MFA enforced via Conditional Access, no over-privileged roles, managed identities instead of service principal secrets.

GCP: MFA on all accounts, no primitive roles (Owner/Editor) on production projects, Workload Identity Federation instead of service account keys.

2. Encryption at Rest

AWS: S3 SSE-KMS, RDS storage encryption, EBS encrypted volumes, DynamoDB encryption, secrets in Secrets Manager (not env vars).

Azure: Azure Storage with CMK, SQL TDE, Key Vault for secrets, disk encryption sets.

GCP: GCS CMEK, Cloud SQL encryption, Secret Manager for credentials, CMEK on Persistent Disks.

3. Encryption in Transit

AWS: S3 bucket policies enforce HTTPS-only, rds.force_ssl enabled, ELB/ALB TLS 1.2+ listeners, CloudFront HTTPS redirect.

Azure: Secure transfer required on Storage Accounts, TLS minimum version 1.2, HTTPS-only on App Service.

GCP: Cloud Storage uniform bucket-level access + HTTPS, Cloud SQL SSL enforcement, load balancer HTTPS redirect.

4. Network Security

AWS: No security groups open to 0.0.0.0/0 on SSH (22) or RDP (3389), VPC Flow Logs enabled, RDS not publicly accessible.

Azure: NSG rules reviewed (no 0.0.0.0/0 on sensitive ports), NSG Flow Logs enabled, Azure SQL not accessible from internet.

GCP: VPC firewall rules — no 0.0.0.0/0 on SSH/RDP, VPC Flow Logs enabled, Cloud SQL no public IP without authorized networks.

5. Logging & Monitoring

AWS: CloudTrail multi-region with log file validation + KMS encryption, GuardDuty enabled, Config rules, log retention ≥ 12 months.

Azure: Azure Monitor + Activity Log retention ≥ 12 months, Microsoft Defender for Cloud enabled, diagnostic settings on all resources.

GCP: Cloud Audit Logs (Admin Activity + Data Access) enabled, Security Command Center enabled, log retention ≥ 12 months via log sinks.

6. Incident Response (Article 23)

NIS2 requires reporting significant incidents within 24 hours (initial warning) and 72 hours (full notification). This means:

CloudWatch / Azure Monitor / GCP Cloud Monitoring alarms for critical events (root/admin login, policy changes, failed auth)
Automated alerts on GuardDuty / Defender / SCC findings routed to PagerDuty or Slack
Documented incident classification and escalation process

7. Supply Chain Security

AWS: Cross-account roles scoped down, IAM Access Analyzer, ECR image scanning.

Azure: Third-party access via Entra ID with limited scope, Microsoft Defender for Containers.

GCP: Artifact Registry vulnerability scanning, VPC Service Controls for data exfiltration prevention, Binary Authorization for GKE.

8. Business Continuity

AWS: RDS automated backups ≥7 days, Multi-AZ for production databases, S3 versioning on critical buckets.

Azure: Azure SQL geo-redundant backup, Availability Zones for VMs and databases, Recovery Services Vault.

GCP: Cloud SQL automated backups + point-in-time recovery, multi-region storage for critical data, GKE regional clusters.

NIS2 penalties for non-compliance

Under Article 34, NIS2 imposes maximum fines of:

Essential entities: up to €10 million or 2% of global annual turnover
Important entities: up to €7 million or 1.4% of global annual turnover

Management boards can also be held personally liable, and temporary bans from management functions are possible for repeated violations.

How to automate NIS2 compliance checks

Manual audits against this checklist take weeks — and go stale the moment someone creates a new resource. Automated scanning solves both problems.

ConformScan runs 270+ NIS2-mapped checks against your live AWS, Azure, and GCP infrastructure in under 2 minutes. You get:

A prioritized list of findings with SLA countdowns (3 → 14 → 30 days)
Terraform and CLI remediation code for every finding
A PDF report ready for your auditor or DPO
Cross-framework view: NIS2 findings that also affect DORA, GDPR, BSI C5
Scheduled daily scans so you catch drift before your auditor does

Summary

NIS2 compliance on AWS, Azure, and GCP is not a one-time project — it is a continuous process. The 8 categories above cover the core technical requirements across all three major cloud providers. Automate the verification via conformscan.com, fix the gaps, and keep evidence for your auditor. The cost of a scan is far lower than the cost of a fine.

DORA Compliance for Cloud Infrastructure: AWS, Azure & GCP Guide 2026

ConformScan — Thu, 19 Mar 2026 22:50:24 +0000

The Digital Operational Resilience Act (DORA — EU 2022/2554) has been fully applicable since 17 January 2025. If your institution runs on AWS, Azure, or GCP and operates in banking, insurance, investment management, or payment services, DORA's ICT requirements are now legally binding. As of 2026, supervisory authorities across the EU have begun active enforcement. This guide maps the regulation's infrastructure obligations to concrete cloud configuration checks.

Who is affected by DORA?

DORA applies to a broad range of financial entities operating in the EU:

Credit institutions (banks) and payment institutions
Investment firms and asset management companies
Insurance and reinsurance undertakings
Crypto-asset service providers (CASPs)
ICT third-party service providers designated as "critical" by the ESAs

Unlike NIS2, which uses employee and revenue thresholds, DORA applies by sector — not by size. A two-person fintech accepting payments falls in scope just as a large bank does.

DORA ICT risk requirements (Articles 5–16)

Chapter II of DORA defines a comprehensive ICT risk management framework. For cloud infrastructure, this breaks down into five technical domains:

1. Identification and classification (Art. 8)

All ICT assets inventoried — including cloud accounts, regions, and services
Business functions supported by each asset documented
Data classification applied to all storage resources (S3, RDS, Azure Blob, SQL, GCS, Cloud SQL)
Dependencies on ICT third-party providers (AWS, Azure, GCP) formally documented

2. Protection (Art. 9)

MFA enforced on all IAM users and privileged accounts
Encryption at rest on all storage: S3 (SSE-KMS), RDS, EBS, DynamoDB, Azure SQL (TDE), Azure Storage, GCS (CMEK), Cloud SQL
Encryption in transit: TLS 1.2+ enforced, no deprecated cipher suites
Network segmentation: no security groups / firewall rules open to 0.0.0.0/0 on sensitive ports
KMS / Cloud KMS key rotation enabled (annual minimum)
Secrets stored in AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager — never in environment variables

3. Detection (Art. 10)

CloudTrail enabled in all regions with log file validation and KMS encryption
Azure Monitor / Activity Log retention ≥ 12 months
GCP Cloud Audit Logs enabled (Admin Activity + Data Access) with retention ≥ 12 months
GuardDuty (AWS) / Defender for Cloud (Azure) / Security Command Center (GCP) enabled
VPC Flow Logs and Azure NSG Flow Logs / GCP VPC Flow Logs active
CloudWatch / Azure Monitor / GCP Cloud Monitoring alarms on privileged account usage, IAM changes, and failed auth events
Centralised SIEM ingestion with tamper-evident log storage

4. Response and recovery (Art. 11–12)

RDS automated backups with ≥7 day retention; tested restores documented
Multi-AZ / multi-region enabled for production databases
S3 versioning and cross-region replication for critical data
Azure SQL geo-redundant backup enabled
GCP Cloud SQL automated backups with point-in-time recovery enabled
Recovery Time Objective (RTO) and Recovery Point Objective (RPO) formally defined
Business continuity plan updated at least annually and after major incidents

5. Learning and evolving (Art. 13)

Post-incident reviews documented with root cause analysis
Threat intelligence feeds integrated into detection tooling
Vulnerability scanning on all EC2, container, and GCE workloads (Amazon Inspector, Defender for Cloud, GCP Security Command Center)
Patch management within defined SLAs (DORA does not specify windows — you must define and prove them)

Incident reporting (Article 19) — the 72-hour clock

DORA sets a strict three-stage reporting timeline for major ICT incidents:

Initial notification: within 4 hours of classification as major (or 24h of first awareness)
Intermediate report: within 72 hours — updated impact assessment and containment status
Final report: within 1 month — full root cause analysis and corrective actions

This requires that your detection and alerting stack can identify, classify, and escalate an ICT incident within hours. CloudWatch alarms, GuardDuty findings routed to PagerDuty or Slack, and a documented classification process are minimum requirements.

ICT third-party risk (Articles 28–44)

DORA imposes significant obligations on how you manage cloud providers like AWS, Azure, and GCP. Key requirements:

Written contractual arrangements with all ICT third-party providers (Art. 30) — your AWS, Azure, or GCP MSA and DPA satisfy the baseline
Register of all ICT third-party dependencies maintained and updated
Exit strategy documented for critical third-party dependencies
Annual risk assessment of third-party concentration — if 90% of your workload runs on a single cloud provider (AWS, Azure, or GCP), this must be assessed and mitigated
For critical ICT third-party providers (designated by ESAs): enhanced oversight framework applies directly — currently under assessment for major cloud hyperscalers including AWS, Azure, and GCP

DORA vs NIS2 — what overlaps?

DORA and NIS2 share approximately 40% of technical controls at the infrastructure level. Both require encryption, access control, logging, incident response, and business continuity. The key differences:

Scope: NIS2 covers critical infrastructure broadly; DORA is financial-sector specific
Incident timelines: NIS2 requires 24h early warning + 72h notification; DORA requires 4h initial + 72h intermediate + 1 month final
Third-party risk: DORA goes much further — Art. 28-44 are largely absent from NIS2
Testing: DORA mandates annual TLPT (Threat-Led Penetration Testing) for significant entities — NIS2 recommends but does not mandate

If your organisation is subject to both, fixing the NIS2 gaps first covers most of the DORA baseline — then focus on DORA-specific additions (third-party registers, TLPT, 4h classification process).

DORA penalties

Supervisory authorities (national competent authorities — NCAs) can impose:

Administrative fines up to 1% of average daily worldwide turnover per violation, per day of non-compliance
Periodic penalty payments of up to 1% of daily turnover for up to 6 months
Public statements naming the institution and the nature of the breach
For critical ICT third-party providers: fines up to €5 million or 1% of global turnover

How to automate DORA compliance checks

DORA's ICT risk requirements map directly to infrastructure configuration. Every encryption, access control, and logging requirement in Articles 9–10 can be verified automatically against your live cloud environment.

ConformScan runs DORA-mapped checks across your AWS, Azure, and GCP accounts in under 2 minutes — covering encryption at rest and in transit, IAM controls, logging completeness, backup configuration, and network exposure. You get:

DORA-mapped findings with SLA countdowns (3 → 14 → 30 days, aligned with Art. 19 timelines)
Cross-framework view: see which findings affect DORA, NIS2, and ISO 27001 simultaneously
Terraform and CLI remediation code for every finding
PDF reports ready for your compliance officer, auditor, or NCA submission
Scheduled daily scans to catch configuration drift before it becomes a reportable incident

Where to start

If you are starting your DORA compliance programme today, prioritise in this order:

Run a baseline scan — know your current exposure across all ICT risk domains
Fix critical findings first — encryption gaps, public databases, missing MFA
Build your ICT asset register — document cloud accounts, services, and third-party dependencies
Establish your incident classification process — the 4h clock starts when you become aware, not when you decide it is major
Document third-party contracts — review your AWS, Azure, and GCP agreements against DORA Art. 30 requirements

DORA is not a project with an end date — it requires continuous monitoring of your ICT risk posture. Automated scanning via conformscan.com ensures your controls remain effective between audits.

How to audit your AWS infrastructure for NIS2 and DORA compliance (practical guide)

ConformScan — Thu, 19 Mar 2026 12:22:26 +0000

With NIS2 mandatory since October 2024 and DORA in force since January 2025, EU cloud teams are scrambling to figure out what actually needs to change in their AWS infrastructure. This guide walks through the specific checks, the tooling, and the common gaps we see.

What NIS2 and DORA actually require on AWS

NIS2 Art. 21 defines minimum security measures for "essential" and "important" entities. For AWS infrastructure, the relevant requirements translate to:

Encryption at rest and in transit (Art. 21(2)(h))
Access control and least privilege (Art. 21(2)(i))
Multi-factor authentication (Art. 21(2)(j))
Logging and audit trails — minimum 12 months retention
Incident response capability (Art. 21(2)(b))
Backup and recovery procedures (Art. 21(2)(c))

DORA Art. 9 (for financial services: banks, insurance, investment firms) adds:

ICT risk management framework documented and tested
Encryption of data at rest AND in transit with current standards
Full logging coverage across all regions (not just primary)
Incident classification and reporting: 72h initial report, 1 month final (Art. 19)
Third-party ICT provider risk assessment (Art. 28-44) — this includes AWS itself

The overlap between NIS2 and DORA is roughly 40%. If you're a fintech or bank, you're essentially auditing the same infrastructure twice without proper tooling.

The most common AWS compliance gaps

After running automated checks across many AWS accounts, these are the findings that appear most frequently:

1. S3 encryption disabled (~60% of accounts)

# Check all S3 buckets for encryption
aws s3api list-buckets --query 'Buckets[].Name' --output text | \
  xargs -I{} aws s3api get-bucket-encryption --bucket {} 2>&1

Fix: Enable default encryption on all buckets. SSE-S3 satisfies basic requirements; SSE-KMS with CMK satisfies stricter DORA requirements.

aws s3api put-bucket-encryption \
  --bucket your-bucket-name \
  --server-side-encryption-configuration \
  '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"your-key-id"}}]}'

2. CloudTrail not enabled in all regions

NIS2 and DORA require comprehensive logging for incident reconstruction. CloudTrail must be active in all regions, not just your primary one.

# Check which regions have CloudTrail enabled
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  echo -n "$region: "
  aws cloudtrail describe-trails --region $region \
    --query 'trailList[?IsMultiRegionTrail==`false`].Name' --output text
done

Fix: Create a multi-region trail that logs to a dedicated S3 bucket with 12+ months retention.

3. MFA not enforced on IAM users

# Find IAM users without MFA enabled
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | \
  base64 -d | awk -F',' 'NR>1 && $4=="false" {print $1, "- no MFA"}'

4. RDS instances without encryption

# Check RDS encryption status
aws rds describe-db-instances \
  --query 'DBInstances[?StorageEncrypted==`false`].[DBInstanceIdentifier,Engine]' \
  --output table

Note: You cannot encrypt an existing unencrypted RDS instance in-place. The process requires creating a snapshot, copying it with encryption enabled, and restoring from the encrypted snapshot.

5. No VPC Flow Logs

Without VPC Flow Logs, incident reconstruction under DORA Art. 19 (72h reporting) becomes nearly impossible.

# Check which VPCs have Flow Logs enabled
aws ec2 describe-vpcs --query 'Vpcs[].VpcId' --output text | \
  xargs -I{} aws ec2 describe-flow-logs \
  --filter Name=resource-id,Values={} \
  --query 'FlowLogs[].{VpcId:ResourceId,Status:FlowLogStatus}' --output table

6. Security groups with 0.0.0.0/0 on sensitive ports

# Find overly permissive security groups
aws ec2 describe-security-groups \
  --query 'SecurityGroups[?IpPermissions[?IpRanges[?CidrIp==`0.0.0.0/0`] && (ToPort==`22` || ToPort==`3389` || ToPort==`3306`)]].[GroupId,GroupName]' \
  --output table

Integrating compliance checks into CI/CD

The most effective approach is running these checks automatically after every Terraform apply in staging. Here's a GitHub Actions step:

- name: NIS2/DORA compliance check
  run: |
    curl -s -X POST https://conformscan.com/api/v1/scans \
      -H "X-API-Key: ${{ secrets.CONFORMSCAN_KEY }}" \
      -H "Content-Type: application/json" \
      -d '{
        "account_id": "${{ vars.AWS_ACCOUNT_ID }}",
        "frameworks": ["nis2", "dora"],
        "fail_on": "critical"
      }'

If a critical finding is introduced — open S3 bucket, unencrypted RDS, missing CloudTrail — the pipeline fails before it reaches production.

Drift detection: the underrated compliance tool

The initial scan is embarrassing (everyone has gaps). The second scan is where compliance gets hard: drift.

Drift happens when:

Someone clicks in the AWS Console to "quickly fix" something
A Terraform module is updated and changes a default
A temporary exception becomes permanent

Comparing your live AWS state against your Terraform declarations automatically catches these regressions before your next audit.

Key differences between NIS2 and DORA for AWS teams

Requirement	NIS2	DORA
Incident reporting	No fixed timeframe specified	72h initial + 1 month final
Log retention	Not explicitly specified	Full audit trail required
Cloud provider risk	Implicit	Explicit Art. 28-44
Sector scope	All "essential/important" entities	Financial sector only
Encryption standard	Current standards	"State of the art"

If you're in financial services, prioritize DORA — NIS2 compliance typically follows.

Checklist

[ ] S3: Default encryption enabled (SSE-KMS preferred)
[ ] CloudTrail: Multi-region trail active, 12+ months retention
[ ] IAM: MFA enforced for all users (especially root)
[ ] RDS/EBS: All storage encrypted at rest
[ ] VPC: Flow Logs enabled, exported to CloudWatch or S3
[ ] GuardDuty: Active in all regions
[ ] Security Groups: No 0.0.0.0/0 on SSH/RDP/DB ports
[ ] KMS: Customer-managed keys for sensitive data
[ ] Config: AWS Config enabled for resource change tracking

Resources

ConformScan — automated NIS2/DORA/ISO27001 scanner for AWS and Azure (free tier: 1 account/month)
NIS2 Directive full text: EUR-Lex 2022/2555
DORA Regulation full text: EUR-Lex 2022/2554