Both GDPR and NIS2 specify technical security requirements in principle-based language. This guide maps those principles to concrete network security controls — what each requirement means technically, and which controls satisfy it.
This is a technical guide, not legal advice.
## GDPR Article 32: Technical Requirements
Article 32 requires "appropriate technical and organizational measures" and specifically mentions:
| GDPR Article 32 requirement | Technical interpretation |
|---|---|
| Pseudonymization and encryption of personal data | Encryption in transit (TLS/IPsec) and at rest (disk encryption) |
| Confidentiality, integrity, availability, resilience | Network segmentation, redundancy, access control |
| Ability to restore availability | Failover, backup, tested recovery procedures |
| Regular testing and evaluation | Vulnerability scanning, penetration testing, log review |
### Encryption in transit: IPsec VPN implementation

```conf
# strongSwan IKEv2 (ipsec.conf) — encrypts remote worker traffic
conn gdpr-remote-access
    keyexchange=ikev2
    left=%any
    leftcert=server.crt
    # Full tunnel — all remote traffic is routed through the VPN and encrypted
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=10.8.0.0/24
    # Trailing "!" restricts negotiation to exactly these suites
    ike=aes256-sha256-ecp256!
    esp=aes256-sha256!
    auto=add
```
This satisfies encryption in transit for remote workers. Encryption at rest (full-disk encryption, database encryption) is a separate control at the endpoint/server layer.
### Network segmentation: zone-based firewall

```bash
# Zone isolation: separate VLAN for servers holding personal data.
# Rules are appended in order, so the permits must come before the default deny
# (with "-I" for the DROPs and "-A" for the ACCEPT, the permit would never match).

# Allow reply traffic for connections the firewall has already permitted
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Explicit permit: specific application only (new connections to the web tier)
iptables -A FORWARD -i eth1.workstations -o eth1.servers -d 192.168.10.5 -p tcp --dport 443 -j ACCEPT
# Default deny between zones
iptables -A FORWARD -i eth1.servers -o eth1.workstations -j DROP
iptables -A FORWARD -i eth1.workstations -o eth1.servers -j DROP
```
Zone segmentation limits the blast radius of a compromise. An attacker who compromises a workstation cannot directly reach database servers in a different zone.
## NIS2 Article 21: Ten Mandatory Cybersecurity Measures
For in-scope organizations, Article 21 specifies ten mandatory measures. The network-relevant ones:
### Access control and identity management

```conf
# Squid LDAP authentication — restrict proxy access to authenticated users
auth_param basic program /usr/lib/squid/basic_ldap_auth \
    -b dc=example,dc=com -f '(&(sAMAccountName=%s))' -h ldap.example.com
auth_param basic children 10
auth_param basic realm Network Access
acl authenticated proxy_auth REQUIRED
http_access deny !authenticated
```
### Network segmentation (same as GDPR above)
NIS2 is more explicit: it requires documented network segmentation policies, not just technical controls. The iptables rules above need accompanying documentation describing the segmentation design and rationale.
### Encryption
Same controls as GDPR — IPsec for remote access, TLS for internal service communication, certificate management.
### Incident detection and response

```bash
# iptables logging for anomaly detection.
# Inserted at the top of FORWARD so that crossing attempts the zone DROP rules
# reject are recorded as well; limited to new connections and rate-limited so a
# scan or a busy link cannot flood the kernel log.
iptables -I FORWARD 1 -m conntrack --ctstate NEW -m limit --limit 20/min --limit-burst 50 \
    -j LOG --log-prefix "FORWARD: " --log-level 4
# Review logs for:
# - Unusual outbound connection volumes
# - Connections to unexpected external IPs
# - Internal zone crossing attempts not matching permit rules
```
NIS2 requires incident reporting within 24 hours. This is an organizational process, not a technical control — but logs from the gateway provide the evidence needed to determine what happened and when.
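The three review items above, turned into a script that runs over the kernel lines produced by the `FORWARD:` LOG rule. This is an added example, not code from the post or from CacheGuard; the permit policy mirrors the iptables rules on this page, while `eth0` as the WAN interface, the `198.51.100.0/24` allowlist, the threshold and the log lines themselves are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Policy mirrored from the firewall rules on this page (assumed values): the only
# permitted crossing between the internal zones is TCP/443 to 192.168.10.5, eth0
# is the WAN side, 198.51.100.0/24 is a constructed allowlist of expected peers.
INTERNAL_ZONES = {"eth1.workstations", "eth1.servers"}
PERMITTED_CROSSINGS = {("eth1.workstations", "eth1.servers"): {("192.168.10.5", "TCP", "443")}}
WAN_IF = "eth0"
EXPECTED_EXTERNAL = [ip_network("198.51.100.0/24")]
OUTBOUND_SYN_THRESHOLD = 3  # new outbound connections per source that count as unusual
# Constructed kernel log lines in the shape produced by the "FORWARD: " LOG rule.
SAMPLE_LOG = """\
Mar 10 12:00:01 gw kernel: FORWARD: IN=eth1.workstations OUT=eth1.servers SRC=192.168.20.15 DST=192.168.10.5 PROTO=TCP SPT=51234 DPT=443 SYN URGP=0
Mar 10 12:00:02 gw kernel: FORWARD: IN=eth1.workstations OUT=eth1.servers SRC=192.168.20.15 DST=192.168.10.7 PROTO=TCP SPT=51235 DPT=3306 SYN URGP=0
Mar 10 12:00:02 gw kernel: FORWARD: IN=eth1.workstations OUT=eth1.servers SRC=192.168.20.15 DST=192.168.10.7 PROTO=TCP SPT=51235 DPT=3306 ACK URGP=0
Mar 10 12:00:03 gw kernel: FORWARD: IN=eth1.servers OUT=eth1.workstations SRC=192.168.10.5 DST=192.168.20.15 PROTO=TCP SPT=40001 DPT=445 SYN URGP=0
Mar 10 12:00:04 gw kernel: FORWARD: IN=eth1.workstations OUT=eth0 SRC=192.168.20.15 DST=203.0.113.9 PROTO=TCP SPT=51236 DPT=443 SYN URGP=0
Mar 10 12:00:05 gw kernel: FORWARD: IN=eth1.workstations OUT=eth0 SRC=192.168.20.15 DST=198.51.100.4 PROTO=TCP SPT=51237 DPT=443 SYN URGP=0
Mar 10 12:00:06 gw kernel: FORWARD: IN=eth1.workstations OUT=eth0 SRC=192.168.20.15 DST=198.51.100.4 PROTO=TCP SPT=51238 DPT=443 SYN URGP=0
"""
KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return the key=value fields of one 'FORWARD: ' log line, or None if it is not one."""
    if "FORWARD: " not in line:
        return None
    fields = dict(KV.findall(line.split("FORWARD: ", 1)[1]))
    fields["SYN"] = "SYN" in line.split()  # bare TCP flag token, no '=' to match
    return fields

def analyse(log_text):
    """Run the three review checks from the text over a block of log lines."""
    zone_violations, unexpected_external, outbound = [], [], Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or not f["SYN"]:  # count connection attempts, not every packet
            continue
        pair = (f.get("IN"), f.get("OUT"))
        if set(pair) <= INTERNAL_ZONES and pair[0] != pair[1]:  # crossing between zones
            if (f["DST"], f.get("PROTO"), f.get("DPT")) not in PERMITTED_CROSSINGS.get(pair, set()):
                zone_violations.append((f["SRC"], f["DST"], f.get("DPT")))
        if f.get("OUT") == WAN_IF:  # outbound to the internet
            outbound[f["SRC"]] += 1
            if not any(ip_address(f["DST"]) in net for net in EXPECTED_EXTERNAL):
                unexpected_external.append((f["SRC"], f["DST"]))
    high_volume = [src for src, n in outbound.items() if n >= OUTBOUND_SYN_THRESHOLD]
    return {"zone_violations": zone_violations, "unexpected_external": unexpected_external,
            "high_volume_sources": high_volume}
```

Feed it the output of `journalctl -k` or `/var/log/kern.log` in place of `SAMPLE_LOG`; each hit carries the source address and timestamp needed for the NIS2 incident timeline.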
### Malware protection

```conf
# ICAP antivirus — gateway malware scanning (squid.conf)
icap_enable on
icap_service av_service reqmod_precache bypass=0 icap://127.0.0.1:1344/squid_clamav
adaptation_service_set request_services av_service
adaptation_access request_services allow all
```
`bypass=0` means: if the ICAP service is unavailable, deny the request rather than allowing unscanned content through. This is the correct setting for a compliance posture.
## What a network appliance does NOT cover for compliance
Critical controls outside the network layer:
- Encryption at rest: implement at the OS level (LUKS, BitLocker) or database level
- MFA: implement at the application layer (identity provider, TOTP)
- Data breach notification (72h GDPR / 24h NIS2): organizational process, documented procedures
- Business continuity: backup testing, recovery time objectives, documented procedures
- Supply chain security: vendor risk assessments, contractual requirements
A gateway UTM satisfies the network security technical controls. The compliance posture requires these additional layers on top.
## CacheGuard as implementation
CacheGuard implements the gateway-layer technical controls above — zone firewall, IPsec VPN, gateway antivirus (ClamAV via ICAP with bypass=0), URL filtering, SSL inspection, WAF (ModSecurity + OWASP CRS), and traffic logging — in a single pre-integrated appliance.
→ https://www.cacheguard.com/network-security-compliance-gdpr-nis2/
Originally published on the CacheGuard Blog. CacheGuard is free and open source — GitHub.