Skip to content

NIS2 Directive (EU 2022/2555)

Best for: Entities the EU classifies as 'essential' or 'important' in 18 sectors, including energy, transport, banking, health, digital infrastructure, ICT service management, public administration, and critical manufacturing. The size threshold is generally 50+ employees or EUR 10M+ turnover. Sole providers of critical services may be caught regardless of size. Non-EU entities providing DNS, cloud, CDN, or managed security within the EU are also in scope.

Mandatory?Mandatory for essential/important entities in 18 EU sectors
Who validates?National competent authority (EU member state) · No self-assessment
RenewalOngoing; no fixed audit cycle
ScopeEssential and important entities in energy, transport, health, digital infrastructure, etc.

🏛 European Parliament and Council of the European Union. National competent authorities (e.g., BSI in Germany, ANSSI in France, ACN in Italy) enforce at the member state level. ENISA coordinates cross-border cooperation. · NIS2 Directive (EU 2022/2555, Oct 2024) Official source →

Get Started

module "..." {
  source  = "nis2.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

  • What Compliance.tf automates

    • Encryption at Rest: Checks encryption configuration on Athena workgroups, backup recovery points, API Gateway stage caches, and Bedrock invocation logs in S3 and CloudWatch. Validates that KMS keys are in use where required.
    • Encryption in Transit: Validates ACM certificate key lengths (minimum 2048-bit RSA), certificate transparency logging, and SSL certificate attachment on API Gateway stages.
    • Logging and Monitoring: Verifies logging is enabled on API Gateway stages, AppSync GraphQL APIs, Athena workgroups, and Bedrock model invocations. Flags services where logging is disabled or misconfigured.
    • Backup and Business Continuity: Confirms backup plans, vaults, and report plans exist in each configured region, and that recovery points are encrypted.
    • Access Control and Session Management: Enforces AppStream fleet timeout thresholds (idle disconnect at 600s, session disconnect at 300s, max duration at 36000s) and the IMDSv2 requirement on Auto Scaling launch configurations.
    • Incident Reporting Readiness: Validates that AWS accounts have a security alternate contact registered and that primary contact details are current.

  • What you handle

    • Encryption at Rest: Defining and documenting your encryption policy per Article 21(2)(e). Key rotation schedules, key access reviews, and mapping encryption coverage to all in-scope systems beyond AWS.
    • Encryption in Transit: TLS policy decisions (minimum version enforcement), certificate lifecycle management for non-ACM certificates, and documenting approved cipher suites.
    • Logging and Monitoring: Centralized log aggregation, SIEM integration, alert tuning, and building the incident detection workflows needed to meet Article 23 reporting timelines. Retention period configuration and log integrity verification.
    • Backup and Business Continuity: Disaster recovery testing, recovery time objective (RTO) and recovery point objective (RPO) documentation, and the broader business continuity plan required by Article 21(2)(c).
    • Access Control and Session Management: MFA enforcement policies, identity governance, privileged access management, and access review processes per Article 21(2)(i) and (j). Role-based access control documentation across all environments.
    • Incident Reporting Readiness: The full incident response plan, CSIRT notification procedures, the 24-hour early warning and 72-hour notification workflows required by Article 23, and staff training on reporting obligations.

Controls by Category

Access Control and Session Management (Article 21(2)(i)(j)) (3 controls)

IMDSv1 on EC2 instances and overly permissive session durations are the most common access control findings here, and both are straightforward to catch in automated scans. Article 21(2)(i) and (j) require documented access control policies and MFA enforcement, so assessors will also ask for evidence of access reviews and authentication configuration that no scan can verify on its own.

AppStream fleet idle disconnect timeout should be set to less than or equal to 10 mins AppStream fleet max user duration should be set to less than 10 hours AppStream fleet session disconnect timeout should be set to less than or equal to 5 mins

Cryptography and Encryption (Article 21(2)(e)) (5 controls)

Backup data stored without encryption is one of the most consistent findings in this category and directly contradicts Article 21(2)(e). Beyond backups, assessors examine certificate configurations for weak key lengths or expiry issues and verify that data stores are encrypted both at rest and in transit.

RSA certificates managed by ACM should use a key length of at least 2,048 bits compliance.tf module ACM certificates should have transparency logging enabled compliance.tf module API Gateway stage should uses SSL certificate API Gateway stage cache encryption at rest should be enabled Athena workgroups should be encrypted at rest

Logging, Monitoring, and Incident Detection (Article 21(2)(b)) (3 controls)

Article 23's 24-hour early warning window means detection gaps are not just a hygiene issue, they are a compliance failure. Assessors will want to see logging enabled across all relevant services and confirm that logs feed into a SIEM or equivalent capability. Gaps at the API and application layer show up repeatedly.

API Gateway stage logging should be enabled AppSync graphql API logging should be enabled compliance.tf module Athena workgroups should have logging enabled
Additional Controls (91)

AWS CloudTrail (4)

At least one enabled trail should be present in a region CloudTrail trails should be integrated with CloudWatch logs CloudTrail trail logs should be encrypted with KMS CMK CloudTrail trail log file validation should be enabled

AWS CodeBuild (3)

CodeBuild projects should have logging enabled CodeBuild project S3 logs should be encrypted CodeBuild report group exports should be encrypted at rest

AWS Database Migration Service (2)

DMS endpoints for MongoDB should have an authentication mechanism enabled DMS endpoints for Redis OSS should have TLS enabled

AWS IAM (9)

Ensure IAM password policy requires a minimum length of 14 or greater Ensure IAM password policy requires at least one lowercase letter Ensure IAM password policy requires at least one number Ensure IAM password policy requires at least one symbol Ensure IAM password policy requires at least one uppercase letter Ensure IAM password policy prevents password reuse Password policies for IAM users should have strong configurations with minimum length of 8 or greater IAM password policies for users should have strong configurations Ensure IAM password policy expires passwords within 90 days or less

AWS KMS (1)

KMS CMK rotation should be enabled compliance.tf module

AWS Step Functions (1)

Step Function state machines should have logging turned on compliance.tf module

AWS WAF (1)

AWS WAF rules should have CloudWatch metrics enabled

Amazon CloudFront (2)

CloudFront distributions should require encryption in transit compliance.tf module CloudFront distributions access logs should be enabled compliance.tf module

Amazon CloudWatch (1)

Log group retention period should be at least 365 days compliance.tf module

Amazon DocumentDB (1)

AWS DocumentDB clusters should have an adequate backup retention period

Amazon DynamoDB Accelerator (2)

DynamoDB Accelerator (DAX) clusters should be encrypted at rest DynamoDB Accelerator clusters should be encrypted in transit

Amazon EC2 (7)

EC2 Client VPN endpoints should have client connection logging enabled EC2 instance detailed monitoring should be enabled compliance.tf module EC2 instances should have IAM profile attached compliance.tf module EC2 instances should use IMDSv2 compliance.tf module Ensure IAM instance roles are used for AWS resource access from instances compliance.tf module EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2) compliance.tf module AWS EC2 launch templates should not assign public IPs to network interfaces compliance.tf module

Amazon EFS (2)

EFS access points should enforce a root directory EFS access points should enforce a user identity

Amazon EKS (1)

EKS clusters should have control plane audit logging enabled compliance.tf module

Amazon ElastiCache (2)

ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater compliance.tf module ElastiCache for Redis replication groups should be encrypted in transit compliance.tf module

Amazon Kinesis (1)

Kinesis streams should have an adequate data retention period

Amazon MQ (1)

Active MQ brokers should stream audit logs to CloudWatch

Amazon MSK (1)

MSK clusters should be encrypted in transit among broker nodes compliance.tf module

Amazon Neptune (4)

Neptune DB clusters should publish audit logs to CloudWatch Logs Neptune DB clusters should have automated backups enabled Neptune DB clusters should be configured to copy tags to snapshots Neptune DB clusters should have IAM database authentication enabled

Amazon OpenSearch Service (3)

OpenSearch domains should have audit logging enabled. compliance.tf module OpenSearch domains cognito authentication should be enabled for kibana compliance.tf module OpenSearch domains logs to AWS CloudWatch Logs compliance.tf module

Amazon RDS (14)

RDS Aurora clusters should have backtracking enabled compliance.tf module Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs compliance.tf module RDS DB clusters should be configured to copy tags to snapshots compliance.tf module IAM authentication should be configured for RDS clusters compliance.tf module RDS DB instance and cluster enhanced monitoring should be enabled compliance.tf module RDS DB instance backup should be enabled compliance.tf module RDS DB instances backup retention period should be greater than or equal to 7 compliance.tf module RDS DB instances should be integrated with CloudWatch logs compliance.tf module RDS DB instances should be configured to copy tags to snapshots compliance.tf module RDS DB instances should have iam authentication enabled compliance.tf module Database logging should be enabled compliance.tf module RDS for MariaDB DB instances should publish logs to CloudWatch Logs compliance.tf module RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs compliance.tf module RDS for SQL Server DB instances should publish logs to CloudWatch Logs compliance.tf module

Amazon Redshift (3)

AWS Redshift audit logging should be enabled compliance.tf module Redshift cluster encryption in transit should be enabled compliance.tf module Redshift cluster audit logging and encryption should be enabled compliance.tf module

Amazon Route 53 (1)

Route53 domains privacy protection should be enabled

Amazon S3 (6)

S3 bucket default encryption should be enabled with KMS compliance.tf module S3 buckets should have lifecycle policies configured compliance.tf module S3 bucket logging should be enabled compliance.tf module S3 bucket MFA delete should be enabled compliance.tf module S3 buckets object logging should be enabled S3 buckets with versioning enabled should have lifecycle policies configured compliance.tf module

Amazon SageMaker (1)

SageMaker models should have network isolation enabled

Amazon VPC (1)

VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to cassandra ports 7199 or 9160 or 8888 compliance.tf module

Elastic Load Balancing (2)

ELB application and classic load balancer logging should be enabled compliance.tf module ELB network load balancers should have TLS listener security policy configured compliance.tf module

Other (14)

Cognito identity pools should not allow unauthenticated identities DataSync tasks should have logging enabled Elasticsearch domains should have audit logging enabled Elasticsearch domains should have cognito authentication enabled Elasticsearch domain should send logs to CloudWatch FSx for OpenZFS file systems should be configured to copy tags to backups and volumes compliance.tf module FSx for Lustre file systems should be configured to copy tags to backups compliance.tf module Access logging should be configured for API Gateway V2 Stages compliance.tf module Glue jobs bookmarks encryption should be enabled Glue jobs CloudWatch logs encryption should be enabled MSK Connect connectors should be encrypted in transit Network Firewall firewalls should have deletion protection enabled compliance.tf module The default stateless action for Network Firewall policies should be drop or forward for fragmented packets compliance.tf module The default stateless action for Network Firewall policies should be drop or forward for full packets compliance.tf module

  • NIST CSF v2.0 — 🟢 High overlap (65%)

    NIS2 Article 21 risk management measures map closely to NIST CSF functions (Identify, Protect, Detect, Respond, Recover). Organizations already aligned to NIST CSF will find significant overlap, particularly in incident response and business continuity. NIST CSF lacks the regulatory enforcement and incident reporting timelines that NIS2 mandates.

  • ISO/IEC 27001:2022 — 🟢 High overlap (70%)

    ISO 27001:2022 Annex A controls cover most of Article 21's technical requirements. Several member states accept ISO 27001 certification as partial evidence of NIS2 compliance. The gap is in NIS2-specific obligations: incident reporting to national authorities, supply chain risk management with named critical suppliers, and governance requirements placing liability on management bodies.

  • GDPR — ⚪ Low overlap (25%)

    GDPR Article 32 (security of processing) partially overlaps with NIS2 Article 21 on technical measures, and both require breach notification. GDPR focuses on personal data protection while NIS2 covers all network and information system security. Incidents may trigger reporting obligations under both regimes simultaneously, with different timelines and different authorities.

Frequently Asked Questions

Does NIS2 apply to my organization if we are based outside the EU?

Yes, if you provide services listed in Annexes I or II within the EU. Article 26 specifically requires non-EU entities providing DNS services, TLD name registries, domain name registration, cloud computing, data centre services, CDN, managed services, managed security services, or online marketplaces/search engines/social platforms within the EU to designate an EU representative. If you serve EU customers in these categories, you are in scope regardless of where you are incorporated.

What are the penalties for non-compliance?

Essential entities face fines up to EUR 10 million or 2% of global annual turnover, whichever is higher. Important entities face fines up to EUR 7 million or 1.4% of global annual turnover. Article 32 also allows member states to impose temporary bans on management body members of essential entities for repeated non-compliance. Individual member states may set additional penalties in their transposition laws.

How does NIS2 differ from the original NIS Directive?

NIS2 expands scope from roughly 7 sectors to 18, covering an estimated 160,000+ entities across the EU compared to a few thousand under NIS1. It replaces the 'operators of essential services' and 'digital service providers' categories with 'essential' and 'important' entities, determined by sector and size thresholds rather than member state designation. It introduces personal accountability for management bodies (Article 20), mandatory supply chain risk management (Article 21(2)(d)), and harmonized incident reporting timelines (24h/72h/1 month) under Article 23. The enforcement regime is significantly stricter.

Is there a formal NIS2 certification process?

No single certification audit demonstrates compliance. Article 24 allows the European Commission to require essential and important entities to use certified ICT products or services under the EU Cybersecurity Act (Regulation 2019/881), but this is not yet broadly mandated. Member states may accept existing certifications (ISO 27001, SOC 2) as supporting evidence during supervision. Compliance is ultimately assessed by national competent authorities through their own supervisory processes.

What does the 24-hour incident reporting requirement actually entail?

Article 23(4)(a) requires an 'early warning' to the national CSIRT or competent authority within 24 hours of becoming aware of a significant incident. This early warning must indicate whether the incident is suspected to involve unlawful or malicious acts and whether it could have cross- border impact. It does not need to be a complete root cause analysis. Within 72 hours, a full incident notification with severity assessment and indicators of compromise is required. A final report is due within one month. 'Significant incident' is defined in Article 23(3) as causing substantial operational disruption or financial loss, or affecting other persons by causing considerable material or non-material damage.