compliance.tf
Compliance FrameworksCore Frameworks

NIS2 Directive (EU 2022/2555)

Best for: Entities the EU classifies as 'essential' or 'important' in 18 sectors, including energy, transport, banking, health, digital infrastructure, ICT service management, public administration, and critical manufacturing. The size threshold is generally 50+ employees or EUR 10M+ turnover. Sole providers of critical services may be caught regardless of size. Non-EU entities providing DNS, cloud, CDN, or managed security within the EU are also in scope.

Mandatory?Mandatory for essential/important entities in 18 EU sectors
Who validates?National competent authority (EU member state) ยท No self-assessment
RenewalOngoing; no fixed audit cycle
ScopeEssential and important entities in energy, transport, health, digital infrastructure, etc.

๐Ÿ› European Parliament and Council of the European Union. National competent authorities (e.g., BSI in Germany, ANSSI in France, ACN in Italy) enforce at the member state level. ENISA coordinates cross-border cooperation. ยท NIS2 Directive (EU 2022/2555, Oct 2024) Official source โ†’

Get Started

module "..." {
  source  = "nis2.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

What Compliance.tf automates

  • Encryption at Rest: Checks encryption configuration on Athena workgroups, backup recovery points, API Gateway stage caches, and Bedrock invocation logs in S3 and CloudWatch. Validates that KMS keys are in use where required.
  • Encryption in Transit: Validates ACM certificate key lengths (minimum 2048-bit RSA), certificate transparency logging, and SSL certificate attachment on API Gateway stages.
  • Logging and Monitoring: Verifies logging is enabled on API Gateway stages, AppSync GraphQL APIs, Athena workgroups, and Bedrock model invocations. Flags services where logging is disabled or misconfigured.
  • Backup and Business Continuity: Confirms backup plans, vaults, and report plans exist in each configured region, and that recovery points are encrypted.
  • Access Control and Session Management: Enforces AppStream fleet timeout thresholds (idle disconnect at 600s, session disconnect at 300s, max duration at 36000s) and the IMDSv2 requirement on Auto Scaling launch configurations.
  • Incident Reporting Readiness: Validates that AWS accounts have a security alternate contact registered and that primary contact details are current.

What you handle

  • Encryption at Rest: Defining and documenting your encryption policy per Article 21(2)(e). Key rotation schedules, key access reviews, and mapping encryption coverage to all in-scope systems beyond AWS.
  • Encryption in Transit: TLS policy decisions (minimum version enforcement), certificate lifecycle management for non-ACM certificates, and documenting approved cipher suites.
  • Logging and Monitoring: Centralized log aggregation, SIEM integration, alert tuning, and building the incident detection workflows needed to meet Article 23 reporting timelines. Retention period configuration and log integrity verification.
  • Backup and Business Continuity: Disaster recovery testing, recovery time objective (RTO) and recovery point objective (RPO) documentation, and the broader business continuity plan required by Article 21(2)(c).
  • Access Control and Session Management: MFA enforcement policies, identity governance, privileged access management, and access review processes per Article 21(2)(i) and (j). Role-based access control documentation across all environments.
  • Incident Reporting Readiness: The full incident response plan, CSIRT notification procedures, the 24-hour early warning and 72-hour notification workflows required by Article 23, and staff training on reporting obligations.

Controls by Category

Access Control and Session Management (Article 21(2)(i)(j)) (3 controls)

IMDSv1 on EC2 instances and overly permissive session durations are the most common access control findings here, and both are straightforward to catch in automated scans. Article 21(2)(i) and (j) require documented access control policies and MFA enforcement, so assessors will also ask for evidence of access reviews and authentication configuration that no scan can verify on its own.

AppStream fleets should have idle disconnect timeout set to 10 minutes or lessAppStream fleets should limit maximum user duration to 10 hours or lessAppStream fleets should have session disconnect timeout set to 5 minutes or less

Cryptography and Encryption (Article 21(2)(e)) (5 controls)

Backup data stored without encryption is one of the most consistent findings in this category and directly contradicts Article 21(2)(e). Beyond backups, assessors examine certificate configurations for weak key lengths or expiry issues and verify that data stores are encrypted both at rest and in transit.

ACM RSA certificates should use a key length of at least 2,048 bitscompliance.tf moduleACM certificates should have transparency logging enabledcompliance.tf moduleAPI Gateway stages should not use client SSL certificatesAPI Gateway stages should have cache encryption at rest enabledAthena workgroups should be encrypted at rest

Logging, Monitoring, and Incident Detection (Article 21(2)(b)) (3 controls)

Article 23's 24-hour early warning window means detection gaps are not just a hygiene issue, they are a compliance failure. Assessors will want to see logging enabled across all relevant services and confirm that logs feed into a SIEM or equivalent capability. Gaps at the API and application layer show up repeatedly.

API Gateway stages should have logging enabledAppSync GraphQL APIs should have field-level logging enabledcompliance.tf moduleAthena workgroups should have logging enabled
Additional Controls (91)

AWS CloudTrail (4)

CloudTrail trails should have at least one enabled trail present in a regionCloudTrail trails should be integrated with CloudWatch logsCloudTrail trails should have logs encrypted using a customer managed KMS keyCloudTrail trails should have log file validation enabled

AWS CodeBuild (3)

CodeBuild projects should have logging enabledCodeBuild projects should have S3 logs encryptedCodeBuild report group exports should be encrypted at rest

AWS Database Migration Service (2)

DMS endpoints for MongoDB should have an authentication mechanism enabledDMS endpoints for Redis OSS should have TLS enabled

AWS IAM (9)

IAM password policies should have minimum length set to 14 or greaterIAM password policies should require at least one lowercase letterIAM password policies should require at least one numberIAM password policies should require at least one symbolIAM password policies should require at least one uppercase letterIAM password policies should prevent password reuseIAM password policies should have strong configurations with minimum length of 8 or greaterIAM password policies should have strong configurationsIAM password policies should expire passwords within 90 days or less

AWS KMS (1)

KMS CMK rotation should be enabledcompliance.tf module

AWS Step Functions (1)

Step Functions state machines should have logging enabledcompliance.tf module

AWS WAF (1)

WAFv2 rules should have CloudWatch metrics enabled

Amazon CloudFront (2)

CloudFront distributions should require encryption in transitcompliance.tf moduleCloudFront distributions access logs should be enabledcompliance.tf module

Amazon CloudWatch (1)

CloudWatch log groups should have retention period of at least 365 dayscompliance.tf module

Amazon DocumentDB (1)

DocumentDB clusters should have an adequate backup retention period

Amazon DynamoDB Accelerator (2)

DynamoDB Accelerator (DAX) clusters should be encrypted at restDynamoDB Accelerator clusters should be encrypted in transit

Amazon EC2 (7)

EC2 Client VPN endpoints should have client connection logging enabledEC2 instances should have detailed monitoring enabledcompliance.tf moduleEC2 instances should have IAM profile attachedcompliance.tf moduleEC2 instances should use IMDSv2compliance.tf moduleEC2 instances should use IAM instance roles for AWS resource accesscompliance.tf moduleEC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)compliance.tf moduleEC2 launch templates should not assign public IPs to network interfacescompliance.tf module

Amazon EFS (2)

EFS access points should enforce a root directoryEFS access points should enforce a user identity

Amazon EKS (1)

EKS clusters should have control plane audit logging enabledcompliance.tf module

Amazon ElastiCache (2)

ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greatercompliance.tf moduleElastiCache for Redis replication groups should be encrypted in transitcompliance.tf module

Amazon Kinesis (1)

Kinesis streams should have an adequate data retention period

Amazon MQ (1)

MQ brokers should have audit log streaming to CloudWatch enabled

Amazon MSK (1)

MSK clusters should be encrypted in transit among broker nodescompliance.tf module

Amazon Neptune (4)

Neptune DB clusters should publish audit logs to CloudWatch LogsNeptune DB clusters should have automated backups enabledNeptune DB clusters should be configured to copy tags to snapshotsNeptune DB clusters should have IAM database authentication enabled

Amazon OpenSearch Service (3)

OpenSearch domains should have audit logging enabledcompliance.tf moduleOpenSearch domains should have Cognito authentication enabled for Kibanacompliance.tf moduleOpenSearch domains should have logging to CloudWatch Logs enabledcompliance.tf module

Amazon RDS (14)

RDS Aurora clusters should have backtracking enabledcompliance.tf moduleAurora PostgreSQL DB clusters should publish logs to CloudWatch Logscompliance.tf moduleRDS DB clusters should be configured to copy tags to snapshotscompliance.tf moduleRDS DB clusters should have IAM authentication configuredcompliance.tf moduleRDS DB instances and clusters should have enhanced monitoring enabledcompliance.tf moduleRDS DB instance backup should be enabledcompliance.tf moduleRDS DB instances backup retention period should be greater than or equal to 7compliance.tf moduleRDS DB instances should be integrated with CloudWatch logscompliance.tf moduleRDS DB instances should be configured to copy tags to snapshotscompliance.tf moduleRDS DB instances should have iam authentication enabledcompliance.tf moduleRDS DB instances should have logging enabledcompliance.tf moduleRDS for MariaDB DB instances should publish logs to CloudWatch Logscompliance.tf moduleRDS for PostgreSQL DB instances should publish logs to CloudWatch Logscompliance.tf moduleRDS for SQL Server DB instances should publish logs to CloudWatch Logscompliance.tf module

Amazon Redshift (3)

Redshift clusters should have audit logging enabledcompliance.tf moduleRedshift cluster encryption in transit should be enabledcompliance.tf moduleRedshift clusters should have audit logging and encryption enabledcompliance.tf module

Amazon Route 53 (1)

Route 53 domains should have privacy protection enabled

Amazon S3 (6)

S3 buckets should have default encryption enabled using KMScompliance.tf moduleS3 buckets should have lifecycle policies configuredcompliance.tf moduleS3 buckets should have logging enabledcompliance.tf moduleS3 buckets should have MFA delete enabledcompliance.tf moduleS3 buckets should have object logging enabledS3 buckets with versioning enabled should have lifecycle policies configuredcompliance.tf module

Amazon SageMaker (1)

SageMaker models should have network isolation enabled

Amazon VPC (1)

VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to cassandra ports 7199 or 9160 or 8888compliance.tf module

Elastic Load Balancing (2)

ELB application and classic load balancer logging should be enabledcompliance.tf moduleELB network load balancers should have TLS listener security policy configuredcompliance.tf module

Other (14)

Cognito identity pools should not allow unauthenticated identitiesDataSync tasks should have logging enabledElasticsearch domains should have audit logging enabledElasticsearch domains should have cognito authentication enabledElasticsearch domain should send logs to CloudWatchFSx for OpenZFS file systems should be configured to copy tags to backups and volumescompliance.tf moduleFSx for Lustre file systems should be configured to copy tags to backupscompliance.tf moduleAPI Gateway V2 stages should have access logging configuredcompliance.tf moduleGlue jobs bookmarks encryption should be enabledGlue jobs CloudWatch logs encryption should be enabledMSK Connect connectors should be encrypted in transitNetwork Firewall firewalls should have deletion protection enabledcompliance.tf moduleNetwork Firewall policies should have default stateless action set to drop or forward for fragmented packetscompliance.tf moduleNetwork Firewall policies should have default stateless action set to drop or forward for full packetscompliance.tf module

Related Frameworks

NIST CSF v2.0 โ€” ๐ŸŸข High overlap (65%)

NIS2 Article 21 risk management measures map closely to NIST CSF functions (Identify, Protect, Detect, Respond, Recover). Organizations already aligned to NIST CSF will find significant overlap, particularly in incident response and business continuity. NIST CSF lacks the regulatory enforcement and incident reporting timelines that NIS2 mandates.

ISO/IEC 27001:2022 โ€” ๐ŸŸข High overlap (70%)

ISO 27001:2022 Annex A controls cover most of Article 21's technical requirements. Several member states accept ISO 27001 certification as partial evidence of NIS2 compliance. The gap is in NIS2-specific obligations: incident reporting to national authorities, supply chain risk management with named critical suppliers, and governance requirements placing liability on management bodies.

GDPR โ€” โšช Low overlap (25%)

GDPR Article 32 (security of processing) partially overlaps with NIS2 Article 21 on technical measures, and both require breach notification. GDPR focuses on personal data protection while NIS2 covers all network and information system security. Incidents may trigger reporting obligations under both regimes simultaneously, with different timelines and different authorities.

Frequently Asked Questions

Does NIS2 apply to my organization if we are based outside the EU?
Yes, if you provide services listed in Annexes I or II within the EU. Article 26 specifically requires non-EU entities providing DNS services, TLD name registries, domain name registration, cloud computing, data centre services, CDN, managed services, managed security services, or online marketplaces/search engines/social platforms within the EU to designate an EU representative. If you serve EU customers in these categories, you are in scope regardless of where you are incorporated.
What are the penalties for non-compliance?
Essential entities face fines up to EUR 10 million or 2% of global annual turnover, whichever is higher. Important entities face fines up to EUR 7 million or 1.4% of global annual turnover. Article 32 also allows member states to impose temporary bans on management body members of essential entities for repeated non-compliance. Individual member states may set additional penalties in their transposition laws.
How does NIS2 differ from the original NIS Directive?
NIS2 expands scope from roughly 7 sectors to 18, covering an estimated 160,000+ entities across the EU compared to a few thousand under NIS1. It replaces the 'operators of essential services' and 'digital service providers' categories with 'essential' and 'important' entities, determined by sector and size thresholds rather than member state designation. It introduces personal accountability for management bodies (Article 20), mandatory supply chain risk management (Article 21(2)(d)), and harmonized incident reporting timelines (24h/72h/1 month) under Article 23. The enforcement regime is significantly stricter.
Is there a formal NIS2 certification process?
No single certification audit demonstrates compliance. Article 24 allows the European Commission to require essential and important entities to use certified ICT products or services under the EU Cybersecurity Act (Regulation 2019/881), but this is not yet broadly mandated. Member states may accept existing certifications (ISO 27001, SOC 2) as supporting evidence during supervision. Compliance is ultimately assessed by national competent authorities through their own supervisory processes.
What does the 24-hour incident reporting requirement actually entail?
Article 23(4)(a) requires an 'early warning' to the national CSIRT or competent authority within 24 hours of becoming aware of a significant incident. This early warning must indicate whether the incident is suspected to involve unlawful or malicious acts and whether it could have cross-border impact. It does not need to be a complete root cause analysis. Within 72 hours, a full incident notification with severity assessment and indicators of compromise is required. A final report is due within one month. 'Significant incident' is defined in Article 23(3) as causing substantial operational disruption or financial loss, or affecting other persons by causing considerable material or non-material damage.

GDPR

Previous Page

NIST SP 800-53 Rev 5

Next Page

On this page

Get StartedWhat Compliance.tf Covers vs. What You HandleControls by CategoryAccess Control and Session Management (Article 21(2)(i)(j)) (3)Cryptography and Encryption (Article 21(2)(e)) (5)Logging, Monitoring, and Incident Detection (Article 21(2)(b)) (3)Related FrameworksFrequently Asked Questions

Ask AI about this

Help improve this page