compliance.tf
Sign inStart Free Trial

NIS2 Compliant Terraform Modules
Enforced Before terraform apply

Article 21 requires technical measures for cryptography, access control, incident handling, and network security. These modules enforce those measures before terraform apply.

NIS2 applies to essential and important entities operating in the EU — energy, transport, healthcare, digital infrastructure, ICT services, and more. Enforcement began October 2024. Non-compliance fines reach €10M or 2% of global annual turnover for essential entities.

251

Controls

10

Clauses

34

AWS Modules

Start Free TrialView All Controls

No credit card or AWS account needed to start.

From the team behind terraform-aws-modules. 2B+ provisions worldwide.

IAM · RDS · CloudTrail · CloudWatch Logs · VPC · EC2SOC 2 Type II CertifiedAvailable on AWS Marketplace

Three Steps to NIS2 Compliant Infrastructure

For terraform-aws-modules users, migration is a one-line change. Same workflow, same interface. Bringing your own modules? We can make those compliant too. Join the beta.

1

Change One Line

main.tf
module "s3" {
- source = "registry.terraform.io/..."
+ source = "nis2.compliance.tf/..."
 
  bucket = "awesome-docs"
}
2

Run Terraform Commands

terminal
$ terraform init
Initializing modules...
- module.s3 in nis2.compliance.tf/...
Terraform has been successfully initialized!
$ terraform apply
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
3

Compliance Enforced

Art. 21(2)(e) · Default Encryption
Art. 21(2)(e) · KMS Encryption
Art. 21(2)(g) · Logging Enabled
Art. 21(2)(d) · Public Access Blocked
Art. 21(2)(d) · Block Public Read
Art. 21(2)(d) · Block Public Write
Art. 21(2)(e) · SSL Requests Only
Art. 21(2)(c) · Versioning Enabled

Every compliance requirement you define is enforced automatically. Nothing to scan, nothing to remediate.

Controls Enforced for NIS2

251 controls across 10 clauses

Enforced (102)Detected (149)
  • AWS accounts should have security contact information provided
  • CloudWatch log groups should have retention period of at least 365 days
  • IAM password policies should have strong configurations
  • IAM groups, users, and roles should not have any inline policies
  • IAM password policies should expire passwords within 90 days or less
  • IAM roles should not have AdministratorAccess policy attached
  • IAM Security Audit roles should be created to conduct security audits
  • IAM support roles should be created to manage incidents with AWS Support
  • IAM user access keys should be rotated at least every 90 days
  • IAM users should have restricted access to AWSCloudShellFullAccess
  • IAM user should not have any inline or attached policies
  • IAM policies should be attached only to groups or roles
  • Kinesis streams should have an adequate data retention period
  • Route 53 domains should have privacy protection enabled
  • S3 buckets should have logging enabled
  • Secrets Manager secret resource policies should not allow public access
  • Secrets Manager secrets should have automatic rotation enabled
  • Secrets Manager secrets should be rotated within a specified number of days
  • Secrets Manager secrets should be rotated within specific number of days
  • Secrets Manager secrets should be rotated as per the rotation schedule
  • SSM Incidents replication sets should be ACTIVE and have at least one response plan

View full control documentation with implementation details

View NIS2 reference documentation

NIS2 Scope: What We Handle vs. What You Own

compliance.tf handles the infrastructure configuration layer for NIS2. Here is what it covers and what stays with your team.

compliance.tf Enforces for NIS2

  • Article 21 technical cybersecurity measures (cryptography, access, logging, network)
  • NIS2 implementing regulation control mapping with Article 21 references
  • Deployment-time evidence generation via AWS-native tools
  • Upstream module updates (terraform-aws-modules kept in sync)
  • Exception management with audit trail
  • Control documentation and NIS2 mapping matrices

See which modules are covered

View NIS2 reference documentation

Your Team Still Handles for NIS2

  • Risk analysis and information system security policies (Art. 21(2)(a))
  • Incident handling and reporting to CSIRTs (Art. 21(2)(b), Art. 23)
  • Business continuity and crisis management (Art. 21(2)(c) — beyond backup config)
  • Supply chain security assessments (Art. 21(2)(d) — supplier relationships)
  • Cybersecurity training and basic cyber hygiene (Art. 21(2)(g))
  • Human resources security and access control policies (Art. 21(2)(i))
  • Registration with national competent authorities (Art. 3)

compliance.tf handles the Article 21 technical measures that map to AWS resource configuration. Organizational requirements like incident reporting, supply chain assessments, and management body oversight remain your team's responsibility.

Operational Rules (lifecycle blocks, tagging, instance restrictions) are also applied alongside NIS2 compliance controls.

NIS2 Audit Evidence — Built Into Your Workflow

Your auditor does not need to trust compliance.tf. Evidence comes from AWS-native tools they already accept.

Evidence your auditor already trusts

Every compliance.tf module enforces controls at deploy time. When AWS Config, Security Hub, or Audit Manager evaluates your resources, they report clean findings because the controls are built into the modules, not bolted on after the fact.

  • AWS Config rules validate resource configuration continuously
  • Security Hub aggregates findings across accounts and regions
  • Audit Manager generates assessment reports mapped to NIS2
  • Downloadable control mapping matrices for your auditor
evidence.json
{
  "framework": "NIS2",
  "clause": "Art. 21(2)(e)",
  "control": "s3_bucket_default_encryption_enabled",
  "status": "COMPLIANT",
  "source": "AWS Config",
  "resource": "arn:aws:s3:::awesome-docs",
  "evaluated": "2026-03-04T10:30:00Z"
}

Prevention vs. Detection for NIS2

compliance.tf prevents non-compliant deployments. Scanning tools detect them after the fact. Most mature programs use both.

DimensionIaC Scanning
Checkov / Trivy / Prowler		Compliance.tf
Prevents non-compliant configs before terraform applyNo (post-plan scan)Yes
Maps controls to framework clause IDsPartialYes
Produces auditor-accepted evidence (AWS-native)Scan reports onlyYes
Exception management with audit trailSuppression rulesYes
Same interface as terraform-aws-modulesN/AYes
Keeps pace with upstream module updatesN/AYes
Catches runtime drift / console changesYesNo
Covers non-Terraform resourcesYesNo
Internal engineering timeMediumLow

We recommend keeping scanning tools active alongside compliance.tf for defense in depth. The scanner validates what compliance.tf already enforces.

Detailed: compliance.tf vs Checkov/Trivy →Detailed: compliance.tf vs OPA/Sentinel →All comparisons →

NIS2 Compliance Questions

Which NIS2 requirements does this cover?

compliance.tf enforces the technical cybersecurity measures from Article 21(2): cryptography and encryption (Art. 21(2)(e)), access control (Art. 21(2)(d)), logging and incident detection (Art. 21(2)(g)), and backup/business continuity infrastructure (Art. 21(2)(c)). These are the requirements that translate directly to AWS resource configuration.

Does NIS2 apply to my organisation?

NIS2 applies to entities in 18 critical sectors operating in the EU. Essential entities include energy, transport, banking, health, digital infrastructure, and public administration. Important entities include postal services, waste management, manufacturing, food, chemicals, and digital providers. If you have 50+ employees or €10M+ turnover and operate in a covered sector, NIS2 likely applies.

How does NIS2 relate to ISO 27001?

NIS2 Article 25 explicitly recognises international standards like ISO 27001 as a way to demonstrate compliance. Many NIS2 technical requirements map directly to ISO 27001 Annex A controls. compliance.tf modules are mapped to both frameworks, so adopting them helps with both NIS2 compliance and ISO 27001 certification simultaneously.

How is this different from Checkov, Trivy, or Prowler?

Those tools are detective controls. They scan infrastructure after you write it and report findings you fix manually. compliance.tf is a preventive control. The modules themselves cannot produce non-compliant resources. There is nothing to scan, nothing to remediate. Most teams keep their scanners running alongside compliance.tf for defense in depth.

Can I adopt this gradually, or is it all-or-nothing?

Fully incremental. Start with one module in one environment. Your existing modules continue working untouched. If you use Terragrunt or Terramate to orchestrate your runs, nothing changes — you’re only swapping the module source line. There is no global policy agent to deploy, no wrapper binary, no sidecar. Each module source line is independent.

Will my auditor accept this as evidence?

Your auditor does not need to trust compliance.tf directly. Evidence comes from AWS-native tools they already accept: AWS Config, Security Hub, and Audit Manager. We enforce controls at deploy time so those AWS tools always report clean findings.

What if I want to switch back or compliance.tf shuts down?

Our modules are standard Terraform. They work with Terraform, OpenTofu, Terragrunt, Terramate, and any tool that speaks the Terraform module protocol. Every module is a drop-in replacement for its upstream terraform-aws-modules equivalent with the same variables and outputs. Change your module source line back, run terraform init. Your infrastructure does not change. No lock-in, no proprietary state.

From Our Blog

Make Non-Compliant Terraform Impossible

Replace scanning with built-in compliance controls

Start Deploying NIS2-Compliant Infrastructure

$1,000/year for all 34 modules, all frameworks. 30-day free trial.

Start Free TrialContact Sales

No credit card required. Switch back at any time.

Stay Informed About New Features

Join the mailing list for releases, new modules, and roadmap updates. No spam. Unsubscribe anytime.

Not convinced yet or dying for a feature we don't have? Send us an email — we really want to hear your feedback!