NIS2 for Digital Infrastructure: Cloud, Data Centres, DNS, and CDNs

The NIS2 digital infrastructure sector (cloud, data centres, DNS, CDNs) is the most harmonised. Implementing acts, the ENISA registry, and compliance guidance explained.

Daniel Grigorovich
Founder · 22 Apr 2026 · 11 min read
NIS2

Who should read this: Cloud providers, data centre operators, DNS service providers, CDN providers, managed service providers, their security teams, and procurement teams assessing these vendors.

Digital infrastructure is the backbone of the European economy. Cloud services, data centres, DNS, content delivery networks (CDNs)—these services are embedded in almost every organisation’s operations. If one fails or is compromised, cascading impacts ripple across the continent.

NIS2 recognises this. Digital infrastructure is listed in Annex II and is therefore in scope. Moreover, Article 21(5) directs the Commission to issue implementing acts specifically for digital infrastructure providers, laying down detailed technical requirements.

This sector is the most harmonised under NIS2. The rules are more specific than for other sectors, and they apply uniformly across all Member States.

This guide explains NIS2’s application to digital infrastructure: who is in scope, what the specific requirements are, and what implementation looks like.

Digital Infrastructure Scope: Who Is In?

Annex II covers the following types of digital infrastructure providers:

Cloud Computing Service Providers

“Cloud computing service provider” covers any organisation providing cloud services (infrastructure-as-a-service, platform-as-a-service, software-as-a-service). This includes:

Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform, and other hyperscale public cloud providers.

Private cloud providers offering services to enterprises.

Hybrid cloud providers.

Multi-cloud management platforms.

Any organisation at scale providing cloud services into the EU is in scope.

Data Centre Service Providers

Data centre operators who provide hosting, colocation, or compute services. This includes:

Hyperscale data centre operators.

Regional and local data centre providers.

Managed hosting providers.

The size threshold applies: if you are a medium-sized or larger data centre operator (250+ employees or EUR 50 million+ turnover), you are in scope.

DNS Service Providers

DNS (Domain Name System) service providers are organisations providing DNS authoritative services, DNS recursive resolution services, or DNS filtering services. This includes:

Public DNS resolvers (e.g., Cloudflare 1.1.1.1, Google 8.8.8.8).

Enterprise DNS service providers.

DNS security providers offering DNS-based filtering or threat intelligence.

Top-Level Domain (TLD) Registries

Organisations operating TLD registries (e.g., the registry for .com, .eu, .de domains). These are critical to the functioning of the internet.

Content Delivery Network (CDN) Providers

CDNs that cache and distribute content globally. Providers like Akamai, Cloudflare, Fastly, and others are in scope.

Managed Service Providers

Organisations providing managed IT services, managed security services, or managed support to other organisations. This includes:

Managed IT service providers (MSPs) that provide endpoint management, server management, etc.

Managed security service providers (MSSPs) providing security monitoring, incident response, etc.

Managed backup providers.

Cloud management service providers.

Online Marketplace Providers

Organisations operating online marketplaces where third-party sellers list goods or services. This includes:

Amazon Marketplace, eBay, Alibaba (and similar platforms).

Vertically-specific marketplaces.

Online Search Engine Providers

Search engines including Google, Bing, and other search services.

Social Networking Service Platforms

Social media platforms like Facebook, Instagram, TikTok, LinkedIn, and similar services providing social networking.

Trust Service Providers

Trust service providers under the eIDAS Regulation (Regulation (EU) No 910/2014), including:

Certification authorities (CAs) issuing digital certificates.

Electronic timestamping service providers.

Electronic seal providers.

Qualified electronic signature providers.

Size and Scope

For Annex II providers, the size threshold is 250+ employees or EUR 50 million+ turnover. However, for larger Annex II entities (hyperscale cloud providers, major search engines, large social platforms), Article 3(1)(c) specifies turnover thresholds above which they are automatically essential. These thresholds are high (typically billions of euros) and apply only to the largest providers.

Most mid-market cloud, CDN, or managed service providers will be important entities unless they are very large.

Implementing Acts: The Detailed Technical Requirements

Article 21(5) is critical for digital infrastructure:

“The Commission shall adopt implementing acts laying down the technical and the methodological requirements of the measures referred to in paragraph 2 with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers.”

By 17 October 2024, the Commission was to issue implementing acts specifying exactly what each digital infrastructure category must do to comply with the ten Article 21(2) measures.

These implementing acts are critical because they translate the ten abstract measures into concrete, sector-specific requirements.

For example:

For cloud providers, implementing acts specify backup and disaster recovery requirements (how many backups, where stored, recovery time objectives).

For DNS providers, they specify DDoS mitigation requirements, redundancy, monitoring, and incident response timelines.

For CDNs, they specify availability targets, incident response capability, and supply chain security for upstream providers.

If you are a digital infrastructure provider, you must read the implementing acts for your category. They are binding and supersede any generic interpretation of Article 21(2).

At the time of writing, implementing acts have been published for several categories. Check the European Commission website and your national regulator for the latest implementing acts applicable to you.

ENISA Registry and Oversight

The European Union Agency for Cybersecurity (ENISA) maintains a registry of essential digital infrastructure entities. This registry serves several purposes:

Transparency: ENISA publishes a list of essential digital infrastructure entities so the public and regulators know who is subject to heightened security requirements.

Oversight: ENISA provides independent technical assessments and guidance.

Cooperation: ENISA coordinates with national regulators and the Cooperation Group on digital infrastructure security.

Digital infrastructure providers should expect to be registered by ENISA if they qualify as essential. Being registered means ENISA and regulators have detailed information about your operations.

Jurisdiction and Service-Based Requirements

A critical aspect of digital infrastructure regulation is service-based classification. Your classification depends not on where you are headquartered, but on what services you provide in the EU.

Example: A US-based cloud provider with significant EU customers is in scope for NIS2 and must comply with NIS2 requirements for services delivered to EU customers.

This is extraterritorial: NIS2 applies to your EU-relevant services even if your headquarters is outside the EU.

However, Article 22 of NIS2 allows some flexibility for non-EU entities. They can designate a representative in the EU to handle regulatory communication. But this does not reduce your security obligations.

Digital Infrastructure Implementation Challenges

Digital infrastructure providers face unique compliance challenges:

Multi-Tenancy and Data Isolation

Cloud providers host many customers on shared infrastructure. You must ensure that one customer’s systems and data cannot be accessed by another customer. This is a fundamental security requirement, but it is technically complex.

Article 21 measures must address multi-tenancy risks:

Logical and physical isolation of customer data.

Encryption of customer data at rest and in transit.

Access controls ensuring customers access only their own data.

Regular security testing of isolation controls.

High-Volume Service

CDNs, DNS providers, and large cloud providers handle enormous traffic volumes. A security incident at these providers affects millions or billions of users. Your incident response capability must scale.

Your Article 21(2)(b) incident handling requirement must specify:

How you detect incidents affecting global service.

How you assess impact across millions of users.

How you communicate incidents to customers globally within required timelines.

How you remediate globally-distributed systems quickly.

Distributed Architecture

Digital infrastructure is geographically distributed. You may have data centres in multiple countries, failover systems, and caches in dozens of locations. Managing security across this distributed footprint is complex.

Article 21(2)(c) business continuity requirements mean:

You must maintain backups and disaster recovery systems in multiple geographic locations.

If a major data centre is compromised or destroyed, you must be able to fail over to alternate locations seamlessly.

Recovery time objectives must be very tight (seconds or minutes for critical services).

Supply Chain Criticality

Digital infrastructure providers depend on critical suppliers: hardware manufacturers, software vendors, telecommunications providers, security vendors. If a supplier is compromised, you are compromised.

Article 21(2)(d) supply chain security is essential. You must:

Assess all critical suppliers (hardware vendors, software vendors, telecom providers).

Contractually require them to meet security standards.

Monitor their security practices and patch releases.

Have contingency plans if a critical supplier is breached.

Threat Landscape

Digital infrastructure is a primary target for:

State-sponsored attackers: Governments target cloud providers, DNS, and other infrastructure to gain visibility into communications and data.

Ransomware gangs: Digital infrastructure providers are lucrative ransom targets.

Hacktivists: Attackers target digital platforms to make political statements.

Competitors: Competitors seek to disrupt services or gain competitive intelligence.

Your threat model must reflect this reality. Your security measures must deter and defend against sophisticated, well-resourced attackers.

Specific Requirements by Provider Type

Different digital infrastructure categories have somewhat different requirements:

Cloud Providers

Specific requirements include:

Data isolation: Ensure customers cannot access each other’s data.

Backup and disaster recovery: Regular backups stored in multiple geographic locations; recovery time objectives typically measured in hours or less.

Encryption: Encryption in transit (TLS) and at rest (AES-256) are expected as baseline.

Access controls: Privileged access management for administration, multi-factor authentication for sensitive operations.

Availability: High availability architecture with geographic redundancy.

Supply chain security: Assess hardware suppliers, software vendors, telecommunications providers.

Incident response: Rapid detection and notification of incidents affecting customer data or service.

DNS Providers

Specific requirements include:

Availability: DNS must be continuously available. Downtime causes internet service disruption globally. Your recovery time objectives are seconds.

DDoS mitigation: DNS is frequently targeted by DDoS attacks. You must have mitigation capability.

Redundancy: DNS must be distributed geographically with automatic failover.

Integrity: DNS records must not be compromised. Poisoning a DNS record could redirect users to phishing sites.

Monitoring: Real-time monitoring of DNS query patterns to detect attacks or anomalies.

Incident response: Very rapid incident response (minutes) to restore service.

CDN Providers

Specific requirements include:

Availability: Content must be cached and available globally. Downtime affects customers’ end-users worldwide.

Cache integrity: Cached content must not be compromised or poisoned.

DDoS mitigation: CDNs are targets for DDoS attacks. Mitigation is essential.

Origin security: The origin servers that provide content to the CDN must be secure.

Encryption: End-to-end encryption from origin to end-user.

Geographic failover: If one cache location fails, traffic automatically reroutes to others.

Managed Service Providers

Specific requirements include:

Access control: MSPs have extensive access to customer systems. Tight access controls and multi-factor authentication are essential.

Monitoring: MSPs must monitor customer systems for attacks and anomalies.

Privilege escalation prevention: MSPs must prevent attackers from using compromised accounts to escalate privileges.

Supply chain: MSPs depend on third-party tools and cloud services. These suppliers must be assessed.

Incident response: When customer systems are breached, MSPs must detect and respond quickly.

Online Marketplace Providers

Specific requirements include:

Seller vetting: Marketplaces must vet sellers to prevent fraudulent or malicious sellers from using the platform.

Payment security: Payment processing must be secure, and customer payment information must be protected.

User account security: Accounts must require strong authentication.

Fraud detection: Marketplaces must detect and prevent fraud.

Search Engines

Specific requirements include:

Search result integrity: Search results must not be poisoned with malicious sites or misinformation.

User data protection: Search queries and user behaviour must be protected.

Advertising security: Advertisements must not be compromised with malware.

DDoS mitigation: Search engines are high-value DDoS targets.

Social Media Platforms

Specific requirements include:

User account security: Require strong passwords, multi-factor authentication, and account recovery procedures.

Content security: Prevent malicious actors from posting malware or phishing content.

Threat detection: Detect accounts engaged in coordinated inauthentic behaviour or spreading misinformation.

User data protection: Personal data and messaging must be protected.

Law enforcement cooperation: Cooperate with law enforcement on criminal investigations.

Incident Reporting for Digital Infrastructure

Digital infrastructure has special incident reporting provisions.

Article 23(11) authorises the Commission to adopt implementing acts specifying which incidents are “significant” for digital infrastructure providers. The reason: an incident affecting a cloud provider or DNS provider could have widespread impact, affecting millions of users and other organisations. The threshold for significance must reflect this.

Implementing acts will specify what incidents are significant for each category (e.g., for DNS providers, outage affecting X% of queries; for cloud providers, downtime affecting X% of customer instances).

Digital infrastructure providers must track significance against these implementing acts, not just against the generic Article 23(3) definition.

Cooperation and Oversight

Digital infrastructure is subject to special oversight:

ENISA maintains the registry and provides technical guidance.

The Cooperation Group coordinates security assessments across digital infrastructure providers.

Member State regulators supervise essential digital infrastructure providers intensively.

Expect closer regulatory interaction if you are an essential digital infrastructure provider. This is appropriate given the sector’s importance.

Compliance Roadmap for Digital Infrastructure Providers

Immediate steps:

Confirm your NIS2 classification (which Annex II category, essential vs important status).

Review implementing acts for your category.

Conduct risk assessment specific to your services.

Map current practices against Article 21(2) and sector-specific implementing acts.

Identify gaps.

Develop an implementation plan for gaps (prioritise high-risk items).

Establish incident response capability with rapid detection and notification.

Engage board in cybersecurity governance.

Conduct security assessments (penetration testing, vulnerability scanning) of your services.

Assess all critical suppliers.

Maintain evidence of compliance (policies, assessments, test results, training records).

Key Takeaways

  • Digital infrastructure (cloud, data centres, DNS, CDNs, managed services, online marketplaces, search engines, social media, trust services) is in Annex II; all providers at scale (250+ employees or EUR 50 million+ turnover) are in scope; implementing acts specify detailed technical requirements for each category.

  • Implementing acts, issued by October 2024, translate the ten Article 21(2) measures into concrete, sector-specific requirements; digital infrastructure providers must read and comply with implementing acts applicable to their category.

  • Multi-tenancy, high-volume service, distributed architecture, and sophisticated threat landscape create unique challenges; cloud providers must isolate customer data and maintain backups globally; DNS providers must maintain continuous availability; CDNs must have global redundancy and DDoS mitigation.

  • ENISA maintains a registry of essential digital infrastructure entities; regulators supervise essential digital infrastructure providers intensively; expect proactive audits, security assessments, and requests for information.

  • Incident reporting thresholds for digital infrastructure may differ from generic thresholds; implementing acts specify what is significant for each category; digital infrastructure incidents can affect millions of users and other organisations, justifying heightened reporting requirements.

  • Digital infrastructure is the most harmonised sector under NIS2; rules are more specific and more uniform across Member States than in other sectors; this provides clarity but also leaves less room for flexibility or proportionality arguments.

Daniel Grigorovich · Founder

I believe that no business should suffer from "compliance checklists" or navigating vague regulatory text. While I still stand by the principle that all software products should be reliable and secure, I want to give companies a way to overcome the challenges faced when implementing these requirements.