NIS 2

NIS 2 is the successor to the original NIS Directive, representing a major step up in the EU's cybersecurity legal framework. Building on its predecessor, NIS 2 introduces broader sectoral coverage, stricter security requirements, and higher penalties for non-compliance. The full text of the NIS 2 Directive is available in the Official Journal of the EU. Additionally, the EU Agency for Cybersecurity (“ENISA”) provides guidance and resources for entities seeking to align with the directive’s objectives.

NIS 2 applies to “essential" and "important" entities across 18 sectors. These include "Highly Critical" sectors (e.g., energy, transport, banking, health, water, and digital infrastructure) and "Other Critical" sectors (e.g., postal services, waste management, food, and manufacturing). For the full list of sectors covered, see Annex 1 and Annex 2 of the NIS Directive.

Yes, Cloudflare is in scope for NIS 2 as a digital infrastructure provider. Cloudflare had previously registered as an “Operator of Essential Services” and “Digital Service Provider” under the original NIS Directive.

Entities are classified based on their size and importance to the economy and society. While the two categories of regulated entities under the law – essential and important – are subject to the same security and incident reporting requirements, essential entities face more proactive and stringent supervision by national authorities.

Yes. NIS 2 applies to any entity that provides "essential" or "important" services within the EU, regardless of where the company is headquartered. Furthermore, because NIS 2 mandates supply chain risk management, many NIS 2 regulated companies in and outside of the EU will now require their global vendors and service providers to demonstrate NIS 2-aligned security standards as a condition of doing business.

Article 21 of the Directive mandates that regulated entities take "appropriate and proportionate technical, operational, and organizational measures" to manage cybersecurity risks. These include:

• Policies on risk analysis and information system security.
• Incident handling (prevention, detection, and response).
• Business continuity and crisis management.
• Supply chain security, including risks concerning the relationship between each entity and its direct suppliers.
• Security in network and information systems acquisition, development, and maintenance.
• Policies and procedures to assess the effectiveness of cybersecurity risk management measures.
• The use of cryptography and encryption.

Yes, Article 21 specifically mandates that entities address supply chain security, including the relationship between the entity and its direct suppliers. Cloudflare assists here by providing transparent security documentation (such as compliance reports) and tools like the Data Localization Suite, which helps customers manage the legal and geographical risks associated with data processing and service providers.

NIS 2 introduces significant "teeth" through a tiered fine structure based on an entity’s classification:

• Essential Entities: Maximum fines of at least €10 million or 2% of total worldwide annual turnover, whichever is higher.
• Important Entities: Maximum fines of at least €7 million or 1.4% of total worldwide annual turnover, whichever is higher.

In addition, NIS 2 introduces a shift in management accountability. Under Article 20, a regulated company’s "management bodies" (e.g, c-suite and boards) are now directly responsible for supervising the implementation of cybersecurity risk-management measures. Executives can be held personally liable for gross negligence following a security breach. For Essential entities, national authorities may even have the power to temporarily ban individuals from holding managerial positions.

Cloudflare provides self-service access to our latest ISO 27001, ISO 27701, and SOC 2 Type II reports through our Trust Hub. These documents serve as foundational evidence for your "Supply Chain Security" requirements under NIS 2 Article 21.

For a deeper dive, you can also download our NIS 2 Compliance Whitepaper, which highlights ways in which Cloudflare products can support NIS 2 regulated customers.