The EU NIS2 Directive has been enforceable since October 17, 2024. If your company runs on AWS and falls under its scope, you need a clear checklist of what to fix — and a way to verify it automatically. This guide covers both.
Who is affected by NIS2?
NIS2 applies to any company operating in the EU with either:
- 50+ employees or €10M+ annual revenue, AND
- Operations in a covered sector: energy, transport, healthcare, water, digital infrastructure, ICT services, banking, financial market infrastructure, or manufacturing of critical products.
Unlike NIS1, NIS2 also covers important entities (medium-sized companies) — not just operators of essential services. This means tens of thousands of European companies are newly in scope.
What NIS2 requires (Article 21)
Article 21 mandates a risk-based approach to security. For cloud infrastructure, this translates into 8 concrete categories:
1. IAM & Access Control
- MFA enforced on all IAM users (especially root)
- No use of root account for daily operations
- Least-privilege IAM policies — no wildcard (*) permissions
- Access keys rotated within 90 days
- No hardcoded credentials in Lambda or EC2 user data
2. Encryption at Rest
- S3 buckets: server-side encryption enabled (SSE-S3 or SSE-KMS)
- RDS instances: storage encryption enabled
- EBS volumes: encrypted at creation
- DynamoDB: encryption at rest enabled
- Secrets stored in AWS Secrets Manager or SSM Parameter Store (not environment variables)
3. Encryption in Transit
- S3 bucket policies enforce HTTPS-only (deny HTTP)
- RDS: rds.force_ssl parameter enabled
- Load balancers use TLS 1.2+ listeners only
- CloudFront distributions enforce HTTPS redirect
4. Network Security
- No security groups open to 0.0.0.0/0 on port 22 (SSH) or 3389 (RDP)
- VPC Flow Logs enabled in all regions
- Public subnets only for resources that explicitly require internet access
- RDS not publicly accessible
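The first item in category 4 is easy to check naively and easy to get wrong: a rule opening ports 0-1024, an "all traffic" rule, or an IPv6 ::/0 range all expose SSH without ever listing port 22. The following is an added example (not ConformScan's code) that evaluates security-group ingress offline; it assumes input shaped like boto3's ec2.describe_security_groups() response, with a hand-constructed sample.

```python
# Offline check for checklist item 4: no security group ingress from anywhere
# to SSH (22) or RDP (3389). Input mirrors boto3's
# ec2.describe_security_groups()["SecurityGroups"]; the sample is constructed.
ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def rule_exposes_port(rule: dict, port: int) -> bool:
    """True if one IpPermissions entry admits `port` from anywhere. Handles
    what a naive FromPort == port check misses: IpProtocol "-1" (all traffic,
    no ports listed), port ranges containing the port, and IPv6 ::/0."""
    sources = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    sources += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    if not ANYWHERE.intersection(sources):
        return False
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return False  # UDP/ICMP rules do not expose SSH or RDP
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def find_open_admin_ports(security_groups: list) -> list:
    """Return sorted (group id, port, service) triples for every violation."""
    findings = set()
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            for port, name in ADMIN_PORTS.items():
                if rule_exposes_port(rule, port):
                    findings.add((sg["GroupId"], port, name))
    return sorted(findings)


# Constructed sample: a wide TCP range open to IPv4, all traffic open to
# IPv6, and RDP restricted to a corporate CIDR (compliant).
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-office", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for group_id, port, name in find_open_admin_ports(SAMPLE_GROUPS):
        print(f"{group_id}: port {port} ({name}) open to the world")
```

Feeding it the real describe_security_groups() output per region turns this checklist item into a repeatable, scriptable control rather than a one-off console review.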
5. Logging & Monitoring
- CloudTrail enabled in all regions, log file validation on
- CloudTrail logs encrypted with KMS
- GuardDuty enabled
- Config rules enabled for continuous compliance monitoring
- Log retention ≥ 12 months (NIS2 recommendation)
6. Incident Response (Article 23)
NIS2 requires reporting significant incidents to national authorities within 24 hours (initial warning) and 72 hours (full notification). Infrastructure-wise this means:
- CloudWatch alarms for critical events (root login, policy changes, failed auth)
- SNS notifications configured for GuardDuty findings
- Automated remediation rules where possible (Config + SSM)
7. Supply Chain Security
- Cross-account roles reviewed and scoped down
- Third-party access audited via IAM Access Analyzer
- ECR images scanned for vulnerabilities
- Lambda layers and dependencies from trusted sources only
8. Business Continuity
- RDS automated backups enabled with ≥7 day retention
- Multi-AZ deployments for production databases
- S3 versioning enabled on critical buckets
- Disaster recovery procedures documented and tested
NIS2 penalties for non-compliance
Under Article 34, NIS2 imposes maximum fines of:
- Essential entities: up to €10 million or 2% of global annual turnover
- Important entities: up to €7 million or 1.4% of global annual turnover
Management boards can also be held personally liable, and temporary bans from management functions are possible for repeated violations.
How to automate NIS2 compliance checks
Manual audits against this checklist take weeks — and go stale the moment someone creates a new resource. Automated scanning solves both problems.
ConformScan runs all 193+ NIS2-mapped checks against your live AWS infrastructure in under 2 minutes. You get:
- A prioritized list of findings with SLA countdowns (3 → 14 → 30 days)
- Terraform and CLI remediation code for every finding
- A PDF report ready for your auditor or DPO
- Scheduled daily scans so you know immediately when drift occurs
Summary
NIS2 compliance on AWS is not a one-time project — it is a continuous process. The 8 categories above cover the core technical requirements. Automate the verification, fix the gaps, and keep evidence for your auditor. The cost of a scan is far lower than the cost of a fine.