NIS2 for Cloud Service Providers

Updated 10 June 2026

Cloud service providers — whether IaaS, PaaS, or SaaS meeting the directive's definition — are explicitly included in NIS2 Annex I as essential entities under the digital infrastructure sector. This places cloud providers in the same tier as banks, hospitals, and energy companies. The obligations are substantial and the supervision is proactive.


Which Cloud Services Are In Scope?

NIS2 Annex I includes "cloud computing services" under digital infrastructure. The directive defines this by reference to the standard EU definition (Regulation 2018/1807):

IaaS (Infrastructure as a Service): Providing virtualised computing, storage, and network resources. AWS, Azure, GCP, OVHcloud, Hetzner at scale.

PaaS (Platform as a Service): Providing a development and deployment environment for applications. AWS Elastic Beanstalk, Azure App Service, Heroku at scale.

SaaS (Software as a Service): Providing software applications over a network. This is the most contested category — not every SaaS company is a cloud service provider under NIS2. The directive targets SaaS providers at scale where service disruption would have significant societal impact.

The scale question for SaaS: The directive applies to medium and large enterprises. For SaaS, the question is whether the service qualifies as a "cloud computing service" under the relevant EU regulation. Most small-to-mid-sized B2B SaaS companies are better characterised as deployers of cloud services, not cloud service providers themselves.

Test: Is your SaaS service something that, if disrupted, would cause significant operational disruption to a large number of businesses or individuals in the EU? If yes — you are likely a cloud service provider under NIS2. If no — you may be important but not directly classified as cloud infrastructure.


NIS2 Obligations for Cloud Service Providers

As essential entities, cloud service providers face the full Article 21 security stack plus specific sector requirements:

Availability and Resilience

Cloud services are relied upon for critical operations. NIS2 expects:

  • Geographic redundancy: Availability zones and regions to ensure service continuity
  • Disaster recovery: Recovery time objectives for all service tiers, with tested failover
  • Capacity planning: Systems must be resilient to demand surges and DDoS attacks
  • SLA commitments aligned with NIS2: Contractual availability commitments to customers must reflect NIS2-required resilience

Security Architecture

  • Zero-trust architecture: Access to internal systems and customer data based on continuous verification, not network position
  • Tenant isolation: Customer environments must be cryptographically isolated — one tenant cannot access another's data or resources
  • Data residency controls: EU customers require data residency in EU regions; NIS2 adds regulatory force to this expectation
  • Encryption: All customer data encrypted at rest and in transit with documented key management

Access Control and Identity

  • MFA everywhere: All internal administrative access and all customer IAM must support MFA
  • Privileged access management: Strict controls on who can access production systems and customer environments
  • Root/superadmin account protection: Cloud providers must have exceptional controls on the highest-privilege accounts

Vulnerability Management and Patching

  • Patch velocity for shared infrastructure: Vulnerabilities in shared hypervisors, container runtimes, and storage systems must be patched rapidly — these affect all tenants simultaneously
  • CVE monitoring: Active monitoring for new vulnerabilities in the cloud provider's stack
  • Customer notification: When vulnerabilities in the shared platform affect customer workloads, timely notification is required

Incident Reporting for Cloud Providers

Cloud provider incidents have outsized impact — a major cloud outage can affect thousands of in-scope NIS2 customers simultaneously. This elevates the reporting obligation:

  • 24-hour early warning for significant incidents affecting services
  • 72-hour detailed notification to national CSIRT
  • Customer notification for incidents affecting their workloads — NIS2 customers have their own reporting obligations that depend on your incident timeline

Coordinate customer notification carefully. Enterprise customers who are NIS2 essential entities have a 24-hour early warning obligation of their own. If your incident affects their operations, they need your notification immediately to meet their own obligation.
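The timeline coordination described above can be made concrete in a small helper. The following Python is an added example, not code from the page or from any NIS2 tooling: it computes the provider's own 24-hour and 72-hour deadlines from the moment of awareness, then builds a customer notification list in which affected customers that are themselves NIS2 entities come first, with the early-warning deadline they inherit from the provider's notification time. Customer names, the incident identifier and the timestamps are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Reporting windows as stated in the text (NIS2 Article 23): early warning
# within 24 hours and detailed notification within 72 hours of awareness.
EARLY_WARNING = timedelta(hours=24)
DETAILED_NOTIFICATION = timedelta(hours=72)


@dataclass
class AffectedCustomer:
    name: str
    nis2_entity: bool          # customer is itself an essential/important entity
    workloads_impacted: bool   # their workloads on the platform are affected


@dataclass
class Incident:
    incident_id: str
    aware_at: datetime         # when the provider became aware (clock start)
    significant: bool          # meets the "significant incident" threshold
    customers: list[AffectedCustomer] = field(default_factory=list)


def provider_deadlines(incident: Incident) -> dict[str, datetime]:
    """Return the provider's own CSIRT deadlines, keyed by report stage.

    A non-significant incident carries no Article 23 reporting deadline, so
    the dict is empty; customer-facing duties are handled separately below.
    """
    if not incident.significant:
        return {}
    return {
        "early_warning": incident.aware_at + EARLY_WARNING,
        "detailed_notification": incident.aware_at + DETAILED_NOTIFICATION,
    }


def customer_notification_plan(incident: Incident, notify_at: datetime) -> dict:
    """Build the customer notification list for a planned notification time.

    Customers that are NIS2 entities with impacted workloads are listed first
    with priority "immediate": their own 24-hour early-warning clock starts
    when they become aware, which in practice is when the provider tells them,
    so the plan records the deadline each of them inherits from notify_at.
    The plan is flagged late if notify_at falls after the provider's own
    early-warning deadline (a significant incident only).
    """
    own = provider_deadlines(incident)
    notifications = []
    for c in incident.customers:
        if not c.workloads_impacted:
            continue  # unaffected tenants receive no incident notice
        entry = {
            "customer": c.name,
            "priority": "immediate" if c.nis2_entity else "standard",
        }
        if c.nis2_entity:
            entry["customer_early_warning_due"] = notify_at + EARLY_WARNING
        notifications.append(entry)
    # Stable sort: "immediate" entries first, original order otherwise.
    notifications.sort(key=lambda e: e["priority"] != "immediate")
    late = "early_warning" in own and notify_at > own["early_warning"]
    return {"incident_id": incident.incident_id, "notifications": notifications, "late": late}


def sample_incident() -> Incident:
    """Constructed sample: one NIS2 hospital customer, one non-NIS2 shop, one unaffected tenant."""
    aware = datetime(2026, 6, 10, 8, 0, tzinfo=timezone.utc)
    return Incident(
        "INC-EXAMPLE-1",  # placeholder identifier
        aware,
        significant=True,
        customers=[
            AffectedCustomer("hospital-group", nis2_entity=True, workloads_impacted=True),
            AffectedCustomer("retail-shop", nis2_entity=False, workloads_impacted=True),
            AffectedCustomer("analytics-startup", nis2_entity=False, workloads_impacted=False),
        ],
    )


if __name__ == "__main__":
    inc = sample_incident()
    print(provider_deadlines(inc))
    print(customer_notification_plan(inc, inc.aware_at + timedelta(hours=2)))
```

The lateness check is deliberately tied to the provider's own early-warning deadline rather than to each customer's: a provider that has not yet told affected NIS2 customers by the time its own 24-hour window closes has almost certainly left them unable to meet theirs.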


The Shared Responsibility Model and NIS2

Cloud providers and their customers share security responsibility in a model that maps to NIS2:

Cloud provider responsible for:

  • Physical security of data centres
  • Host OS and hypervisor security
  • Network controls for cloud infrastructure
  • Customer data isolation
  • Availability and resilience of the platform

Customer responsible for:

  • Security of their workloads, applications, and data on the cloud
  • Identity and access management for their accounts
  • Data classification and encryption of their data (beyond provider-level encryption)
  • Network configuration within their cloud account

This division must be clearly documented in cloud service agreements. NIS2 customers need to understand which security obligations are theirs and which are the cloud provider's.


Contractual Requirements from NIS2 Customers

Enterprise customers who are NIS2 essential or important entities will require specific provisions in cloud service agreements:

  • Security incident notification within 24 hours
  • Data residency guarantees
  • Audit rights
  • Sub-processor disclosure
  • Minimum security standard commitments (ISO 27001 or equivalent)
  • Service level agreements aligned with customer resilience requirements

Cloud providers that do not accommodate these requirements will be disadvantaged in enterprise sales to NIS2-regulated customers.

ComplyOne determines your NIS2 entity classification and generates the required security documentation.
