Data centres are explicitly named in NIS2 Annex I as essential entities under the digital infrastructure sector. This means data centre operators face the most demanding NIS2 obligations — proactive supervision, regular audits, and the highest penalty tier. If you operate a data centre, colocation facility, or hyperscale cloud infrastructure, NIS2 compliance is not optional and the requirements are specific.
NIS2 Scope for Data Centres
NIS2 Article 6 defines "data centre service", and Annex I lists it under the digital infrastructure sector. The definition covers:
- Colocation data centres providing physical space, power, cooling, and connectivity for customer-owned equipment
- Purpose-built cloud infrastructure owned and operated by the provider
- Edge data centres serving specific geographic regions
Size threshold: For the digital infrastructure sector, including data centre services, the standard size threshold (over 50 employees, over €10 million turnover) applies, but member states can designate specific facilities as essential regardless of size. Any data centre that provides services that are critical to a member state's digital infrastructure may be designated directly.
Security Requirements for Data Centre Operators
NIS2 Article 21 security requirements, applied to data centre operations:
Physical Security
Data centres have specific physical security requirements under NIS2:
- Perimeter security (fencing, barriers, security staffing)
- Access control to all secure zones — multi-factor authentication for physical access
- CCTV monitoring of all access points and critical areas
- Man-trap entry systems for high-security areas
- Visitor management procedures with escort requirements
- Environmental controls — fire suppression, flood detection, temperature monitoring
Power and Environmental Resilience
- Uninterruptible power supply (UPS) systems for all critical infrastructure
- Generator backup with tested switchover procedures
- Dual utility feeds from separate substations (for Tier III+ facilities)
- Documented power capacity planning
- Regular generator testing with documented results
Network and Connectivity Security
- Redundant internet connectivity from diverse providers
- DDoS protection and traffic filtering at the network perimeter
- Network monitoring and anomaly detection
- Documented internet exchange connectivity (IXP connections) and peering policies
- Secure remote access controls for management networks
Software and System Security
- Patch management for all data centre management systems (DCIM, BMS, power monitoring)
- Vulnerability scanning of all IP-accessible systems
- Privileged access management for data centre management platforms
- Audit logging of all administrative access to critical systems
Incident Reporting for Data Centres
Data centre operators are subject to the full NIS2 incident reporting regime:
- 24-hour early warning for significant incidents (major power failures, network outages, physical security breaches, fire or environmental events)
- 72-hour incident notification to the national CSIRT
- 30-day final report
What counts as a significant incident for data centres:
- Extended outage affecting a significant number of customers
- Physical security breach — unauthorised access to secure areas
- Major environmental incident (fire, flooding, power failure beyond normal resilience)
- Cyberattack on management systems
- Loss of customer data or confidentiality breach
Supply Chain and Third-Party Risk
Data centre operators depend on a complex supply chain: hardware vendors, power infrastructure providers, cooling system suppliers, network providers, and software vendors for DCIM and BMS platforms.
NIS2 requires:
- Risk assessment of all critical suppliers
- Security requirements in supplier contracts
- Monitoring of supplier security practices
- Management of supplier changes with security impact assessment
Hardware supply chain security is a specific concern for data centres — the security of servers and networking equipment from supply chain to installation is relevant to both NIS2 and DORA (for financial sector customers).
CSRD Intersection: Data Centre Sustainability Reporting
NIS2 compliance for data centres now intersects with CSRD sustainability reporting obligations. Large data centres face:
CSRD / EED (Energy Efficiency Directive): Data centres above certain capacity thresholds must report on energy use, power usage effectiveness (PUE), water consumption, and carbon emissions under the EU Energy Efficiency Directive. This reporting intersects with CSRD for large operators.
Security vs sustainability tension: NIS2 resilience requirements (redundant power, multiple cooling systems) can conflict with energy efficiency goals. Document how resilience requirements are balanced with sustainability targets.
Customer Contractual Obligations
Enterprise customers who are themselves NIS2 essential or important entities will require data centre operators to:
- Demonstrate NIS2 compliance (ISO 27001, SOC 2 Type II, or equivalent)
- Provide incident notification within 24 hours of any event affecting their hosted services
- Allow audit rights under NIS2 supply chain provisions
- Certify supply chain security practices for their infrastructure
Data centre SLAs increasingly include NIS2 security provisions as standard. Review your standard agreements against customer expectations.