Key facts for digital infrastructure

  • Digital infrastructure providers sit under Annex I, typically as essential entities.
  • DNS, TLD, trust services, and electronic communications providers are in scope regardless of size.
  • NIS2 overlaps with eIDAS, GDPR, the CER Directive, and the European Electronic Communications Code.
  • Cloud shared-responsibility duties are explicit under Article 21 transparency expectations.
  • DDoS resilience, supply chain security, and incident reporting are the three most frequent audit focus areas.

Sub-sector scope

NIS2 Annex I for digital infrastructure is detailed. In-scope entity types include:

  • Internet exchange point (IXP) providers.
  • DNS service providers, including authoritative and recursive services offered to third parties. In scope regardless of size.
  • Top-level domain (TLD) name registries. In scope regardless of size.
  • Cloud computing service providers, covering IaaS, PaaS, and SaaS.
  • Data center service providers, for colocation and similar services.
  • Content delivery network (CDN) providers.
  • Trust service providers under eIDAS, both qualified and non-qualified. In scope regardless of size.
  • Providers of public electronic communications networks and publicly available electronic communications services. In scope regardless of size.

NIS2 also treats managed service providers (MSPs) and managed security service providers (MSSPs) as a related category under Annex I. These providers are in scope when they meet the size thresholds or are designated critical.

Top cyber risks for digital infrastructure

DDoS and volumetric attacks

DNS, IXP, CDN, and electronic communications operators sit directly in the DDoS crosshairs. Large volumetric and application-layer attacks are a weekly reality. Article 21 continuity duties demand documented capacity planning and tested mitigation arrangements, not just a polished marketing page.

Supply chain compromise

The sector is tightly interconnected. A compromise at a network equipment vendor, a DNS management tool, or a certificate authority can propagate across many operators. Article 21 supply chain duties require structured assessment of critical third parties and contract-level obligations on them.

Cloud shared-responsibility gaps

Customers assume their provider handles more than the provider actually handles. Misconfigured storage, exposed management APIs, and leaked credentials remain the dominant failure modes for cloud incidents. Providers are now expected to publish controls clearly enough for customers to meet Article 21 for their own share.

Insider risk and privileged access

Engineers with root across hundreds of customer environments are a high-value target. Expect scrutiny of privileged access management, session recording, just-in-time access, and separation of duties.

Trust anchor incidents

Trust service providers carry a special risk profile: an incident affecting certificate issuance or revocation can cascade into failures across millions of user-facing services. NIS2 overlays eIDAS obligations with horizontal cybersecurity duties and shared reporting channels.

Regulatory interplay

NIS2 does not sit alone. For digital infrastructure providers the most relevant intersections are:

  • eIDAS Regulation. Qualified trust service providers retain eIDAS duties, now supplemented by NIS2 Article 21 and Article 23.
  • European Electronic Communications Code (EECC). Public electronic communications providers already face sector incident reporting under the EECC. NIS2 reporting may apply in parallel.
  • GDPR. Data centers, cloud, and CDN providers acting as processors should align NIS2 incident reporting with GDPR Article 33 notifications to controllers.
  • CER Directive. Large data center operators and electronic communications providers may fall in scope for physical resilience as well.
  • DORA. Financial entity customers subject to DORA will demand NIS2-aligned evidence from their critical ICT third parties. Expect contract and audit pressure.

A 30-day, 90-day, and 12-month roadmap

First 30 days: clarity

  • Confirm scope per legal entity, including multi-country operations, and register with the national competent authority.
  • Map existing certifications and controls (ISO 27001, SOC 2, ISO 22301, CSA STAR) to Article 21.
  • Inventory customer-facing services and map dependencies on third parties, including upstream transit, DNS providers, and certificate authorities.
  • Confirm the 24-hour, 72-hour, and one-month incident reporting chain: who files, who approves, who liaises with customers.

Days 30 to 90: stabilise

  • Publish a management-body-approved information security policy and complete mandatory board training.
  • Close key quick wins: MFA on all privileged interfaces, reduction of standing privileged access, and hardened administrative jump paths.
  • Run a DDoS tabletop and a supply chain compromise tabletop.
  • Refresh customer-facing trust collateral (CAIQ, whitepapers) to reflect NIS2 obligations and shared-responsibility expectations.

Months 4 to 12: sustain

  • Mature supply chain security: tiered third-party assessments, contract clauses, and continuous monitoring of critical providers.
  • Integrate NIS2 incident reporting with GDPR, EECC, eIDAS, and customer notification flows into one coordinated process.
  • Extend transparency: updated shared-responsibility matrices, control inheritance documentation, and evidence packs for regulated customers.
  • Run an internal audit against Article 21 and close gaps before first external supervision.

Frequently asked questions

Which digital infrastructure providers are in scope?

Annex I covers IXPs, DNS providers, TLD name registries, cloud providers, data center operators, CDNs, trust service providers, and public electronic communications networks and services.

Do size thresholds apply?

DNS providers, TLD registries, trust service providers, and public electronic communications providers are in scope regardless of size. Data centers, cloud providers, and CDNs generally need to meet medium or large thresholds.

Essential or important?

Most in-scope providers are essential, with higher maximum fines and proactive supervision. Smaller entities in specific sub-sectors can be classified as important.

How does NIS2 interact with eIDAS?

Qualified trust service providers retain eIDAS duties and pick up NIS2 cybersecurity and reporting duties on top. In practice, both are implemented as one program with coordinated controls and reporting.

How does NIS2 interact with the CER Directive?

CER covers physical resilience. Some data centers and large electronic communications providers are in scope of both, and an integrated program avoids duplication.

What does cloud shared responsibility mean under NIS2?

Providers own the security of the cloud and their share of the controls. Customers own the secure configuration and use of the services. Providers should publish clear transparency documentation so customers can meet their own Article 21 obligations.

What does DDoS readiness mean under Article 21?

Capacity planning, documented mitigation arrangements with upstream or specialist providers, runbooks, and periodic exercises. The bar is demonstrable outcomes, not marketing claims.

How long does implementation take?

With ISO 27001 or SOC 2 in place, four to nine months is realistic. Without a formal ISMS, plan nine to eighteen months.

Built on top of what you already have

If you already run ISO 27001 or SOC 2, NIS2 is an extension, not a reset. A scoping call identifies the exact delta for your business model.