NIS2 for hosting providers and their clients: what actually changes

The EU NIS2 directive classifies cloud and hosting providers as essential entities, the highest-risk tier. Here's what that means for providers, their clients, and the penalties involved.

The EU's NIS2 directive (officially Directive (EU) 2022/2555) is the biggest overhaul of European cybersecurity regulation in years. It replaced the original NIS directive in October 2024, and it puts cloud providers, hosting companies, data centers, CDN operators, and DNS providers in the highest-risk category: essential entities.

That's not a marginal classification. It means proactive government supervision, mandatory incident reporting within 24 hours, personal liability for management, and fines up to €10 million or 2% of global turnover. And the obligations don't stop at the hosting provider; they cascade down to clients through supply chain requirements.

Yet 19 of 27 EU member states still haven't fully transposed the directive into national law, including the Netherlands. The confusion about who must do what (and when) is real.

TL;DR: NIS2 classifies hosting and cloud providers as essential entities, subject to the strictest obligations: 24-hour incident reporting, board-level accountability, supply chain security requirements, and fines up to €10M or 2% of global turnover. Clients of NIS2-covered providers benefit from higher baseline security, but NIS2-obligated clients will also need to audit their hosting provider's compliance. The Dutch Cyberbeveiligingswet is still in parliament as of April 2026.

What NIS2 changed

The original NIS directive from 2016 had a narrow scope (around seven sectors) and gave member states wide discretion in deciding which organisations fell under it. The result: fragmented implementation, inconsistent enforcement, and digital infrastructure that largely escaped meaningful oversight.

NIS2 fixes this. Adopted on 14 December 2022 and in force since January 2023, it expands coverage to 18 sectors, introduces a uniform size-based threshold instead of national discretion, sets minimum fine floors, and, critically, makes management personally liable for cybersecurity failures.

The transposition deadline was 17 October 2024. Most member states missed it. The European Commission sent formal reasoned opinions to 19 countries in May 2025, threatening referral to the Court of Justice. As of early 2026, roughly 8–10 member states have completed transposition. Belgium has been operational since October 2024. Germany's implementation entered into force in December 2025.

Why hosting providers are essential entities

NIS2 divides covered organisations into two tiers. Essential entities (Annex I) face proactive supervision: on-site inspections, audits, the full toolkit. Important entities (Annex II) are supervised reactively, only after an incident.

Cloud computing providers, data center operators, CDN providers, DNS providers, and managed service providers are all explicitly listed in Annex I under "digital infrastructure." That's the essential entity tier. The rationale is obvious: when a hosting provider goes down, dozens or hundreds of businesses go dark with it.

The general size threshold for NIS2 is a medium enterprise or larger, specifically 50 or more employees, or annual turnover above €10 million. Below that, most entities are exempt. But some categories are in scope regardless of size: DNS providers, TLD registries, qualified trust service providers, and providers of public electronic communications networks. A small DNS hosting company with 12 employees? In scope.

The key obligations

Article 21 defines ten minimum cybersecurity measures. For hosting providers, the ones with the most operational impact are:

  • Incident reporting with hard deadlines. A significant incident (like a complete service outage or a data breach) must be reported to the national CSIRT within 24 hours (early warning), with a detailed notification within 72 hours, and a full root-cause report within one month. No exceptions.
  • Supply chain security. You must assess the cybersecurity of your direct suppliers (hardware vendors, software providers, subcontractors) and include security requirements in contracts. This obligation runs in both directions: your clients who are themselves NIS2 entities will audit you.
  • Management accountability. The board must formally approve cybersecurity measures, oversee their implementation, and undergo cybersecurity training. This isn't checkbox governance; management can be held personally liable.
  • Multi-factor authentication. Article 21(j) requires MFA or continuous authentication. Not recommended. Required.
  • Vulnerability handling. A formal process for discovering, tracking, and disclosing vulnerabilities. If you're running managed WordPress environments, this connects directly to how you handle plugin vulnerabilities and security incidents.

For digital service providers specifically, Implementing Regulation (EU) 2024/2690 translates these principles into more than 150 concrete technical controls. As an EU regulation, it has been in force since November 2024, independent of national transposition.

What this means for hosting clients

NIS2 creates a compliance cascade through its supply chain requirements. If your business is an NIS2 entity (say, a healthcare company, a logistics firm, or a financial services provider) you're required to assess the cybersecurity practices of your direct suppliers. That includes your hosting provider.

In practice, this means NIS2-obligated clients will start asking their hosting providers for:

  • Evidence of a formal cybersecurity risk management program
  • Contractual clauses covering incident reporting, security requirements, and audit rights
  • Proof of NIS2 compliance or equivalent security posture

If the hosting provider can't deliver, the client has a regulatory reason to switch.

Even if you're a small business owner not directly in NIS2's scope, you benefit indirectly. A hosting provider that takes NIS2 compliance seriously raises the security baseline for everyone on their infrastructure: better incident response, faster patching, more robust access controls.

The parallel to GDPR is instructive. When GDPR arrived, every business started asking its suppliers for data processing agreements. NIS2 will trigger a similar wave, but for cybersecurity assurances. If you've been through the GDPR and cookie consent compliance process, the pattern will feel familiar.

The Dutch situation: waiting for the Cyberbeveiligingswet

The Netherlands missed the October 2024 transposition deadline and received a formal reasoned opinion from the Commission in May 2025. The Dutch implementing law, the Cyberbeveiligingswet (Cbw), was submitted to the Tweede Kamer on 7 June 2025 and debated in a plenary session on 23 March 2026. It still needs a vote in the Tweede Kamer and consideration by the Eerste Kamer. The government's current target is Q2 2026.

Until the Cyberbeveiligingswet enters into force, no NIS2 obligations formally apply in the Netherlands. The existing Wbni (Wet beveiliging netwerk- en informatiesystemen) remains operative.

That said: the Implementing Regulation (EU) 2024/2690 for digital service providers is an EU regulation, which means it applies directly, without national transposition. Hosting providers, cloud providers, CDN providers, and managed service providers are already technically covered by its 150+ technical controls.

Once the Cbw takes effect, organisations will have approximately 10 months to register and meet compliance requirements. Agentschap Telecom is expected to supervise digital infrastructure providers; NCSC handles incident reporting; and RDI conducts proactive compliance assessments.

Penalties and personal liability

The fines mirror GDPR's structure, and deliberately so. For essential entities, the maximum fine must be at least €10 million or 2% of total global annual turnover, whichever is higher. For important entities, at least €7 million or 1.4%. These are minimum floors for the national maximum; member states may legislate higher ceilings.

What's genuinely new: personal consequences for management. Under Article 20, board members of essential entities can face temporary bans from holding management positions if their negligence contributed to a compliance failure. This isn't theoretical. It's the mechanism the directive uses to ensure cybersecurity doesn't stay buried in the IT department.

No NIS2-specific fines have been publicly issued yet as of April 2026, primarily because most jurisdictions haven't finished transposing. But the enforcement machinery is being assembled. Belgium's registration deadline has already passed. Germany's BSI is collecting registrations. The window before active enforcement is closing.

When NIS2 is not your problem

Not every hosting company or web professional falls under NIS2. If you're a freelance developer, a small agency with fewer than 50 employees and under €10M turnover, or a business owner running a WordPress site: NIS2 does not impose direct obligations on you, unless you happen to provide DNS, TLD registry, or trust services.

The exception to watch: member states may designate smaller entities with a high-risk profile. And if you're a client of a hosting provider that is under NIS2, you benefit from their compliance obligations without bearing the burden yourself.

NIS2 also doesn't replace GDPR. A single ransomware attack on a hosting provider could trigger both: NIS2's 24-hour early warning to the national CSIRT and GDPR's 72-hour breach notification to the data protection authority. Different laws, different authorities, different timelines, both applicable simultaneously.

Key takeaways

  • NIS2 classifies cloud providers, hosting companies, data centers, CDN operators, and DNS providers as essential entities, the highest-risk tier, subject to proactive supervision.
  • The size threshold is generally 50+ employees or €10M+ turnover. DNS providers and TLD registries are in scope regardless of size.
  • Key obligations: 24h/72h/1 month incident reporting cascade, management accountability and training, supply chain security, and mandatory MFA.
  • NIS2-obligated clients will audit their hosting provider's security posture, similar to how GDPR triggered data processing agreements.
  • The Dutch Cyberbeveiligingswet is still in parliament. The EU's implementing regulation for digital providers is already in force.
  • Fines: up to €10M or 2% of global turnover for essential entities, with personal liability for management.
