
What NIS2 actually means for your Azure environment

A pragmatic, non-lawyer's reading of the NIS2 directive and the Azure controls that map to it.

[Image: NIS2 shield with Azure security control mapping]

NIS2 has been “coming” for two years and is now, actually, here. Your sales team is probably already answering customer questionnaires about it. Your engineering team is probably still hoping someone else will figure it out.

This is a quick, opinionated reading of what it means in practice if you run workloads on Azure.

The short version

NIS2 widens the scope of entities covered compared to NIS1, raises the bar on incident reporting (24 hours initial notification, 72 hours full report, 1 month detailed report), and introduces personal liability for management. It does not prescribe specific technical controls — it prescribes outcomes.

That’s good news. It means you don’t have to rip and replace. You have to be able to demonstrate that your existing stack meets the outcomes.

The Azure controls that help

The good news: if you’re already running a half-decent Azure Landing Zone, you’re closer than you think. Here’s the mapping as I use it with clients:

Risk management & governance

  • Azure Policy with the built-in NIS2 initiative (yes, it exists now).
  • Microsoft Defender for Cloud regulatory compliance dashboard — point it at the NIS2 standard.
  • Resource tagging enforced via policy so you can actually answer “which workloads are in scope?”

Incident handling

  • Microsoft Sentinel with the connectors for Entra ID sign-ins, Defender for Cloud, and your relevant data plane logs.
  • Azure Monitor Action Groups routing high-severity alerts to an on-call rotation that exists, with a runbook that humans have actually read.
  • Log retention ≥ 12 months on the workspaces that matter. Archive tier is your friend.
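A small gap check for the two controls above that are easiest to get wrong quietly: the scope tag (can you answer "which workloads are in scope?") and the 12-month retention floor on the workspaces that matter. This is an added example, not code from the original post. It audits a constructed inventory whose field names follow the Azure Log Analytics resource model (`retentionInDays` on a workspace; `retentionInDays` and `totalRetentionInDays` on a table, the latter being interactive plus archive retention), but the values, the tag name `nis2-scope`, the set of tables treated as "the ones that matter", and the nesting of tables under workspaces are all assumptions made for the example. In a real tenant you would fill the same structure from `az monitor log-analytics workspace list` and `az monitor log-analytics workspace table list`.

```python
"""Gap check for scope tagging and log retention (added example, constructed data)."""

MIN_TOTAL_RETENTION_DAYS = 365   # the post's ">= 12 months" floor
SCOPE_TAG = "nis2-scope"         # hypothetical tag name, assumed to be enforced via policy
TABLES_THAT_MATTER = {"SigninLogs", "SecurityAlert", "AzureActivity"}  # assumption

# Constructed sample inventory. Table-level totalRetentionInDays is interactive
# retention plus archive, so a workspace with a 90-day default can still meet a
# 12-month floor for the tables that matter if those tables are archived.
WORKSPACES = [
    {
        "name": "law-prod-weu",
        "retentionInDays": 90,
        "tags": {SCOPE_TAG: "in"},
        "tables": [
            {"name": "SigninLogs", "retentionInDays": 90, "totalRetentionInDays": 730},
            {"name": "SecurityAlert", "retentionInDays": 90, "totalRetentionInDays": 365},
            {"name": "AzureActivity", "retentionInDays": 90, "totalRetentionInDays": 90},
        ],
    },
    {
        "name": "law-dev-weu",
        "retentionInDays": 30,
        "tags": {SCOPE_TAG: "out"},
        "tables": [
            {"name": "SigninLogs", "retentionInDays": 30, "totalRetentionInDays": 30},
        ],
    },
    {"name": "law-legacy", "retentionInDays": 30, "tags": {}, "tables": []},
]


def effective_retention(workspace, table):
    """Days a table's data stays queryable (interactive + archive).

    A table without its own setting inherits the workspace default.
    """
    return (
        table.get("totalRetentionInDays")
        or table.get("retentionInDays")
        or workspace.get("retentionInDays", 0)
    )


def audit_workspace(ws, min_days=MIN_TOTAL_RETENTION_DAYS):
    """Return a list of (workspace name, finding) tuples for one workspace."""
    findings = []
    tags = ws.get("tags") or {}
    scope = tags.get(SCOPE_TAG)
    if scope is None:
        # An untagged workspace means the scope question cannot be answered:
        # flag it, and treat it as in scope until someone documents otherwise.
        findings.append((ws["name"], "missing scope tag"))
        scope = "in"
    if scope != "in":
        return findings
    present = {t["name"]: t for t in ws.get("tables", [])}
    for table_name in sorted(TABLES_THAT_MATTER):
        table = present.get(table_name)
        if table is None:
            findings.append((ws["name"], f"{table_name}: table not present"))
            continue
        days = effective_retention(ws, table)
        if days < min_days:
            findings.append((ws["name"], f"{table_name}: {days}d retained, need {min_days}d"))
    return findings


def audit(workspaces=WORKSPACES):
    """Run the check across the whole inventory and return every finding."""
    findings = []
    for ws in workspaces:
        findings.extend(audit_workspace(ws))
    return findings


if __name__ == "__main__":
    for ws_name, finding in audit():
        print(f"{ws_name}: {finding}")
```

The point of checking `totalRetentionInDays` rather than the workspace default is the "archive tier is your friend" caveat: a 90-day interactive workspace is fine for the audit as long as the sign-in, alert and activity tables are archived out to a year or more, and the check should say so per table rather than failing the whole workspace.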

Business continuity

  • Azure Backup with vaulted backups and cross-region restore tested at least annually.
  • Azure Site Recovery for the VMs that warrant it. RTO/RPO written down and signed off by someone with the authority to sign things off.

Supply chain

  • Entra ID Conditional Access enforced for all third-party admin accounts.
  • Managed Identities over service principals wherever possible.
  • Private endpoints + firewall allowlists in front of anything talking to an external SaaS.

Training & awareness

  • This one isn’t Azure, it’s people. But logging who-completed-what in a system that auditors can read matters as much as any control.

The part nobody likes

NIS2 requires that the measures be proportionate to the risk. “Proportionate” is lawyer-speak for “document your reasoning.” A 20-person SaaS and a regional hospital network will implement very different controls. What they both need is a written risk assessment that justifies what they chose.

That document is, in my experience, what most organisations are missing — not the controls.

Bottom line

NIS2 isn’t a checklist you pass. It’s a posture you maintain. Azure gives you most of the tooling. The hard part is having someone accountable for making sure the tooling is actually doing what the policy says it’s doing.

That accountable person, ideally, isn’t whoever happened to have a free afternoon.