CAI Technology

☁️NIS2 for Cloud Computing & Data Centers — deadlines, obligations, fines

Cloud Computing & Data Centers fall under NIS2 (Directive (EU) 2022/2555 + Romanian Emergency Ordinance 155/2024). See the Art. 21 obligations, deadlines, maximum fines and the compliance roadmap for Annex I entities.

Last reviewed: · CAI Technology · Lexnomia + AEGIS team

🎯 Who is covered

Cloud computing service providers, data centre service providers and content delivery network (CDN) providers are listed in Annex I to Directive (EU) 2022/2555 (NIS2), in the high-criticality sector "Digital infrastructure" [C1]. The general size rule applies: an entity is in scope once it is at least medium-sized (>= 50 staff, or annual turnover and balance-sheet total both above EUR 10 million). Under NIS2 Art. 3, Annex I entities that exceed the ceilings for medium-sized enterprises (>= 250 staff, or turnover above EUR 50 million and balance-sheet total above EUR 43 million) are essential entities, while medium-sized ones are important entities. Providers below the size threshold, or medium-sized providers with national or regional critical importance, may be brought into scope or reclassified individually by DNSC (the Romanian National Cybersecurity Directorate) [C1][C7]. Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 sets out the technical and methodological requirements for cloud, data centre, CDN, DNS, TLD, MSP, MSSP, trust service providers and online platforms: a single act directly applicable in all Member States from 7 November 2024, structured around 13 thematic control sections in its Annex [C8][C10]. In Romania, NIS2 was transposed through OUG 155/2024 (the Emergency Ordinance transposing NIS2, published 30.12.2024), approved and amended by Law 124/2025 (10.07.2025); DNSC is the competent national authority, and registration of essential and important entities started after DNSC Orders 1/2025 and 2/2025 came into force on 20.08.2025, with a 30-day window for notification [C7][C15]. In addition to NIS2, the sector also falls under Regulation (EU) 2023/2854 (the EU Data Act: cloud-switching rights, applicable from 12 September 2025) [C12], Regulation (EU) 2022/2554 (DORA) when serving financial entities, with direct oversight where designated as a critical ICT third-party provider (CTPP) [C13], and Regulation (EU) 2024/2847 (CRA) for products with digital elements [C14]. The European certification scheme for cloud services (EUCS) is in final preparation at ENISA under the Cybersecurity Act (Regulation (EU) 2019/881) [C11].

Examples in Romania

  • NXDATA — NXDATA-1 and NXDATA-2 (Pipera, Bucharest), NXDATA-3 operational 2026: neutral colocation, regional interconnection hub
  • Telekom Romania Communications — 8 data centres in operation (Bucharest, Brasov, Cluj-Napoca)
  • GTS Telecom Romania (Deutsche Telekom) — DC2 / DC3 / DC3.2 Bucharest, capacity ~2 MW, 240 racks
  • Hyperscalers (AWS Frankfurt, Microsoft Azure West Europe / Netherlands, Google Cloud europe-west) — serving traffic into Romania and potentially in scope of NIS2 where they have an establishment or a designated representative in the EU
  • M247, Voxility, Tennet Telecom, Star Storage, Phoenix Telecom & Media Services, Teletrans, NAV Telecom, Prime Telecom — other colocation / private-cloud operators in Bucharest

Applicability thresholds

Annex I of NIS2 includes "Cloud computing service providers", "Data centre service providers" and "Content delivery network providers" within the Digital infrastructure sector [C1]. Size rule: entities that are at least medium-sized (>= 50 staff, or turnover and balance-sheet total both above EUR 10 million) are in scope; under Art. 3 those exceeding the medium-sized ceilings (>= 250 staff, or turnover above EUR 50 million and balance-sheet total above EUR 43 million) are essential entities and medium-sized ones are important entities, the sector itself being high-criticality. The definition of "data centre service" excludes in-house data centres operated by an entity for its own purposes; only providers of services to third parties are in scope [C1]. How a specific operator is classified in Romania, and whether it is reclassified individually, follows the criteria of DNSC Orders 1/2025 and 2/2025 [C15]; in practice, hyperscalers and national data-centre operators come in as essential, while local private-cloud / colocation providers usually come in as important. For significant-incident reporting, Reg. 2024/2690 sets specific thresholds per service type: cloud in Art. 7; data centres in Art. 8; CDN in Art. 9 [C8][C9].

📅 Regulatory timeline

  1. April 2019: Adoption of the Cybersecurity Act (Regulation (EU) 2019/881) — legal basis for European cybersecurity certification schemes, including EUCS for cloud [C11]

  2. December 2020: ENISA publishes the first draft of the EUCS scheme — Cloud Services Cybersecurity Certification Scheme [C11]

  3. 14.12.2022: Adoption of Directive (EU) 2022/2555 (NIS2) — cloud, data centre and CDN providers come into scope through Annex I, as essential or important entities depending on size [C1][C2]

  4. 14.12.2022: Adoption of Regulation (EU) 2022/2554 (DORA) — for CSPs serving financial entities, introduces the oversight regime for CTPPs [C13]

  5. 13.12.2023: Adoption of Regulation (EU) 2023/2854 (EU Data Act) — cloud switching and data portability rights [C12]

  6. 11.01.2024: The EU Data Act enters into force; new rules for contracts with CSPs [C12]

  7. 17.10.2024: EU deadline for transposing NIS2 (Art. 41); adoption of Implementing Regulation (EU) 2024/2690 — technical measures + incident thresholds for cloud, data centre, CDN, DNS, TLD, MSP, MSSP, trust services [C2][C8]

  8. 07.11.2024: Implementing Regulation (EU) 2024/2690 enters into force — 13 thematic Annex sections directly applicable [C8][C10]

  9. 10.12.2024: Cyber Resilience Act (Regulation (EU) 2024/2847) enters into force; new obligations on SBOM, vulnerability handling and security updates throughout the support period for products with digital elements [C14]

  10. 30.12.2024: Romania publishes OUG 155/2024 (Emergency Ordinance transposing NIS2); DNSC designated as competent national authority [C7]

  11. 10.07.2025: Law 124/2025 — approval of OUG 155/2024 with amendments (including the obligation of periodic training of the management body) [C7][C16]

  12. 20.08.2025: DNSC Orders 1/2025 and 2/2025 enter into force — notification requirements + risk-assessment methodology; 30-day window for registration at evidenta@dnsc.ro [C15]

  13. 12.09.2025: EU Data Act fully applicable — cloud-switching obligations start to apply contractually [C12]

  14. 18.11.2025: The ESAs publish the first official list of Critical ICT Third-Party Providers (CTPPs) under DORA Art. 31(9) — AWS, Microsoft Azure, Google Cloud among the first 19 designated [C13]

  15. 11.09.2026: CRA — obligations to report actively exploited vulnerabilities and severe incidents (Art. 14) become applicable [C14]

  16. 12.01.2027: EU Data Act — cloud switching charges become prohibited [C12]

  17. 11.12.2027: Cyber Resilience Act fully applicable; all products with digital elements placed on the market must meet the essential requirements [C14]

📋 Key obligations

ICT risk-management framework based on NIS2 Art. 21(2) + Reg. (EU) 2024/2690 — 13 mandatory technical sections

effort: high

Cloud, data centre and CDN providers must implement the ten minimum measures of NIS2 Art. 21(2)(a-j): risk and security policies, incident handling, continuity and recovery, supply-chain security, ICT acquisition and development (including vulnerability handling), effectiveness assessment, cyber hygiene and training, cryptography, HR security, access control and asset management, multi-factor authentication [C3]. Unlike telecom, for cloud / data centre / CDN there is a dedicated implementing regulation, Reg. (EU) 2024/2690, that operationalises Art. 21(2) across the 13 sections of its Annex: policy on the security of network and information systems; risk management; incident handling; business continuity and crisis management; supply-chain security; security in the acquisition, development and maintenance of network and information systems (including network security, segmentation, protection against malicious software and vulnerability handling); assessment of the effectiveness of the measures; basic cyber hygiene and security training; cryptography; HR security; access control; asset management; environmental and physical security [C10]. Common technical framework: ISO/IEC 27001:2022 + ISO/IEC 27017 (cloud security) + ISO/IEC 27018 (PII in cloud); for data centres, EN 50600 and TIA-942; as a cloud baseline, CSA STAR and the ENISA Cloud Computing Risk Assessment. The management body approves and oversees implementation (NIS2 Art. 20), supplemented by Law 124/2025 with an obligation of periodic professional cybersecurity training for members of the management body [C6][C16].

Recommended controls: NIS2 Art. 21(2)(a-j) · Reg. (EU) 2024/2690 Annex Sections 1-13 · OUG 155/2024 + Law 124/2025 · ISO/IEC 27001:2022 · ISO/IEC 27017 · ISO/IEC 27018 · EN 50600 (data centre) · ENISA NIS2 Implementing Act Technical Guidance v1.0 (2025)

Significant-incident thresholds specific to cloud, data centre and CDN — 24h / 72h / 1 month reporting to DNSC

effort: high

Reg. (EU) 2024/2690 Art. 7 sets, for cloud computing service providers, that an incident is significant if: (a) the service is completely unavailable for more than 30 minutes; (b) availability is limited for more than 5% of EU users of the service or more than 1 million EU users (whichever is smaller) for more than one hour; (c) the integrity, confidentiality or authenticity of data is compromised as a result of suspected malicious action; (d) such a compromise affects more than 5% or more than 1 million EU users [C9]. For data centre service providers (Art. 8): complete unavailability, limited availability for more than one hour, data compromised through suspected malicious action, or physical access to the facility compromised [C8]. For CDN (Art. 9): its own thresholds based on traffic and availability. The reporting procedure is the standard NIS2 Art. 23(4): early warning to the CSIRT (DNSC) within 24 hours of awareness, incident notification within 72 hours, final report no later than one month after the incident notification [C4]. In addition, NIS2 Art. 23(1) requires notifying, where appropriate, the recipients of the service of significant incidents likely to adversely affect the provision of that service; for a multi-tenant cloud or colocation operator the customer-notification path matters as much as the CSIRT path. The lesson of the Azure West Europe 2025 event [I7]: a single thermal event can take a whole regional cluster offline; thermal monitoring, automatic safety shutdown and a customer-communication plan are all part of the 'proportionate measure'.

Recommended controls: NIS2 Art. 23(1)-(4) · Reg. (EU) 2024/2690 Art. 7, 8, 9 · OUG 155/2024 (incident reporting chapter) · DNSC Order 2/2025 (disruption criteria) · ENISA Technical Guidance on Incident Notification
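The Art. 7 test and the Art. 23 reporting clock described above are mechanical enough to encode as a triage rule that an on-call runbook or SOAR playbook can run at the moment of awareness. The following Python is an added example, not code from CAI Technology, DNSC or any regulator; it assumes an internal incident record with the fields shown, and it applies the "whichever is smaller" user threshold and the (c)/(d) limbs as summarised on this page (check the wording against the Official Journal text before relying on it). The constructed example input is a 45-minute full outage.

```python
"""Triage of a cloud incident against the Art. 7 thresholds of Implementing
Regulation (EU) 2024/2690, plus the NIS2 Art. 23(4) reporting clock.
Added illustration, not code from CAI Technology or any regulator; the
incident record fields are an assumed internal layout."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

USER_SHARE_PERCENT = 5        # Art. 7: more than 5 % of EU users of the service ...
USER_COUNT_LIMIT = 1_000_000  # ... or more than 1 million EU users, whichever is smaller


@dataclass
class CloudIncident:
    aware_at: datetime                  # when the provider became aware; starts the Art. 23 clock
    full_outage_minutes: float = 0.0    # minutes the service was completely unavailable
    degraded_minutes: float = 0.0       # minutes of limited availability
    eu_users_total: int = 0             # EU user base of the affected service
    eu_users_affected: int = 0          # EU users hit by the degradation or compromise
    malicious_compromise: bool = False  # data integrity/confidentiality/authenticity hit by suspected malicious action


def user_threshold(eu_users_total: int) -> int:
    """Affected-user count above which Art. 7(b)/(d) apply:
    the smaller of 5 % of the user base and 1 million (integer arithmetic)."""
    return min(eu_users_total * USER_SHARE_PERCENT // 100, USER_COUNT_LIMIT)


def significance_reasons(inc: CloudIncident) -> list[str]:
    """Return the Art. 7 limbs the incident meets (empty list: not significant)."""
    reasons = []
    over_user_limit = inc.eu_users_affected > user_threshold(inc.eu_users_total)
    if inc.full_outage_minutes > 30:
        reasons.append("art7(a): complete unavailability > 30 min")
    if inc.degraded_minutes > 60 and over_user_limit:
        reasons.append("art7(b): limited availability > 1 h beyond the user threshold")
    if inc.malicious_compromise:
        reasons.append("art7(c): data compromised by suspected malicious action")
        if over_user_limit:
            reasons.append("art7(d): compromise beyond the user threshold")
    return reasons


def _plus_one_month(dt: datetime) -> datetime:
    """Calendar-month arithmetic with day clamping (31 Jan -> 28/29 Feb)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def reporting_deadlines(aware_at: datetime) -> dict[str, datetime]:
    """NIS2 Art. 23(4): early warning within 24 h and incident notification within
    72 h of awareness; final report at the latest one month after the incident
    notification, computed here from the latest permitted notification time."""
    notification = aware_at + timedelta(hours=72)
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "incident_notification": notification,
        "final_report": _plus_one_month(notification),
    }


def triage(inc: CloudIncident) -> dict:
    """Decision record an on-call engineer or SOAR rule can act on."""
    reasons = significance_reasons(inc)
    record = {"significant": bool(reasons), "reasons": reasons}
    if reasons:
        record["deadlines"] = reporting_deadlines(inc.aware_at)
    return record


if __name__ == "__main__":
    # Constructed example: 45 min complete outage of a service with 2 M EU users.
    aware = datetime(2025, 3, 10, 9, 0, tzinfo=timezone.utc)
    print(triage(CloudIncident(aware_at=aware, full_outage_minutes=45, eu_users_total=2_000_000)))
```

The integer threshold arithmetic matters for small services: a service with 10,000 EU users crosses the Art. 7(b) line at 501 affected users, not at one million, which is the point of the "whichever is smaller" wording. The final-report deadline is computed from the latest permitted notification time; if the 72-hour notification is filed earlier, the one-month clock starts earlier too.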

Multi-tenant isolation, at-rest + in-transit cryptography, MFA on the management plane

effort: high

Reg. (EU) 2024/2690 Annex Section 6 (security in acquisition, development and maintenance) covers network security, network segmentation and protection against malicious software, and Section 11 (access control) covers privileged accounts and the systems used for administration [C10]; for a multi-tenant provider that translates into logical isolation between tenants, hardware isolation where a critical workload needs it, and separation of the management plane from the data plane. NIS2 Art. 21(2)(h) (cryptography) requires policies on the use of cryptography and encryption for data at rest and in transit; Section 9 of the Annex requires a cryptography policy that covers key management (generation, rotation and revocation), in practice backed by a dedicated KMS [C3][C10]. NIS2 Art. 21(2)(j) (multi-factor authentication) and Section 11 of the Annex require MFA on access to critical systems; on the operator's side that means mandatory MFA on cloud administration consoles, jump hosts, SSH to hypervisors and access to Kubernetes orchestrators [C3]. The lesson of the Snowflake 2024 breach [I6]: the cloud operator cannot fully transfer MFA responsibility to the customer; the shared-responsibility model requires the CSP to provide and enforce MFA by default. ENISA Threat Landscape 2024 confirms that cloud breaches come largely from loose configurations and missing MFA [C17]. For colocation data centres, physical isolation per customer (custom cage, locking cabinets, logged access with biometrics where feasible) is the practical minimum under Section 13 (environmental and physical security).

Recommended controls: NIS2 Art. 21(2)(h), (i), (j) · Reg. 2024/2690 Annex Sections 6, 9, 11, 13 · ISO/IEC 27017 (cloud security controls) · ENISA Cloud Computing Risk Assessment · CSA STAR Cloud Controls Matrix
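"MFA on the management plane" is only verifiable if it is checked continuously against the identity provider's own records rather than against a policy document. The following Python is an added example, not code from CAI Technology or from AWS: it audits a credential report in the column layout produced by `aws iam get-credential-report` (the CSV is base64-encoded in the CLI output and is decoded before parsing). The sample report below is constructed and trimmed to the columns the check uses; the account ID and user names are placeholders.

```python
"""Audit of an IAM credential report for the MFA-on-the-management-plane
requirement (NIS2 Art. 21(2)(j)). Added illustration, not code from CAI
Technology or from AWS; the CSV below is constructed in the column layout
of `aws iam get-credential-report`, trimmed to the columns used here."""
import csv
import io

# Constructed sample: the root principal, two console users, one machine user.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2020-01-05T10:00:00+00:00,not_supported,2025-02-01T08:12:00+00:00,not_supported,not_supported,false,true,false
alice,arn:aws:iam::111122223333:user/alice,2021-03-01T09:00:00+00:00,true,2025-02-03T07:40:00+00:00,2024-11-10T09:00:00+00:00,2025-02-08T09:00:00+00:00,true,false,false
bob,arn:aws:iam::111122223333:user/bob,2022-06-15T09:00:00+00:00,true,2025-02-02T18:05:00+00:00,2024-12-01T09:00:00+00:00,2025-03-01T09:00:00+00:00,false,true,false
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2023-01-20T09:00:00+00:00,false,no_information,N/A,N/A,false,true,false
"""

ROOT_USER = "<root_account>"  # literal user name AWS uses for the root row


def parse_credential_report(text: str) -> list[dict[str, str]]:
    """Parse the decoded CSV body of a credential report: one dict per principal."""
    return list(csv.DictReader(io.StringIO(text)))


def _is_true(value: str) -> bool:
    # The report uses the strings true / false / not_supported / N/A.
    return value.strip().lower() == "true"


def mfa_findings(rows: list[dict[str, str]]) -> list[str]:
    """Findings for the management plane:
    - root without MFA, and root with active long-lived access keys;
    - any console-enabled human user without MFA.
    Machine users with no console password fall outside this check
    (their risk is key rotation, audited separately)."""
    findings = []
    for row in rows:
        user = row["user"]
        if user == ROOT_USER:
            if not _is_true(row["mfa_active"]):
                findings.append(f"{user}: root account without MFA")
            if _is_true(row["access_key_1_active"]) or _is_true(row["access_key_2_active"]):
                findings.append(f"{user}: root account has active access keys")
            continue
        if _is_true(row["password_enabled"]) and not _is_true(row["mfa_active"]):
            findings.append(f"{user}: console login enabled without MFA")
    return findings


if __name__ == "__main__":
    for finding in mfa_findings(parse_credential_report(SAMPLE_REPORT)):
        print(finding)
```

Run daily against the decoded report and treat any non-empty result as a control failure, not a backlog item: the root row in particular should never carry active access keys, and the `password_enabled` column is what separates humans with console access (who need MFA) from API-only principals. The same shape of check applies to any other identity provider that can export per-principal MFA state.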

Supply-chain security + standard NIS2 contractual clauses with sub-providers

effort: high

NIS2 Art. 21(2)(d) requires the assessment and management of cybersecurity risks across the supply chain, including aspects related to direct suppliers and service providers [C3]. Reg. 2024/2690 Annex Section 5 details this: a supplier inventory with criticality assessment, pre-contract due diligence, contractual clauses passing the operator's incident-reporting obligations down to suppliers, audit rights, SBOMs for software components, and continuous monitoring of critical suppliers [C10]. The lesson of OVH Strasbourg 2021 [I1], with the subsequent ruling ordering OVH to pay more than EUR 400,000 for data lost without off-site backup, shows that the standard exoneration clauses of cloud providers are strictly limited under the European regime. The lesson of CrowdStrike 2024 [I4]: a single faulty update from a security vendor took down about 8.5 million Windows systems in 24 hours; from 11.09.2026 manufacturers of products with digital elements are required by the CRA (Reg. (EU) 2024/2847) to report actively exploited vulnerabilities (early warning within 24 hours) and severe incidents, and from 11.12.2027 to meet the essential requirements in full, including an SBOM in the technical documentation and security updates throughout the support period [C14]. For CSPs serving financial customers, DORA (Reg. 2022/2554) adds direct oversight where they are designated as CTPPs; on 18.11.2025 the ESAs designated AWS, Microsoft Azure and Google Cloud among the first 19 CTPPs [C13].

Recommended controls: NIS2 Art. 21(2)(d) · Reg. 2024/2690 Annex Section 5 (Supply chain) · Reg. (EU) 2024/2847 (CRA) · Reg. (EU) 2022/2554 (DORA), for CSPs serving financial entities · ISO/IEC 27036 (Supplier relationships) · ENISA Good Practices for Supply Chain Security
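An SBOM delivered by a supplier is only useful if the operator actually loads it, checks that every component can be identified, and matches it against vulnerability intelligence. The following Python is an added example, not code from CAI Technology or from any vendor, of that triage for a CycloneDX JSON SBOM: it flags components missing the fields needed for inventory and matching (name, version, package URL, supplier) and reports components whose shipped version is below the fixed version in an advisory feed. The SBOM and the advisory list are constructed; the advisory identifiers are hypothetical placeholders and the version comparison is the simple dotted-numeric kind, not full ecosystem-specific semantics.

```python
"""Supplier SBOM triage: load a CycloneDX JSON SBOM, flag components that
cannot be inventoried, and match components against an advisory feed by
package URL. Added illustration, not code from CAI Technology or any vendor;
the SBOM and advisories below are constructed and the advisory IDs are
hypothetical."""
import json

# Constructed CycloneDX 1.5 SBOM, as a supplier might deliver for an appliance image.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13", "supplier": {"name": "OpenSSL Project"}},
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:generic/zlib@1.2.11", "supplier": {"name": "zlib"}},
        {"type": "application", "name": "fw-agent", "version": "4.2.0"},  # no purl, no supplier
    ],
})

# Constructed advisory feed: package URL without version + first fixed version.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl": "pkg:generic/openssl", "fixed_in": "3.0.14"},
    {"id": "ADV-EXAMPLE-0002", "purl": "pkg:generic/zlib", "fixed_in": "1.2.11"},
]

REQUIRED_FIELDS = ("name", "version", "purl", "supplier")


def load_sbom(text: str) -> list[dict]:
    """Return the component list of a CycloneDX JSON document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def missing_fields(components: list[dict]) -> dict[str, list[str]]:
    """Components that cannot be inventoried or matched: name -> missing fields."""
    gaps = {}
    for comp in components:
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if missing:
            gaps[comp.get("name", "<unnamed>")] = missing
    return gaps


def version_key(version: str) -> tuple[int, ...]:
    """Dotted numeric versions only; a non-numeric segment sorts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def split_purl(purl: str) -> tuple[str, str]:
    """'pkg:generic/openssl@3.0.13' -> ('pkg:generic/openssl', '3.0.13')."""
    base, _, version = purl.partition("@")
    return base, version


def affected_components(components: list[dict], advisories: list[dict]) -> list[tuple[str, str]]:
    """(component purl, advisory id) pairs where the shipped version is below the fix."""
    hits = []
    for comp in components:
        purl = comp.get("purl")
        if not purl:
            continue  # unmatched components are surfaced by missing_fields()
        base, version = split_purl(purl)
        for adv in advisories:
            if adv["purl"] == base and version_key(version) < version_key(adv["fixed_in"]):
                hits.append((purl, adv["id"]))
    return hits


if __name__ == "__main__":
    comps = load_sbom(SAMPLE_SBOM)
    print("inventory gaps:", missing_fields(comps))
    print("affected:", affected_components(comps, SAMPLE_ADVISORIES))
```

The two outputs map onto two different supplier conversations: an inventory gap (a component without a package URL or supplier) is a contractual non-conformity of the SBOM itself, while a match against an advisory is a patch-management question with a clock on it. Note that a component at exactly the fixed version is not reported, which is why the advisory feed must carry the first fixed version rather than the last affected one.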

Physical and environmental security for data centres — redundant power, cooling, physical access control

effort: medium

Reg. (EU) 2024/2690 Annex Section 13 (environmental and physical security) requires the protection of premises and facilities against physical and environmental threats, including unauthorised access, fire, flooding and failures of power, cooling and other utilities, together with monitoring of environmental conditions [C10]. For a data centre that translates in practice into perimeter protection, strong physical access control (biometric where feasible) with logged entries, video monitoring, fire detection with clean-agent suppression (FM-200 / Novec / IG-541), N+1 or 2N redundancy on power and cooling, and monitoring of temperature, humidity and pressure in the data hall. The lesson of OVH Strasbourg 2021 [I1]: the fire started in a UPS room; the Eco-Room design turned the airflow into a chimney effect; the two UPS units identified as the origin had been recently serviced. The lesson of Contabo Nuremberg 2024 [I5]: a power fluctuation triggered UPS switchover, but the cooling system did not restart after grid restoration; all VPSs and dedicated servers were preventively shut down to keep temperatures below 40°C in the data hall. The lesson of Microsoft Azure West Europe 2025 [I7]: a thermal event shut down all cooling units, followed by an automatic safety shutdown of the clusters. Common technical framework: EN 50600 (data centre facilities and infrastructures), TIA-942 (Telecommunications Infrastructure Standard for Data Centers), Uptime Institute Tier I-IV. Continuity plans must be tested at planned intervals and after significant incidents under NIS2 Art. 21(2)(c) and Section 4 of the Annex to Reg. 2024/2690 [C3][C10]; a full annual test is the usual baseline.

Recommended controls: NIS2 Art. 21(2)(b), (c) · Reg. 2024/2690 Annex Sections 4, 13 · EN 50600 · TIA-942 · Uptime Institute Tier Certification · ISO 22301 (BCMS) · ISO/IEC 27031 (ICT readiness for business continuity)

📰 Real incidents, concrete lessons

OVHcloud

2021 · France (Strasbourg)

Type: Major fire in a data centre — origin in the power room (UPS), Eco-Room design fed the fire

Impact: SBG2 (2 MW, ~30,000 servers) completely destroyed; SBG1 severely damaged; 100 firefighters and 44 vehicles fought the fire for six hours. Hundreds of thousands of websites and services offline simultaneously. A class action initiated by over 140 customers for damages exceeding EUR 10 million; in 2023 a French ruling ordered OVH to pay more than EUR 400,000 for lost backup data, showing that standard exoneration clauses of cloud providers are strictly limited under the European regime.

Lesson: A pivotal incident for the sector. NIS2 Art. 21(2)(c) (continuity / crisis management) + Section 13 of the Annex to Reg. 2024/2690 (environmental and physical security) require protection against fire and utility failure and tested continuity plans; in practice that means N+1 or 2N redundancy on power + cooling, clean-agent fire detection and suppression, and separation of UPS rooms from the data hall. For customers: geo-redundant off-site backup is no longer optional; it is part of the shared-responsibility model.


Amazon Web Services (AWS US-EAST-1)

2021 · United States (Northern Virginia)

Type: Automated scaling activity caused an internal denial-of-service on the AWS network

Impact: 7 December 2021, from ~07:30 PST (10:30 EST): network devices connecting the internal Amazon network with the AWS network became overloaded; foundational services (internal DNS, authorisation, EC2 control plane, monitoring) were affected; full recovery at 14:22 PST. Customers affected globally: Amazon Connect, Disney+, Netflix, Robinhood, Tinder, Coinbase, iRobot, McDonald's app and others.

Lesson: Hyperscalers are not immune. NIS2 Art. 21(2)(b) (incident handling) + Section 3 of the Annex to Reg. 2024/2690 (incident handling) require documented detection, escalation and response procedures; at hyperscale that means playbooks with automatic triggers that isolate a cascading failure before it reaches foundational services. For Romanian cloud customers: multi-region + multi-cloud architecture is no longer exotic; it is part of the 'proportionate measure' against single-vendor risk, especially where the CSP is designated a CTPP under DORA.


Microsoft Azure (global Microsoft WAN)

2023 · Global (EU impact included)

Type: A change on a Microsoft WAN router triggered rapid BGP prefix re-announcement → global routing churn

Impact: 25 January 2023, 07:05-12:43 UTC: packet loss up to 100% on Azure routes for many locations; affected services: Azure, Microsoft 365 (Teams, Outlook, SharePoint), Power Platform. The bulk of the incident lasted ~90 minutes, residual effects the next day. Microsoft explained that a router command was propagated across the WAN and all routers recomputed adjacency / forwarding tables almost simultaneously.

Lesson: Configuration and change management on the cloud backbone are not back-office procedures — they are part of NIS2 Art. 21(2)(e) and Section 6 of the Annex to Reg. 2024/2690 (secure acquisition / development). For a CSP at scale, any production change requires staged rollout, automated rollback and prior simulation on an isolated environment.


CrowdStrike — impact on the global cloud + on-prem Windows ecosystem

2024 · Global

Type: Faulty update to Channel File 291 in the Falcon sensor (20 vs. 21 input fields mismatch, out-of-bounds memory read)

Impact: 19 July 2024: about 8.5 million Windows systems locked in a boot loop (BSOD), widely described as the largest IT outage to date; affected sectors: aviation (Delta: 7,000 flights cancelled, ~USD 500 million in losses reported via 8-K to the SEC), hospitals, banks, retail, governments. CISA issued an alert on 19.07.2024; global damages estimated at tens of billions of US dollars.

Lesson: The same security vendor present on millions of systems = a single point of failure. NIS2 Art. 21(2)(d) (supply chain) + Reg. (EU) 2024/2847 (CRA) require an SBOM, coordinated vulnerability disclosure and security testing before release; for a kernel-mode sensor that means pre-deployment testing of every content update, not only of driver code. Operational takeaway: a kill-switch for third-party kernel drivers + staged rollout (canary, regional, global); Microsoft has since announced a platform to let endpoint-security products run outside the Windows kernel.


Snowflake (UNC5537 campaign targeting customer accounts)

2024 · Global (EU customers included)

Type: Snowflake customer accounts compromised via stolen credentials (infostealer malware) + lack of MFA on the customer side

Impact: May-June 2024: hundreds of Snowflake customer instances compromised; affected customers include Live Nation / Ticketmaster (disclosed in an 8-K to the SEC; the attackers claimed ~560 million customer records), Santander, Advance Auto Parts, AT&T (call records), Pure Storage, Neiman Marcus, LendingTree. The UNC5537 actor (tracked by Mandiant) used stolen Snowflake credentials on accounts without MFA.

Lesson: The shared-responsibility model has real limits. NIS2 Art. 21(2)(j) + Section 11 of the Annex to Reg. 2024/2690 (access control, including multi-factor authentication) require MFA on access to critical systems; the cloud operator cannot fully transfer that responsibility to the customer. Snowflake subsequently announced it would enforce MFA by default on new accounts. The lesson for Romanian cloud operators: MFA on by default is the minimum standard, not an optional feature.


⚠️ Typical threats

  • Supply-chain attacks on cloud vendors
  • Insider threats at data-centre operators
  • Physical disruption (fires, attacks)

💰 Maximum fines

Up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities; EUR 7 million or 1.4% for important entities [C5]

📊 Romania compliance status

Romanian operators (NXDATA, Telekom RO Cloud) are preparing for DORA + NIS2.


📚 Adjacent regulations with overlap

Implementing Regulation (EU) 2024/2690 — NIS2 technical measures and incident thresholds for cloud, data centres, CDN, DNS, TLD, MSP, MSSP, trust services · Directly applicable from 7 November 2024 (the twentieth day after publication in the OJ on 18.10.2024) [C8]

The central technical-legal document for the cloud / data centre / CDN sector. The Annex contains 13 thematic sections: policy on the security of network and information systems; risk management; incident handling; business continuity and crisis management; supply-chain security; security in acquisition, development and maintenance (including network security, segmentation, protection against malicious software and vulnerability handling); assessment of the effectiveness of the measures; basic cyber hygiene and security training; cryptography; HR security; access control; asset management; environmental and physical security [C10]. For incident reporting, Art. 7 sets the cloud thresholds, Art. 8 the data-centre thresholds, Art. 9 the CDN thresholds [C9]. Proportionate application ("where appropriate, where applicable, or to the extent feasible") leaves room for each provider's context, but also means that DNSC will expect a documented justification for any measure not implemented.

EU Data Act — Reg. (EU) 2023/2854 · Entered into force 11 January 2024; fully applicable from 12 September 2025; cloud switching charges prohibited from 12 January 2027 [C12]

Chapter VI introduces broad obligations to facilitate switching between data-processing providers (IaaS, PaaS, SaaS) [C12]. Providers must remove technical and contractual barriers, ensure portability + interoperability, and offer contractual and technical migration / exit processes. Where standards are missing, fallback export to a structured, machine-readable format is mandatory. For any Romanian CSP, that means reviewing all cloud-service contracts by 12.09.2025 — the general application deadline.

DORA — Reg. (EU) 2022/2554 (for CSPs serving financial entities) · Applicable from 17 January 2025; first CTPP list published 18 November 2025 (AWS, Azure, Google Cloud, IBM Cloud and 15 others) [C13]

If a Romanian CSP / data centre serves banks, insurers, non-bank lenders or financial institutions in the EU, it falls under NIS2 (to DNSC) and DORA (oversight regime) simultaneously. Providers designated as Critical ICT Third-Party Providers (CTPPs) under DORA Art. 31 are directly supervised by a Lead Overseer (EBA, ESMA or EIOPA). The mandatory contractual clauses (Art. 30 DORA) are stricter than NIS2 — including physical audit rights at data centres, sub-contracting with pre-approval, and a testable exit strategy [C13].

Cyber Resilience Act — Reg. (EU) 2024/2847 · Entered into force 10 December 2024; incident / vulnerability reporting obligations from 11 September 2026; fully applicable 11 December 2027 [C14]

The CRA covers products with digital elements (PDEs) — hardware and software placed on the EU market. For a cloud / data-centre operator, relevance comes from the supply chain: any hypervisor, router, firewall, EDR or monitoring agent is a PDE and must come with a published SBOM, vulnerability disclosure, a clearly defined lifetime and security updates throughout [C14]. Pure SaaS is largely excluded, but the software component of a hybrid product (e.g. an application + cloud back-end) is in scope. For CSPs providing managed services, the CRA overlays NIS2 Art. 21(2)(d).

EUCS — the European cybersecurity certification scheme for cloud services (Cybersecurity Act, Reg. (EU) 2019/881) · Scheme in final preparation at ENISA; participation is formally voluntary, but NIS2 (Art. 24) and the EU Data Act allow Member States to require EUCS-certified CSPs for public and essential entities [C11]

EUCS introduces four assurance levels (Basic, Substantial, High, High+), covering 121+ technical and organisational controls. The main controversy — the requirement of immunity from non-EU laws (US CLOUD Act, similar laws in CN) at the High+ level — delayed final publication. For Romanian providers serving public authorities, financial partners or sensitive data, EUCS at Substantial or High level will be a key competitiveness tool in 2026-2027 [C11].

Frequently asked

We operate a cloud / data centre / CDN in Romania — are we in scope of NIS2?

Very likely yes. Annex I of NIS2 explicitly lists cloud computing service providers, data centre service providers and content delivery network providers in the "Digital infrastructure" sector [C1]. If you are at least a medium-sized enterprise (>= 50 staff, or turnover and balance-sheet total both above EUR 10 million), you are in scope: as an essential entity if you exceed the medium-sized ceilings (>= 250 staff, or turnover above EUR 50 million and balance-sheet total above EUR 43 million), otherwise as an important entity. The definition of "data centre service" excludes in-house centres operated for own purposes; only providers serving third parties are in scope [C1]. In Romania, the regime is run by DNSC via OUG 155/2024 and Law 124/2025; registration opened on 20.08.2025 through DNSC Orders 1/2025 and 2/2025, with a 30-day window for notification to evidenta@dnsc.ro [C7][C15].

What is the significant-incident threshold we must report?

For cloud (Reg. 2024/2690 Art. 7): the service completely unavailable for more than 30 minutes; or availability limited for more than 5% of EU users or more than 1 million EU users (whichever is smaller) for more than one hour; or data integrity, confidentiality or authenticity compromised through suspected malicious action [C9]. For data centres (Art. 8): complete unavailability, limited availability for more than one hour, data compromised through suspected malicious action, or physical access to the facility compromised [C8]. For CDN (Art. 9): its own thresholds on traffic and availability. Reporting deadlines are the NIS2 Art. 23(4) standard: 24h early warning, 72h incident notification, final report within one month of the notification; in addition, Art. 23(1) requires notifying the recipients of the service, where appropriate, when a significant incident is likely to adversely affect the service they receive [C4].

Are we essential or important?

It depends on DNSC criteria in Order 2/2025 (risk-assessment methodology + disruption criteria) [C15]. For cloud / data centre / CDN, the usual indicators are: number of customers, volume of data processed, critical role in the supply chain of other essential entities, national / regional importance. In practice: hyperscalers with an establishment / representative in Romania and national data-centre operators come in as essential; local private-cloud / colocation operators may come in as important, but can be reclassified individually by DNSC if the risk assessment shows systemic impact.

How do we integrate Reg. 2024/2690 with existing certifications (ISO 27001, SOC 2, C5, EUCS)?

Reg. 2024/2690 does not replace international certifications — it complements them [C10]. Common mappings: ISO/IEC 27001:2022 covers ~70% of the 13 Annex sections (policies, risk management, access control, asset management); ISO/IEC 27017 adds cloud-specific controls; ISO/IEC 27018 — PII in cloud; SOC 2 Type 2 (Trust Services Criteria) — partial on security / availability / confidentiality; BSI C5:2020 (or the upcoming C5:2025) — the German reference accepted for public procurement; EUCS at Substantial / High level — will become the preferred European tool once the scheme is finalised [C11]. The ENISA Technical Implementation Guidance for the NIS2 Implementing Act v1.0 (2025) provides the detailed mappings [C3].

What is the maximum fine ceiling for an essential cloud / data-centre operator?

Under NIS2 Art. 34: for essential entities, a maximum of at least EUR 10,000,000 or 2% of total worldwide annual turnover, whichever is higher [C5]. For important entities: EUR 7,000,000 or 1.4% [C5]. The exact amounts in lei are set by OUG 155/2024 and Law 124/2025. If the incident also involves personal data, GDPR Art. 83 (up to EUR 20 million or 4% of turnover) applies in parallel, but NIS2 Art. 35(2) bars the NIS2 authority from imposing a second administrative fine for conduct already fined by the data-protection authority under GDPR Art. 58(2)(i); the other NIS2 enforcement measures still apply. If the operator is a CTPP under DORA, the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover, applied daily for up to six months.

Under the EU Data Act, what do we need to change by 12 September 2025?

Three main things [C12]: (1) Review existing contracts with cloud customers to remove clauses obstructing switching (lock-in clauses, hidden fees, data-export restrictions); (2) Implement a technical process for portable export of customer data in a structured, machine-readable format (preferably an industry standard); (3) A plan to eliminate switching fees by 12 January 2027 — gradual reduction is accepted, but zero from 2027. For a Romanian CSP serving EU customers, that means refactoring offboarding processes and investing in export tooling.

What operational priorities should we focus on this year — top 3?

Based on the 2021-2025 incidents [I1-I8] and Reg. 2024/2690 [C8]: (1) MFA on-by-default enforcement and a clearly documented shared-responsibility model — Snowflake 2024 [I6] shows that the lack of operator-side MFA enforcement means hundreds of customer breaches; (2) Physical and environmental security with N+1 or 2N redundancy on power + cooling, plus mandatory annual testing of crisis plans against multiple scenarios — OVH 2021 [I1], Contabo 2024 [I5] and Azure West Europe 2025 [I7] show that a single thermal / electrical event can take an entire region offline; (3) Supply-chain hardening with a mandatory SBOM from suppliers, staged rollout on any kernel-mode update and a kill-switch for third-party drivers — CrowdStrike 2024 [I4] is the most relevant lesson on what NIS2 Art. 21(2)(d) means in practice.

