The increasing digitalization of critical European infrastructures has led to an exponential rise in cyber risks, making a more robust and harmonized regulatory framework necessary. In this context, the NIS2 Directive represents a crucial step in the evolution of Europe’s cybersecurity strategy, with significant implications for essential service operators, particularly data center providers.
This article analyzes the impact of the NIS2 Directive on the data center sector in Italy, considering its recent national transposition. It outlines the scope of application, compliance obligations, and operational challenges that digital infrastructure providers will face in the coming months.
The regulatory framework: the NIS2 directive
The NIS2 Directive (EU) 2022/2555, which came into effect on January 16, 2023, replaced the NIS1 Directive (2016/1148) to strengthen the resilience of IT systems and networks in sectors deemed essential or important for the functioning of the European economy and society.
Italy transposed the directive through Legislative Decree No. 138 of September 4, 2024, published in the Official Gazette on October 1, 2024, and in force from October 16, 2024 (the “NIS2 Decree”). This decree significantly expands the scope of application, including local public administrations and introducing new obligations related to risk management, supply chain security, business continuity, and cybersecurity governance.
From December 1, 2024, organizations subject to NIS2 obligations must register with the National Cybersecurity Agency (ACN) through a dedicated digital platform. The registration deadline was set for February 28, 2025, and this requirement renews annually, making it a structural element of the supervision system rather than a one-time compliance task.
NIS2 mandates a systematic and documented approach to cybersecurity risk management, requiring organizations to implement proportionate technical and organizational measures. It also introduces a strict penalty regime, with fines of up to €10 million or 2% of global annual revenue, whichever is higher. This sanctioning framework mirrors the approach of Regulation (EU) 2016/679 (General Data Protection Regulation or “GDPR”), demonstrating the increasing alignment of European regulatory approaches to security and data protection.
Impact on data centers: who is subject to NIS2?
Data center providers, defined as entities offering infrastructure services for processing, storing, and transmitting digital data, are explicitly included among those subject to NIS2 obligations. Specifically, they are classified as “digital infrastructure service providers” under Article 3, paragraph 1, letter l), point 8 of the NIS2 Decree and listed in Annex I alongside cloud service providers, domain name registrars, and internet exchange point (IXP) operators.
The regulation distinguishes between essential and important entities based on objective criteria such as service type, sector, and company size. According to Article 4 of the NIS2 Decree, micro and small enterprises (i.e., those with fewer than 50 employees and annual revenue or balance sheet total not exceeding €10 million) are generally excluded. However, this exclusion does not apply if:
- the entity provides services to essential or important entities with a critical role in the value chain.
- the entity is designated as an essential service operator under previous legislation (Legislative Decree 65/2018).
- the entity is the sole provider of a specific service in a Member State.
- a service disruption could impact public security, safety, or health.
- a service disruption could create systemic risks, particularly in sectors with cross-border impact.
Given these criteria, most data centers are classified as essential entities and are subject to stricter governance, security, and notification obligations, reflecting their critical role in the digital ecosystem and the potential impact of service disruptions.
To better understand how NIS2 applies to different business models in the data center sector, consider the following scenarios:
- a cloud service provider operating on a European or global scale, managing infrastructure across multiple Member States and serving both public and private clients, is fully covered as an essential entity under NIS2.
- a national or interregional company offering colocation, housing, or hosting services, with more than 50 employees or an annual revenue exceeding €10 million, must comply with NIS2 obligations as an essential or important entity, depending on service criticality.
- a mid-sized regional data center hosting IT systems for healthcare organizations, local public administrations, or energy infrastructures may fall under the directive’s scope, even if not operating nationwide, due to the functional importance of its services.
When assessing compliance, it is crucial to consider not only the nature of the service but also its level of interconnection and dependency within the broader ecosystem. As highlighted by the Court of Justice of the EU in case C-434/15 on digital services, a service’s regulatory relevance may derive more from its integration into critical value chains than from its standalone size. Consequently, even seemingly secondary entities embedded in essential supply chains may be classified as relevant under NIS2, with corresponding security obligations and liabilities.
Compliance obligations for Data Centers
The NIS2 Directive, as implemented by the NIS2 Decree, requires entities within its scope—including data center operators classified as essential or important entities—to adopt a structured set of risk-based technical and organizational measures. These measures must ensure an adequate level of security, considering the probability and severity of risks to networks and information systems.
Key obligations include:
- periodic risk analysis and management of system and network security.
- technical and procedural measures for attack prevention and mitigation, including network segmentation, data encryption, multi-factor authentication (MFA), and access control.
- incident response procedures, defining roles, responsibilities, escalation processes, and event logging.
- business continuity (BCP) and disaster recovery (DRP) plans to ensure service availability and resilience.
- mandatory incident notifications to CSIRT Italy and ACN within:
  - 24 hours for the preliminary notification,
  - 72 hours for the full notification,
  - one month for the final incident report, as per Implementing Regulation (EU) 2024/2690.
Effective compliance requires clear cybersecurity governance, defined internal responsibilities, updated contractual frameworks, and the ability to demonstrate due diligence in case of ACN inspections or legal disputes arising from violations or service disruptions. For data centers operating in regulated sectors (e.g., finance or healthcare), an integrated approach aligning NIS2 with sector-specific regulations, such as Regulation (EU) 2022/2554 (“DORA”) for financial services, is essential.
The cybersecurity officer role and ACN powers
The NIS2 Decree mandates the appointment of a cybersecurity officer for essential and important entities (Articles 21 and 22, respectively). This role, analogous to the GDPR Data Protection Officer (DPO), must have adequate technical expertise, operational independence, and resources proportionate to the organization’s size and risk exposure.
The cybersecurity officer—sometimes identified as a Chief Information Security Officer (CISO) or Security Officer—coordinates internal security efforts and serves as the primary contact for authorities regarding incident management and notification obligations. While the decree does not specify formal certification requirements, professional standards and training programs are expected to emerge, similar to the DPO role under GDPR.
ACN, as the national supervisory authority, has extensive powers, including:
- surveillance and inspection authority.
- compliance assessment of regulated entities.
- operational management of the notification system (in coordination with CSIRT Italy).
- issuance of recommendations, binding measures, and corrective actions.
- administrative fines of up to €10 million or 2% of global revenue.
For serious or systemic violations, ACN can impose specific measures, such as temporary business suspension or license revocation. Data centers providing services to public administrations may also face exclusion from public procurement contracts for non-compliance, in line with Article 80 of Legislative Decree 36/2023 (the Public Contracts Code).
From compliance to cyber resilience
NIS2 signifies a paradigm shift: cybersecurity is no longer just a technical requirement but a strategic asset embedded in corporate governance. Data centers, as critical enablers of digital transformation, must take a proactive role in ensuring systemic resilience.
By integrating compliance with operational security, updating internal policies, and fostering collaboration between legal, compliance, and IT security teams, organizations can turn regulatory obligations into a competitive advantage—enhancing stakeholder trust, service reliability, and business sustainability in an increasingly security-driven digital landscape.
First and foremost, the principle of accountability—borrowed from the GDPR experience and also reiterated in Implementing Regulation (EU) 2024/2690—requires operators to maintain rigorous and structured documentation of the security measures adopted, not only as a preventive measure but also for evidentiary purposes. The adequacy of these measures must be assessed based on risk, with continuous updates in response to evolving threats and the relevant operational context, as already outlined by ENISA in the document “NIS Investments” (November 2023) and in the preliminary recommendations of the Italian National Cybersecurity Agency (ACN) on cyber risk management (March 2025).
The regulatory framework stemming from NIS2 fits into a broader context of European reforms in digital security, creating significant synergies with other regulatory frameworks. In particular, data centers operating in the financial sector must also consider obligations arising from the DORA regulation on ICT services in finance, while those processing personal data must integrate NIS2 measures with those already adopted in compliance with Article 32 of the GDPR. Additionally, critical infrastructure operators must take into account the requirements set forth by Directive (EU) 2022/2557 on the resilience of critical entities (CER), transposed into Italian law through Legislative Decree 133/2024.
From this perspective, data center providers are required to thoroughly revise:
- contracts and SLAs with clients, explicitly incorporating NIS2 obligations (e.g., incident notification, audits, shared responsibilities);
- internal policies, to formalize roles, responsibilities, and incident response processes;
- due diligence procedures for the supply chain, as supplier security is now a key factor in compliance evaluation.
NIS2 thus marks a paradigm shift: cybersecurity is no longer merely a technical compliance requirement but becomes a strategic asset to be integrated into the organization’s overall governance. Data centers, as critical infrastructures enabling digital transformation, must take on a proactive and central role in ensuring systemic resilience.
In terms of governance, greater involvement of administrative bodies is also desirable. In line with practices already in place in regulated sectors such as finance, they should periodically receive reports on the organization’s security posture, approve risk mitigation strategies, and ensure adequate resource allocation. However, only through a joint and structured effort among legal, compliance, and IT security functions can regulatory compliance be transformed into a competitive advantage, strengthening stakeholder trust, service reliability, and the sustainability of the business model in an environment where security is increasingly a key enabler of digital innovation.