The EU's NIS2 directive (Directive 2022/2555) is in force across member states. If your organisation operates critical infrastructure, financial services, health, digital infrastructure, or a range of other sectors in the EU — and you employ 50 or more people or turn over more than €10M — NIS2 applies to you now.
This guide covers what NIS2 requires, how Article 21 security measures apply to data vaulting and cold storage, what incident reporting deadlines you must meet, and the evidence package national authorities actually want to see.
Note: This guide is an informational overview for planning and preparation. It is not legal advice. Confirm the transposition status in your specific member state and consult qualified legal counsel for compliance decisions.
NIS2 uses two categories — essential entities and important entities — and a general size threshold. If your organisation meets the size threshold and operates in a listed sector, you are in scope.
Size threshold (general rule): Medium-sized enterprises (50+ employees, or €10M+ annual turnover/balance sheet) are in scope. Large enterprises (250+ employees, or €50M+ annual turnover) are also in scope, with stronger obligations. Some sectors are covered regardless of size.
Key difference between essential and important entities: Essential entities face proactive ex-ante supervision (authorities can audit you at any time). Important entities face reactive ex-post supervision (authorities act following an incident or complaint). Both face the same underlying security requirements under Article 21.
Article 21(2) of NIS2 mandates ten minimum security measures that all in-scope entities must implement. These are technology-neutral — NIS2 does not prescribe specific products — but they are concrete enough that authorities can assess compliance.
| Article 21(2) Ref | Requirement | Cold Storage / Data Vault Relevance |
|---|---|---|
| (a) | Risk analysis and information security policies | Must include data protection and cryptographic asset risk; cold storage should be part of the risk register |
| (b) | Incident handling | Detection, classification, and response procedures must cover data vault integrity events |
| (c) | Business continuity, including backup management, disaster recovery, and crisis management | Directly requires documented and tested backup and DR procedures. Cold storage architecture is the primary mechanism for meeting this requirement for high-value data. |
| (d) | Supply chain security | Hardware wallet and HSM supply chain; storage vendor contracts; key management software provenance |
| (e) | Security in network and information systems acquisition, development, and maintenance | Secure development of systems that handle vaulted data; update and patch management for storage firmware |
| (f) | Policies and procedures to assess the effectiveness of cybersecurity risk management measures | Requires periodic testing and review of cold storage recovery procedures (TTCR testing) |
| (g) | Basic cyber hygiene practices and cybersecurity training | Training must include safe handling of backup media, hardware wallets, and cold storage access procedures |
| (h) | Policies and procedures regarding the use of cryptography and encryption | Directly requires documented cryptographic policies. Includes key management, algorithm selection, and post-quantum migration planning. |
| (i) | Human resources security, access control policies, and asset management | Access controls on cold storage systems; asset inventory including hardware wallets; joiners/movers/leavers for vault access |
| (j) | Use of multi-factor authentication or continuous authentication solutions | MFA for all systems with access to backup management, cold storage controls, or cryptographic key material |
Article 21(2)(c) — "backup management and disaster recovery" — is the most operationally demanding requirement for most organisations. Here is what it requires in practice.
NIS2 does not accept the mere existence of backups as evidence of compliance. Authorities expect organisations to demonstrate:
Air-gapped cold storage — whether tape, offline disk, or immutable object storage — directly satisfies the immutability requirement. For organisations holding digital assets or long-term sensitive data, a cold storage architecture aligned with the three-tier model (full air-gap, near-air-gap, immutable object storage) provides the strongest NIS2 compliance posture for backup management.
NIS2 does not specify explicit RTO/RPO numbers, but it requires organisations to demonstrate recovery capability. In practice, the concept of Time to Clean Restore (TTCR) — the time from incident detection to verified clean recovery from cold storage — is becoming the standard metric that authorities ask about during supervisory reviews. Document your TTCR target, test it annually, and retain records.
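As an added illustration (not part of this guide or CryoVault's tooling), the following Python sketch shows what a retainable TTCR test record can look like: restored files are checked against a SHA-256 manifest written into the vault alongside the data, TTCR is measured from detection to verified restore, and the outcome is recorded against a target. File names, timestamps and the eight-hour target are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Manifest stored in the vault with the data: path -> SHA-256 of content."""
    return {path: sha256_bytes(content) for path, content in files.items()}


def verify_restore(manifest: dict, restored: dict) -> dict:
    """Classify each manifest entry as clean, corrupted (hash mismatch) or missing."""
    clean, corrupted, missing = [], [], []
    for path, expected in manifest.items():
        if path not in restored:
            missing.append(path)
        elif sha256_bytes(restored[path]) != expected:
            corrupted.append(path)
        else:
            clean.append(path)
    return {"clean": clean, "corrupted": corrupted, "missing": missing}


def ttcr_record(detected_at, verified_at, manifest, restored, target: timedelta) -> dict:
    """Build a retainable test record: TTCR versus target plus per-file outcome."""
    result = verify_restore(manifest, restored)
    ttcr = verified_at - detected_at
    passed = not result["corrupted"] and not result["missing"] and ttcr <= target
    return {
        "detected_at": detected_at.isoformat(),
        "verified_at": verified_at.isoformat(),
        "ttcr_hours": round(ttcr.total_seconds() / 3600, 2),
        "target_hours": round(target.total_seconds() / 3600, 2),
        "files_clean": len(result["clean"]),
        "files_corrupted": result["corrupted"],
        "files_missing": result["missing"],
        "outcome": "PASS" if passed else "FAIL",
    }


# Constructed sample vault contents and a simulated restore where one file came back altered.
VAULT_FILES = {"ledger/2024-q4.db": b"ledger rows ...", "keys/backup-shard-1.enc": b"\x00\x11\x22"}
MANIFEST = build_manifest(VAULT_FILES)
RESTORED = {"ledger/2024-q4.db": b"ledger rows ...", "keys/backup-shard-1.enc": b"\x00\x11\x33"}


def run_sample_test() -> dict:
    detected = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    return ttcr_record(detected, detected + timedelta(hours=6), MANIFEST, RESTORED, timedelta(hours=8))


if __name__ == "__main__":
    print(json.dumps(run_sample_test(), indent=2))
```

A record like this, kept per annual test, is the kind of dated evidence (outcome, what failed) that supervisory reviews ask for.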
NIS2 introduces a three-stage incident notification process. Missing these deadlines is itself a compliance failure, regardless of the underlying incident.
What counts as a "significant incident"? An incident is significant if it causes or is capable of causing severe operational disruption, financial loss, or significant damage to other organisations or individuals. For most entities, a ransomware attack affecting production systems or a data vault integrity failure would qualify.
Use this checklist to assess your current compliance posture. For a more detailed breakdown of data vaulting controls, see the companion NIS2 Data Vault Compliance Checklist.
Based on supervisory guidance and early NIS2 enforcement activity across member states, the following are the areas national competent authorities and their delegated auditors focus on when reviewing compliance:
NIS2 explicitly requires management bodies to be accountable for cybersecurity measures and to participate in cybersecurity training. Auditors will ask who in the executive team has signed off on the cybersecurity risk management framework. "The IT team handles it" is not an acceptable answer.
Having a DR plan and having tested it are treated as different things. Auditors want test records — dates, outcomes, what failed, what was fixed. An untested DR plan provides no compliance credit under NIS2.
Article 21(2)(h) requires documented cryptography policies. Auditors specifically look for: which algorithms are in use, when they were last reviewed, and whether there is a migration plan for post-quantum readiness. See our post-quantum migration guide for NIST FIPS 203/204/205 context.
For organisations in the digital infrastructure sector, auditors increasingly ask about ICT supplier contracts and whether those contracts include flow-down security requirements. Evidence of supply chain security assessments for critical vendors is expected.
NIS2 does not specifically address cryptocurrency custody — that is primarily covered by MiCA and the Transfer of Funds Regulation for regulated entities. However, for organisations that hold digital assets as part of their operations (treasury reserves, tokenised securities, staking infrastructure, private keys controlling smart contracts), NIS2's requirements for cryptographic policy, backup, and access control all apply to those assets.
The relevant NIS2 requirements for crypto asset custody are:
For a practical guide to hardware wallet selection in this context, see our hardware wallet comparison and the enterprise crypto security audit guide.
NIS2 introduced substantially higher maximum penalties than its predecessor. Member states must impose at least the following maximum fines:
Essential entities: Maximum fine of at least €10 million or 2% of total worldwide annual turnover (whichever is higher).
Important entities: Maximum fine of at least €7 million or 1.4% of total worldwide annual turnover (whichever is higher).
Management liability: NIS2 also allows national authorities to hold individual members of management bodies personally liable for infringements, including temporary bans from management positions, where the breach is attributable to failure of management oversight.
Yes. NIS2 applies based on where services are provided, not where the entity is headquartered. If you provide services to recipients in the EU in a listed sector, you may be required to designate a representative in the EU for NIS2 purposes.
DORA (Digital Operational Resilience Act) applies specifically to financial sector entities — banks, investment firms, insurance companies, crypto-asset service providers, and their critical ICT service providers. NIS2 covers a broader range of sectors. Financial entities subject to DORA are generally exempt from NIS2 for the overlapping requirements, but DORA's requirements are in most respects more detailed than NIS2.
ISO 27001 certification is a strong foundation and is recognised by many member state authorities as evidence of a systematic approach to information security. However, ISO 27001 alone does not guarantee NIS2 compliance. NIS2 has specific requirements — particularly for incident reporting timelines and management accountability — that go beyond what ISO 27001 mandates.
Essential entities in most member states must proactively register. Important entities may register proactively or be notified. Deadlines vary by member state. Check your national NIS2 transposition law or consult your national CSIRT / competent authority's guidance.
CryoVault's cyber resilience audit covers the NIS2 Article 21 requirements most often flagged in supervisory reviews — backup and recovery architecture, cryptographic policy, and cold storage integrity verification — producing the evidence package your authority expects.
Request an Audit → Or explore our Cyber Resilience Audit and Cold Storage service pages.