NIS2 for Data Centers and Cloud Providers

TL;DR
  • Data centers and cloud computing services are listed in Annex I of the NIS2 Directive as part of the 'Digital Infrastructure' sector. Affected companies are classified as essential entities with the strictest requirements.
  • As essential entities, data centers are subject to proactive BSI supervision, fines up to 10 million EUR or 2% of annual revenue, and full reporting obligations.
  • Data centers face a dual responsibility: they must protect their own infrastructure while simultaneously providing verifiable security guarantees to their customers (BSI C5, ISO 27001, SOC 2).
  • Physical security, tenant isolation, access control, and power supply are industry-specific requirements that deserve special attention in the NIS2 risk analysis.
  • A colocation provider with 75 employees and two sites can achieve NIS2 compliance within 12 months by leveraging existing certifications (ISO 27001, SOC 2) as a foundation.

Why Data Centers and Cloud Providers Fall Under NIS2

Data centers are the physical foundation of the digital economy. When a data center fails, the impact is not limited to a single company but potentially affects hundreds or thousands of customers whose applications, data, and business processes run in that data center. A single fire at an OVHcloud data center in Strasbourg in March 2021 took down 3.6 million websites and destroyed data from thousands of customers who had no offsite backup.

The European legislator has therefore included data centers and cloud computing services in Annex I of the NIS2 Directive as part of the "Digital Infrastructure" sector. This means: affected companies are classified as essential entities and are subject to the strictest requirements NIS2 provides.

Specifically affected are:

  • Data center operators: Companies that operate data centers and offer colocation services (server housing, cage, suite)
  • Cloud computing providers: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), to the extent they exceed the thresholds
  • Managed hosting providers: Companies providing dedicated servers or managed server environments
  • Content Delivery Network providers (CDN): Listed separately in Annex I

The NIS2 Directive defines the scope through the company's seat in the EU: anyone with their headquarters or a relevant establishment in an EU member state who exceeds the thresholds (50 employees or 10 million EUR revenue) is affected. For cloud providers operating across borders, the headquarters principle applies: the supervisory authority at the headquarters is responsible.

Essential Entity: The Strictest Requirements

As essential entities, data centers and cloud providers are subject to the most stringent regulatory tier under NIS2:

Aspect                   Requirements for Essential Entities
Supervision              Proactive: BSI can request evidence at any time and conduct on-site inspections
Fines                    Up to 10 million EUR or 2% of global annual revenue
Reporting obligations    24h initial notification, 72h follow-up report, 1 month final report
Audits                   Regular security reviews by or on behalf of the BSI
Management liability     Personal liability, mandatory cybersecurity training

Proactive supervision means in practice: the BSI can request evidence of the implementation of security measures without specific cause, commission audits, and issue orders when deficiencies are found. For data center operators accustomed to demonstrating their security measures to customers (ISO 27001, SOC 2), this is not an entirely new concept, but the binding nature and sanction possibilities go beyond what private certifications require.

The Special Role of Data Centers: Multiplier Risk

Data centers differ from most other NIS2-regulated sectors through a fundamental characteristic: their security gaps affect not only their own company but potentially all customers whose infrastructure runs in the data center.

The Dual Responsibility

Data center operators and cloud providers bear a dual responsibility:

  1. Own NIS2 compliance: They must themselves fulfill all NIS2 requirements as a regulated entity.
  2. Customer enablement: Many of their customers are also NIS2-obligated and need verifiable security guarantees to ensure their own compliance. If the cloud provider of a NIS2-obligated company cannot deliver sufficient security evidence, the customer has a problem with their supply chain assessment.

This dual responsibility makes security certifications a competitive factor. Data center operators that can demonstrate ISO 27001, BSI C5, or SOC 2 have a clear advantage over competitors without certification.

BSI C5: The German Cloud Security Standard

The Cloud Computing Compliance Criteria Catalogue (C5) from the BSI is the authoritative security standard for cloud services in Germany. It was introduced in 2016 and comprehensively revised in 2020. C5 defines minimum requirements for the information security of cloud services and is based on internationally recognized standards (ISO 27001, SOC 2, CSA CCM).

For cloud providers serving customers in the public sector or regulated industries, a C5 attestation is effectively mandatory. The federal administration may only use cloud services when a C5 attestation is available. And with NIS2, the significance of C5 will continue to increase because NIS2-obligated companies will demand verifiable security measures from their cloud providers.

C5 distinguishes two attestation types:

  • Type 1: Confirmation that the security measures are appropriately designed at the time of examination
  • Type 2: Confirmation that the measures were effectively implemented over an examination period (typically 6-12 months)

A Type 2 attestation is the gold standard. It shows not just that you have a security concept but that you actually live it.

Industry-Specific Requirements

Physical Security: The Foundation

For data centers, IT security begins with physical security. An attacker with physical access to the hardware can bypass all logical security measures. Physical security encompasses:

Access control:

  • Multi-zone concept: exterior, reception, technical area, server hall, cage/suite
  • Access control system with individual permissions per zone
  • Multi-factor authentication for critical areas (chip card + PIN, biometric)
  • Visitor escort: no unaccompanied access for external parties
  • Complete logging of all access events
  • Mantrap systems (airlocks, turnstiles) to prevent tailgating

Video surveillance:

  • Complete camera coverage of all access points and technical areas
  • Recording with sufficient retention period (at least 30 days)
  • Alerting on unusual activities (movement in restricted areas)

Perimeter protection:

  • Fencing, lighting, motion detectors
  • Vehicle access control for delivery vehicles and visitors
  • Vehicle attack protection (bollards, barriers) at high-security locations

Power Supply and Climate Control

A data center is as available as its power supply and cooling. The NIS2 risk analysis must fully capture this infrastructure.

Redundant power supply:

  • Two independent power feeds (A/B supply) from different substations
  • UPS systems (Uninterruptible Power Supply) for bridging seconds to minutes
  • Emergency power generators (diesel generators) for outages lasting hours to days
  • Fuel reserves for at least 48 hours of full-load operation
  • Automatic switchover between supply paths

Climate control:

  • Redundant cooling systems (N+1 or 2N)
  • Monitoring of room temperature and humidity in all server halls
  • Automatic alerting when thresholds are exceeded
  • Emergency procedure for total cooling failure (controlled shutdown)

Fire protection:

  • Early fire detection (VESDA or equivalent)
  • Gas suppression system (typically Novec or Inergen) instead of water
  • Fire compartments: server halls as separate fire compartments with appropriate construction
  • Integration with building management system: automatic alerting and emergency shutdown

Tenant Isolation: Isolation Is Not a Feature But a Duty

In colocation data centers and cloud environments, multiple customers share the physical infrastructure. Tenant isolation ensures that one customer cannot access another customer's data or systems, and that a security incident at one customer does not affect others.

Physical tenant isolation (colocation):

  • Cages (enclosed mesh areas) or suites (dedicated rooms) for customers
  • Separate access control per cage/suite
  • Separate power circuits (on request)
  • Clear labeling and documentation of which hardware belongs to which customer

Logical tenant isolation (cloud/managed hosting):

  • Network segmentation: VLANs, VRFs, or SDN-based isolation
  • Hypervisor isolation: no access between virtual machines of different customers
  • Storage isolation: separate storage pools or encrypted volumes with customer-specific keys
  • Management isolation: separate administration access, no provider access to customer data without explicit authorization

SLA Management: Anchoring Security Contractually

Data centers and cloud providers define their services through Service Level Agreements (SLAs). Under NIS2, these SLAs must also cover security aspects — in both directions: toward their own customers and toward their own suppliers.

SLA requirements toward customers:

  • Availability guarantees (typically 99.9% to 99.999%)
  • Response times for security incidents: when is the customer informed?
  • Transparency about security measures: what information does the customer receive about the implemented measures?
  • Audit support: can the customer conduct their own audits or review attestations?
  • Data handover and deletion: how is customer data transferred and securely deleted at the end of the contract?

SLA requirements toward suppliers:

  • Energy suppliers: availability guarantees, maintenance advance notice
  • Network providers (carriers): redundant connectivity, response times for disruptions
  • Hardware suppliers: spare parts supply, response times for defects
  • Maintenance service providers: security requirements for personnel with data center access

NIS2 Measures for Data Centers

Risk Analysis: IT, Physical Infrastructure, and Customer Responsibility

A data center's risk analysis is more comprehensive than that of a company protecting only its own IT. It must cover three levels:

  1. IT infrastructure: Servers, network, storage, virtualization, management systems
  2. Physical infrastructure: Building, power supply, climate control, access control, fire protection
  3. Service level: Impact of an incident on customers, contractual obligations, reputational risk

Network Security: Multi-Layered Defense

Network security in a data center must encompass multiple layers of protection:

  • Perimeter security: DDoS mitigation (on-premise or as a service), border firewalls, IDS/IPS
  • Customer network isolation: Strict separation of customer networks from one another, no cross-connect without explicit authorization
  • Management network: Physically or logically separated network for infrastructure management (IPMI, iLO, iDRAC, switch management). This network must never be reachable from the internet.
  • Backbone security: Redundant uplinks to different carriers, encrypted inter-site connections

Incident Response: Customer Communication as a Core Process

A data center's incident response plan differs from that of other companies in that customer communication is a central component. When a security incident affects the infrastructure on which hundreds of customers run, communication must be fast, transparent, and coordinated.

Elements of the incident response plan:

  • Classification by customer impact: An incident affecting only internal systems is treated differently than one affecting customer systems.
  • Customer communication: Predefined communication channels and templates. Who informs the customers? Through which channel (status page, email, phone)? What information is shared and what is not (forensics protection)?
  • Parallel reporting obligations: BSI notification (24h for NIS2) and simultaneous customer notification. The NIS2 notification and the customer information have different content and target audiences.
  • Post-incident report: A detailed report after the incident is concluded that customers can request. Transparency strengthens trust.

Change Management: Every Change Is a Risk

In a data center serving hundreds of customers, any configuration change can have unintended effects. A change management process is not only a NIS2 requirement but an operational necessity.

  • Classification: Standard changes (pre-reviewed, low risk), normal changes (individual review), emergency changes (accelerated procedure for security incidents)
  • Approval: Every normal change is reviewed and approved before implementation. Who may approve changes? What information must be available?
  • Maintenance windows: Planned changes are carried out in defined maintenance windows. Customers are informed in advance.
  • Rollback plan: For every change, a documented rollback plan must exist to quickly return to the previous state if problems arise.

Practical Example: Colocation Provider with 75 Employees

Starting point:

DataCenter Süd GmbH (fictitious example) is a colocation provider based in Bavaria. 75 employees, 22 million EUR annual revenue. The company operates two data centers (Tier III Design) in the region and offers colocation (rack, cage, suite), managed hosting, connectivity, and cloud services (IaaS). 180 customers from various industries use the infrastructure, including financial services companies, healthcare organizations, and industrial enterprises.

DataCenter Süd is already ISO 27001 certified. The scope covers data center operations and managed hosting services. A BSI C5 attestation does not exist. SOC 2 Type 1 was first completed in the previous year.

The infrastructure:

  • Data Center 1: 800 racks, 3 MW IT load, 2N power supply, redundant cooling, gas suppression system
  • Data Center 2: 400 racks, 1.5 MW IT load, N+1 power supply, redundant cooling
  • Network: Carrier-neutral, 6 carriers connected, redundant dark fiber connection between sites, own AS (Autonomous System) with BGP peerings
  • Cloud platform: VMware-based IaaS platform (120 hosts, 3 vSAN clusters), self-service portal for customers
  • Management systems: DCIM (Data Center Infrastructure Management), monitoring (Zabbix), ticketing system (JIRA Service Management), access control system, video surveillance
  • Staff: 8 persons in data center operations (24/7 on-call), 12 persons in network and system operations, 6 persons in the cloud team, 3 persons in the security team, remainder in administration and sales

Phase 1: Gap Analysis (Months 1-2)

DataCenter Süd already has a functioning ISMS through its ISO 27001 certification. The task is not a new implementation but a gap analysis: where does the existing ISMS meet NIS2 requirements, and where is action needed?

NIS2 classification: Digital infrastructure, Annex I. Classification: essential entity. This means proactive BSI supervision and the highest fine tier.

Identified gaps:

  1. Reporting process: The existing ISMS has an incident response plan but no formal BSI reporting process with a 24-hour deadline. Previous practice was voluntary reporting of severe incidents, not mandatory reporting with defined deadlines.

  2. Management responsibility: Executive management supports the ISMS but is not formally involved in risk approval and training obligations as NIS2 requires.

  3. Supply chain assessment: The supplier assessment in the existing ISMS focuses on availability (carriers, energy suppliers, hardware). A systematic assessment of the cybersecurity of all critical suppliers is missing.

  4. Cloud platform security: The ISO 27001 certification covers colocation and managed hosting operations, but the cloud platform (IaaS) is not fully in scope. Tenant isolation, hypervisor security, and self-service portal hardening must be formalized.

  5. BSI C5: Many NIS2-obligated customers will require a C5 attestation. The effort for a C5 Type 2 attestation must be planned, even though it is not directly a NIS2 obligation.

Phase 2: Implementing Gap Measures (Months 3-8)

Implement reporting process (Month 3):

  • Reporting process with clear responsibilities defined per NIS2 reporting deadlines: the security team lead is the primary reporter, the CTO is the deputy
  • Templates for all three reporting stages (24h, 72h, 1 month) created
  • 24/7 reachability ensured: the data center on-call service can trigger the initial notification if the security team lead is not available
  • Criteria for reportable incidents defined (distinguishing: incident affects only internal systems vs. incident affects customer infrastructure)

Management involvement (Months 3-4):

  • Cybersecurity training for executive management completed
  • Formal approval process for risk acceptance implemented
  • Quarterly reporting to executive management on the state of information security established

Include cloud platform in ISMS scope (Months 4-6):

  • Risk analysis for the VMware-based IaaS platform conducted — ISMS Lite enables the systematic capture of all cloud assets with their respective tenant isolation and associated risk assessments
  • Tenant isolation formalized and documented:
    • Network isolation via NSX-based microsegmentation
    • Storage isolation via vSAN policies
    • Management access: no provider employee has access to customer VMs without an explicit ticket and four-eyes principle
  • Self-service portal hardened: MFA for all customer accounts, API rate limiting, audit logging

Supply chain assessment (Months 5-7):

Systematic assessment of the 15 most critical suppliers:

Supplier                               Special Requirements
Carriers (6)                           Redundancy, SLA, incident notification, physical cable routing
Energy suppliers (2)                   Availability, maintenance advance notice, emergency procedures
VMware/Broadcom                        Patch cycles, security updates, license compliance
Hardware suppliers (servers, network)  Supply chain integrity, firmware security
Diesel supplier (emergency generator)  Delivery capability in crisis scenarios
Building systems maintenance           Access authorizations, security vetting of personnel

Technical hardening (Months 6-8):

  • Management network segmentation tightened: dedicated physical network for IPMI/iLO/iDRAC, no routing to customer or internet networks
  • DDoS mitigation: expansion of existing protection to include automatic detection and mitigation at Layer 3/4 and Layer 7
  • Monitoring expansion: anomaly detection for network traffic between customer segments (detecting lateral movement)
  • Backup of management systems: DCIM, access control, and video surveillance receive offsite backup
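As an added example (not code from the page or from DataCenter Süd's own tooling), the following check covers two points from above: the network security rule that the IPMI/iLO/iDRAC management network must never be reachable from the internet, and the anomaly detection for traffic between customer segments from the technical hardening list. Addressing, segment names, the jump-host exception and the sample flows are constructed assumptions.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

# Constructed segment map (hypothetical addressing, not from the page):
# customer prefixes, the IPMI/iLO/iDRAC management network, and the
# provider's admin jump hosts that are the only permitted path into it.
SEGMENTS = {
    ipaddress.ip_network("10.10.0.0/16"): "tenant-A",
    ipaddress.ip_network("10.20.0.0/16"): "tenant-B",
    ipaddress.ip_network("10.250.0.0/24"): "mgmt",
    ipaddress.ip_network("10.99.0.0/24"): "provider-jump",
}

# Cross-connects explicitly authorized by ticket, as (src tenant, dst tenant).
# Empty by default: customer networks must not talk to each other.
AUTHORIZED_CROSS_CONNECTS = set()

Flow = Tuple[str, str, int]  # (src ip, dst ip, dst port)


def classify(ip: str) -> str:
    """Map an address to its segment label; anything unknown is 'external'."""
    addr = ipaddress.ip_address(ip)
    for net, label in SEGMENTS.items():
        if addr in net:
            return label
    return "external"


def check_flow(src: str, dst: str, dport: int) -> Optional[dict]:
    """Return a finding for a flow that violates the isolation policy, else None."""
    s, d = classify(src), classify(dst)
    # Rule 1: the management network is reachable only from the jump hosts.
    # A hit from 'external' means an internet-exposed BMC or switch console.
    if d == "mgmt" and s != "provider-jump":
        return {"rule": "mgmt-exposure",
                "severity": "critical" if s == "external" else "high",
                "src": src, "dst": dst, "dport": dport, "src_segment": s}
    # Rule 2: traffic between two different customer segments is possible
    # lateral movement unless a cross-connect was explicitly authorized.
    if (s.startswith("tenant-") and d.startswith("tenant-") and s != d
            and (s, d) not in AUTHORIZED_CROSS_CONNECTS):
        return {"rule": "cross-tenant", "severity": "high",
                "src": src, "dst": dst, "dport": dport,
                "src_segment": s, "dst_segment": d}
    return None


def check_flows(flows: Iterable[Flow]) -> list:
    """Run every flow through the policy and collect the findings."""
    findings = []
    for src, dst, dport in flows:
        finding = check_flow(src, dst, dport)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample flows (not real traffic), reduced from exported
# switch/firewall 5-tuples to what the two rules need.
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.1.9", 22),        # tenant-A internal: fine
    ("10.20.3.4", "198.51.100.20", 443),   # tenant-B egress to the internet: fine
    ("10.99.0.2", "10.250.0.10", 443),     # admin jump host to iDRAC: fine
    ("10.10.1.5", "10.20.3.4", 445),       # tenant-A -> tenant-B SMB: cross-tenant
    ("203.0.113.7", "10.250.0.10", 623),   # internet -> IPMI: mgmt-exposure
]

if __name__ == "__main__":
    for f in check_flows(SAMPLE_FLOWS):
        print(f"[{f['severity']}] {f['rule']}: {f['src']} -> {f['dst']}:{f['dport']}")
```

In production the same two rules would run over the monitoring system's flow export, with the segment map generated from the DCIM or IPAM rather than hard-coded.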

Phase 3: Audit, Documentation, BSI Registration (Months 9-12)

Internal audit (Months 9-10):

The internal audit reviews both the existing ISO 27001 controls and the newly implemented NIS2 measures.

Findings:

  1. Access logs at Data Center 2 are only retained for 14 days. Corrective action: increase retention to 90 days (C5 recommendation).
  2. Three customer cages in Data Center 1 have no dedicated access control but are accessed through a shared room entrance. Corrective action: retrofit cage access control systems.
  3. The rollback plan for VMware updates is not documented. Corrective action: formalize rollback procedures for all critical infrastructure components.

BSI registration (Month 11):

DataCenter Süd registers with the BSI as an essential entity in the Digital Infrastructure sector. The registration includes company data, a contact point for security incidents, and a description of the services provided.

C5 preparation (Months 10-12):

In parallel with the NIS2 implementation, preparation for the BSI C5 attestation begins. Many NIS2 measures overlap with C5 requirements, so the additional effort is manageable. The C5 audit (Type 1) is scheduled for the first quarter of the following year.

Management review: Executive management approves the residual risk catalog, the budget for the following year (priorities: C5 attestation, expansion of DDoS protection), and the audit plan.

Budget Overview

Item                                           One-time (Year 1)     Annual (from Year 2)
NIS2 gap analysis and consulting               20,000-30,000 EUR     10,000-15,000 EUR
Network hardening (management network, DDoS)   25,000-40,000 EUR     8,000-12,000 EUR
Cloud platform hardening                       15,000-25,000 EUR     5,000-8,000 EUR
Access control retrofit (cages)                20,000-30,000 EUR     2,000-3,000 EUR
Monitoring and anomaly detection               15,000-25,000 EUR     6,000-10,000 EUR
Training (including executive management)      5,000-8,000 EUR       3,000-5,000 EUR
BSI C5 attestation (auditor)                   60,000-100,000 EUR    50,000-80,000 EUR
ISB/security team (existing team)              Included              Included
Total                                          160,000-258,000 EUR   84,000-133,000 EUR

The budget is higher than for many other sectors because data centers, as essential entities, are subject to the highest requirements and because the BSI C5 attestation involves significant audit effort. The majority of ongoing costs go to the annual C5 attestation, which, however, also delivers direct business value by strengthening customer retention and being increasingly required in tenders. ISMS tool costs, on the other hand, can be reduced: ISMS Lite covers all modules for 500 EUR per year without seat licenses or hidden costs.

What You Should Do Now

If you operate a data center or cloud service and need to implement NIS2, the following steps make sense:

  1. Leverage existing certifications as a foundation. If you already have ISO 27001, SOC 2, or other certifications, you are in a good starting position. Conduct a gap analysis rather than starting from scratch.

  2. Evaluate BSI C5 attestation. Even though C5 is not a direct NIS2 obligation, it will become a decision criterion for many customers. Plan C5 preparation in parallel with NIS2 implementation.

  3. Prepare customer communication for security incidents. Your incident response plan must include customer communication as a core process. Predefined templates, clear communication channels, and transparency are critical.

  4. Include the cloud platform in the ISMS scope. If your ISMS has so far only covered colocation operations, the cloud platform must be fully integrated: tenant isolation, hypervisor security, self-service portal.

Data centers and cloud providers bear a special responsibility under NIS2 because they provide the infrastructure on which the digital economy runs. Proactive BSI supervision and high fines reflect this responsibility. At the same time, NIS2 offers the opportunity to position security even more strongly as a competitive advantage: whoever is demonstrably secure wins the trust of customers who are themselves under compliance pressure.
