For European SaaS Providers in NIS2 Scope

NIS2-Ready AWS Workloads for European SaaS

Map your AWS controls to NIS2 Article 21 requirements. Pass national CSIRT registration with documented evidence. ISO 27001:2022-certified delivery.

Book Free NIS2 Review →Download Article 21 Mapping

EU 2022/2555Active Enforcement

Cybersecurity is now boardroom liability.

24h

Early Warning

72h

Incident Notify

Max Fine

€10M

or annual turnover

NIS2 holds management bodies personally accountable for cybersecurity oversight failures.— EU Network & Information Security Directive 2

Enforced since

17 Oct 2024

The Problem We Solve

Your customers are auditing your AWS controls for NIS2.

01, ARTICLE 21 MAPPING

We're in scope for NIS2 but don't know which AWS controls map to Article 21.

NIS2 Article 21 mandates 10 categories of cybersecurity measures. Without explicit mapping to AWS services, evidence collection is guesswork.

02, SUPPLY-CHAIN PRESSURE

Our customers are asking for NIS2 attestation as part of supply-chain due diligence.

Article 21(2)(d) requires supply-chain security. SaaS providers in scope must demonstrate cloud-side controls to enterprise customers.

03, INCIDENT REPORTING

We need 24h/72h/1-month incident reporting workflows that won't fall apart in a real incident.

Article 23 requires staged reporting. National CSIRTs (BSI, ANSSI, NCSC-NL) expect tested workflows, not improvised responses.

What You'll Get

From scope-uncertainty to CSIRT-registered, audit-ready AWS.

Stream A · Assessment

Scope of Work

NIS2 scope determination (essential vs important)
Article 21 to AWS service mapping (10 categories)
Article 23 incident reporting workflow review
Supply-chain documentation (Article 21(2)(d))
ISO 27001 to NIS2 controls crosswalk

Stream B · Deliverables

Deliverables

NIS2-AWS controls crosswalk (Article 21 → AWS services)
Incident reporting runbook (24h/72h/1mo)
CSIRT registration support package
Supply-chain attestation template for customers
Evidence-collection automation (Audit Manager)
Management body briefing for personal accountability

Stream C · Timeline

Timeline

Assessment: 2 weeks
Implementation: 6–10 weeks (scope-dependent)
CSIRT registration support included
Annual NIS2 refresh option
Quarterly tabletop exercises available
Founder + AWS-certified engineer on every engagement

Mini Case Study

How a German SaaS provider passed BSI registration in 30 days

A B2B SaaS company headquartered in Munich with 120 employees was confirmed in NIS2 scope by their legal counsel in early 2026, with Germany's BSI registration deadline already passed. The board needed a credible compliance position before their next enterprise-customer audit.

We started with a 2-week assessment mapping their existing AWS controls (and existing ISO 27001:2022 certification) to all 10 NIS2 Article 21 categories. The gap analysis identified 4 missing areas: supply-chain documentation, incident reporting automation, business continuity testing, and management body accountability records.

Implementation took 8 weeks. We deployed Audit Manager with a custom NIS2 evidence framework, automated the 24h/72h reporting workflow via EventBridge, and produced supply-chain attestations the customer's procurement team could share with their own customers. BSI registration was completed during week 4.

ISO 27001 and AWS turned out to be 80% of the work. HAZERCLOUD knew exactly where the remaining 20% needed to go.— CISO · German B2B SaaS (anonymized)

Outcomes

Article 21 coverage10/10

BSI registrationWk 4

Engagement duration10 wks

ISO 27001 reuse80%

Tested incident SLA<24h

Read the full case study

Engagement Options

Two stages. Predictable cost. CSIRT-registered outcome.

Most NIS2 engagements start with the assessment to confirm scope and identify the gap. Implementation pricing reflects only what your specific environment needs.

Stage 01

NIS2 Cloud Compliance Assessment

NIS2 scope determination memo
Article 21 to AWS controls mapping
ISO 27001 to NIS2 crosswalk
Gap analysis with prioritized remediation list
Management body accountability briefing

Start with assessment →

Stage 02

NIS2 Implementation

Full Article 21 implementation
Audit Manager NIS2 evidence framework
Incident reporting workflow (24h/72h/1mo)
Supply-chain attestation templates
CSIRT registration support
Annual NIS2 refresh option

Book scoping call →

FAQ

NIS2 questions European SaaS founders ask first.

Scope uncertainty? Personal liability questions? National implementation differences? Book a call and we'll work through your specific situation.

Book Free NIS2 Review →

Are we in NIS2 scope as a SaaS company with 60 employees?+

NIS2 covers entities meeting the size threshold (50+ employees OR €10M+ turnover) AND operating in one of 18 sectors. "Digital infrastructure" and "managed service providers" capture most B2B SaaS. The Member State implementations sometimes add sector-specific extensions. We start every engagement with a scope determination memo so you know exactly where you stand.

How does NIS2 differ from GDPR? Do we need both?+

GDPR governs personal data processing; NIS2 governs cybersecurity and incident reporting. They overlap (both require Article 32-style technical controls) but have different reporting obligations and different national authorities. If you're in NIS2 scope, you need both, they're not substitutes.

What does NIS2 supply-chain security mean if we use AWS, Stripe, and Datadog?+

Article 21(2)(d) requires you to manage cybersecurity risk in your supply chain. For AWS, Stripe, Datadog: maintain a third-party register, document the risk assessment, ensure their security controls support your obligations, and maintain incident notification arrangements. We provide templates and the operational workflow to keep this current.

Can our existing ISO 27001 certification cover NIS2 requirements?+

ISO 27001:2022 covers ~80% of NIS2 Article 21 categories. The remaining 20% is mostly NIS2-specific reporting workflows, supply-chain documentation depth, and management body accountability records. We map your existing evidence to specific NIS2 articles so you avoid duplicating work.

What happens if we don't register with the national CSIRT in time?+

Penalties vary by Member State implementation but the EU directive sets a ceiling of €10M or 2% of global annual turnover for essential entities. Beyond fines, executives face personal liability under Article 20(2). National authorities (BSI in Germany, ANSSI in France, NCSC-NL in Netherlands) have started enforcement actions in 2026.

How does Germany's BSIG implementation differ from France's?+

Germany's NIS2 transposition (BSIG) emphasizes BSI registration and IT-Grundschutz alignment; France's transposition (SREN law) routes through ANSSI with sector-specific extensions; the Netherlands integrates NCSC-NL coordination. Member State requirements differ on registration timelines, reporting templates, and language obligations. Our country pages cover each in depth.

Jobin Joseph

Founder & CTO

AWS SA ProDevOps ProSecurity+2

Verify on Credly ↗

Who You'll Actually Work With

This engagement runs through me, personally.

The AWS-certified specialist on your discovery call leads the implementation team on your engagement. No bait-and-switch. No junior-led delivery.

Discovery call: I attend, no exceptions

Architecture sign-off: before any work begins

Weekly review: I'm on every call, every week

Material decisions: go through me first

Deliverable sign-off: my signature, my reputation

30 days post-handoff: direct line to me

NIS2

Ready for NIS2 readiness on AWS?

30 minutes with our founder. One Article 21 gap identified.

We'll review your scope, your existing ISO 27001 controls (if any), and identify the most critical NIS2 Article 21 gap in your AWS setup, with a specific remediation recommendation you can act on without us.