Security Requirements under NIS2 Directive

Directive (EU) 2022/2555, also known as NIS2 Directive, is the European Union’s updated framework for cybersecurity, replacing the original NIS Directive. 

This new directive expands the scope of covered entities to include more industries, and aims to enhance Member States’ capability to protect network and information systems, their users, and other affected individuals from cyber incidents and threats. 

In Finland, the directive was transposed into national legislation through Cybersecurity Act (124/2025).

Key requirements

NIS2 brings several requirements for cloud service providers concerning cybersecurity risk and incident management. While these security focused requirements are not new to cloud providers, they are no longer based on voluntary standards and certifications – they are mandatory legal requirements. 

• Risk Analysis: Companies must conduct thorough risk analyses to identify and evaluate all potential cybersecurity threats.

• Security Measures: Companies must implement appropriate security measures to protect data and systems, including business continuity plans, supply chain security controls, vulnerability handling and disclosure processes, penetration testing, security training for staff, application of cryptography, and access control measures.

• Incident Reporting: Companies must have processes in place to detect, manage, and report cybersecurity incidents. The national cybersecurity authority must be notified of any significant cybersecurity incidents. NIS2 sets strict deadlines for the notification, requiring companies to be prepared for incident handling. 

Ensuring security and compliance at UpCloud

UpCloud is responsible for meeting the requirements of the NIS2 Directive while also supporting customers in their compliance efforts. 

Our ISO 27001-certified Information Security Management System (ISMS) provides the foundation, with established policies for risk management and incident handling to ensure security incidents are effectively prevented, managed, and communicated to both authorities and customers when required. We provide annual employee training on ISMS and data privacy, and enforce strict access controls for internal systems and premises. 

We have embedded security requirements to our software development and supply chain management through dedicated policies and onboarding processes, safeguarding our products from development through delivery. We offer our customers additional product security features, such as multifactor authentication, encryption,w and backups. 

The effectiveness of these measures is verified with annual audits and penetration testing. Through this approach, UpCloud maintains continuous compliance with NIS2 and provides a secure and resilient environment for our customers.

Read more about security on our Security & Privacy page. Or reach out to our team to further discuss.