NIS2 for Cloud Providers and SaaS: The "Cloud Computing" Sector
TL;DR
- Annex I ("digital infrastructure") classifies cloud computing providers as essential entities
- Threshold: 50+ employees and EUR 10M turnover; smaller providers can still qualify if "critical"
- Pure SaaS is not always cloud computing under NIS2; IaaS and PaaS clearly are
- Heightened duties: stricter SLAs, EU data boundary, supply-chain liability for sub-providers
- Recommended standards: ISO 27017, ISO 27018, BSI C5, CSA STAR
1. Sector classification
NIS2 Annex I classifies cloud computing services as an essential entity sector. The default thresholds are 50+ employees and at least EUR 10M turnover. Providers below the size threshold can still be brought into scope when they are designated "critical" (e.g., CDN services for public administration).
2. Is your SaaS a cloud provider?
Not all SaaS qualifies as cloud computing under NIS2. The definition (Annex I) refers to "scalable, elastic IT resources." Pure SaaS is often outside scope; IaaS and PaaS are clearly inside. A pure email-marketing SaaS rarely qualifies; a PaaS that allocates compute on demand always does.
3. Heightened duties
- Stricter service-level agreements with customers
- Higher availability and resilience standards
- Alignment with the ENISA Cloud Security benchmark
- EU data boundary considerations
4. Sub-providers and supply chain
The cloud provider remains accountable for sub-providers. Section 30 BSIG supply-chain clauses apply strictly: due diligence, contractual security commitments, audit rights, and exit plans must be documented per sub-provider.
5. Customer notification on incidents
On a significant incident, the provider must notify affected customers (typically within 24 hours) so that those customers can in turn meet their own downstream obligations under NIS2 and GDPR Art. 33.
6. Recommended standards
- ISO 27017 - cloud security controls
- ISO 27018 - cloud privacy / personal data
- BSI C5 - cloud-computing compliance criteria (German federal benchmark)
- CSA STAR - lighter-weight, vendor-friendly attestation
Summary
Cloud and IaaS/PaaS providers operating in Germany sit in the highest NIS2 tier. Implementing ISO 27017 + BSI C5 typically covers the bulk of obligations and provides defensible evidence for customer audits.
Frequently Asked Questions
Hyperscalers vs. mid-market cloud?
CSA STAR or ISO 27017?
Sources
- Directive (EU) 2022/2555 — NIS2 (Annex I digital infrastructure) (As of: 2026-05-02)
- BSIG 2025 (consolidated after NIS2UmsuCG) (As of: 2026-05-02)
- Regulation (EU) 2022/2554 — DORA (cloud-services interplay) (As of: 2026-05-02)