Two pieces of EU legislation, NIS2 and DORA, are fundamentally changing how European organisations must think about their technology suppliers. Neither regulation bans US cloud providers. But both make it legally necessary to understand, document, and manage the risks that come with depending on them.
Most organisations are not ready. Here is what the regulations actually require, and what compliance looks like in practice.
NIS2: Supply Chain Risk Is Now Mandatory
The Network and Information Security Directive 2 (NIS2), which EU member states were required to transpose into national law by October 2024, significantly expands the scope of cybersecurity obligations across Europe.