Cloudflare Authorised Service Delivery Partner (ASDP)

NIS2 Compliance with Cloudflare

NIS2 requires over 160,000 organisations across the EU to demonstrate auditable cybersecurity. It also affects non-EU companies serving European clients. Brixio deploys Cloudflare as a unified compliance platform: risk management, access control, incident detection, and 72-hour notification. One architecture, not ten tools.

  • Cloudflare ASDP · authorised service delivery
  • ISO 27001:2022 · audited security operations
  • 400+ projects in regulated industries
  • EMEA & GCC · Luxembourg, Paris, Dubai, Singapore

[Dashboard illustration: NIS2 compliance posture, showing Article 21 obligations covered (5 / 5), an Article 23 incident timeline (volumetric DDoS on /api detected, qualified and notified to the national authority in 38 minutes), and the ANSSI ReCyF mapping (20 / 20 objectives across four pillars).]

160k+
Regulated entities
NIS2 expanded scope from ~500 to over 160,000 regulated organisations across the EU. A step change in the scale of EU cybersecurity law.
EUR 10M
Maximum fine
Essential Entities face fines up to EUR 10M or 2% of global annual turnover. Personal liability for directors under Article 20.
72h
Incident notification
Significant incidents must be assessed and notified to the national authority within 72 hours. Most stacked architectures cannot meet this deadline.
400+
Brixio projects
Cloudflare deployments across regulated sectors: government, banking, healthcare, energy, and manufacturing in EMEA and the GCC.
What changed in 2024

NIS2 changed the scale of the problem, not the principle.

NIS2 is not an update to NIS1. It is a shift from voluntary best practices to mandatory, enforceable cybersecurity obligations across the EU, with extraterritorial reach for non-EU service providers.

01 · Scope

From 500 to 160,000+ regulated entities

NIS1 covered ~500 operators of essential services across the EU. NIS2 extends to 160,000+ entities, including most mid-market companies above 50 employees or EUR 10M revenue. Annex I and II cover energy, transport, finance, healthcare, water, ICT, public administration, manufacturing, food and more.

02 · Sanctions

EUR 10M fines and personal director liability

Essential Entities face fines up to EUR 10M or 2% of global turnover. Important Entities face up to EUR 7M or 1.4%. Article 20 introduces personal liability for management, including potential bans from director functions for failure to ensure compliance.

03 · Operations

72 hours, supply chain, extraterritoriality

Article 23 imposes 72 hours to assess and notify a significant incident. Article 21 makes your suppliers' security your responsibility. Article 26 extends NIS2 to non-EU companies serving EU clients in regulated sectors.

NIS2 does not ask for perfection. It asks for proof of an architecture that is capable.
Geoffroy Morgan de Rivery
CEO, Brixio
Scope of NIS2

If you operate in Europe or serve European clients, NIS2 likely applies.

NIS2 reaches far beyond traditional critical-infrastructure operators. Three dimensions extend the scope: sector and size, supply chain contagion, and extraterritorial effect.

01 · Sector & size

Essential and Important Entities

Two scopes defined by Annexes I and II, plus a size threshold of 50+ employees or EUR 10M+ revenue, with sector-specific exceptions.

  • Annex I · Essential
  • Annex II · Important
  • 50+ employees
  • EUR 10M+ turnover
02 · Supply chain (Article 21)

Your suppliers fall in scope by contagion

Even if your organisation is not directly regulated, NIS2 obligations propagate through the supply chain. SMEs providing ICT services to a regulated entity must satisfy third-party risk requirements.

  • ICT service providers
  • Subcontractors
  • Cloud & MSP partners
03 · Extraterritorial (Article 26)

Non-EU companies serving EU clients

Cloud providers, MSPs, DNS operators and digital platforms based outside the EU must comply and designate a representative in a member state when they serve EU clients in regulated sectors.

  • GCC
  • APAC
  • UK
  • US
The 72-hour paradox

Stacked tools cannot meet the 72-hour notification window.

The natural response to NIS2 is to stack tools: VPN here, firewall there, EDR on endpoints, SWG for web filtering, SIEM for logs. Each tool addresses one requirement, but the stack as a whole creates a bigger problem than it solves.

  • Blind spots between tools (what one does not see, the other does not cover)
  • Total cost of ownership escalates with every added layer
  • No real-time correlation of security events across systems
  • Compliance evidence fragmented across 5 to 10 different log formats
  • Manual incident qualification cannot fit inside 72 hours

Cloudflare consolidates application security, network access, DDoS protection, web filtering, DLP and logging on a single platform. Fewer tools, more visibility. Fewer layers, more proof.

NIS2 obligations on Cloudflare

Five obligations, one platform

Article 21 organises cybersecurity obligations around five operational areas. Each maps to native Cloudflare capabilities, with a single control plane and a single audit trail. No glue, no integration debt.

Article 21.2.a

Appropriate technical and organisational measures, proportionate to the risk

NIS2 demands documented risk management with clear ownership. Cloudflare provides a single policy engine across WAF, Access, DLP and Gateway, with full audit trails for every configuration decision and access event.

  • Single unified policy engine across WAF, Zero Trust, DLP and Gateway
  • Auditable change log for every configuration decision
  • Role-based access control aligned to internal governance
  • Brixio delivery framework documents each control mapping
NIS2 across jurisdictions

One directive, several national regimes

NIS2 is transposed by each member state, often with sector-specific add-ons and competent authority designations. Brixio operates across EU jurisdictions and adapts the compliance approach country by country.

NIS2 Directive 2022/2555

EU · Applicable since October 2024

160,000+ entities across the EU

Risk management, incident reporting (72h), supply chain security, management accountability.

Cloudflare: Full Cloudflare security stack mapped to NIS2 obligations, ASDP-certified delivery.

ANSSI ReCyF reference framework

FR · National transposition in progress, enforcement from 2026

15,000+ entities in France

20 security objectives organised in 4 pillars: governance, protection, detection, continuity.

Cloudflare: ReCyF x Cloudflare mapping, each objective translated into an auditable configuration.

Loi du 26 avril 2024 + CCB CyFun

BE · Compliance expected by April 2027

Centre for Cybersecurity Belgium (CCB) as competent authority

CyFun framework or ISO 27001:2022 certification, depending on entity classification.

Cloudflare: Cloudflare deployment aligned to CyFun controls, ISO-grade documentation.

Bill 8364 + ILR / CSSF

LU · Transposition under review

6,000 to 8,000 expected regulated entities

ILR supervises most sectors, CSSF supervises financial services (NIS2 + DORA combined).

Cloudflare: Combined NIS2 and DORA delivery for Luxembourg financial entities.

nDSG + NCSC notification regime

CH · Critical infrastructure notification mandatory since April 2025

Switzerland is not subject to NIS2 (non-EU)

24-hour incident notification to the NCSC for critical infrastructure operators.

Cloudflare: Cloudflare logging and alerting tuned to NCSC reporting templates.

Brixio engineers operate across Luxembourg, Paris, Dubai and Singapore, with native coverage of EU national regimes and extraterritorial scope for GCC and APAC clients.

NIS2 by industry

Sectors where Brixio runs NIS2 programmes

From Annex I essential entities to Annex II important entities. Each industry has its own regulatory texture and operational stakes.

Sovereignty & advanced protection

Beyond compliance: control over data, keys and cryptography.

NIS2 does not address sovereignty in detail, but national authorities increasingly expect control over data processing locations, encryption custody and post-quantum readiness. Cloudflare provides the mechanisms natively.

01 · Key custody

Keyless SSL

Encryption keys remain on-premise or in your chosen jurisdiction. Cloudflare terminates TLS without ever holding the private key. Suitable for finance, defence and government deployments where key sovereignty is non-negotiable.

02 · Data residency

Regional Services & Data Localization Suite

Restrict where Cloudflare processes your traffic, where logs are stored and where metadata is analysed. Enforce EU-only processing or any chosen geography, with auditable evidence aligned to NIS2, GDPR and sector regulations.

03 · Crypto-agility

Post-quantum encryption

Cloudflare has deployed hybrid post-quantum key agreement natively, ahead of NIST 2030 expectations. Long-life data is protected against harvest-now-decrypt-later attacks without rearchitecting the perimeter.

Why Brixio

A compliance deployment partner, not another vendor

Brixio deploys the Cloudflare architecture. Brixio One turns it into continuous compliance proof: visibility, audit documentation, and compliance evidence centralised in one platform, ready for any NIS2 audit.

100% Cloudflare-only

Consolidate on a single platform rather than stacking tools. One control plane, full NIS2 coverage, unified compliance evidence.

ASDP & ISO 27001:2022

Documented, auditable delivery process. Direct escalation to Cloudflare engineering. Compliance built into our own operations, satisfying Article 21.2.d directly.

72-hour incident ready

Single-pane correlation means every incident can be qualified and notified within 72 hours. No manual log correlation between disconnected tools.

Multi-jurisdiction expertise

Engineers in Luxembourg, Paris, Dubai and Singapore. NIS2 expertise across EU national regimes and extraterritorial Article 26 scope for GCC and APAC clients.

Compliance-first delivery

Every configuration decision documented and mapped to NIS2 articles, ANSSI ReCyF objectives, or CyFun controls. Documentation is an output, not an afterthought.

400+ projects delivered

Government, banking, healthcare, energy, manufacturing. Configuration evidence pack delivered for every project, ready for audit.

FAQs

NIS2 Compliance FAQ

NIS2 (Network and Information Security Directive 2) is a European Union directive that imposes cybersecurity obligations on a broad range of public and private entities across the EU. It covers risk management, incident reporting (within 72 hours), supply chain security, and management accountability. It entered into force in 2023 and has been applicable since October 2024.

Yes. NIS2 has extraterritorial effect (Article 26). Non-EU companies providing services in NIS2-regulated sectors to EU clients must comply and designate a representative in an EU member state. This affects cloud providers, managed service providers, DNS operators, and digital platforms serving EU markets. It is directly relevant for GCC and APAC companies with European operations or clients.

Fines up to EUR 10M or 2% of global annual turnover for Essential Entities. Up to EUR 7M or 1.4% for Important Entities. Article 20 also imposes personal liability on directors and board members, including potential bans from management functions.

NIS2 has been applicable across the EU since October 2024. Each member state transposes the directive into national law on its own timeline. Organisations should begin their compliance journey now. National authorities are expected to enforce from 2026-2027 depending on the jurisdiction.

Cloudflare covers a significant portion of NIS2's technical requirements (access control, network security, incident detection, continuity). However, NIS2 also includes organisational requirements (governance, training, crisis management) that require internal action. Brixio handles the technical deployment and can guide you toward partners for the organisational dimensions.

Brixio maps your NIS2 obligations to Cloudflare capabilities, designs the compliant architecture, deploys it, and documents every configuration decision for audit readiness. The result is not a compliance report. It is a working, auditable infrastructure.

Yes. Gulf-based organisations that provide services to EU clients or operate in EU markets are subject to NIS2's extraterritorial provisions. Brixio has a dedicated hub in Dubai and engineers who understand both NIS2 requirements and GCC operational constraints.

Turn the NIS2 obligation into an architecture advantage.

NIS2 demands proof. Brixio deploys the architecture. Brixio One makes it auditable on demand.

Talk to an expert

NIS2 deadlines don't move. We do.

Tell us where you are with this solution. A Brixio engineer comes back to you with a clear next step — workshop, free assessment, or scoping call.

  1. You send a short message (≤ 5 min). Two minutes, no qualification questionnaire.
  2. An engineer reads it (≤ 4 hours). We pick the right next step based on your context and the solution(s) you flagged.
  3. Callback scheduled (≤ 24 hours). A 30-min call with a certified Cloudflare engineer.
  4. Engagement starts (Day 1+). Workshop, free assessment, scoping call, whichever fits your situation.

We help scope the right next step. You decide whether to engage. ISO 27001:2022.