NIS2 Directive — Impact on Virtual Data Rooms

The NIS2 Directive ((EU) 2022/2555) is the EU's main cybersecurity legislation. It expands the scope of NIS1 to cover 18 critical and important sectors, introduces stricter cybersecurity risk-management duties under Article 21, and adds supply-chain due-diligence and incident-reporting requirements. The transposition deadline was 17 October 2024.

Two NIS2 angles matter for virtual data rooms: (1) some VDR providers themselves are within scope as digital infrastructure or trust service providers, and (2) entities subject to NIS2 (banking, insurance, healthcare, energy, transport, digital infrastructure) must impose NIS2-aligned cybersecurity duties on their suppliers — including VDR providers — through supply-chain due diligence.

On 20 January 2026 the European Commission proposed targeted amendments to NIS2 to increase legal clarity and simplify compliance with risk-management requirements. As of March 2026, approximately two-thirds of member states have completed transposition.

Last updated: May 2026.


NIS2 Scope and Sectors

  • Essential entities (Annex I): energy, transport, banking, financial market infrastructure, healthcare, drinking water, waste water, digital infrastructure (cloud, data centre, content-delivery, DNS, trust services), ICT-service management, public administration, space.
  • Important entities (Annex II): postal, waste management, chemical manufacturing, food, manufacturing of medical devices / computers / electronics / motor vehicles, digital providers (online marketplaces, search engines, social platforms), research.

Article 21 Minimum Cybersecurity Measures

Article 21(2) requires essential and important entities to implement at least the following ten cybersecurity risk-management measures, which must be appropriate and proportionate and based on an all-hazards approach:

  1. Risk analysis and information system security policies.
  2. Incident handling.
  3. Business continuity (backups, disaster recovery, crisis management).
  4. Supply-chain security, including the security of relationships with direct suppliers and service providers.
  5. Security in network and information system acquisition, development, and maintenance.
  6. Policies and procedures to assess effectiveness of cybersecurity measures.
  7. Basic cyber hygiene practices and cybersecurity training.
  8. Policies on cryptography and encryption.
  9. Human-resources security, access-control policies, asset management.
  10. Multi-factor authentication, secured communications, secured emergency communications.

Direct Impact on VDR Procurement

  • For NIS2-scope buyers: include NIS2-aligned controls in your VDR procurement criteria — Article 21 measures, incident-reporting SLAs (24h early warning, 72h incident notification, 30d final report), and supply-chain due diligence on the VDR's sub-processors.
  • VDR providers in scope themselves (e.g. a VDR classified as a digital infrastructure provider) must register with the national competent authority and report incidents under the directive's SLAs.
  • Buyers outside NIS2 scope still benefit from NIS2-aligned vendors as a baseline of cybersecurity maturity.

Transposition Status (March 2026)

As of March 2026, approximately two-thirds of EU member states have completed NIS2 transposition. Belgium, Croatia, and Hungary were among early completers; Germany, France, and several others finalized implementing legislation in 2025.

On 20 January 2026 the European Commission proposed targeted amendments to NIS2 as part of a wider cybersecurity package, intended to simplify compliance with risk-management requirements.


Frequently Asked Questions

Are VDR providers themselves in scope of NIS2?

Sometimes. A VDR provider is in scope where it qualifies as a digital infrastructure provider (cloud, data centre, ICT-service management) or a trust service provider. Most standalone VDR providers are not clearly within scope; in practice they often align their controls with NIS2 voluntarily because their customers are in scope and flow the requirements down to them.

What does NIS2 require on supply-chain due diligence?

Article 21(2)(d) requires entities to manage supply-chain cybersecurity risk — typically through written supplier security requirements, periodic assessments, contractual flow-down, and integration of supply-chain risk into the entity's risk register.

Has Germany transposed NIS2?

Germany completed transposition in 2025 via the NIS2-Umsetzungsgesetz.

What is the incident reporting SLA under NIS2?

Three steps: an early warning to the CSIRT or national competent authority within 24 hours of becoming aware of a significant incident; an incident notification within 72 hours of becoming aware; and a final report within one month of submitting the incident notification.