
How to audit your AWS infrastructure for NIS2 and DORA compliance (practical guide)
With NIS2's transposition deadline passed in October 2024 and DORA applying since January 2025, EU cloud teams are scrambling to figure out what actually needs to change in their AWS infrastructure. This guide walks through the specific checks, the tooling, and the common gaps we see.

What NIS2 and DORA actually require on AWS

NIS2 Art. 21 defines minimum security measures for "essential" and "important" entities. For AWS infrastructure, the relevant requirements translate to:

- Encryption at rest and in transit (Art. 21(2)(h))
- Access control and least privilege (Art. 21(2)(i))
- Multi-factor authentication (Art. 21(2)(j))
- Logging and audit trails, with a minimum of 12 months retention
- Incident response capability (Art. 21(2)(b))
- Backup and recovery procedures (Art. 21(2)(c))

DORA Art. 9 (for financial entities: banks, insurers, investment firms) adds:

- An ICT risk management framework that is documented and tested (the framework itself is defined in DORA Art. 6)
- Encryption of data at rest AND in transit with current standards
- Full logging coverage across all regions (not jus
Continue reading on Dev.to DevOps
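The controls listed above (MFA on root and console users, a multi-region, tamper-evident and KMS-encrypted CloudTrail, 12-month log retention, and TLS-only S3 access as the encryption-in-transit check) expressed as an offline audit script. This is an added example, not code from the Dev.to article. It assumes the data has already been pulled with the AWS CLI or boto3 in the documented response shapes (the IAM credential report CSV, the `trailList` of `cloudtrail describe-trails`, the `logGroups` of `logs describe-log-groups`, and `s3api get-bucket-policy` documents); the inline sample data, including the account ID 123456789012, the bucket and trail names, is constructed.

```python
"""Offline evaluator for the AWS controls the guide maps to NIS2 Art. 21 / DORA.

Each check takes data in the shape of the corresponding AWS API response
(an assumption about field names; fetch them with boto3 or the AWS CLI).
All sample inputs below are constructed, including the account ID.
"""
from __future__ import annotations

import csv
import io
import json
from dataclasses import dataclass

MIN_LOG_RETENTION_DAYS = 365  # the guide's 12-month audit-trail minimum


@dataclass(frozen=True)
class Finding:
    control: str   # requirement as cited in the guide
    resource: str
    detail: str


def check_mfa(credential_report_csv: str) -> list[Finding]:
    """IAM credential report (decoded `aws iam get-credential-report` content).
    NIS2 Art. 21(2)(j): root and every console-password user must have MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(credential_report_csv)):
        is_root = row["user"] == "<root_account>"  # root row has password_enabled=not_supported
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append(Finding("NIS2 Art. 21(2)(j)", row["arn"], "console access without MFA"))
    return findings


def check_cloudtrail(trails: list[dict]) -> list[Finding]:
    """`trailList` from `aws cloudtrail describe-trails`. DORA's full logging coverage
    needs a multi-region trail; log-file validation and a KMS key keep the audit
    trail tamper-evident and encrypted at rest (NIS2 Art. 21(2)(h))."""
    findings = []
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        findings.append(Finding("DORA Art. 9", "CloudTrail", "no multi-region trail"))
    for t in trails:
        if not t.get("LogFileValidationEnabled"):
            findings.append(Finding("NIS2 Art. 21(2)(h)", t["Name"], "log file validation disabled"))
        if not t.get("KmsKeyId"):
            findings.append(Finding("NIS2 Art. 21(2)(h)", t["Name"], "trail not KMS-encrypted"))
    return findings


def check_log_retention(log_groups: list[dict]) -> list[Finding]:
    """`logGroups` from `aws logs describe-log-groups`. A group without
    retentionInDays never expires, which satisfies the 12-month minimum."""
    return [
        Finding("NIS2 Art. 21 logging", g["logGroupName"],
                f"retention {g['retentionInDays']} days < {MIN_LOG_RETENTION_DAYS}")
        for g in log_groups
        if g.get("retentionInDays", MIN_LOG_RETENTION_DAYS) < MIN_LOG_RETENTION_DAYS
    ]


def _denies_plaintext(policy: dict) -> bool:
    """True when a Deny statement is conditioned on aws:SecureTransport being false."""
    for stmt in policy.get("Statement", []):
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if stmt.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False


def check_s3_transit(bucket_policies: dict[str, str | None]) -> list[Finding]:
    """Bucket name -> policy document from `aws s3api get-bucket-policy` (None when
    the bucket has no policy). Encryption in transit means rejecting non-TLS requests."""
    findings = []
    for name, doc in bucket_policies.items():
        if doc is None or not _denies_plaintext(json.loads(doc)):
            findings.append(Finding("NIS2 Art. 21(2)(h)", f"s3://{name}", "no TLS-only deny statement"))
    return findings


def run_audit(report, trails, log_groups, bucket_policies) -> list[Finding]:
    return (check_mfa(report) + check_cloudtrail(trails)
            + check_log_retention(log_groups) + check_s3_transit(bucket_policies))


# --- constructed sample data (not from any real account) ---
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2025-01-10T08:00:00+00:00,not_supported,not_supported,false
alice,arn:aws:iam::123456789012:user/alice,2021-05-05T00:00:00+00:00,true,2025-01-10T08:00:00+00:00,2024-12-01T00:00:00+00:00,N/A,true
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-03-03T00:00:00+00:00,false,no_information,N/A,N/A,false
bob,arn:aws:iam::123456789012:user/bob,2023-07-07T00:00:00+00:00,true,2025-01-09T08:00:00+00:00,2024-11-01T00:00:00+00:00,N/A,false
"""
SAMPLE_TRAILS = [{"Name": "eu-central-trail", "IsMultiRegionTrail": False,
                  "LogFileValidationEnabled": True,
                  "KmsKeyId": "arn:aws:kms:eu-central-1:123456789012:key/example"}]
SAMPLE_LOG_GROUPS = [{"logGroupName": "/aws/lambda/payments", "retentionInDays": 30},
                     {"logGroupName": "/audit/cloudtrail"}]
TLS_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::ledger-exports", "arn:aws:s3:::ledger-exports/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
SAMPLE_BUCKET_POLICIES = {"ledger-exports": TLS_ONLY_POLICY, "scratch": None}

if __name__ == "__main__":
    for f in run_audit(SAMPLE_CREDENTIAL_REPORT, SAMPLE_TRAILS, SAMPLE_LOG_GROUPS, SAMPLE_BUCKET_POLICIES):
        print(f"[{f.control}] {f.resource}: {f.detail}")
```

Each finding carries the article it maps to, so the output can go straight into the evidence pack an auditor asks for. Two design choices worth noting: the root row of the credential report reports `password_enabled` as `not_supported`, so it is matched by name rather than by that column; and a log group with no `retentionInDays` is treated as compliant because CloudWatch keeps those logs indefinitely, which is the expensive but safe default.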




