NIS2 Compliance Checklist for AWS, Azure & GCP: The Complete 2026 Guide

The EU NIS2 Directive has been enforceable since October 17, 2024 . If your company runs on AWS, Azure, or GCP and falls under its scope, you need a clear checklist of what to fix — and a way to verify it automatically. This guide covers both. Who is affected by NIS2? NIS2 applies to any company operating in the EU with either: 50+ employees or €10M+ annual revenue , AND Operations in a covered sector: energy, transport, healthcare, water, digital infrastructure, ICT services, banking, financial market infrastructure, or manufacturing of critical products. Unlike NIS1, NIS2 also covers important entities (medium-sized companies) — not just operators of essential services. This means tens of thousands of European companies are newly in scope. What NIS2 requires (Article 21) Article 21 mandates a risk-based approach to security. For cloud infrastructure, this translates into 8 concrete categories: 1. IAM & Access Control AWS: MFA on all IAM users (especially root), no wildcard * permissi