NIS2 Azure Compliance: Checklist for Architects
The NIS2 directive (Network and Information Security Directive 2) is now in effect, and organizations across the EU must demonstrate that they have cybersecurity under control. As a Cloud Architect, I encounter this daily – clients need a clear, practical guide on how to align their Azure infrastructure with NIS2 requirements without having to read hundreds of pages of legislative text.
What Does NIS2 Mean for Your Azure Architecture?
NIS2 expands the scope of obligated entities and tightens requirements for:
- Risk management – systematic identification and management of risks
- Incident reporting – reporting incidents within 24 hours
- Supply chain security – verifying supplier security
- Business continuity – recovery and continuity of operations plans
- Encryption & access control – data encryption and access management
Step 1: Azure Policy as the Governance Foundation
The first step is deploying strict Azure Policy definitions that enforce compliance across the entire organization:
// Assign at subscription (or management group) scope so the controls apply across the environment
targetScope = 'subscription'

resource nis2PolicyAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'nis2-baseline'
  properties: {
    displayName: 'NIS2 Baseline Security Controls'
    // Built-in initiative: Microsoft cloud security benchmark
    policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
    // 'Default' enforces Deny effects; 'DoNotEnforce' would only report non-compliance
    enforcementMode: 'Default'
    // Parameter names must match those declared by the assigned initiative
    parameters: {
      // Storage account encryption: 'Audit' only reports non-compliance, 'Deny' would block it
      storageAccountsEncryption: { value: 'Audit' }
      // Enforce HTTPS on web apps
      webAppsHttps: { value: 'Deny' }
    }
  }
}
Step 2: Defender for Cloud – CSPM at Maximum
Microsoft Defender for Cloud is an absolute must-have. I recommend activating:
- Defender CSPM (Cloud Security Posture Management) – detects misconfigurations
- Defender for Servers – protects VM workloads
- Defender for Key Vault – monitors access to secrets
- Defender for DNS – detects suspicious DNS activity
Your Secure Score should be at least 80% to meet the NIS2 baseline.
Step 3: Centralized Logging and SIEM
NIS2 requires the ability to detect and report security incidents. In Azure, we solve this with:
- Azure Monitor + Log Analytics Workspace – centralized log collection
- Azure Sentinel (Microsoft Sentinel) – SIEM/SOAR platform
- Diagnostic Settings – enabled on all critical resources
# Enable diagnostics for Key Vault
az monitor diagnostic-settings create \
  --resource "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.KeyVault/vaults/{vault}" \
  --name "nis2-logging" \
  --workspace "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights/workspaces/{law}" \
  --logs '[{"categoryGroup": "allLogs", "enabled": true}]' \
  --metrics '[{"category": "AllMetrics", "enabled": true}]'
Step 4: Identity & Access Management
Zero Trust architecture is critical for NIS2:
- Entra ID Conditional Access – MFA for all administrators
- PIM (Privileged Identity Management) – just-in-time access
- Access Reviews – quarterly permission audits
- Break-glass accounts – emergency accounts with monitoring alerts
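To make the "monitoring alerts" on break-glass accounts concrete, and to show how the Sentinel SIEM from Step 3 is put to use, here is a Microsoft Sentinel scheduled analytics rule query (KQL) that surfaces every sign-in attempt by those accounts. This is an added example, not from the original post; it assumes Entra ID sign-in logs are flowing into the Log Analytics workspace, and the UPNs and expected IP range are placeholders.

```kql
// Scheduled analytics rule: run every 1 hour, look back 1 hour, create one incident per result.
// Every attempt, successful or failed, should page the on-call team: break-glass
// accounts are never used in normal operations, so any activity is an event to investigate.
// Placeholder UPNs; replace with the real emergency accounts.
let BreakGlassAccounts = dynamic([
    "breakglass-1@contoso.onmicrosoft.com",
    "breakglass-2@contoso.onmicrosoft.com"
]);
// Placeholder range (TEST-NET-3) from which emergency access is expected, e.g. the SOC office egress.
let ExpectedRanges = dynamic(["203.0.113.0/24"]);
SigninLogs
| where TimeGenerated > ago(1h)
| where UserPrincipalName in~ (BreakGlassAccounts)
// ResultType "0" is a successful sign-in; anything else is a failure code
| extend Outcome = iff(ResultType == "0", "Success", strcat("Failure (", ResultType, ")"))
// Flag sign-ins from outside the expected source range (IPv6 sources evaluate to false)
| extend FromExpectedRange = ipv4_is_in_any_range(IPAddress, ExpectedRanges)
| project TimeGenerated, UserPrincipalName, Outcome, ResultDescription,
          IPAddress, FromExpectedRange, Location, AppDisplayName,
          ConditionalAccessStatus, AuthenticationRequirement, UserAgent
| order by TimeGenerated desc
```

Break-glass accounts are normally excluded from Conditional Access, so this rule, together with the quarterly Access Reviews, is the compensating control that keeps that exclusion visible.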
Conclusion
NIS2 compliance in Azure is not just about ticking checkboxes. It's about building a truly secure, monitored, and resilient infrastructure. Start with Azure Policy and Defender for Cloud – these two tools will cover the majority of the directive's technical requirements. For hands-on CSPM implementation, see our Defender for Cloud setup guide.
Need help implementing NIS2 in your Azure environment? See our Cloud Security and NIS2 consulting services or reach out for a free assessment.
About the author

Martin Rylko
Senior Cloud Architect & DevOps Engineer
14+ years in IT – from on-premises datacenters and Hyper-V clustering to cloud infrastructure on Microsoft Azure. I specialize in Landing Zones, IaC automation, Kubernetes and security compliance.
Frequently Asked Questions
- How do I know if NIS2 applies to my organization?
- Which Azure compliance certifications help demonstrate NIS2 compliance?
- What audit trail requirements does NIS2 mandate for cloud infrastructure?
- Can I use Azure built-in tools for NIS2 compliance or do I need third-party solutions?