NIS2 Annex.I.3: Digital Infrastructure and ICT Service Cybersecurity Requirements
What This Control Requires
Annex I lists digital infrastructure as a sector of high criticality. It covers internet exchange point providers, DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, trust service providers, and providers of public electronic communications networks and of publicly available electronic communications services.
In Plain Language
When a cloud platform goes down or a DNS provider is compromised, the ripple effect hits every organisation that depends on them. Digital infrastructure providers are the foundation layer of the modern economy, and NIS2 treats them accordingly: several sub-sectors (qualified trust service providers, TLD name registries and DNS service providers) are classified as essential entities regardless of their size, and the rest fall in scope at a lower size threshold than most other sectors.
The scope here is broad: internet exchange points routing traffic, cloud providers hosting critical workloads, DNS service providers, TLD registries, data centres, CDNs, trust service providers issuing digital certificates, and electronic communications networks. Each sub-sector has its own security challenges, but they all share one thing - other organisations fundamentally depend on their availability and integrity.
Sophisticated threat actors, including nation-state groups, actively target core internet infrastructure for intelligence gathering and pre-positioning. If you operate in this space, your security posture needs to match the threat level. Focus on availability, integrity of routing and DNS data, protection of cryptographic key material, and resilience against large-scale attacks.
How to Implement
Match your security investment to the critical role your infrastructure plays. Cloud providers should pursue and maintain recognised certifications (ISO 27001, SOC 2, BSI C5, or the draft EUCS scheme once adopted). DNS service providers and TLD registries should sign their zones with DNSSEC and protect the registration and zone-management interfaces that a hijacker would target (registrar account takeover, unauthorised NS or A record changes). Trust service providers must meet eIDAS requirements for qualified trust services.
Design for high availability from the ground up. Digital infrastructure customers expect service continuity even during active cyber incidents. Build redundancy at every level - multiple data centres, diverse network paths, automated failover, and geographically distributed infrastructure. Set SLAs that reflect the critical nature of what you provide.
Invest heavily in DDoS protection. Large-scale denial-of-service attacks are a primary threat in this sector. Deploy upstream filtering, anycast network architectures, traffic scrubbing centres, and automated mitigation with manual escalation paths.
Lock down the management plane. Administrative access to core infrastructure - routers, DNS servers, certificate generation systems, hypervisors - demands the strongest controls available: hardware-based MFA, privileged access workstations, just-in-time access provisioning, and comprehensive audit logging.
Secure your hardware and software supply chain. Verify the integrity and authenticity of firmware and software updates before they are installed (signed release manifests checked against a pinned vendor key, not just a download checksum), assess hardware supplier security, monitor for supply chain tampering, and diversify critical components to reduce single-supplier risk.
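The update-integrity check above can be made concrete as an added example (not code from the original page or from any particular vendor): a release is described by a JSON manifest of image names and SHA-256 digests, the vendor signs the manifest with an Ed25519 release key, and the installer refuses the update unless the signature verifies against a pinned public key and every image in the bundle matches the manifest exactly. The manifest format, the image names and the sample image bytes are all constructed for the example; the page does not prescribe them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one firmware release: which images it contains and the
// SHA-256 digest each one must have. The vendor signs the manifest, so one
// signature covers the whole release. (Format is an assumption for this example.)
type Manifest struct {
	Version string            `json:"version"`
	Images  map[string]string `json:"images"` // image name -> hex SHA-256
}

// sha256Hex returns the lowercase hex SHA-256 digest of data.
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildManifest is the vendor-side build step: hash every image in the release.
func BuildManifest(version string, images map[string][]byte) Manifest {
	m := Manifest{Version: version, Images: make(map[string]string, len(images))}
	for name, data := range images {
		m.Images[name] = sha256Hex(data)
	}
	return m
}

// SignManifest serialises the manifest (encoding/json sorts map keys, so the
// bytes are deterministic) and returns those bytes plus a detached Ed25519
// signature made with the vendor's release-signing key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (raw, sig []byte, err error) {
	raw, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// VerifyUpdate is the device/installer-side step. It checks the detached
// signature against the pinned vendor public key before parsing anything,
// then requires that every listed image is present with the expected digest
// and that the bundle carries no image the manifest does not list.
func VerifyUpdate(vendorPub ed25519.PublicKey, manifestRaw, sig []byte, bundle map[string][]byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(vendorPub, manifestRaw, sig) {
		return m, errors.New("manifest signature invalid: refusing update")
	}
	if err := json.Unmarshal(manifestRaw, &m); err != nil {
		return m, fmt.Errorf("manifest unparseable: %w", err)
	}
	if len(m.Images) == 0 {
		return m, errors.New("manifest lists no images")
	}
	for name, want := range m.Images {
		data, ok := bundle[name]
		if !ok {
			return m, fmt.Errorf("image %q listed in manifest but missing from bundle", name)
		}
		if got := sha256Hex(data); got != want {
			return m, fmt.Errorf("image %q digest mismatch: manifest %s, bundle %s", name, want, got)
		}
	}
	for name := range bundle {
		if _, listed := m.Images[name]; !listed {
			return m, fmt.Errorf("bundle contains unlisted image %q", name)
		}
	}
	return m, nil
}

func main() {
	// Vendor side: release key (pub would be baked into devices at manufacture).
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample images standing in for real firmware binaries.
	bundle := map[string][]byte{"bootloader.bin": []byte("boot-v2"), "app.bin": []byte("app-v2")}
	raw, sig, _ := SignManifest(priv, BuildManifest("2.0.1", bundle))

	// Device side: a clean bundle installs, a tampered image is rejected.
	if m, err := VerifyUpdate(pub, raw, sig, bundle); err == nil {
		fmt.Println("update accepted:", m.Version)
	}
	bundle["app.bin"] = []byte("app-v2-backdoored")
	if _, err := VerifyUpdate(pub, raw, sig, bundle); err != nil {
		fmt.Println("update rejected:", err)
	}
}
```

Signing the manifest rather than each image keeps the trust decision in one place: any change to a digest, a version string, or the set of images invalidates the signature, and the unlisted-image check closes the gap where an attacker leaves the signed files alone and adds one more.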
Plan incident response around cascading impact. When your infrastructure is compromised, your customers are affected too. Establish coordination channels with downstream customers, peering partners, and sector regulators. Have rapid notification procedures ready for when incidents affect service delivery.
Meet sector-specific obligations beyond NIS2, including the European Electronic Communications Code for network operators and eIDAS for trust service providers.
Evidence Your Auditor Will Request
- Recognised security certifications relevant to the sub-sector
- High availability architecture documentation with redundancy and failover
- DDoS protection capabilities and testing records
- Privileged access management for core infrastructure
- Sector-specific compliance documentation (eIDAS, EECC, etc.)
Common Mistakes
- Single points of failure in infrastructure design despite availability SLAs
- DNSSEC not implemented by DNS service providers
- DDoS protection inadequate for the scale of attacks targeting infrastructure providers
- Administrative access to core systems uses weak authentication
- Customer notification procedures inadequate for rapid communication during incidents
Frequently Asked Questions
Are small cloud providers in scope for NIS2?
How does the EUCS cloud certification scheme relate to NIS2?