Are data centers on top of NIS 2 cyber compliance?

IT and facility teams are often misaligned when it comes to cybersecurity. Managers may think their facility is secure if operational technology (OT) systems are patched and “air-gapped”, but risks from remote access and third-party attacks are often overlooked. Higher levels of OT security may help but may also restrict essential access to equipment.

European regulators are now enforcing better cybersecurity. The Digital Operational Resilience Act (DORA) and Network and Information Security 2 (NIS 2) require organizations to implement best practices and report on incidents and threats. DORA relates to financial services resiliency (see Will legislation change how finance uses public cloud?); NIS 2 relates to cybersecurity specifically. Both regulations require management of third-party risk — and both bear the threat of severe fines and management penalties. However, currently, only 12% of operators utilize or conform to NIS 2 (Uptime Institute Data Center Security Survey 2024).