NIS2 Compliance for Your Website & Hosting: Practical Checklist (2026)
NIS2 (Directive (EU) 2022/2555) took cybersecurity from the IT basement to the boardroom: management liability, 24-hour reporting clocks and supply-chain duties. Most guides drown you in legalese — this one focuses on the slice you can act on quickly: your web infrastructure.
NIS2 in 90 seconds
- Replaces the 2016 NIS directive; member-state laws apply from October 2024 onward.
- Two tiers: essential and important entities across 18 sectors (energy, health, transport, digital infrastructure, ICT services, manufacturing, digital providers…), generally from 50 employees / €10M turnover.
- Core duties: risk management measures, incident reporting (24 h / 72 h / 1 month), supply-chain security, management accountability.
- Teeth: fines up to €10M or 2 % of worldwide turnover, personal liability for management.
Even if you’re below thresholds, NIS2 reaches you through contracts: regulated customers must vet their suppliers — including whoever runs their website.
What NIS2 means for your website specifically
Your public website is an attack surface and often a business-critical service. The directive’s risk-management logic translates into concrete web questions:
- Availability — can a DDoS attack take you out? For how long? (Incident = potentially reportable.)
- Integrity — is the site protected against defacement and web attacks (WAF)?
- Supply chain — who is your hosting provider, under which jurisdiction, with what certifications?
- Detection — would you even know within 24 hours that something happened?
- Recovery — backups, tested restore, documented procedure.
Practical checklist
Infrastructure
- Hosting provider in the EU with auditable security posture (why jurisdiction matters)
- DDoS protection + WAF in front of every public web property
- TLS everywhere, automated certificate renewal
- Daily backups, restore tested at least twice a year
Process
- Uptime + integrity monitoring with alerting (24 h clock starts when you become aware)
- Incident response one-pager: who calls whom, who notifies the CSIRT
- Supplier list with jurisdictions and certifications (hosting, DNS, CDN, e-mail)
- Management sign-off on the measures — documented
The shortcut: compliance-ready EU infrastructure
You can assemble all of the above from parts — or put your web behind a stack built for exactly this audience. WEDOS NIS2 packages EU-jurisdiction infrastructure with DDoS/WAF shielding and the documentation trail auditors ask for; it pairs with WEDOS Protection (L3–L7 mitigation, 100 % SLA) for the availability requirement.
Related: EU hosting & data sovereignty · Cloudflare alternatives in the EU
Frequently asked questions
Does NIS2 apply to my company?
NIS2 covers 'essential' and 'important' entities in sectors like energy, transport, health, digital infrastructure, manufacturing and digital providers — generally from 50 employees or €10M turnover, with some sector exceptions regardless of size. If you supply regulated companies, expect their requirements to cascade onto you contractually.
What are the NIS2 incident reporting deadlines?
An early warning to the national CSIRT within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within a month. Your hosting and monitoring must make incidents visible fast enough to meet this.
What are the penalties?
Up to €10 million or 2 % of global annual turnover for essential entities (€7M/1.4 % for important entities) — and management can be held personally accountable for approving inadequate measures.
Is this article legal advice?
No. It's a practical orientation for website and hosting decisions. For a compliance program, work with counsel and your national transposition of the directive.