NIS2 Compliance for Your Website & Hosting: Practical Checklist (2026)

NIS2 (Directive (EU) 2022/2555) took cybersecurity from the IT basement to the boardroom: management liability, 24-hour reporting clocks and supply-chain duties. Most guides drown you in legalese — this one focuses on the slice you can act on quickly: your web infrastructure.

NIS2 in 90 seconds

Even if you’re below thresholds, NIS2 reaches you through contracts: regulated customers must vet their suppliers — including whoever runs their website.

What NIS2 means for your website specifically

Your public website is an attack surface and often a business-critical service. The directive’s risk-management logic translates into concrete web questions:

  1. Availability — can a DDoS attack take you out? For how long? (Incident = potentially reportable.)
  2. Integrity — is the site protected against defacement and web attacks (WAF)?
  3. Supply chain — who is your hosting provider, under which jurisdiction, with what certifications?
  4. Detection — would you even know within 24 hours that something happened?
  5. Recovery — backups, tested restore, documented procedure.

Practical checklist

Infrastructure

Process

The shortcut: compliance-ready EU infrastructure

You can assemble all of the above from parts — or put your web behind a stack built for exactly this audience. WEDOS NIS2 packages EU-jurisdiction infrastructure with DDoS/WAF shielding and the documentation trail auditors ask for; it pairs with WEDOS Protection (L3–L7 mitigation, 100 % SLA) for the availability requirement.

Related: EU hosting & data sovereignty · Cloudflare alternatives in the EU

Frequently asked questions

Does NIS2 apply to my company?

NIS2 covers 'essential' and 'important' entities in sectors like energy, transport, health, digital infrastructure, manufacturing and digital providers — generally from 50 employees or €10M turnover, with some sector exceptions regardless of size. If you supply regulated companies, expect their requirements to cascade onto you contractually.

What are the NIS2 incident reporting deadlines?

An early warning to the national CSIRT within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within a month. Your hosting and monitoring must make incidents visible fast enough to meet this.

What are the penalties?

Up to €10 million or 2 % of global annual turnover for essential entities (€7M/1.4 % for important entities) — and management can be held personally accountable for approving inadequate measures.

Is this article legal advice?

No. It's a practical orientation for website and hosting decisions. For a compliance program, work with counsel and your national transposition of the directive.