
NIS-2 has landed. Dependence on American cloud is becoming risky.

By Sanni Salokangas

For European companies that still rely on American hyperscalers to store critical data, the clock is ticking. The NIS 2 Directive is the European Union’s most ambitious cybersecurity framework to date, and it is redefining how digital services are secured, governed, and held accountable. MSPs, telcos, hosting providers, data centres, and cloud platforms are now considered part of Europe’s critical infrastructure, and the directive gives them new responsibilities that many have not yet prepared for: tighter reporting timelines, stricter accountability, and real consequences.

What is NIS 2?

The Network and Information Security Directive 2 (NIS 2) requires European organisations to adopt stricter cybersecurity risk management practices, report incidents within very short timeframes (sometimes just 24 hours), and ensure that their technology partners are equally secure and compliant.

The directive places particular emphasis on supply chain risk and cross-border legal control. For example, a managed service provider must be able to detect a breach, assess its impact, notify the authorities, and mitigate the risk — all within a tight legal window. At the same time, it must ensure that every part of its supply chain, including infrastructure partners and cloud vendors, meets the same level of security and compliance.

This raises the question: can a European company truly be compliant if its data is stored by a non-European provider?

The jurisdiction dilemma and the U.S. CLOUD Act

For years, American hyperscalers have been the default choice for scalability and innovation. Their tools are global and deeply embedded in modern data infrastructure, but they are also subject to U.S. jurisdiction — regardless of where their servers are physically located.

Under the U.S. CLOUD Act, American authorities can compel these companies to hand over data stored in the EU. That includes everything from encrypted backups and logs to customer records and infrastructure configurations. In other words, for organisations using a U.S.-based cloud provider like AWS, their data is only technically in Europe. Legally, it’s not.

Cloud exit incoming

The distinction between American and European cloud providers is gaining traction, because American hyperscalers operate within a framework where national security interests can override client confidentiality. European providers, on the other hand, are bound by the GDPR, the EU Charter of Fundamental Rights, and, increasingly, sovereignty-focused legislation that prioritises the user’s right to control and protect their data.

European organisations are exiting the public cloud and moving to local providers, like SpaceTime, as they realise the gravity of the situation.

Is NIS 2 in full effect yet?

NIS 2 came into force in January 2023 and was supposed to be fully implemented by October 17, 2024. That’s the legal deadline by which EU Member States were required to transpose its requirements into national law.

However, many countries have missed the deadline. As of early 2025, the majority of EU Member States have not yet transposed NIS 2 into their national legislation, for different reasons: legislative backlog, lack of national coordination, and in some cases a general underestimation of the complexity of the directive’s scope. Implementation is politically sensitive and technically demanding.

But while governments stall, European companies are not off the hook. The directive is still in force at the EU level. Regulators and national cybersecurity agencies are pressing ahead. And for organisations operating across multiple jurisdictions — or handling sensitive data — the expectations are already in place.