This presentation examines Amazon Web Services’ (AWS) comprehensive approach to meeting the European Union’s NIS 2 Directive (EU 2022/2555), which establishes strengthened cybersecurity requirements for essential and important entities across critical sectors. As digital infrastructure becomes increasingly vital to European societies, governments, and businesses, cloud service providers bear broad responsibility for ensuring robust security measures.
The research explores AWS’s implementation of risk-based cybersecurity controls covering the full security lifecycle: identification, protection, detection, response, recovery, and communication. Methodologies include analysis of AWS’s existing compliance frameworks (ISO 27001, C5, ENS High, HDS), examination of the AWS Shared Responsibility Model, and evaluation of technical capabilities that enable customers to meet NIS 2 obligations.
Key outcomes demonstrate how AWS addresses NIS 2 requirements through multiple mechanisms: over 150 independently audited security certifications, specialized European attestations, and comprehensive service offerings including AWS Security Hub, CloudTrail, Config, and Resilience Hub. The presentation highlights AWS’s proactive cooperation with national cybersecurity authorities through the Global Cloud Security Program (GCSP), including partnerships with Dutch NCSC-NL, Italian ACN, and Spanish CNI-CCN.
The material is expected to apply to essential and important entities navigating NIS 2 compliance, and it demonstrates practical implementation of governance measures, incident management, business continuity planning, supply chain security, and cryptographic controls. The updated NIS 2 Considerations for AWS Customers guide (December 2025) provides actionable mappings between Annex requirements and AWS capabilities, enabling proportionate control deployment.
This research contributes to understanding how cloud infrastructure providers can elevate cybersecurity standards across Europe while supporting customer resilience through security-by-design principles, comprehensive training programs, and collaborative engagement with regulatory authorities to build societal trust in digital environments.