NIS2 for SaaS, cloud and managed-service providers.
Digital infrastructure providers are named essential entities under NIS2 Annex I — independent of size. If you host other NIS2-regulated customers, your compliance posture becomes their supply-chain obligation.
Why this matters now
Enterprise customers that are themselves NIS2-regulated are pushing vendor attestations down to their SaaS providers. Providers without NIS2 posture are losing deals at procurement.
- Classification confusion: SaaS vendors often think they're 'only' important entities until legal review — most qualify as essential
- Customer procurement asking for NIS2-specific attestations alongside existing SOC 2 and ISO 27001
- Registration obligations with national supervisory authority (BSI in Germany) within 3 months of scope trigger
- Incident-notification chain: when a cloud customer is breached, the provider may owe parallel notifications
How Matproof covers NIS2 for SaaS & Cloud Providers
Scope + registration
Matproof helps determine your NIS2 classification (essential vs important), jurisdictional assignment (Member State of main establishment), and prepares the BSI registration dossier.
Customer-facing NIS2 attestations
Generate vendor NIS2 attestations from your control evidence. Customers can cite your NIS2 posture in their own Art. 21(2)(d) supply-chain management.
SOC 2 + ISO 27001 + NIS2 dual mapping
Roughly 80% control overlap. Matproof maintains one evidence pipeline and generates artefacts for all three audits as well as vendor questionnaires.
Incident chain notifications
When a customer-data incident occurs, track who must be notified: BSI (your NIS2 obligation), customers (your contract + their NIS2 obligation), data protection authorities (GDPR Art. 33/34).
In scope
- Cloud computing services (IaaS, PaaS, SaaS) — NIS2 Annex I
- Data center service providers — NIS2 Annex I
- Content delivery networks — NIS2 Annex I
- DNS, TLD name registries, trust service providers — NIS2 Annex I
- Managed services providers and managed security services providers — NIS2 Annex I
Frequently asked questions
Is my SaaS platform an essential entity or important entity under NIS2?
If you're a cloud service provider, data center operator, CDN, or MSSP, you're in NIS2 Annex I. If your company exceeds 250 employees or EUR 50M turnover → essential entity. Between 50 and 249 employees or EUR 10-50M turnover → important entity. Below both thresholds, you're still regulated if you're a named infrastructure type; classification is size-independent for TLD registries and trust service providers.
How does NIS2 interact with SOC 2 and ISO 27001 for my SaaS?
Technical controls overlap ~80%. The gaps: NIS2 requires specific incident-notification timelines to BSI (24h/72h/1 month), greater supply-chain security depth, board-level accountability, and registration with the supervisory authority. These aren't in SOC 2/ISO 27001. Matproof's platform maps all three frameworks to the same control evidence where they overlap and handles the gaps.
What happens if one of my cloud customers has a breach involving my infrastructure?
You likely have parallel obligations: your own NIS2 notification to BSI if it's a significant incident on your infrastructure, customer contractual notification per your data processing agreement (DPA), and potentially cooperation with your customer's supervisory authority if they're NIS2-regulated. Matproof's incident workflow captures all three streams from one source.
Can I defer NIS2 if I'm non-EU but serve EU customers?
No. NIS2 applies to non-EU entities providing services in the EU. You must designate a legal representative in the Member State where you serve most customers, and register with that country's authority. US-based SaaS vendors with EU customers are in scope.
Ready to start with NIS2?
30-minute demo tailored to SaaS & Cloud Providers. We show you exactly how Matproof covers NIS2 for your sector.