NIS2 France ANSSI vs Netherlands NCSC 2026: Western Europe SaaS Compliance Guide
Post #3 in the sota.io EU NIS2 SaaS Compliance Series
If you sell SaaS to French enterprises or Dutch organizations — or if you host infrastructure serving users in France and the Netherlands — you are now subject to two distinct NIS2 national implementations with different registration portals, different supervisory authorities, and different enforcement timelines. Neither country simply adopted the EU NIS2 Directive verbatim. Both added national procedural layers that a DACH-focused compliance playbook won't cover.
France transposed NIS2 via Ordonnance n° 2024-821 du 8 juillet 2024 and subsequent implementing decrees. The Netherlands enacted the Cyberbeveiligingswet (Cbw) in late 2024. This guide maps both implementations side-by-side: who oversees what, where you register, how long you have to report incidents, and what the penalties look like.
The Series Context
| Post | Country/Region | Status |
|---|---|---|
| #1 — Germany BSIG 3.0 | DACH / Germany | ✅ Live |
| #2 — Austria NISG 2024 vs Germany | DACH Comparison | ✅ Live |
| #3 — France ANSSI + Netherlands NCSC | Western Europe | This post |
| #4 — Southern Europe (Spain, Italy, Portugal) | Southern Europe | Coming |
| #5 — 21-Country NIS2 Compliance Stack Finale | EU-wide | Coming |
Part 1: France NIS2 — ANSSI, Ordonnance 2024-821, and CERT-FR
1.1 Legislative Timeline
France was among the EU Member States that needed the most time to implement NIS2. The journey:
- 17 October 2024: EU NIS2 transposition deadline (all Member States)
- 8 July 2024: Ordonnance n° 2024-821 published — the primary French NIS2 transposition ordinance
- 2024-2025: Implementing decrees (décrets d'application) published in phased waves
- 2025: ANSSI begins formal registration process for NIS2-scope entities
- 2026: First enforcement actions and supervisory reviews expected at scale
The Ordonnance amends the French Code de la sécurité intérieure (CSI) and replaces the first-generation NIS1 framework (Loi n° 2018-133). Unlike Germany's single BSIG 3.0 statute or Austria's NISG 2024, France split the NIS2 implementation across the Ordonnance and a cascade of sectoral decrees — a structure that reflects France's tradition of regulatory layering.
1.2 ANSSI — France's National Competent Authority
ANSSI (Agence nationale de la sécurité des systèmes d'information) is France's cybersecurity agency, created in 2009 under the Secretary-General for National Defence and Security (SGDSN). Under Ordonnance 2024-821, ANSSI serves as:
- National Competent Authority (NCA) for NIS2
- National CSIRT coordinator via its operational arm CERT-FR
- Registration authority for cross-sectoral entities
ANSSI contact and registration:
- Portal: si-reg.anssi.fr (Système d'information de régulation)
- General contact: contact@cert.ssi.gouv.fr
- Incident reporting: cert-fr.eu.europa.eu (EU CSIRT network portal) + https://www.cybermalveillance.gouv.fr for SMEs
1.3 Sectoral NCA Architecture in France
France applies a multi-authority model. ANSSI coordinates but sectoral regulators supervise entities in their domains:
| Sector | French NIS2 Supervisory Authority |
|---|---|
| Telecommunications / Digital | ARCEP (Autorité de régulation des communications électroniques) |
| Financial sector (banks, insurance) | ACPR (Autorité de contrôle prudentiel et de résolution) + AMF |
| Healthcare | ANS (Agence du Numérique en Santé) |
| Energy | CRE (Commission de régulation de l'énergie) |
| Water / Wastewater | Préfecture + Ministère de la Transition Écologique |
| Digital infrastructure (IXPs, DNS, cloud) | ANSSI (primary) |
| Managed services / SaaS | ANSSI — cross-sectoral default |
For SaaS companies, the default authority is ANSSI unless the SaaS serves a regulated sector (e.g., SaaS for banks → ACPR oversight layer applies on top of ANSSI baseline).
1.4 Scope: Which SaaS Companies Are Caught?
France applies the NIS2 size criteria (Article 3 of the Directive) with limited national adjustments:
Essential Entities (Entités Essentielles — EE):
- Large enterprises (≥250 employees OR ≥€50M turnover AND ≥€43M balance sheet)
- In high-criticality sectors (Annex I of Directive)
Important Entities (Entités Importantes — EI):
- Medium enterprises (≥50 employees OR ≥€10M turnover AND ≥€10M balance sheet)
- In sectors from Annexes I or II
SaaS-specific triggers under French law:
- Cloud computing services provider to French public bodies or essential-sector customers
- Managed service providers (MSPs) serving French entities in-scope
- Digital marketplace operators with French users ≥€50M
- DNS service providers serving .fr or French enterprise DNS
1.5 Registration Process — si-reg.anssi.fr
The French registration process differs from Germany's meldeplattform.bsi.de in its phased rollout:
Phase 1 (2025): ANSSI directly contacts entities it has already identified (former NIS1 operators, critical infrastructure operators from national lists).
Phase 2 (2025-2026): Self-registration via si-reg.anssi.fr opens for entities that believe they fall in scope.
Required registration data:
- Legal entity name and SIREN/SIRET number
- Primary contact person (name + professional email)
- Sector(s) of operation (Annex I / Annex II)
- Entity type: EE or EI
- Number of employees and annual turnover
- List of significant network and information systems (NIS)
- Cross-border operating countries
Registration deadline for in-scope entities: ANSSI has not yet published a hard deadline for self-identification — unlike Germany's BSIG which had a deadline tied to the BSI registration platform. French entities are advised to register proactively before ANSSI begins enforcement reviews in 2026.
1.6 Incident Reporting — France / CERT-FR
France follows the NIS2 Directive's three-tier reporting framework, channeled through ANSSI/CERT-FR:
| Report Type | Timeline | Channel | Content |
|---|---|---|---|
| Early Warning (Alerte précoce) | 24 hours | cert-fr.eu.europa.eu / sécurité@cert.ssi.gouv.fr | Incident type, initial impact assessment |
| Incident Notification (Notification d'incident) | 72 hours | ANSSI portal | Detailed technical description, affected systems, users impacted |
| Final Report (Rapport final) | 1 month | ANSSI portal | Root cause, remediation measures, cross-border impact if any |
France-specific addition: For incidents affecting critical national infrastructure (Opérateurs d'Importance Vitale — OIV, a French-specific category that predates NIS2), ANSSI requires parallel reporting to the relevant ministerial FSSI (Fonctionnaire de Sécurité des Systèmes d'Information). SaaS companies serving OIV customers may trigger this dual-track requirement.
1.7 Security Requirements — French NIS2 Baseline
Ordonnance 2024-821 implementing decrees specify minimum security measures aligned to NIS2 Article 21:
- Risk analysis (analyse de risques): Annual risk assessment mandatory for EE; biennial for EI. ANSSI recommends EBIOS Risk Manager methodology.
- Incident response: Documented IR plan, tested annually for EE.
- Business continuity: BCP covering at least the top-5 critical services.
- Supply chain security: Third-party security questionnaires for critical service providers (Article 21(2)(d)).
- Access control: MFA mandatory for remote access and privileged accounts (ANSSI's PAMO — Politique d'administration et de maîtrise des objets numériques).
- Encryption: TLS 1.2+ for data in transit; AES-256 recommended for data at rest.
- Vulnerability management: Critical patches within 15 days (EE) or 30 days (EI).
- Cyber hygiene training: Annual security awareness training documented.
- Cryptographic policy: ANSSI-approved algorithms (RGS — Référentiel Général de Sécurité) apply to entities working with French government data.
French-specific note for cloud SaaS: ANSSI's SecNumCloud qualification scheme (equivalent to EU EUCS high tier) is not yet mandatory under NIS2, but entities seeking to serve French public sector clients must meet SecNumCloud requirements separately. NIS2 compliance ≠ SecNumCloud qualification.
1.8 Penalties — France
French NIS2 penalties under Ordonnance 2024-821 implementing decrees:
| Violation Type | Essential Entities (EE) | Important Entities (EI) |
|---|---|---|
| Failure to register | Up to €100,000 | Up to €50,000 |
| Missing risk measures (Art. 21) | Up to €10,000,000 or 2% global turnover | Up to €7,000,000 or 1.4% global turnover |
| Late/missing incident report | Up to €1,000,000 | Up to €500,000 |
| Non-cooperation with ANSSI audit | Up to €500,000 | Up to €250,000 |
Personal liability: French NIS2 law does not directly replicate Article 20's personal liability clause as aggressively as Germany's BSIG, but ANSSI can request evidence of management approval for security governance documentation.
Part 2: Netherlands NIS2 — Cyberbeveiligingswet, NCSC-NL, and RDI
2.1 Legislative Timeline
The Netherlands transposed NIS2 into the Wet beveiliging netwerk- en informatiesystemen 2 (commonly called the Cyberbeveiligingswet or Cbw), enacted in late 2024:
- 17 October 2024: EU NIS2 transposition deadline
- October 2024: Cyberbeveiligingswet enters into force
- Late 2024 / Q1 2025: Implementing decrees (Algemene Maatregelen van Bestuur — AMvB) published
- 2025: Registration portal opens via RDI / NCSC-NL
- 2026: First enforcement cycles and supervisory audits
The Cyberbeveiligingswet replaces the original Wet beveiliging netwerk- en informatiesystemen (Wbni) from 2018 (NIS1). Dutch regulatory style favors principled frameworks with implementing decrees rather than prescriptive statute text — similar to how France structures its NIS2 implementation.
2.2 The Dutch NIS2 Authority Architecture
The Netherlands splits NIS2 supervision across four main bodies:
| Authority | Dutch Name | NIS2 Role | Sectors |
|---|---|---|---|
| NCSC-NL | Nationaal Cyber Security Centrum | National CSIRT + coordination | All sectors (CSIRT) |
| RDI | Rijksinspectie Digitale Infrastructuur | Supervisory authority | Digital infrastructure, managed services, cloud, DNS, IXPs |
| DNB | De Nederlandsche Bank | Supervisory authority | Banking, payment institutions |
| DTC | Digital Trust Center | Contact point | Important entities without sectoral supervisor |
For SaaS companies: RDI is the primary supervisory authority. RDI (formerly Agentschap Telecom) oversees telecommunications and digital infrastructure regulation and took on NIS2 digital services supervision. If your SaaS serves Dutch financial institutions, DNB may be your NCA.
NCSC-NL remains the CSIRT for all incident reports — regardless of which sectoral authority supervises your entity.
2.3 Scope — Dutch Cbw
The Netherlands applies NIS2's size criteria (Article 3) directly without significant national adjustment:
Essential Entities (Essentiële entiteiten — EE):
- ≥250 employees OR ≥€50M turnover AND ≥€43M balance sheet
- Annex I sectors (energy, transport, banking, health, water, digital infrastructure)
Important Entities (Belangrijke entiteiten — BE):
- ≥50 employees OR ≥€10M turnover AND ≥€10M balance sheet
- Annex I + II sectors
Digital services SaaS triggers under Dutch Cbw:
- Cloud computing providers (public/private/hybrid) with Dutch customer base
- Managed service providers with Dutch essential entity customers
- Online marketplace operators serving NL ≥€10M
- DNS resolver operators serving .nl or Dutch enterprise networks
- SaaS/platform providers meeting size thresholds even if HQ is outside NL (Brussels Effect applies)
Dutch-specific scope extension: The Netherlands chose to apply NIS2 to all entities in scope (not just those meeting size thresholds) for specific high-criticality sectors like drinking water, healthcare, and national rail. This affects SaaS vendors to those sectors regardless of company size.
2.4 Registration — RDI Portal
Dutch NIS2 registration runs through RDI (Rijksinspectie Digitale Infrastructuur):
- Portal: rdi.nl/cyberbeveiligingswet (NIS2 self-assessment and registration)
- Alternative: ncsc.nl (for CSIRT contact and incident reporting)
- DTC (Digital Trust Center): digitaltrustcenter.nl for important entities without a specific sectoral supervisor
Required registration data:
- KvK (Kamer van Koophandel) number — Dutch Chamber of Commerce registration
- Legal entity name and headquarters address
- Sector(s) of operation (Annex I / Annex II per Cbw)
- Entity classification: EE or BE
- Primary security contact (name + email + phone)
- List of in-scope information systems
- Cross-border operation countries
Registration deadline: RDI has established that entities must register within 3 months of identifying themselves as in-scope — or by the deadline announced in the Staatsblad (Dutch Official Gazette) accompanying AMvB publication. For entities in scope since Cbw enactment (October 2024), the practical deadline falls in 2025.
2.5 Incident Reporting — NCSC-NL
All incident reports in the Netherlands route to NCSC-NL as CSIRT regardless of sector:
| Report Type | Timeline | Channel | Content |
|---|---|---|---|
| Early Warning | 24 hours | meldportaal.ncsc.nl | Brief incident description, initial impact estimate |
| Incident Notification | 72 hours | meldportaal.ncsc.nl | Technical details, affected systems, number of affected users |
| Intermediate Update | As significant changes occur | meldportaal.ncsc.nl | Progress update if investigation ongoing |
| Final Report | 1 month | meldportaal.ncsc.nl | Root cause analysis, remediation actions, cross-border impact |
Dutch additional requirement: For incidents affecting NL essential entities, NCSC-NL may notify NCTV (Nationaal Coördinator Terrorismebestrijding en Veiligheid) if national security implications are identified. SaaS vendors serving critical Dutch infrastructure should be aware that NCSC-NL may escalate without prior notification to the affected entity.
CSIRT-DSP: For digital service providers specifically, NCSC-NL has a dedicated CSIRT-DSP (CSIRT for Digital Service Providers) team. First contact for cloud/SaaS incident reports should specify "digital service provider" in the report classification.
2.6 Security Requirements — Dutch Cbw Baseline
The Cyberbeveiligingswet AMvB specifies minimum measures following NIS2 Article 21:
- Risk management: NCSC-NL recommends the NCSC Handreiking Risicomanagement framework; ISO 27001:2022 certification accepted as partial compliance evidence.
- Incident handling: IR playbooks covering detection, containment, eradication, recovery, post-incident review.
- Business continuity: BCP and DRP tested annually for EE. RDI can request test results.
- Supply chain security: Vendor risk assessments required for "kritische leveranciers" (critical suppliers). No prescribed questionnaire format — NCSC-NL publishes guidance.
- Access control: MFA mandatory for all administrative access and VPN/remote access. NCSC-NL Handreiking Toegangsbeheer applies.
- Encryption: Dutch Cbw requires state-of-the-art encryption — NCSC-NL publishes the ICT-beveiligingsrichtlijnen voor TLS (TLS security guidelines), currently requiring TLS 1.2+ and recommending TLS 1.3.
- Vulnerability management: NCSC-NL's Coordinated Vulnerability Disclosure (CVD) policy must be implemented and published. This is a Dutch-specific requirement beyond NIS2 baseline.
- Training: Annual cyber hygiene training for all staff; role-specific training for security staff.
- Asset management: Inventory of all in-scope information systems, updated at least quarterly.
Dutch-specific note: NCSC-NL's Baseline Informatiebeveiliging Overheid (BIO) applies to government SaaS procurement. If you sell SaaS to Dutch public sector, BIO 2.0 compliance (published 2023) is a de facto requirement — separately from Cbw/NIS2.
2.7 Penalties — Netherlands
Dutch Cbw penalties align with NIS2 maximums:
| Violation Type | Essential Entities (EE) | Important Entities (BE) |
|---|---|---|
| Registration failure | Up to €100,000 | Up to €50,000 |
| Security measure failure (Art. 21) | Up to €10,000,000 or 2% global turnover | Up to €7,000,000 or 1.4% global turnover |
| Incident reporting failure | Up to €1,500,000 | Up to €750,000 |
| Non-cooperation with RDI/NCSC | Up to €500,000 | Up to €250,000 |
Personal liability under Dutch Cbw: RDI can hold management personally liable for systematic non-compliance. Directors can be banned from executive roles for up to 3 years in cases of willful negligence — a stronger personal liability provision than France's current implementation.
Part 3: France vs Netherlands — Side-by-Side Comparison
3.1 Key Structural Differences
| Dimension | France | Netherlands |
|---|---|---|
| NIS2 national law | Ordonnance n° 2024-821 (2024) | Cyberbeveiligingswet / Cbw (2024) |
| Primary national authority | ANSSI | NCSC-NL (CSIRT) + RDI (supervisor) |
| SaaS default supervisor | ANSSI | RDI |
| Registration portal | si-reg.anssi.fr | rdi.nl/cyberbeveiligingswet |
| CSIRT | CERT-FR | NCSC-NL / CSIRT-DSP |
| Early warning deadline | 24 hours | 24 hours |
| Full notification deadline | 72 hours | 72 hours |
| Final report deadline | 1 month | 1 month |
| SME size threshold | Same as NIS2 (≥50 employees) | Same as NIS2 (≥50 employees) |
| EE penalty max | €10M / 2% turnover | €10M / 2% turnover |
| EI penalty max | €7M / 1.4% turnover | €7M / 1.4% turnover |
| Personal liability | Limited (management sign-off) | Director ban up to 3 years |
| National-specific scheme | SecNumCloud (govt SaaS) | BIO 2.0 (govt SaaS) + CVD mandatory |
| Enforcement phase | 2026 (ramp-up) | 2026 (RDI audits) |
3.2 Incident Reporting: Parallel Obligations for FR+NL SaaS
If your SaaS has customers in both France and the Netherlands and you experience a cross-border incident, you must file:
- ANSSI/CERT-FR (France) — 24h early warning + 72h notification
- NCSC-NL/CSIRT-DSP (Netherlands) — 24h early warning + 72h notification
The EU NIS2 "one-stop-shop" mechanism does not remove the need to file both reports: it provides a coordination mechanism between national CSIRTs after you've filed initial reports. For practical purposes, plan for two separate incident notifications within 72 hours.
ENISA's EU CSIRT network facilitates information sharing between CERT-FR and NCSC-NL, but you cannot rely on one filing propagating to the other automatically.
3.3 Registration Strategy for FR+NL SaaS
If you operate SaaS in both countries:
Step 1: Determine entity type in each country
→ France: EE or EI based on size + sector (ANSSI assessment)
→ NL: EE or BE based on size + sector (RDI assessment)
Step 2: Register in both countries
→ France: si-reg.anssi.fr (SIREN/SIRET required)
→ Netherlands: rdi.nl/cyberbeveiligingswet (KvK required)
Step 3: Designate country-specific contacts
→ France contact: French-speaking preferred (ANSSI correspondence is in French)
→ Netherlands contact: Dutch/English both accepted (RDI operates bilingually)
Step 4: Align security baselines
→ FR: EBIOS Risk Manager + ANSSI RGS (if serving public sector)
→ NL: ISO 27001:2022 + NCSC TLS guidelines + CVD policy published
→ Common: NIS2 Art. 21 measures (MFA, encryption, IR plan, supply chain)
Part 4: Western Europe NIS2 Compliance Stack for SaaS
4.1 Unified Incident Response Procedure (FR + NL)
Day 0 — Incident detected
├── 0-24h: File Early Warning to CERT-FR (cert-fr.eu.europa.eu)
├── 0-24h: File Early Warning to NCSC-NL (meldportaal.ncsc.nl)
├── 0-72h: File full Incident Notification to ANSSI portal (FR)
├── 0-72h: File full Incident Notification to NCSC-NL (NL)
│
├── Parallel: Notify affected customers (GDPR Art. 33 if personal data involved)
│ → CNIL (FR) if personal data breach ≥72h
│ → AP (Autoriteit Persoonsgegevens, NL) if personal data breach ≥72h
│
└── Month 1: Final root cause report to both ANSSI + NCSC-NL
Note: A NIS2 incident involving personal data triggers parallel GDPR notification obligations. CNIL (France) and AP (Netherlands) are your DPA contacts. NIS2 + GDPR dual-reporting is mandatory and the timelines overlap.
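The timeline above as a deadline tracker for an IR runbook (an added example, not part of the original guide or any regulator's tooling). It assumes every clock starts at detection, as in the diagram, and that "1 month" means one calendar month from detection; the function and constant names are illustrative.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# (authority, report, channel, window) as listed in sections 1.6, 2.5 and 4.1.
# A window of None marks the "1 month" final report (calendar month, not 30 days).
NIS2_FILINGS = [
    ("CERT-FR", "Early Warning", "cert-fr.eu.europa.eu", timedelta(hours=24)),
    ("NCSC-NL", "Early Warning", "meldportaal.ncsc.nl", timedelta(hours=24)),
    ("ANSSI", "Incident Notification", "ANSSI portal", timedelta(hours=72)),
    ("NCSC-NL", "Incident Notification", "meldportaal.ncsc.nl", timedelta(hours=72)),
    ("ANSSI", "Final Report", "ANSSI portal", None),
    ("NCSC-NL", "Final Report", "meldportaal.ncsc.nl", None),
]
# Checklist item IR-3: escalate internally by hour 20 to keep a 4h filing buffer.
INTERNAL_ESCALATION = timedelta(hours=20)


@dataclass(frozen=True)
class Deadline:
    authority: str
    report: str
    channel: str
    due: datetime  # always stored in UTC


def add_one_month(ts: datetime) -> datetime:
    """Same day next month, clamped to that month's last day (31 Jan -> 28/29 Feb)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def build_schedule(detected_at: datetime) -> list[Deadline]:
    """Derive every FR and NL filing deadline from the single detection timestamp."""
    if detected_at.tzinfo is None:
        # A naive local time is ambiguous across the FR/NL team and UTC-based tooling.
        raise ValueError("detected_at must be timezone-aware")
    t0 = detected_at.astimezone(timezone.utc)
    schedule = [Deadline("internal", "Escalation (IR-3)", "IR runbook",
                         t0 + INTERNAL_ESCALATION)]
    for authority, report, channel, window in NIS2_FILINGS:
        due = t0 + window if isinstance(window, timedelta) else add_one_month(t0)
        schedule.append(Deadline(authority, report, channel, due))
    return sorted(schedule, key=lambda d: d.due)


def outstanding(schedule, filed, now):
    """Return (deadline, state) for each unfiled item; state is 'overdue' or 'open'.

    `filed` is a set of (authority, report) pairs. Filings are tracked per authority
    because a report to one CSIRT does not count as a report to the other.
    """
    now = now.astimezone(timezone.utc)
    return [(d, "overdue" if now > d.due else "open")
            for d in schedule if (d.authority, d.report) not in filed]


if __name__ == "__main__":
    # Constructed incident: detected 31 Jan 2026 at 22:30 CET (UTC+1).
    detected = datetime(2026, 1, 31, 22, 30, tzinfo=timezone(timedelta(hours=1)))
    plan = build_schedule(detected)
    # Constructed state: escalation done, early warning sent to CERT-FR only.
    filed = {("internal", "Escalation (IR-3)"), ("CERT-FR", "Early Warning")}
    now = datetime(2026, 2, 1, 22, 0, tzinfo=timezone.utc)
    for d, state in outstanding(plan, filed, now):
        print(f"{state:8} {d.due:%Y-%m-%d %H:%M}Z  {d.authority:8} {d.report} via {d.channel}")
```

In the constructed run, the NCSC-NL early warning is reported as overdue even though CERT-FR has been filed, and the final report falls on 28 February rather than a non-existent 31 February.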
4.2 Security Baseline Matrix (FR + NL Combined)
| Control | FR (ANSSI) | NL (NCSC-NL / RDI) | Unified Action |
|---|---|---|---|
| Risk assessment | EBIOS Risk Manager (recommended) | ISO 27001:2022 / NCSC Handreiking | Document both methodologies or use ISO 27001 (accepted both countries) |
| MFA | Mandatory (remote + admin) | Mandatory (admin + VPN) | Enforce MFA universally — no exceptions |
| TLS standard | TLS 1.2+ (ANSSI RGS) | TLS 1.2+ / 1.3 preferred (NCSC ICT-beveiligingsrichtlijnen) | Deploy TLS 1.3, disable TLS 1.1 and earlier |
| Vulnerability management | Patches <15d (EE), <30d (EI) | Not prescriptively timed; NCSC CVD policy required | Patch critical CVEs ≤14 days; publish CVD policy |
| Supply chain | Third-party security assessments | Critical supplier assessments | Vendor risk program covering all critical SaaS dependencies |
| Training | Annual (documented) | Annual (documented) | Combined training module with FR+NL regulatory references |
| Penetration testing | ANSSI-endorsed pentester recommended | RDI can request test results | Annual pentest by qualified firm; retain report 3 years |
| CVD policy | Not explicitly required | Mandatory (Dutch-specific) | Publish CVD policy on your security page regardless — best practice anyway |
4.3 Sovereign Cloud Considerations
For SaaS serving French or Dutch public sector clients:
France — SecNumCloud: SecNumCloud (ANSSI qualification scheme) is not yet mandatory under NIS2 for private sector SaaS. However, for government contracts, the French DINUM (Direction Interministérielle du Numérique) increasingly requires SecNumCloud-qualified providers. If you serve French public entities, evaluate:
- Scaleway (SecNumCloud qualified — Paris DC)
- OVHcloud (SecNumCloud qualified — Roubaix/Strasbourg)
- Outscale / 3DS Outscale (SecNumCloud qualified)
- sota.io on EU Hetzner Germany — GDPR-100%, no US parent, evaluating SecNumCloud path
Netherlands — NEN 7510 + BIO 2.0: Dutch public sector SaaS must meet BIO 2.0 (Baseline Informatiebeveiliging Overheid), published by NCSC-NL. BIO 2.0 is based on ISO 27001:2022 and adds Dutch government-specific controls. Healthcare SaaS must additionally comply with NEN 7510 (Dutch health information security standard).
Part 5: 30-Point Western Europe NIS2 Checklist for SaaS
Category A — Registration (Both Countries)
- FR-1: SIREN/SIRET number obtained (French tax/company registration)
- FR-2: Entity classified as EE or EI under French Ordonnance 2024-821
- FR-3: Registered at si-reg.anssi.fr with primary NIS2 contact designated
- FR-4: Sectoral authority identified (ANSSI default vs ARCEP/ACPR/ANS if sector-specific)
- NL-1: KvK (Chamber of Commerce) number confirmed
- NL-2: Entity classified as EE or BE under Dutch Cyberbeveiligingswet
- NL-3: Registered at rdi.nl/cyberbeveiligingswet with primary contact designated
- NL-4: DTC (Digital Trust Center) notified if important entity without sectoral supervisor
Category B — Incident Response (Both Countries)
- IR-1: CERT-FR contact added to IR runbook (cert-fr.eu.europa.eu)
- IR-2: NCSC-NL / meldportaal.ncsc.nl access credentials established
- IR-3: Internal SLA: 20-hour internal escalation (leaves 4h buffer for 24h early warning)
- IR-4: IR playbook tested with FR+NL dual-reporting scenario
- IR-5: CNIL (FR) and AP (NL) GDPR breach notification procedure linked to NIS2 IR plan
- IR-6: Customer notification templates prepared in French and Dutch
Category C — Security Controls
- SC-1: MFA enforced for all remote access and privileged accounts
- SC-2: TLS 1.3 deployed; TLS 1.1 and earlier disabled
- SC-3: Annual risk assessment documented (EBIOS RM or ISO 27001 methodology)
- SC-4: Supply chain security questionnaire sent to all critical vendors
- SC-5: CVD (Coordinated Vulnerability Disclosure) policy published on security page
- SC-6: Penetration test completed by qualified firm; report retained
- SC-7: Business continuity plan covering top-5 services, tested annually
- SC-8: Critical security patches deployed within 14 days of CVE publication
- SC-9: Annual security awareness training with attendance records
Category D — Governance and Documentation
- GV-1: Management sign-off on NIS2 security policy (both FR and NL implementations)
- GV-2: NIS2 compliance lead designated (can be same person for both countries)
- GV-3: Security policy documentation available in French and English (ANSSI may request French)
- GV-4: Evidence retention plan: keep compliance documentation ≥3 years
- GV-5: Annual NIS2 compliance review scheduled (Q1 recommended — before enforcement cycle)
- GV-6: Board-level NIS2 briefing documented (Article 20 management accountability)
What's Next: Southern Europe (Post #4)
Post #4 in this series covers Spain (INCIBE-CERT / CCN-CERT), Italy (ACN / CSIRT Italia), and Portugal (CNCS) — three Member States with distinct NIS2 implementation timelines and enforcement approaches that matter if you serve the Iberian or Italian enterprise market.
Post #5 closes the series with a 21-country NIS2 compliance stack finale — a decision framework for SaaS companies determining which national implementations are material to their operations and how to build a unified compliance program that satisfies all of them.
Hosting Your NIS2-Compliant Stack
Both ANSSI (France) and NCSC-NL (Netherlands) give credit for European-hosted infrastructure in compliance assessments. Running your SaaS on US-parented cloud providers (AWS, Azure, GCP) exposes your French and Dutch customers to CLOUD Act risk — a concern that ANSSI has explicitly flagged in its cloud guidance.
sota.io provides EU-native managed PaaS — deployed on Hetzner in Germany, no US parent company, no CLOUD Act exposure. If you're building the infrastructure for your NIS2-compliant SaaS deployment, that matters.
Sources: Ordonnance n° 2024-821 du 8 juillet 2024 (France); ANSSI NIS2 guidance (anssi.gouv.fr); Wet beveiliging netwerk- en informatiesystemen 2 / Cyberbeveiligingswet (Netherlands); NCSC-NL NIS2 implementation guidance (ncsc.nl); RDI digital infrastructure regulation (rdi.nl); EU NIS2 Directive 2022/2555/EU.