NIS2 Data Vault Compliance Checklist (2026)
The EU's NIS2 directive (Directive 2022/2555) significantly expanded the scope and requirements for cybersecurity across essential and important entities. With member-state transposition ongoing through 2026, organizations in scope face a compliance landscape that explicitly covers backup management, disaster recovery, and business continuity — including how data is vaulted, verified, and recovered.
This checklist covers the NIS2 requirements that apply to data vaulting and cold storage, what evidence you need, and how to align your architecture with the directive's expectations.
Who Is In Scope?
NIS2 dramatically broadened the scope of entities covered. If your organization operates in any of these sectors within the EU, you are likely subject to NIS2:
- Essential entities (Annex I): Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, space.
- Important entities (Annex II): Postal and courier services, waste management, manufacture of chemicals, food, medical devices, computers, electronics, machinery, motor vehicles; digital providers (online marketplaces, search engines, social networking).
- Size threshold: Generally applies to medium-sized enterprises (50+ employees or €10M+ turnover) and above, with some sectors applying regardless of size.
NIS2 Requirements for Data Vaulting and Recovery
Article 21 of NIS2 mandates cybersecurity risk-management measures, which explicitly include:
1. Business Continuity and Disaster Recovery (Art. 21(2)(c))
- Documented business continuity plan that covers backup management and disaster recovery
- Defined recovery time objectives for critical systems and data
- Cold storage architecture documented with isolation level, geographic distribution, and retention policies
- Disaster recovery procedures that are current, tested, and account for actual infrastructure
2. Backup Management
- Regular, automated backups of critical data and system configurations
- Backup storage isolated from production networks (air-gapped, near-air-gapped, or logically immutable)
- Cryptographic integrity verification of backup data (hash chains, signed attestations)
- Retention policies aligned with regulatory and business requirements
- Geographic redundancy for backup storage (protection against site-level incidents)
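As an added illustration of the integrity-verification requirement above (and of the hash-chain and zero-data-drift items in the checklist further down), not code from the original page: a hash-chained backup manifest with a per-entry attestation, verified against what the vault actually holds and against a head hash recorded out of band. The snapshot names, contents and the HMAC key are constructed placeholders; a production vault would sign entries with an HSM-held key rather than an HMAC.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first manifest entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(snapshots, attest_key: bytes):
    """Hash-chain the backup objects: each entry commits to its object's digest and
    to the previous entry's hash, and carries an HMAC attestation (a stand-in for a
    signature made with an HSM-held key). Returns (manifest, head_hash)."""
    manifest, prev = [], GENESIS
    for name, blob in snapshots:
        core = {"name": name, "size": len(blob), "digest": sha256_hex(blob), "prev": prev}
        entry_hash = sha256_hex(json.dumps(core, sort_keys=True).encode())
        core["entry_hash"] = entry_hash
        core["attestation"] = hmac.new(attest_key, entry_hash.encode(), "sha256").hexdigest()
        manifest.append(core)
        prev = entry_hash
    return manifest, prev  # record the head hash out of band (e.g. a WORM audit log)

def verify_vault(manifest, stored, attest_key: bytes, expected_head: str):
    """Recompute the chain and object digests against what the vault actually holds.
    Returns a list of drift findings; an empty list means zero data drift."""
    findings, prev = [], GENESIS
    for e in manifest:
        core = {k: e[k] for k in ("name", "size", "digest", "prev")}
        if e["prev"] != prev or e["entry_hash"] != sha256_hex(json.dumps(core, sort_keys=True).encode()):
            findings.append(f"chain break at {e['name']}")
        tag = hmac.new(attest_key, e["entry_hash"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(tag, e["attestation"]):
            findings.append(f"attestation mismatch at {e['name']}")
        blob = stored.get(e["name"])
        if blob is None:
            findings.append(f"object missing: {e['name']}")
        elif len(blob) != e["size"] or sha256_hex(blob) != e["digest"]:
            findings.append(f"content drift: {e['name']}")
        prev = e["entry_hash"]
    if prev != expected_head:  # a silently truncated manifest still chains correctly
        findings.append("manifest head differs from the out-of-band anchor (truncated manifest?)")
    return findings

# Constructed sample vault: nightly snapshots with placeholder contents
SNAPSHOTS = [("db-2026-01-01.dump", b"customers,orders,v1"),
             ("db-2026-01-02.dump", b"customers,orders,v2"),
             ("config-2026-01-02.tar", b"nginx.conf sshd_config")]
ATTEST_KEY = b"demo-attestation-key"  # constructed; a real vault keeps this key in an HSM
```

Run `verify_vault` on a schedule against the live vault listing and page the on-call team on any non-empty finding list; the findings themselves are the evidence record for the recovery-testing and deficiency-tracking items.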
3. Recovery Testing
- Periodic testing of recovery procedures — not just tabletop exercises, but actual data restoration
- Time to Clean Restore (TTCR) measurements documenting end-to-end recovery time with integrity verification
- Deficiency tracking: issues discovered during testing and their remediation status
- Testing cadence appropriate to risk level (quarterly recommended for critical systems)
4. Cryptography and Encryption (Art. 21(2)(h))
- Policies for use of cryptography and encryption for data at rest (including cold storage and vaults)
- Key management procedures: HSM usage, key rotation schedules, key backup and recovery
- Post-quantum readiness assessment for long-term data protection (recommended though not yet explicitly mandated)
- Encryption key access procedures during crisis recovery
5. Supply Chain Security (Art. 21(2)(d))
- Risk assessment of third-party backup and storage providers
- Contractual security requirements for cloud storage, managed backup services, and storage hardware vendors
- Assessment of provider-side integrity verification and access controls
- Incident notification obligations in contracts with storage/backup providers
6. Incident Reporting (Art. 23)
- Early warning to national CSIRT within 24 hours of becoming aware of a significant incident
- Incident notification within 72 hours with initial assessment including severity and impact
- Final report within one month including root cause, recovery actions taken, and cross-border impact
- Recovery capability is part of the incident assessment — documented TTCR and tested procedures support faster, more accurate reporting
The NIS2 Compliance Checklist for Data Vaulting
Use this checklist to assess your readiness:
- ☐ Business continuity plan documented and current (updated within 12 months)
- ☐ Cold storage architecture documented: isolation level, geographic distribution, retention
- ☐ Backup isolation verified: production network cannot modify or delete backups
- ☐ Cryptographic integrity verification in place (hash chains, Merkle trees, signed attestations)
- ☐ Zero-data-drift monitoring active with alerting
- ☐ Recovery procedures documented, current, and assigned to named personnel
- ☐ Recovery testing performed and documented (with TTCR measurements)
- ☐ Testing deficiencies tracked and remediated
- ☐ Encryption applied to data at rest in cold storage
- ☐ Key management documented: HSM usage, rotation, backup, recovery procedures
- ☐ PQC readiness assessed for long-term data protection
- ☐ Third-party storage/backup providers assessed for security
- ☐ Contracts with providers include security requirements and incident notification
- ☐ Incident reporting procedures documented with 24h/72h/1-month timelines
- ☐ Management body (board/executive) has approved cybersecurity risk-management measures
- ☐ Management body has received cybersecurity training (Art. 20(2))
Enforcement and Penalties
NIS2 introduces significant penalties for non-compliance:
- Essential entities: Administrative fines up to €10 million or 2% of global annual turnover, whichever is higher.
- Important entities: Administrative fines up to €7 million or 1.4% of global annual turnover, whichever is higher.
- Personal liability: NIS2 explicitly provides for management body accountability. Directors and officers can be held personally responsible for failing to approve and oversee cybersecurity risk-management measures.
How to Get Ready
- Determine if you're in scope. Check Annex I and Annex II of the directive against your sector and size. When in doubt, assume you're in scope — the breadth of NIS2 catches many organizations that didn't fall under the original NIS directive.
- Gap assessment. Run through the checklist above and identify missing elements. The most common gaps are: no documented TTCR testing, no integrity verification on cold storage, and no third-party storage provider risk assessment.
- Prioritize recovery testing. If you haven't measured TTCR, that is the highest-priority action. Running a controlled restore drill and documenting the results addresses multiple checklist items at once.
- Assess your cold storage isolation. If backups are reachable from the production network, address this before enforcement actions begin.
- Engage your management body. NIS2 explicitly requires management approval of cybersecurity measures and management cybersecurity training. This is not optional — personal liability provisions make board engagement a legal requirement.
For a structured assessment of your NIS2 readiness focused on data vaulting and recovery, see our cyber-resilience audit service. For organizations with crypto or digital asset holdings, clean transaction and tax reporting supports record-keeping and audit readiness — e.g. CoinLedger for crypto tax and reporting.