Field notes · Case F-10 · Compliance

NIS2 and CER: the fence is now a regulated asset

Europe quietly moved data centers into the regulated world. Two directives make physical resilience a legal duty and put management names on the outcome.

For twenty years, data-center physical security was a private matter between operators, customers and insurers. In the European Union that era is over. NIS2 places data centers and cloud providers in scope as essential entities; its sibling, the Critical Entities Resilience directive, does the same for physical resilience. Together they convert what used to be good practice into supervised obligation.

NIS2 made the CISO’s problem the board’s problem. CER made the fence a regulated asset.

What actually changed

Three mechanisms have teeth. First, management accountability: NIS2 requires management bodies to approve and oversee risk measures, with personal liability and even temporary bans on the table for serious failures. Delegating security to a vendor no longer delegates the consequence. Second, incident reporting on a clock: an early warning within twenty-four hours of a significant incident, a fuller notification within seventy-two. If your operations center cannot classify an incident and brief legal inside a day, the gap is procedural, not technical. Third, supervision: national authorities can audit, instruct and fine up to two percent of global turnover for essential entities.

The physical dimension is the surprise

CER, and NIS2’s own definition of security measures, explicitly covers physical and environmental protection: access control, perimeter, resilience of supporting utilities. Evidence expectations follow. Patrol logs, badge reconciliations, drill records and assessment reports move from internal hygiene to material a supervisor may ask for. Most compliance teams have mapped their ISO 27001 and SOC 2 controls; far fewer have asked whether the guard force’s documentation would survive regulatory review.

Making it one program

We have rehearsed the twenty-four-hour clock with teams like yours. It gets easier the second time.