How Azure network security can help you meet NIS2 compliance

Microsoft

Sep 26, 2025

With the adoption of the NIS2 Directive EU 2022 2555, cybersecurity obligations for both public and private sector organizations have become more strict and far reaching. NIS2 aims to establish a higher common level of cybersecurity across the European Union by enforcing stronger requirements on risk management, incident reporting, supply chain protection, and governance.

If your organization runs on Microsoft Azure, you already have powerful services to support your NIS2 journey. In particular Azure network security products such as Azure Firewall, Azure Web Application Firewall WAF, and Azure DDoS Protection provide foundational controls. The key is to configure and operate them in a way that aligns with the directive’s expectations.

Important note This article is a technical guide based on the NIS2 Directive EU 2022 2555 and Microsoft product documentation. It is not legal advice. For formal interpretations, consult your legal or regulatory experts.

What is NIS2?

NIS2 replaces the original NIS Directive 2016 and entered into force on 16 January 2023. Member states must transpose it into national law by 17 October 2024. Its goals are to:

Expand the scope of covered entities essential and important entities
Harmonize cybersecurity standards across member states
Introduce stricter supervisory and enforcement measures
Strengthen supply chain security and reporting obligations

Key provisions include:

Article 20 management responsibility and governance
Article 21 cybersecurity risk management measures
Article 23 incident notification obligations

These articles require organizations to implement technical, operational, and organizational measures to manage risks, respond to incidents, and ensure leadership accountability.

Where Azure network security fits

The table below maps common NIS2 focus areas to Azure network security capabilities and how they support compliance outcomes.

NIS2 focus area	Azure services and capabilities	How this supports compliance
Incident handling and detection	Azure Firewall Premium IDPS and TLS inspection, Threat Intelligence mode, Azure WAF managed rule sets and custom rules, Azure DDoS Protection, Azure Bastion diagnostic logs	Detect, block, and log threats across layers three to seven. Provide telemetry for triage and enable response workflows that are auditable.
Business continuity and resilience	Azure Firewall availability zones and autoscale, Azure Front Door or Application Gateway WAF with zone redundant deployments, Azure Monitor with Log Analytics, Traffic Manager or Front Door for failover	Improve service availability and provide data for resilience reviews and disaster recovery scenarios.
Access control and segmentation	Azure Firewall policy with DNAT, network, and application rules, NSGs and ASGs, Azure Bastion for browser based RDP SSH without public IPs, Private Link	Enforce segmentation and isolation of critical assets. Support Zero Trust and least privilege for inbound and egress.
Vulnerability and misconfiguration defense	Azure WAF Microsoft managed rule set based on OWASP CRS. Azure Firewall Premium IDPS signatures	Reduce exposure to common web exploits and misconfigurations for public facing apps and APIs.
Encryption and secure communications	TLS policy: Application Gateway SSL policy; Front Door TLS policy; App Service/PaaS minimum TLS. Inspection: Azure Firewall Premium TLS inspection	Inspect and enforce encrypted communication policies and block traffic that violates TLS requirements. Inspect decrypted traffic for threats.
Incident reporting and evidence	Azure Network Security diagnostics, Log Analytics, Microsoft Sentinel incidents, workbooks, and playbooks	Capture and retain telemetry. Correlate events, create incident timelines, and export reports to meet regulator timelines.

NIS2 articles in practice

Article 21 cybersecurity risk management measures

Azure network controls contribute to several required measures:

Prevention and detection. Azure Firewall blocks unauthorized access and inspects traffic with IDPS. Azure DDoS Protection mitigates volumetric and protocol attacks. Azure WAF prevents common web exploits based on OWASP guidance.
Logging and monitoring. Azure Firewall, WAF, DDoS, and Bastion resources produce detailed resource logs and metrics in Azure Monitor. Ingest these into Microsoft Sentinel for correlation, analytics rules, and automation.
Control of encrypted communications. Azure Firewall Premium provides TLS inspection to reveal malicious payloads inside encrypted sessions.
Supply chain and service provider management. Use Azure Policy and Defender for Cloud to continuously assess configuration and require approved network security baselines across subscriptions and landing zones.

Article 23 incident notification

Build an evidence friendly workflow with Sentinel:

Early warning within twenty four hours. Use Sentinel analytics rules on Firewall, WAF, DDoS, and Bastion logs to generate incidents and trigger playbooks that assemble an initial advisory.
Incident notification within seventy two hours. Enrich the incident with additional context such as mitigation actions from DDoS, Firewall and WAF.
Final report within one month. Produce a summary that includes root cause, impact, and corrective actions. Use Workbooks to export charts and tables that back up your narrative.

Article 20 governance and accountability

Management accountability. Track policy compliance with Azure Policy initiatives for Firewall, DDoS and WAF. Use exemptions rarely and record justification.
Centralized visibility. Defender for Cloud’s network security posture views and recommendations give executives and owners a quick view of exposure and misconfigurations.
Change control and drift prevention. Manage Firewall, WAF, and DDoS through Network Security Hub and Infrastructure as Code with Bicep or Terraform. Require pull requests and approvals to enforce four eyes on changes.

Network security baseline

Use this blueprint as a starting point. Adapt to your landing zone architecture and regulator guidance.

Topology and control plane
1. Hub and spoke architecture with a centralized Azure Firewall Premium in the hub. Enable availability zones.
2. Deploy Azure Bastion Premium in the hub or a dedicated management VNet; peer to spokes. Remove public IPs from management NICs and disable public RDP SSH on VMs.
3. Use Network Security Hub for at-scale management.
4. Require Infrastructure as Code for all network security resources.
Web application protection
1. Protect public apps with Azure Front Door Premium WAF where edge inspection is required. Use Application Gateway WAF v2 for regional scenarios.
2. Enable the Microsoft managed rule set and the latest version. Add custom rules for geo based allow or deny and bot management. enable rate limiting when appropriate.
DDoS strategy
1. Enable DDoS Network Protection on virtual networks that contain internet facing resources. Use IP Protection for single public IP scenarios.
2. Configure DDoS diagnostics and alerts. Stream to Sentinel. Define runbooks for escalation and service team engagement.
Firewall policy
1. Enable IDPS in alert and then in alert and deny for high confidence signatures. Enable TLS inspection for outbound and inbound where supported.
2. Enforce FQDN and URL filtering for egress. Require explicit allow lists for critical segments.
3. Deny inbound RDP SSH from the internet. Allow management traffic only from Bastion subnets or approved management jump segments.
Logging, retention, and access
1. Turn on diagnostic settings for Firewall, WAF, DDoS, and Application Gateway or Front Door. Send to Log Analytics and an archive storage account for long term retention.
2. Set retention per national law and internal policy. Azure Monitor Log Analytics supports table-level retention and archive for up to 12 years, many teams keep a shorter interactive window and multi-year archive for audits.
3. Restrict access with Azure RBAC and Customer Managed Keys where applicable.
Automation and playbooks
1. Build Sentinel playbooks for regulator notifications, ticket creation, and evidence collection. Maintain dry run versions for exercises.
2. Add analytics for Bastion session starts to sensitive VMs, excessive failed connection attempts, and out of hours access.

Conclusion

Azure network security services provide the technical controls most organizations need in order to align with NIS2. When combined with policy enforcement, centralized logging, and automated detection and response, they create a defensible and auditable posture.

Focus on layered protection, secure connectivity, and real time response so that you can reduce exposure to evolving threats, accelerate incident response, and meet NIS2 obligations with confidence.