The NIS2 Directive is the EU's most significant cybersecurity legislation to date. It mandates specific technical security measures for thousands of organisations across Europe — and airgap solutions are one of the most direct ways to implement them.
NIS2 (Directive (EU) 2022/2555) replaces the original NIS Directive from 2016. It significantly expands the scope of mandatory cybersecurity obligations across the EU, covering more sectors and more organisations and imposing stricter requirements and higher penalties. Member states were required to transpose NIS2 into national law by October 2024.
The original NIS Directive covered only operators of essential services and digital service providers. NIS2 doubles down: it creates two categories — essential entities and important entities — and applies mandatory cybersecurity requirements to both. The distinction affects supervisory intensity and fines, not the technical requirements themselves.
Crucially, NIS2 shifts liability explicitly to senior management. Board members and executives can now be held personally responsible for cybersecurity failures, including failure to implement adequate technical measures.
Size thresholds apply: generally medium-sized (50+ employees, €10M+ turnover) and large organisations. Some sectors have no size threshold.
Article 21 is the technical heart of NIS2. It requires organisations to implement "appropriate and proportionate technical, operational and organisational measures" based on a risk assessment. The article lists ten minimum measures. Several of these directly map to what an airgap solution provides.
The ten minimum measures of Article 21(2) are:

- (a) Risk analysis and information system security policies: organisations must have documented policies covering how risks are identified and managed across their network and information systems.
- (b) Incident handling: prevention, detection and response to incidents. Organisations must be able to detect, report and recover from security incidents. A data diode enables safe one-way forwarding of logs and monitoring data from isolated OT or secure networks to a SIEM without creating a return attack path into those environments.
- (c) Business continuity: backup management, disaster recovery and crisis management must be in place. Backups must be protected from the threats that affect the primary systems.
- (d) Supply chain security: organisations must address security risks in supply chains, including the security posture of suppliers and service providers with access to their systems.
- (e) Security in acquisition, development and maintenance: security must be built into the acquisition and maintenance of systems, including vulnerability handling and disclosure.
- (f) Assessing the effectiveness of measures: organisations must measure and assess whether their security measures are actually working. A hardware data diode provides a provable, binary security property: either data flows one way or it doesn't. Its effectiveness is significantly easier to demonstrate than that of software-based controls.
- (g) Cyber hygiene and training: NIS2 explicitly requires organisations to address the human element through training, awareness and baseline hygiene practices.
- (h) Cryptography: where appropriate, policies on the use of cryptography and encryption must be in place.
- (i) Human resources security, access control and asset management: access control policies, personnel security and asset management must be in place.
- (j) Authentication and secured communications: MFA and encrypted communications must be used where appropriate, including for administrative access to systems.
The table below maps specific airgap deployment patterns to the NIS2 Article 21 requirements they address.
| Deployment | NIS2 requirement | How it addresses it |
|---|---|---|
| OT / IT network separation with data diode | Art. 21(2)(a) Risk & policy; Art. 21(2)(d) Supply chain | Physically prevents lateral movement from IT into OT. Attack surface reduction is demonstrable and hardware-enforced, not reliant on firewall rule correctness. ✓ Direct control |
| One-way log forwarding from OT to SIEM | Art. 21(2)(b) Incident handling | Enables continuous monitoring and incident detection from isolated networks without creating a return attack path. Security teams gain visibility without compromising the protected zone. ✓ Direct control |
| Airgapped backup vault (Veeam + data diode) | Art. 21(2)(c) Business continuity & backup | Backups are replicated to an isolated vault that ransomware physically cannot reach. Restore points are preserved even if the production environment is fully compromised. ✓ Direct control |
| Supplier / remote access isolation | Art. 21(2)(d) Supply chain security | Supplier data feeds (sensor data, telemetry, patches) can be received one-way without giving suppliers any access back into the internal network. Eliminates the supply chain as a lateral movement vector. ✓ Direct control |
| Camera / physical security network isolation | Art. 21(2)(a) Risk policy; Art. 21(2)(i) Access control | Isolates IoT-heavy camera networks from corporate and operational systems. A compromised camera cannot pivot to the NVR server or to broader IT infrastructure. ✓ Direct control |
| CDR (OPSWAT MetaDefender) on data import | Art. 21(2)(e) Secure acquisition; Art. 21(2)(d) Supply chain | All files crossing the boundary are sanitised via Deep CDR before delivery; every file is treated as potentially malicious regardless of source. Removes malware, macro exploits and embedded threats at the transfer point. ✓ Direct control |
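The one-way log forwarding pattern above has a consequence that auditors will ask about: because no packet can travel from the SIEM back into the OT zone, the sender can never receive an acknowledgement or a retransmission request, so loss, replay and tampering have to be detected entirely on the receiving side. The following added example (not code from this page, from any data diode vendor or from any SIEM product) shows the minimal framing that makes this possible: the sender stamps each log line with a monotonically increasing sequence number and an HMAC, and the receiver records gaps, drops replays and rejects frames whose tag does not verify. The shared key, the log lines and the simulated channel are all constructed for the demonstration; in production the frames would be carried by a connectionless transport such as UDP syslog towards the diode, since TCP cannot complete a handshake across a one-way link.

```python
import hashlib
import hmac
import json

# Added example, not the page's or any vendor's code. Models a log forwarder
# for a strictly one-way channel: the OT-side sender can only emit frames, so
# the SIEM-side receiver must detect loss, replay and tampering by itself.

# Constructed shared key; in practice provisioned out of band to both sides.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


class OneWaySender:
    """Runs inside the protected (OT) zone; only ever emits frames."""

    def __init__(self, key: bytes):
        self._key = key
        self._seq = 0

    def frame(self, line: str) -> bytes:
        # Sequence number lets the receiver notice missing frames; the HMAC
        # binds the number to the message so neither can be altered in flight.
        self._seq += 1
        payload = json.dumps({"seq": self._seq, "msg": line},
                             separators=(",", ":")).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        return payload + b"|" + tag.encode()


class OneWayReceiver:
    """Runs on the SIEM side; accepts frames and records what went wrong."""

    def __init__(self, key: bytes):
        self._key = key
        self._expected = 1      # next sequence number we expect to see
        self.gaps = []          # [(first_missing, last_missing), ...]
        self.rejected = 0       # bad HMAC, malformed, or replayed frames
        self.accepted = []      # decoded records in arrival order

    def ingest(self, frame: bytes):
        payload, sep, tag = frame.rpartition(b"|")
        if not sep:
            self.rejected += 1              # malformed frame
            return None
        expected_tag = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, tag.decode(errors="replace")):
            self.rejected += 1              # tampered or foreign frame
            return None
        record = json.loads(payload)
        seq = record["seq"]
        if seq < self._expected:
            self.rejected += 1              # replay or duplicate
            return None
        if seq > self._expected:
            # Loss detected: nothing can be re-requested across the diode, so
            # the gap is recorded for the SOC rather than silently ignored.
            self.gaps.append((self._expected, seq - 1))
        self._expected = seq + 1
        self.accepted.append(record)
        return record


def run_demo() -> OneWayReceiver:
    """Push constructed OT log lines through a lossy, partly hostile channel."""
    sender = OneWaySender(SHARED_KEY)
    lines = [                                   # constructed sample log lines
        "plc01 mode=RUN",
        "plc01 setpoint=42.0 user=operator",
        "hmi02 login ok user=operator",
        "plc01 firmware_write blocked",
        "hmi02 logout user=operator",
    ]
    frames = [sender.frame(line) for line in lines]

    # Simulated wire: frame 3 is lost, frame 2 arrives twice, frame 5 has a
    # corrupted tag (last hex digit flipped).
    last = frames[4][-1:]
    corrupted = frames[4][:-1] + (b"0" if last != b"0" else b"1")
    channel = [frames[0], frames[1], frames[3], frames[1], corrupted]

    receiver = OneWayReceiver(SHARED_KEY)
    for frame in channel:
        receiver.ingest(frame)
    return receiver


if __name__ == "__main__":
    r = run_demo()
    print("accepted seq:", [rec["seq"] for rec in r.accepted])
    print("gaps:", r.gaps, "rejected:", r.rejected)
```

Running the demo accepts sequence numbers 1, 2 and 4, reports one gap covering sequence 3, and rejects two frames (the replayed frame 2 and the corrupted frame 5). The gap list is the artefact worth alerting on: on a one-way link it is the only evidence the SIEM will ever have that OT telemetry went missing.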
NIS2 sets minimum fine levels that member states must apply. National implementations may be stricter. Unlike the original NIS Directive, penalties are now explicitly proportionate to the severity of the failure — and management liability is personal.
Essential entities: whichever is higher of €10 million or 2% of total global annual turnover. Applies to the highest-risk sectors: energy, transport, health, water, digital infrastructure, banking.
Important entities: whichever is higher of €7 million or 1.4% of total global annual turnover. Applies to manufacturing, food, chemicals, postal services, digital providers and others.
Additionally, member state supervisory authorities can issue binding instructions, order temporary suspension of services, and publicly name non-compliant organisations. Senior management can be held personally liable and barred from management roles.
NIS2 compliance is not a single product purchase — it is an ongoing programme. But a data diode deployment can address multiple requirements in a single project, with a provable, auditable result.
We help you map your network, identify the right airgap architecture, and produce the documentation that auditors require.