NIS2 Directive: What EU Enterprises Must Do About Data Sanitization
NIS2 Directive: What EU Enterprises Must Do About Data Sanitization
The Network and Information Security Directive 2 — known as NIS2 — represents the European Union's most significant cybersecurity legislation in nearly a decade. Adopted in January 2023 and transposed into national law by EU member states by October 2024, NIS2 dramatically expands the scope of cybersecurity obligations for organisations operating across critical and important sectors. Yet one area that receives insufficient attention in enterprise compliance planning is NIS2 data sanitization — specifically, how the directive shapes obligations around the secure disposal of data-bearing assets.
If your organisation falls within the NIS2 scope, this guide explains what the directive requires, where data sanitization fits into your compliance posture, and how to implement a defensible, audit-ready approach to data erasure across your estate.
## What Is the NIS2 Directive and Who Does It Apply To?NIS2 replaces and substantially expands the original NIS Directive (2016). Where NIS1 applied to a narrow set of operators of essential services and digital service providers, NIS2 extends obligations to a far broader category of organisations across 18 sectors, including energy, transport, banking, healthcare, water, digital infrastructure, ICT service management, and public administration.
NIS2 distinguishes between two categories of entities:
- Essential Entities (EE): Large organisations in highly critical sectors such as energy, transport, banking, health, and digital infrastructure. Subject to proactive supervision by competent authorities.
- Important Entities (IE): Mid-size organisations in other critical sectors such as postal services, waste management, food, manufacturing, chemicals, and digital providers. Subject to reactive supervision.
The threshold for classification as an Essential or Important Entity is generally tied to size (organisations with 50 or more employees or over €10 million in annual turnover) and sector. Member states may lower these thresholds for specific sectors.
If your organisation meets these criteria, NIS2 compliance is not optional. Non-compliance can result in fines of up to €10 million or 2% of global annual turnover for Essential Entities — and up to €7 million or 1.4% of turnover for Important Entities.
## How NIS2 Creates Data Sanitization ObligationsNIS2 does not use the phrase "data sanitization" explicitly, but its risk management and security requirements create direct obligations that encompass how data-bearing hardware and media are handled at end of life. Specifically, Article 21 of NIS2 mandates that covered entities implement appropriate and proportionate technical and organisational measures to manage cybersecurity risks. These measures must include:
- Policies on the use, acquisition, and disposal of assets — this directly covers IT equipment containing stored data
- Access control policies — ensuring data does not remain accessible on decommissioned hardware
- Incident handling and business continuity — including the integrity and confidentiality of data across its lifecycle
- Supply chain security — encompassing third-party handling of hardware and data, including ITAD partners
When an organisation decommissions a laptop, decommissions a storage array, retires a cloud instance, or transfers hardware to a third party, the data stored on that asset must be destroyed in a manner that prevents any future access. Failure to do so is not just a data protection risk — under NIS2, it constitutes a failure of your cybersecurity risk management framework.
### NIS2 and : Overlapping ObligationsNIS2 operates alongside GDPR, and for most EU enterprises, the two frameworks create reinforcing obligations around data erasure. While GDPR Article 5(1)(e) mandates the principle of storage limitation — that personal data is not kept longer than necessary — NIS2 adds an information security dimension that extends beyond personal data to all sensitive organisational information.
In practical terms, this means your NIS2 compliance programme and your GDPR data protection programme should share a unified approach to asset disposal. A solution that produces cryptographically signed, tamper-proof audit certificates serves both frameworks simultaneously.
## The Risk Landscape: Why Inadequate Sanitization Is a NIS2 RiskNIS2's risk management obligations require organisations to assess and mitigate cybersecurity risks proportionate to their threat exposure. Unsanitized or inadequately sanitized storage devices represent a well-documented and material data security risk. Consider the following scenarios that European enterprises regularly face:
- Device retirement and ITAD handoff: Laptops, workstations, and servers transferred to third-party ITAD providers without verified data erasure. If the ITAD provider fails to sanitize devices before remarketing or recycling, data exposure liability passes back to the originating organisation.
- Cloud and virtual infrastructure decommissioning: Cloud volumes and virtual machine images that are deleted without cryptographic erasure or overwrite verification leave residual data accessible to subsequent tenants or infrastructure administrators.
- Mobile device end-of-life: Smartphones and tablets enrolled in corporate MDM programmes that are returned to employees, traded in, or disposed of without verified factory-state sanitization.
- Cross-border data transfers involving hardware: Hardware shipped between EU member states or to non-EU countries for refurbishment must comply with both NIS2 and GDPR data transfer restrictions.
For Essential Entities, these risks are not theoretical. NIS2 supervisory authorities may require organisations to demonstrate their asset disposal processes as part of proactive oversight. Audit evidence of compliant data sanitization is essential.
## What Compliant NIS2 Data Sanitization Looks LikeMeeting NIS2 data sanitization obligations requires more than running a free disk wipe utility or relying on factory reset procedures. The following characteristics define a defensible, compliant approach:
### 1. Alignment With Recognised StandardsSanitization methods must align with internationally recognised standards that NIS2 supervisory authorities will recognise as proportionate and appropriate. These include:
- NIST SP 800-88 Rev. 1 (Clear, Purge, and Destroy methods for different media types)
- IEEE 2883-2022 (Updated standard addressing modern HDD, SSD, NVMe, and hybrid storage)
- Common Criteria EAL 4+ (The highest internationally recognised security evaluation for commercial software products)
's Drive Eraser is evaluated to Common Criteria EAL 4+, providing an independently verified assurance level that aligns with the proportionate risk management expectations of NIS2 for Essential and Important Entities handling sensitive or critical data.
### 2. Verifiable and Tamper-Proof Audit TrailsNIS2's reporting and accountability obligations require that organisations be able to demonstrate the security measures they have taken. For data sanitization, this means generating a tamper-proof Certificate of Erasure for every sanitized asset, containing:
- Device identifier (serial number, make, model)
- Sanitization method applied
- Erasure standard compliance reference (e.g., Purge)
- Date, time, and operator information
- Cryptographic hash or digital signature confirming certificate authenticity
Without this audit trail, your organisation cannot demonstrate compliance in the event of a supervisory authority audit or a notifiable incident investigation.
### 3. Centralised Management and ReportingFor enterprises managing large and distributed device estates — common across NIS2 Essential Entities in energy, transport, and financial infrastructure — centralised erasure management is essential. D-Secure's Cloud Console enables IT security and compliance teams to manage, monitor, and report on erasure activity across multiple locations and device types from a single dashboard, providing the operational visibility that NIS2's risk management framework demands.
### 4. Coverage Across All Media TypesNIS2-scoped organisations typically operate heterogeneous IT environments. A compliant data sanitization programme must cover:
- Traditional HDDs and SSDs in laptops and workstations
- Enterprise storage arrays (SAN, NAS, LUN)
- Virtual machines and cloud storage volumes
- Smartphones and mobile devices
- Removable media
Single-product or single-method approaches that leave entire categories of storage media unaddressed create gaps that will be visible during a supervisory review.
## Common Mistakes EU Enterprises Make When Addressing NIS2 Data SanitizationBased on the architecture of NIS2 obligations and common enterprise IT practices, the following errors are frequently observed:
Mistake 1: Treating data sanitization as a GDPR-only obligation
NIS2 is a cybersecurity risk management directive, not a data protection regulation. Many compliance teams delegate data disposal entirely to DPOs without engaging IT security. NIS2 requires that cybersecurity risk owners — typically CISOs and IT Security Managers — own the asset disposal security process.
Mistake 2: Relying on physical destruction for all assets
Physical destruction (shredding) is not always the proportionate or sustainable approach. NIST 800-88 and NIS2's proportionality principle both recognise that software-based sanitization, when applied correctly to appropriate media types, is equally valid and supports hardware reuse — an ESG priority for many EU enterprises under CSRD.
Mistake 3: Accepting ITAD partner assurances without independent verification
NIS2's supply chain security provisions (Article 21(2)(d)) require organisations to assess and monitor the security practices of their supply chain, including ITAD partners. A supplier's verbal assurance or generic terms of service does not constitute adequate due diligence. Verified certificates of erasure produced by certified software are the minimum acceptable standard.
Mistake 4: Ignoring cloud and virtual assets
Many NIS2 compliance reviews focus on physical hardware. Cloud storage volumes, virtual machine images, and IaaS snapshots contain organisational data that is equally subject to NIS2 risk management obligations when those environments are decommissioned.
Mistake 5: Lacking a documented sanitization policy
NIS2 Article 21 requires policies — not just practices. If your organisation erases data correctly but has no documented policy governing when, how, and by whom erasure is performed, you have an audit gap even if your technical controls are sound.
The following steps provide a structured approach for IT Security Managers and Compliance Officers implementing a NIS2-aligned data sanitization programme:
1. Classify your NIS2 scope. Determine whether your organisation is an Essential or Important Entity and identify which competent national authority has supervisory responsibility.
2. Conduct an asset inventory. Map all data-bearing assets across your estate — physical, virtual, mobile, and removable media.
3. Document your sanitization policy. Define methods (Clear, Purge, Destroy) by media type and risk classification, aligned with NIST 800-88 and IEEE 2883-2022.
4. Select certified erasure software. Implement solutions evaluated to recognised standards, including Common Criteria EAL 4+ for software assurance.
5. Establish certificate generation and retention. Ensure every sanitized asset produces a tamper-proof Certificate of Erasure, retained for a period consistent with your record retention obligations.
6. Integrate supply chain controls. Include data sanitization verification requirements in ITAD and logistics partner contracts and conduct periodic audits.
7. Enable centralised reporting. Deploy a management platform that provides real-time visibility into erasure status across all locations.
8. Review and update annually. NIS2 requires proportionate risk management, meaning your policies and tools must evolve as your asset estate and threat landscape change.
Several EU member states, including Germany, the Netherlands, Italy, and Belgium, have either fully transposed NIS2 or are at advanced stages. Supervisory authorities are establishing audit frameworks and notification procedures. Essential Entities in particular face proactive oversight, meaning waiting for an incident before reviewing your data sanitization posture is not a viable strategy.
The reputational and financial exposure from a data breach involving an inadequately sanitized decommissioned device — combined with NIS2's incident reporting obligations and potential fines — makes proactive compliance investment straightforward to justify.
## ConclusionNIS2 compliance for EU enterprises is not limited to network security, incident response, and access controls. The directive's risk management framework creates clear and enforceable obligations around how data-bearing assets are handled at end of life. A defensible NIS2 data sanitization programme requires alignment with recognised standards, independently certified software, tamper-proof audit trails, centralised management, and documented policies that cover your entire asset estate — physical, virtual, and mobile.
D-Secure's Drive Eraser, evaluated to Common Criteria EAL 4+ and supporting NIST 800-88, IEEE 2883-2022, and EU directive alignment, is built to meet the assurance level NIS2 supervisory authorities expect. To see how D-Secure supports your NIS2 EU cybersecurity directive compliance programme in practice, request a Compliance Demo with our enterprise team today.
No comments yet. Be the first to comment.