Data Sanitization Tips for NIS2 Compliance

Apr 25, 2025 Blog Article

The European Union’s Network and Information Security 2 Directive (NIS2) states that all organizations providing “essential” or “important” services to EU member states must have documented processes for managing cyber risk and reporting on cybersecurity incidents across their supply chains. 

This article outlines what NIS2-compliant organizations should know about end-of-life data destruction. 

Stephen Connolly
As a content writer for Blancco, Stephen uses his 10+ years of experience researching and writing about technology to explain how data sanitization is the secure, compliant, efficient, and sustainable choice for end-of-life data management.

NIS2 is a major piece of EU cybersecurity legislation, but its enactment has been slow. As of March 2025, only six EU member countries had fully transposed NIS2 into local laws despite the October 2024 deadline. 

However, more countries are gradually coming on stream. Germany, France, and Spain all have laws either drafted or under discussion. So, despite the delayed rollout, affected organizations should align their cybersecurity and risk management postures now if they want to comply with the eventual regulations.  

This article outlines key things to know about NIS2’s requirements, the importance of national implementations, and why securely disposing of end-of-life data and IT assets should be part of your NIS2 compliance strategy. 

What is the NIS2 Directive? 

NIS2 (EU Directive 2022/2555) establishes a framework for protecting the cybersecurity of critical infrastructure across the European Union.  

Article 21 of the Directive makes member states responsible for ensuring that essential and important entities (defined below) take “measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimize the impact of incidents on recipients of their services and on other services.”  

This includes having plans for the following areas: 

Member states must use these baseline conditions in their national implementations, but penalties, rules, requirements, and mechanisms are all expected to be expanded upon locally.  

Who’s affected by NIS2? 

There are two kinds of organizations that must comply directly with the national implementations of NIS2. First, there are essential entities, which are organizations providing services in what the Directive defines as “sectors of high criticality.” Secondly, there are entities in “other critical sectors,” which are known as important entities. 

These essential and important entities serve critical infrastructure projects in transport, energy, health, and more. See the table below for the relevant sectors and their statuses. 

Sectors by status and entity type:

Status: High criticality (organizations: Essential entities)
  Banking
  Digital infrastructure
  Energy
  Financial market infrastructure
  Health
  ICT service management
  Public administration
  Space
  Transport
  Waste water
  Water

Status: Other critical sectors (organizations: Important entities)
  Digital providers
  Manufacture, production, and distribution of chemicals
  Manufacturing
  Postal and courier services
  Production, processing, and distribution of food
  Research
  Waste management

I’m outside the EU, does NIS2 apply to my company?

Regardless of where you are based, all businesses providing services to the European economy are included within the scope of the law. 

“This Directive applies to public or private entities […] which provide their services or carry out their activities within the Union.” 

Article 2(1), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL 

In addition to entities directly providing services to European countries, supply chain providers in EU and non-EU countries could also be indirectly affected. Article 21(d) of the Directive focuses on the need for “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.” 

This means that entities complying with NIS2 will likely seek commercial partners and products with proven security credentials, such as ISO 27001. The burden will be on the providers to show they are also NIS2 compliant if they want to win or keep the custom of essential and important entities. 

What are the penalties for not complying with NIS2?

How to align with NIS2: the Belgian example 

Article 21 of the Directive states that essential and important entities must document their cybersecurity and risk management processes. But the framework does not contain much information, so how do you know if your current arrangements are good enough? 

As and when they are published, the national implementations should contain more detail. 

Belgium is a good example because it has already implemented NIS2 in the form of the Law establishing a framework for the cybersecurity of network and information systems of general interest for public security. 

To help companies comply with the new law, the Centre for Cybersecurity Belgium (CCB) has created the CyberFundamentals Framework (CyFun®). CyFun is based on international guidelines, including NIST Cybersecurity Framework v1.1 (CSF), ISO 27001 and 27002, CIS Controls, and IEC-62443. 


The Belgian framework has four levels: Small, Basic, Important, and Essential. Each level has a different number of security controls and offers different levels of resistance, with the Small level being advisory rather than a regulatory requirement. For example, the Essential level, which has 140 controls, addresses 100% of real-world cyber-attacks, while the Important level, with 117 controls, counters 94% of attacks. 

To comply with Belgium’s NIS2 law, companies must complete a risk assessment that assigns them one of three assurance levels: Basic, Important, or Essential. The organization must then meet all the requirements relevant to that level. 

These level-based requirements are spelled out in the CyFun framework, which builds on the NIST CSF. Both frameworks have five core functions: Identify, Protect, Detect, Respond, and Recover. 

Organizations must satisfy the requirements set out in the CyFun Framework’s core functions to comply with Belgium’s NIS2 law. 

What does NIS2 say about data disposal, and how can Blancco help? 

It is difficult to anticipate what each EU country will require when it comes to end-of-life data disposal. Belgium’s example, however, suggests that following tried and tested data sanitization methods from frameworks such as ISO 27001 and NIST 800-53 will be critical. 

CyFun and the CSF both stress the need for thorough data destruction, but CyFun also offers some additional details around what compliant organizations must do. 

The table below contains some of the data disposal information in the CyFun mapping document. As these guidelines reflect best practices gleaned from NIST and ISO guidelines, it should be expected that similar levels of scrutiny will be applied to NIS2 implementations across Europe. 

Subcategory: PR.IP-6.1
Level: Important and Essential
Requirement: The organization shall ensure that its critical system’s data is destroyed according to policy.
Guidance: N/A
How Blancco helps: Blancco’s software-based data sanitization solutions provide complete, certified data erasure across the widest range of asset classes, from drives and laptops to LUNs and virtual machines.

Subcategory: PR.IP-6.1
Level: Essential
Requirement: As above
Guidance: Disposal actions include media sanitization actions, including electronic or soft copy media (the bits and bytes contained in hard drives, random access memory (RAM), read-only memory (ROM), disks, memory devices, phones, mobile computing devices, networking equipment…).
How Blancco helps: Data erasure is the non-destructive, software-based process of securely overwriting digitally stored information with random binary data according to a specified standard, then verifying and certifying that the erasure has been successful. Blancco secure data erasure is offered in both active and inactive environments across a variety of IT assets, such as servers, PCs/laptops, mobile devices, removable media, and loose drives, as well as in large, virtualized data centers and cloud environments. The “bits and bytes” mentioned in the CyFun framework are eradicated, and their removal is verified and documented for compliance purposes.

Subcategory: PR.IP-6.2
Level: Essential
Requirement: Sanitation processes shall be documented and tested.
Guidance:
  - Consider applying non-destructive sanitization techniques to portable storage devices.
  - Consider sanitation procedures in proportion to confidentiality requirements.
How Blancco helps: As opposed to destructive processes such as IT asset shredding or incineration, Blancco allows you to completely sanitize storage devices with zero data left behind. The erasure is verified and documented with an audit-ready certificate of erasure. Blancco’s software also offers the choice of 25+ different erasure standards (e.g., NIST 800-88, IEEE 2883, and DoD 5220.22-M) to ensure that data can be wiped in accordance with specific confidentiality or regulatory requirements.

Subcategory: PR.DS-3
Level: Basic, Important, and Essential
Requirement: Assets and media shall be disposed of safely.
Guidance:
  - When eliminating tangible assets like business computers / laptops, servers, hard drive(s) and other storage media (USB drives, paper…), ensure that all sensitive business or personal data are securely deleted (i.e., electronically “wiped”) before they are removed and then physically destroyed (or re-commissioned). This is also known as “sanitization” and thus related to the requirement and guidance in PR.IP-6.
  - Consider installing a remote-wiping application on company laptops, tablets, cell phones, and other mobile devices.
How Blancco helps: Blancco recommends that onsite data sanitization should be performed prior to the disposition of any data-bearing assets, and offers several options for operators to sanitize assets remotely before assets leave protected environments. Whether you sanitize this data in-house, work with an ITAD vendor, or engage another partner, securely erasing data from storage devices prior to them leaving your control means there is less chance of any data on them being breached during transport, storage, or prior to physical destruction. The added value of having a certificate of erasure means that this step in your chain of custody shows auditors you were compliant with data destruction rules. Blancco offers multiple remote wiping options, including a dedicated Windows erasure solution, WinEraser, which can be initiated via Microsoft Intune.

Subcategory: PR.DS-3.2
Level: Important and Essential
Requirement: The organization shall enforce accountability for all its business-critical assets throughout the system lifecycle, including removal, transfers, and disposition.
Guidance: Monitoring and maintaining documentation related to the movements of business-critical assets.
How Blancco helps: Each Blancco erasure is accompanied by a detailed, tamper-proof certificate. This is helpful if you need to prove NIS2 compliance around the movement of IT assets, and to show when, how, and which assets were erased prior to them being removed, transferred, or disposed of.

Subcategory: PR.DS-3.3
Level: Important and Essential
Requirement: The organization shall ensure that the necessary measures are taken to deal with loss, misuse, damage, or theft of assets.
Guidance: This can be done by policies, processes & procedures (reporting), technical & organizational means (encryption, Access Control (AC), Mobile Device Management (MDM), monitoring, secure wipe, awareness, signed user agreement, guidelines & manuals, backups, inventory update …).
How Blancco helps: Secure data erasure means assets can be remotely wiped so that all data is eradicated. Even if erased assets are lost or stolen, therefore, there is no danger of sensitive data being leaked.

Subcategory: PR.DS-3.4
Level: Essential
Requirement: The organization shall ensure that disposal actions are approved, tracked, documented, and verified.
Guidance: Disposal actions include media sanitization actions (see PR.IP-6).
How Blancco helps: All data sanitization actions made with Blancco’s solutions are automatically verified to ensure a successful erasure has taken place. Erasures are also accompanied by tamper-proof, audit-ready certificates that are easily accessible through your centralized Blancco Management Portal.
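The overwrite, verify and certify sequence that the PR.IP-6.1 and PR.DS-3.4 rows describe, as an added illustration written for this page (not Blancco's software): it runs against a constructed file standing in for a storage device and returns an audit record. The function and field names are assumptions chosen for the example.

```python
import hashlib
import json
import os
import secrets
import tempfile
import time
CHUNK = 1 << 16  # 64 KiB I/O chunks

def overwrite_pass(path, pattern_fn, size):
    """One pass: cover the whole target with pattern_fn(n) bytes, then flush to disk."""
    with open(path, "r+b") as f:
        remaining = size
        while remaining:
            n = min(CHUNK, remaining)
            f.write(pattern_fn(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())

def verify_zeroed(path):
    """Read back the final pass and confirm every byte is 0x00."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if any(chunk):
                return False
    return True

def sanitize_and_certify(path, random_passes=2):
    """Random-data passes, a final zero pass, verification, then an audit record."""
    size = os.path.getsize(path)
    for _ in range(random_passes):
        overwrite_pass(path, secrets.token_bytes, size)
    overwrite_pass(path, bytes, size)  # bytes(n) is n zero bytes
    record = {"target": os.path.basename(path), "bytes": size,
              "passes": random_passes + 1, "verified": verify_zeroed(path),
              "timestamp": int(time.time())}
    # Digest so later edits to the record are detectable; a real certificate is also signed.
    record["sha256"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    return record

def demo():
    """Constructed sample: a ~1 MB 'device' image filled with marker text (hypothetical data)."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(b"CONFIDENTIAL " * 80_000)
    record = sanitize_and_certify(path)
    leftover = open(path, "rb").read()
    os.remove(path)
    return record, leftover
```

File-level overwriting does not reach remapped sectors or wear-levelled flash blocks, so sanitizing real media relies on device-level commands as described in NIST SP 800-88; the sample only shows the verification and record-keeping steps.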

Although NIS2 compliance requirements are not yet clear for all affected countries, Belgium’s example sets an unambiguous precedent: end-of-life data sanitization is critical.  

As more and more national laws are enacted, companies will need to follow rigorous best practices for sanitizing data, especially on decommissioned IT assets. 
