The entry into force of the NIS2 Directive across the European Union, together with its national transpositions such as Portugal’s Decree-Law 125/2025, is reshaping the way digital service providers must approach information security and, in particular, the retention and management of logs.
This legislation goes far beyond general cybersecurity principles; it introduces clear, structured and mandatory obligations for hosting companies, cloud operators, DNS and email service providers, managed service providers and organisations running any form of digital infrastructure.
As a result, environments that have traditionally relied on short-term operational logging now face the need to rethink their entire approach to the collection, storage and traceability of evidence.
Portugal’s implementation of NIS2 affects me directly as a service provider and affects every Enhance user operating from Portugal. However, these obligations are not confined to Portuguese providers.
Because NIS2 is an EU-wide directive, the same requirements apply to all Enhance users operating within the European Union, regardless of the size or maturity of their hosting setup.
Moreover, based on conversations with government contacts in several African countries, it is already clear that many of these nations intend to follow the same path and adopt legislation aligned with the European framework.
In practical terms, this means that expectations around long-term log retention, forensic traceability and greater operational accountability will soon extend beyond Europe and become a broader international standard.
This requirement also needs to be understood in light of the broader European timeline. In many EU Member States, the national transposition of NIS2 is already underway, and several countries are preparing to enforce long-term log retention as a mandatory requirement within the next few months.
As each national law comes into force, these obligations will no longer be theoretical: providers will be expected to retain logs for extended periods, maintain their integrity and ensure they can be delivered promptly for audits or security investigations.
The expectation is that long-term, structured and tamper-resistant logging will rapidly become a baseline standard across the European Union, further reinforcing the need for hosting platforms and service providers to adopt logging architectures capable of meeting these demands.
Under NIS2, every covered entity must be able to detect security incidents, understand how they occurred, reconstruct the sequence of events and provide the relevant authorities with the necessary records for investigation and mitigation.
None of this is possible without complete, reliable and long-term log data. Logs are no longer simple technical artefacts used for troubleshooting; they become legal evidence and a fundamental part of organisational accountability.
The directive requires that entities maintain logging capabilities that support forensic analysis, clear attribution of actions and proof that suitable security measures were in place before, during and after an incident.
In practice, this means logs must exist, must be preserved for extended periods, and must be protected against alteration or premature deletion.
This requirement highlights a practical challenge: many hosting control panels, including Enhance, are not yet prepared to meet these new standards. By default, most system logs, web server logs, email logs and DNS logs are retained only for short periods—ranging from a few days to a few weeks.
Operating system rotation policies remove logs long before the retention periods implied by NIS2, which typically range from six to twenty-four months.
Furthermore, Enhance currently lacks built-in tools for centralising logs across nodes, ensuring log integrity or retrieving historical logs in a format suitable for audits. Without such capabilities, providers operating within the EU will struggle to meet their legal obligations under NIS2, regardless of their internal security practices.
One of the most important steps toward compliance, and a measure that any provider subject to the NIS2 framework should seriously consider, is the creation of a dedicated logging infrastructure that is physically and logically separated from all production systems.
Setting up a standalone logging server—used exclusively to receive and store logs over the long term—ensures that every record is collected through secure channels and preserved independently from the servers that generate them.
This reduces the risk of accidental loss, corruption or deletion and provides a safer environment for retaining information with legal significance.
To meet the expectations set by the directive, this logging server should also be capable of organising logs in a structured, audit-ready manner, particularly sorted by date and by customer account.
This level of organisation allows service providers to quickly retrieve the exact records needed for an investigation, an internal review or a formal request from national cybersecurity authorities.
It also reflects well-established forensic best practices, where logs must remain intact and trustworthy even if a production server is compromised.
This architectural change may be one of the most decisive steps toward achieving full legal compliance, because it delivers the level of traceability, continuity and operational accountability that the NIS2 framework explicitly requires.
By adopting a dedicated logging server and ensuring that logs are centralised, securely transmitted, properly indexed and retained for the necessary period, service providers place themselves in a position where they can demonstrate — not merely claim — their commitment to transparency, resilience and responsible operational governance.
The urgency of adopting these changes is becoming increasingly clear. As NIS2-derived national laws take effect, authorities will expect complete traceability, and organisations will be required to justify their actions with verifiable evidence.
Security incidents must be reported within twenty-four hours and followed by detailed reports within thirty days. None of this can be achieved effectively without structured, tamper-resistant log data.
Providers unable to meet these requirements risk not only operational difficulties but also serious legal and financial consequences.
NIS2 is neither optional nor advisory. It is a binding regulatory framework designed to raise the level of cybersecurity and resilience throughout the European digital ecosystem.
For hosting providers, cloud operators and any organisation delivering digital services, adapting to this new reality is not simply advisable — it is mandatory.
By investing in long-term log retention, integrity mechanisms, centralised storage and dedicated logging infrastructure, providers not only comply with the law but also significantly strengthen their ability to protect clients and maintain long-term operational trust.
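One way to implement the storage side of the dedicated logging server described above, as an added example that is not part of the original text or of Enhance: received log lines are filed by date and customer account and hash-chained, so later alteration or truncation is detectable. The directory layout, function names and the 730-day window are assumptions made for illustration.

```python
import hashlib
import json
from datetime import date, timedelta
from pathlib import Path

RETENTION_DAYS = 730  # assumption: 24 months, the upper end of the range cited above
GENESIS = "0" * 64    # starting value of every chain

def _path(root: Path, day: str, account: str) -> Path:
    date.fromisoformat(day)        # rejects values that are not ISO dates
    if not account.isalnum():      # keeps account ids from escaping the archive root
        raise ValueError(f"invalid account id: {account!r}")
    return root / day / f"{account}.jsonl"

def _digest(prev: str, day: str, account: str, line: str) -> str:
    return hashlib.sha256(json.dumps([prev, day, account, line]).encode()).hexdigest()

def append(root: Path, day: str, account: str, line: str) -> str:
    """File one log line under <root>/<day>/<account>.jsonl; return the new chain head."""
    path = _path(root, day, account)
    path.parent.mkdir(parents=True, exist_ok=True)
    records = path.read_text().splitlines() if path.exists() else []
    prev = json.loads(records[-1])["hash"] if records else GENESIS
    digest = _digest(prev, day, account, line)
    with path.open("a") as fh:
        fh.write(json.dumps({"line": line, "hash": digest}) + "\n")
    return digest

def verify(root: Path, day: str, account: str, expected_head: str) -> bool:
    """Recompute the chain; False if a record was altered, removed or reordered."""
    path = _path(root, day, account)
    if not path.exists():
        return False
    prev = GENESIS
    for raw in path.read_text().splitlines():
        rec = json.loads(raw)
        if rec["hash"] != _digest(prev, day, account, rec["line"]):
            return False
        prev = rec["hash"]
    return prev == expected_head   # a truncated file ends on an older head

def purgeable(root: Path, today: date) -> list[str]:
    """Day directories older than the retention window; everything newer is kept."""
    cutoff = today - timedelta(days=RETENTION_DAYS)
    return sorted(p.name for p in root.iterdir()
                  if p.is_dir() and date.fromisoformat(p.name) < cutoff)
```

The head digest returned by `append` has to be recorded somewhere other than the logging server itself, since anyone able to rewrite a whole file could also recompute its chain.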