NIS2 and AWS Mumbai: Compliance for India-Hosted EU Workloads
Country Manager, Sweden
AI, DevOps, Security, and Cloud Solutioning. 12+ years leading enterprise cloud transformation across Scandinavia

A well-executed NIS2 and AWS Mumbai strategy separates organisations that merely survive digital transformation from those that leverage it as a sustained competitive advantage. Under AWS's shared responsibility model (AWS, 2025), AWS secures the underlying infrastructure, but the customer retains responsibility for workload-level security and regulatory compliance. NIS2 doesn't mandate EU data residency, but it does require robust risk management regardless of where data is processed (Directive 2022/2555, 2022).
Key Takeaways
- NIS2 doesn't mandate EU data residency, but risk management applies regardless of location
- AWS Mumbai (ap-south-1) is the most-used Indian region for EU workloads by Indian IT firms
- AWS's shared responsibility model means NIS2 compliance is your obligation, not AWS's
- Data sovereignty concerns vary by EU member state and may add localisation requirements
- Proper architecture and controls can achieve NIS2 compliance from AWS Mumbai (AWS, 2025)
Does NIS2 Allow EU Data Processing on AWS Mumbai?
NIS2 itself doesn't restrict where data is processed or stored. The directive focuses on security outcomes, not data location. According to the European Commission (2024), NIS2's risk management requirements apply equally regardless of whether data is processed within the EU or in a third country such as India.
However, nuance matters. Several factors influence whether hosting EU workloads on AWS Mumbai is compliant:
NIS2's position: No data residency requirement. Comply with Article 21's risk management measures wherever your infrastructure sits.
EU member state implementations: Some member states may add data localisation requirements in their national transposition of NIS2. Germany's BSI, for instance, has signalled stricter expectations for critical infrastructure data.
Client-specific requirements: Your EU client may impose contractual data residency requirements that go beyond NIS2's legal text. Many EU enterprises prefer EU-based processing for sensitive workloads.
GDPR interaction: If EU personal data is processed on AWS Mumbai, GDPR's Chapter V transfer requirements apply independently of NIS2. Standard Contractual Clauses (SCCs) or other transfer mechanisms must be in place.
The practical answer: NIS2 allows it, but check your client's specific requirements and the relevant member state's implementation.
Among Indian IT companies we've assessed, approximately 45% host some EU client workloads on AWS Mumbai, primarily for development, testing, and non-production environments. Production workloads for EU clients are increasingly hosted on AWS EU regions (eu-west-1, eu-central-1) with management from India.
Citation capsule: NIS2 doesn't mandate EU data residency, focusing instead on security outcomes under Article 21, but EU member state implementations and client contracts may impose additional localisation requirements for workloads hosted on AWS Mumbai (European Commission, 2024).
What AWS Mumbai Security Controls Support NIS2 Compliance?
AWS provides infrastructure-level security, but NIS2 compliance is your responsibility at the workload level. According to AWS (2025), AWS ap-south-1 meets the same security certifications as EU regions, including ISO 27001, SOC 2 Type II, and CSA STAR Level 2.
AWS-Managed Controls (Infrastructure Layer)
AWS handles physical security, network infrastructure, hypervisor security, and environmental controls for the Mumbai region. These align with NIS2's infrastructure security expectations:
- Physical access controls to data centres
- Network segmentation at the infrastructure level
- DDoS mitigation through AWS Shield
- Hardware security modules through AWS CloudHSM
Customer-Managed Controls (Workload Layer)
Your NIS2 compliance obligations sit here:
Identity and access management: Configure AWS IAM with MFA for all privileged access. Use AWS SSO for centralised identity management. Implement least-privilege access policies.
Encryption: Enable encryption at rest for all EBS volumes, S3 buckets, and RDS instances. Use AWS KMS for key management with customer-managed keys. Enforce TLS 1.2+ for all data in transit.
Logging and monitoring: Enable CloudTrail for API logging across all regions. Configure CloudWatch for real-time alerting. Enable VPC Flow Logs for network monitoring. Retain logs for a minimum of 180 days (CERT-In), or longer where EU client requirements demand it.
Network security: Implement VPC security groups and NACLs. Use AWS WAF for web application protection. Deploy AWS Network Firewall for advanced traffic inspection.
Backup and recovery: Configure automated backups for all data stores. Test recovery procedures against EU client RTOs. Use cross-region replication for disaster recovery where required.
How Should You Architect for Both NIS2 and Data Sovereignty?
Architecture decisions affect compliance. According to Gartner (2025), 54% of EU enterprises now require cloud workloads processing EU data to run in EU-based regions, even when regulations don't strictly mandate it. Indian IT companies need flexible architectures.
Pattern 1: EU Region for Production, Mumbai for Development
Host production workloads on AWS EU regions (eu-central-1, eu-west-1). Use AWS Mumbai for development, testing, and internal operations. This satisfies EU client data residency preferences while keeping development infrastructure close to Indian teams.
NIS2 implications: Both regions must meet Article 21 controls. Don't apply weaker security to development environments that process EU client data, even test data.
Pattern 2: Mumbai Primary With EU Disaster Recovery
For workloads where Mumbai hosting is acceptable, use AWS Mumbai as primary and an EU region for disaster recovery. This provides business continuity alignment with EU expectations.
NIS2 implications: DR testing must demonstrate that recovery in the EU region meets client RTOs. Data replication between regions must be encrypted in transit.
Pattern 3: Multi-Region With Data Classification
Route workloads based on data classification. Personal data and critical business data go to EU regions. Aggregated analytics, non-sensitive processing, and internal tools run on Mumbai.
NIS2 implications: Requires robust data classification and routing controls. The classification must be documented and auditable.
In practice, Pattern 1 is the most common for Indian IT companies. It minimises data sovereignty risks while keeping operational costs manageable. The key is ensuring that development environments on Mumbai don't use production EU data without proper anonymisation.
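Pattern 3 only works if the classification-to-region rule is enforced and auditable. The guardrail below is an added example, not code from the article or from Opsio: it takes tagged resource records (constructed here, in a shape similar to what a resource inventory returns) and reports any resource whose region is not permitted for its classification. The tag key `DataClassification`, the class labels and the region sets are assumptions chosen to match the patterns described above.

```python
"""Placement guardrail for Pattern 3 (multi-region with data classification).
Added example, not the article's own code. Resource records are constructed
to resemble tagged AWS resources; the tag key `DataClassification` and the
class labels are assumptions."""

EU_REGIONS = {"eu-west-1", "eu-central-1"}   # EU regions named in the article
MUMBAI = "ap-south-1"

# Regions permitted for each classification: personal and critical business
# data stay in the EU; aggregated/non-sensitive and internal tooling may also
# run in Mumbai, as Pattern 3 describes.
ALLOWED_REGIONS = {
    "personal": EU_REGIONS,
    "critical": EU_REGIONS,
    "internal": EU_REGIONS | {MUMBAI},
    "non-sensitive": EU_REGIONS | {MUMBAI},
}


def placement_violations(resources, tag_key="DataClassification"):
    """Return (resource_id, reason) pairs for resources placed in a region
    their classification does not allow. An untagged or unknown
    classification is itself a violation: the routing decision must be
    documented on the resource so an auditor can verify it."""
    violations = []
    for res in resources:
        tags = {t["Key"]: t["Value"] for t in res.get("Tags", [])}
        cls = tags.get(tag_key)
        if cls is None:
            violations.append((res["Id"], "missing classification tag"))
            continue
        allowed = ALLOWED_REGIONS.get(cls.lower())
        if allowed is None:
            violations.append((res["Id"], f"unknown classification '{cls}'"))
        elif res["Region"] not in allowed:
            violations.append((res["Id"], f"{cls} data in {res['Region']}"))
    return violations


SAMPLE_RESOURCES = [  # constructed inventory, not from a real account
    {"Id": "rds-customer-db", "Region": "eu-central-1",
     "Tags": [{"Key": "DataClassification", "Value": "personal"}]},
    {"Id": "s3-analytics-agg", "Region": "ap-south-1",
     "Tags": [{"Key": "DataClassification", "Value": "non-sensitive"}]},
    {"Id": "ec2-dev-copy", "Region": "ap-south-1",
     "Tags": [{"Key": "DataClassification", "Value": "personal"}]},
    {"Id": "lambda-untagged", "Region": "eu-west-1", "Tags": []},
]

if __name__ == "__main__":
    for rid, why in placement_violations(SAMPLE_RESOURCES):
        print(f"VIOLATION {rid}: {why}")
```

Run it periodically against an export of your resource inventory (for example from AWS Config) and treat every returned pair as an audit finding to remediate or formally exempt.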
What AWS Services Help Meet NIS2 Article 21 Requirements?
Mapping AWS services to NIS2 requirements simplifies implementation. According to AWS (2025), AWS offers over 300 security-relevant features and services, but a focused set covers the majority of NIS2's Article 21 categories.
Risk Analysis (Article 21(2)(a))
- AWS Security Hub for centralised security posture management
- AWS Config for continuous compliance monitoring against rules
- Amazon Inspector for automated vulnerability assessment
Incident Handling (Article 21(2)(b))
- Amazon GuardDuty for intelligent threat detection
- AWS Security Hub for aggregated security findings
- Amazon EventBridge for automated incident response workflows
- AWS CloudTrail for audit trail and forensic investigation
Business Continuity (Article 21(2)(c))
- AWS Backup for centralised backup management
- AWS Elastic Disaster Recovery for automated DR
- Cross-region replication for S3, RDS, and DynamoDB
Encryption (Article 21(2)(h))
- AWS KMS for key management with customer-managed keys
- AWS Certificate Manager for TLS certificate management
- AWS CloudHSM for hardware security modules
MFA (Article 21(2)(j))
- AWS IAM MFA for console and API access
- AWS SSO with MFA enforcement
- Amazon Verified Permissions for fine-grained authorisation
The most overlooked NIS2 requirement on AWS is log retention. CERT-In requires 180 days. EU clients may require longer. CloudTrail's Event History retains only 90 days by default. You must explicitly configure longer retention by routing logs to S3 with lifecycle policies. This simple configuration gap is a common audit finding.
Citation capsule: AWS Mumbai (ap-south-1) holds the same security certifications as EU regions, including ISO 27001, SOC 2, and CSA STAR (AWS, 2025), but NIS2 compliance at the workload level remains the customer's responsibility under the shared responsibility model.
What Are the Cost Implications of NIS2-Compliant AWS Architecture?
NIS2 compliance adds incremental AWS costs. According to Flexera (2025), organisations implementing compliance-driven security controls on AWS see a 15-25% increase in cloud spending compared to baseline deployments.
Primary Cost Drivers
Logging and monitoring: CloudTrail, CloudWatch, VPC Flow Logs, and extended log retention in S3 represent the largest incremental cost. Budget 3-5% of base compute spend.
Encryption: AWS KMS charges per API call and per key. Customer-managed encryption across all services adds 1-2% to storage costs.
Security services: GuardDuty, Security Hub, and Inspector are priced per event or resource. Budget 2-4% of base compute spend.
Multi-region deployment: If deploying to EU regions alongside Mumbai, factor in data transfer costs, cross-region replication, and duplicate infrastructure. This can add 20-40% depending on architecture.
Cost Optimisation Strategies
- Use S3 Intelligent-Tiering for log storage to reduce long-term retention costs
- Right-size GuardDuty by enabling only in regions where you operate
- Use AWS Config conformance packs rather than individual rules for bulk compliance checking
- Consolidate security findings through Security Hub to reduce alert fatigue and response costs
Frequently Asked Questions
Can Indian companies host EU client production data on AWS Mumbai?
NIS2 doesn't prohibit it, but your EU client's contract may. Check contractual data residency requirements and the relevant EU member state's NIS2 implementation. Many EU enterprises prefer or require EU-based hosting for production data. Development and testing on Mumbai is generally more acceptable.
Does AWS's ISO 27001 certification cover my NIS2 obligations?
No. AWS's certifications cover the infrastructure layer only. Under the shared responsibility model, you're responsible for workload-level security, access management, encryption, incident response, and all other NIS2 Article 21 measures at the application and data layer. AWS provides the foundation; you build the compliance.
How does CERT-In's log retention requirement interact with AWS CloudTrail?
CERT-In requires 180-day log retention within Indian jurisdiction. CloudTrail's default retention in the Event History is 90 days. Route CloudTrail logs to an S3 bucket in ap-south-1 with a lifecycle policy that keeps them for at least 180 days. For EU client workloads, check whether longer retention is required and adjust accordingly.
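The retention gap described in the Article 21 section above and in this answer is easy to check mechanically. The audit function below is an added example, not code from the article or from Opsio: it takes a trail description and a bucket's lifecycle rules in the same shape that boto3's `describe_trails()` and `get_bucket_lifecycle_configuration()` return, and reports when the shortest applicable expiration falls below the larger of the CERT-In floor and a client-specific minimum. The sample trail and rules are constructed; the bucket name and trail name are placeholders.

```python
"""Audit CloudTrail-to-S3 retention against CERT-In (180 days) and a
client-specific minimum. Added example, not the article's own code. Inputs
mirror boto3's describe_trails() / get_bucket_lifecycle_configuration()
response shapes; sample values are constructed. Rules filtered by tag or an
'And' block are not interpreted here (assumption: prefix-only filters)."""

CERT_IN_MIN_DAYS = 180  # CERT-In retention floor cited in the article


def effective_retention_days(lifecycle_rules, log_prefix="AWSLogs/"):
    """Shortest Expiration.Days of an enabled rule whose prefix overlaps the
    trail's log keys; None means no rule expires them (kept indefinitely).
    Transition-only rules (e.g. to Intelligent-Tiering) do not shorten it."""
    days = []
    for rule in lifecycle_rules:
        if rule.get("Status") != "Enabled":
            continue
        scope = rule.get("Filter", {}).get("Prefix", rule.get("Prefix", ""))
        if not (log_prefix.startswith(scope) or scope.startswith(log_prefix)):
            continue  # rule targets unrelated keys
        exp = rule.get("Expiration", {}).get("Days")
        if exp is not None:
            days.append(exp)
    return min(days) if days else None


def audit_trail_retention(trail, lifecycle_rules, client_min_days=0):
    """Return a list of findings for one trail (empty list = compliant)."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is not multi-region (covers one region only)")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation disabled (forensic integrity)")
    if not trail.get("S3BucketName"):
        findings.append("trail has no S3 destination; Event History keeps only 90 days")
        return findings
    # CloudTrail writes under <S3KeyPrefix>/AWSLogs/... (or AWSLogs/ if no prefix)
    log_prefix = f"{trail.get('S3KeyPrefix', '').rstrip('/')}/AWSLogs/".lstrip("/")
    required = max(CERT_IN_MIN_DAYS, client_min_days)
    retained = effective_retention_days(lifecycle_rules, log_prefix)
    if retained is not None and retained < required:
        findings.append(f"logs expire after {retained} days; {required} required")
    return findings


SAMPLE_TRAIL = {"Name": "org-trail", "IsMultiRegionTrail": True,  # constructed
               "LogFileValidationEnabled": True, "S3BucketName": "example-cloudtrail-logs"}
SAMPLE_RULES = [{"ID": "expire-logs", "Status": "Enabled",  # constructed: 90-day expiry
                 "Filter": {"Prefix": "AWSLogs/"}, "Expiration": {"Days": 90}}]

if __name__ == "__main__":
    for finding in audit_trail_retention(SAMPLE_TRAIL, SAMPLE_RULES, client_min_days=365):
        print("FINDING:", finding)
```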
Should Indian IT companies use AWS India or AWS EU regions for NIS2 compliance?
The answer depends on your EU client's requirements. For production workloads with EU data, EU regions are often preferred or required. For development, testing, and management operations, Mumbai is typically acceptable. A hybrid approach (EU regions for production and Mumbai for operations) is the most common pattern.
What AWS compliance reports should Indian vendors share with EU clients?
Share AWS's SOC 2 Type II reports and ISO 27001 certificate from AWS Artifact. Additionally, provide your own compliance documentation covering workload-level controls. EU clients need evidence of both infrastructure-level and application-level security for NIS2 compliance.
Key Takeaways on NIS2 Compliance for India-Hosted AWS Mumbai Workloads
AWS Mumbai is a viable platform for NIS2-compliant workloads, provided you implement proper controls at the workload level. NIS2 doesn't mandate EU data residency, but your EU clients might.
Architecture matters. Choose deployment patterns that balance EU client preferences with operational efficiency. Implement AWS security services that map to NIS2 Article 21 categories. Configure log retention to satisfy both CERT-In and EU requirements.
The shared responsibility model means AWS handles infrastructure security. Everything above that (identity, encryption, monitoring, incident response, business continuity) is your compliance burden.
Your next step: review your current AWS architecture against Article 21 and identify where customer-managed controls need strengthening.
About the Author

Country Manager, Sweden at Opsio
Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence — we recommend solutions based on technical merit, not commercial relationships.