NIS2 and DORA: What a Self-Hosted Stack Must Actually Deliver
NIS2 and DORA are not cybersecurity laws in the narrow sense — they are evidence laws. Anyone in scope must not only be secure, but prove they are systematically so. That changes what a stack must deliver.
Who is in scope at all
- NIS2 applies from 50 employees or €10M revenue in many sectors — energy, healthcare, transport, digital services, public administration, manufacturing. For many mid-sized firms it becomes assessable for the first time.
- DORA hits financial services and their IT providers — including non-financial participants delivering critical services.
- Both put management personally on the hook — liability and fines are directed at the C-level, not the IT department.
The four requirements that actually count
- Risk management: A current inventory (assets, dependencies, suppliers). No shadow-Excel register.
- Incident reporting: Significant incidents must be reported within 24 hours (NIS2) or via a defined tiered plan (DORA) — channels must be defined in advance.
- Supply chains: Sub-contractors are in scope. A SaaS provider without its own NIS2 evidence becomes a risk itself.
- Cryptography & authentication: MFA, encryption of data at rest and in transit, an ordered key-management process.
What the self-hosted stack contributes
- Proxmox HA cluster with quorum and fencing delivers availability from a proven architecture — no single point of failure that must be explained away in risk analysis.
- Proxmox Backup Server with client-side encryption, sync jobs, and 3-2-1 replication satisfies the recovery requirement traceably — including restore tests.
- CrowdSec instead of fail2ban brings incident-oriented detection with shared threat intelligence — and logs centrally.
- Mail gateway with quarantine and AV keeps the communication channel clean that is usually the first attack vector.
What it does not replace
On-prem solves the hardware side. But NIS2/DORA also demand documentation, reporting chains, and exercises — organisation, not technology. The right question when choosing a vendor is not "is this DORA-compliant?" but "can the vendor prove its part?". Self-hosted here means: the proof sits with you — which is both the control and the obligation.
Our Take
Compliance is not a feature you buy on top. It emerges from a stack built for provability from the start — HA, encryption, backups, logging, reporting paths. Run that on-prem and you hold the technical half of the obligation under control. The other half is discipline.
Do NIS2 or DORA even apply to my company?+
NIS2 applies from 50 employees or €10M revenue in many sectors — energy, healthcare, transport, digital services, public administration, manufacturing. DORA hits financial services and their IT providers, including non-financial participants delivering critical services. Both put management personally on the hook. An initial assessment pays off early, not only at audit time.
Does a self-hosted stack automatically make me NIS2-compliant?+
No. On-prem solves the technical half — HA clusters, encrypted backups, central logging, clean reporting chains. But NIS2 and DORA additionally demand a provable process: risk analysis, documented supply chains, exercises. Self-hosted here means the proof sits with you — which is both control and obligation.
Do CrowdSec or Proxmox Backup replace dedicated compliance documentation?+
No — they provide the evidence, not the documentation. An HA cluster with quorum, restore-tested backups, and central incident detection are the technical foundation you can show. The reporting chains, asset registers, and exercises must be maintained as an organisation, though. Compliance is not a feature you bolt on; it is a stack built for provability.