senn-techsenn-tech
Security
Security2026-07-06· by Mag. (FH) Franz Senn

NIS2 and DORA: What a Self-Hosted Stack Must Actually Deliver

NIS2 and DORA are not cybersecurity laws in the narrow sense — they are evidence laws. Anyone in scope must not only be secure, but prove they are systematically so. That changes what a stack must deliver.

Who is in scope at all

  • NIS2 applies from 50 employees or €10M revenue in many sectors — energy, healthcare, transport, digital services, public administration, manufacturing. For many mid-sized firms it becomes assessable for the first time.
  • DORA hits financial services and their IT providers — including non-financial participants delivering critical services.
  • Both put management personally on the hook — liability and fines are directed at the C-level, not the IT department.

The four requirements that actually count

  • Risk management: A current inventory (assets, dependencies, suppliers). No shadow-Excel register.
  • Incident reporting: Significant incidents must be reported within 24 hours (NIS2) or via a defined tiered plan (DORA) — channels must be defined in advance.
  • Supply chains: Sub-contractors are in scope. A SaaS provider without its own NIS2 evidence becomes a risk itself.
  • Cryptography & authentication: MFA, encryption of data at rest and in transit, an ordered key-management process.

What the self-hosted stack contributes

  • Proxmox HA cluster with quorum and fencing delivers availability from a proven architecture — no single point of failure that must be explained away in risk analysis.
  • Proxmox Backup Server with client-side encryption, sync jobs, and 3-2-1 replication satisfies the recovery requirement traceably — including restore tests.
  • CrowdSec instead of fail2ban brings incident-oriented detection with shared threat intelligence — and logs centrally.
  • Mail gateway with quarantine and AV keeps the communication channel clean that is usually the first attack vector.

What it does not replace

On-prem solves the hardware side. But NIS2/DORA also demand documentation, reporting chains, and exercises — organisation, not technology. The right question when choosing a vendor is not "is this DORA-compliant?" but "can the vendor prove its part?". Self-hosted here means: the proof sits with you — which is both the control and the obligation.

Our Take

Compliance is not a feature you buy on top. It emerges from a stack built for provability from the start — HA, encryption, backups, logging, reporting paths. Run that on-prem and you hold the technical half of the obligation under control. The other half is discipline.

FAQ
Do NIS2 or DORA even apply to my company?+

NIS2 applies from 50 employees or €10M revenue in many sectors — energy, healthcare, transport, digital services, public administration, manufacturing. DORA hits financial services and their IT providers, including non-financial participants delivering critical services. Both put management personally on the hook. An initial assessment pays off early, not only at audit time.

Does a self-hosted stack automatically make me NIS2-compliant?+

No. On-prem solves the technical half — HA clusters, encrypted backups, central logging, clean reporting chains. But NIS2 and DORA additionally demand a provable process: risk analysis, documented supply chains, exercises. Self-hosted here means the proof sits with you — which is both control and obligation.

Do CrowdSec or Proxmox Backup replace dedicated compliance documentation?+

No — they provide the evidence, not the documentation. An HA cluster with quorum, restore-tested backups, and central incident detection are the technical foundation you can show. The reporting chains, asset registers, and exercises must be maintained as an organisation, though. Compliance is not a feature you bolt on; it is a stack built for provability.