NIS2 and Digital Infrastructure: Asset Inventory for Cloud Providers and Data Centers

On March 10, 2021, a fire at OVHcloud’s SBG2 datacenter in Strasbourg completely destroyed the building and partially damaged another. Thousands of customers permanently lost data. Government websites, e-commerce platforms, and emergency services went offline. The investigation revealed that the datacenter’s physical asset inventory was not up to date, enormously complicating damage assessment and recovery.

If you operate digital infrastructure — cloud, datacenter, DNS, CDN, telecom — you’re an essential entity under NIS2. And you need to know exactly what you have.

Why NIS2 applies to digital infrastructure

NIS2 includes as essential entities (Annex I) digital infrastructure providers: internet exchange points (IXPs), DNS providers, TLD registries, cloud computing services, data centers, content delivery networks (CDNs), trust services, and electronic communications networks.

• Exhaustive asset inventory: every server, switch, firewall, and fiber cable must be documented
• Incident management: 24/72-hour notification with precise identification of affected assets
• Service continuity: recovery plans depending on knowing redundancy and location of every component
• Fines up to 10 million euros or 2% of turnover

Real incidents in digital infrastructure

• OVHcloud (France), 2021: The Strasbourg fire affected 3.6 million websites. Many customers discovered their backups were in the same datacenter as primary data. Without a detailed inventory of where each server and replica was located, recovery was chaotic.
• Fastly (global), 2021: A single customer’s misconfiguration caused a 49-minute global outage affecting Amazon, Reddit, Twitch, The New York Times, and thousands more. Lack of visibility into dependencies between configurations and assets delayed diagnosis.
• Dyn (USA), 2016: A massive DDoS attack using the Mirai botnet against DNS provider Dyn made Twitter, Spotify, Netflix, and PayPal inaccessible for hours. The compromised IoT devices forming the botnet were cameras and routers nobody had inventoried.

Why exhaustive asset control is essential

• Every component matters. In a datacenter, a misconfigured switch can cause a cascading failure. An unpatched server can be an attack entry point. You need to know every device, its configuration, and its status.
• Scale magnifies errors. A cloud provider may have tens of thousands of servers. Without inventory automation, documentation errors accumulate and create blind spots.
• Customers depend on your infrastructure. As a cloud or hosting provider, your customers trust that you know where their data is and what hardware supports it. A NIS2 audit will verify exactly that.
• Redundancy only works if documented. Having two redundant servers is useless if you don’t know they’re both in the same rack, powered by the same UPS. Asset inventory includes dependency relationships.

What you need to control

• Servers: Physical and virtual, with rack location, hardware config, OS, and services
• Network equipment: Switches, routers, firewalls, load balancers, with ports and VLANs
• Storage: SANs, NAS, disks, with capacity, RAID, and allocations
• Support infrastructure: UPS, PDUs, air conditioning, diesel generators
• Cabling: Fiber, copper, patch panels, with routes and connections
• Licenses and software: Hypervisors, orchestration systems, monitoring tools

Metrica Control offers the detailed inventory that digital infrastructure demands. Every server in its rack, every switch with its ports, every UPS with its coverage zone. Full traceability for NIS2 and DORA.