NIS2 Guide: How To Follow Your Data

Following your data is a big part of compliance with the new NIS2 directive issued by the EU. But... how do you track your data?

vBoxx Team

NIS2 Guides & Tips

Published on: March 18, 2024

Last Update: March 19, 2024


In today's world, knowing where your data travels is just as important as the data itself. Imagine data as the lifeblood of a business, essential for its day-to-day operations and long-term success. As businesses grow and produce more data, managing this data safely and following rules becomes a complex task. It is like trying to keep track of everything happening in a bustling city, where you do not necessarily control everything directly.


The European Union has introduced the NIS2 directive, shining a spotlight on the need for companies to have a clear picture of their data's journey. This is not just about locking data away safely; it's about understanding every step it takes, who sees it, and what they do with it. Think of it as knowing exactly where your data is traveling, who it's visiting, and what adventures it's having. This knowledge is crucial for keeping data safe and making sure businesses play by the rules.

The Importance of Following Your Data

NIS2 isn't just about checking boxes to say you're in line with the law. It's about really showing you're keeping data safe. That means you need to know your data's whole journey — from when it's made to when it's deleted.

NIS2 Article 21, Paragraph 2, Points (d) and (e) describe this as:


"(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;

(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure"


What that means in normal English is that you have the responsibility to check where your data goes during the entirety of the journey. That means you need to know who your data processors are and which data processors they are using themselves.


Understanding where your data goes and how it gets there is key to spotting where things might go wrong, making sure it's protected, and stopping any information from getting out that shouldn't. Your business might handle data securely and you possibly even have a certification like ISO 27001, but what happens when data leaves your control?

The Benefits and Strategies

A major reason why it is important to follow data is that cyberattacks are getting increasingly sophisticated, and they're not just going after the data you have, but also the data that other companies hold about you. We all hear of a big hack from time to time, and you might even have been affected by one.


If you don't know exactly where your data is and how it's being kept safe, you can't really tell how safe you are from these threats. By keeping an eye on your data at every step of its journey, you're building a defense strategy against any cyberattacks.

Risk Management

Sometimes, data might end up being moved, used, or kept in ways or places you didn't plan for. Every new step your data takes can bring new dangers and by knowing where your data goes, you can spot these problems early on. This lets you come up with quick solutions to fix these issues before they turn into bigger problems.

Build Trust

These days, most people, from customers to business partners, want to know that their information is safe and that rules are being followed. Showing that you know where your data is at all times doesn't just help you stay in line with laws and keep things secure; it also helps build trust.

Challenges and Considerations

However, keeping track of your data can be tough. Every company that deals with your data, like cloud services or subcontractors, has its own way of doing things. Plus, digital businesses are always changing, which means the way your data moves can change too.


To deal with these challenges, you need to be thorough and proactive in determining how you keep track of data. This means doing detailed checks to understand exactly how data moves and where it goes. Setting up strong rules for managing data helps make sure that everyone who touches your data handles it in a safe and legal way, and that is not just a one-time effort.

How to Follow Your Data

So now we know why it is important and even beneficial to follow your data, I am going to give you a few guidelines that can help you do it yourself.


The first thing you need to do to keep track of your data is to figure out how it moves, both inside and outside your company. This means mapping out every step of where data is created, kept, and worked on.


When you're mapping out the flow of data, also note down what data you're collecting, why you're collecting it, where it's stored, how it gets from one place or service to another, and who can get to it at each step. A map like this helps you understand and point out where there might be weak spots or potential problems.

Step 1: Engage with Service Providers

Step one of following your data is still quite straightforward. Your data often ends up being processed or stored by others, for example your cloud services, analytics tools, or customer management systems. It's really important to talk to those providers to understand how they deal with your data. You should research how they follow rules, what they do to keep data safe, and whether they use any other companies to help them out.


A good, transparent company will help you with any questions you might have. Another way to get assurance is through processing agreements. Those are agreements that state the obligations you and your service provider have to keep personal data safe. These documents are not always easy to get hold of, as some companies make them quite difficult to find, which already shows the importance of doing business with trustworthy service providers.


[Illustration: data flow through subprocessors]

Step 2: Identify and Assess Subprocessors

The next step can get a bit more difficult. One big hurdle in keeping an eye on your data is tracking it as it moves through subprocessors. These are the third parties that your main service providers use to process data for them. It's crucial to figure out every one of these subprocessors that has a hand in dealing with your data to fully understand what happens to it from start to finish. Once you know who they are, you need to check how secure and compliant they are. This could mean looking at their security certifications (like ISO 27001), checking their operations through audits, or asking for proof of how they protect data. You want to make sure that every company that touches your data is as committed to keeping it safe and following the rules as you are.

Data Flow Beyond Direct Control

Your data often goes places beyond your direct control. The list of subprocessors is sometimes long and then we are not even talking about the subprocessors of the subprocessors. This long chain of where your data is processed and stored can turn tracking it into a tough task. You need to be proactive, keep a constant eye on things, and really understand the agreements between your company and the services it uses.

More Things to Consider

Something you should also note is that some companies might not only use subprocessors, but might sell data too. One of many examples is Microsoft’s new Outlook app that, once you accept the privacy statement, is allowed to sell data from all emails you add to it, to over 750 third parties.


Last week, the Dutch Intelligence Service (the CIA of the Netherlands) alerted us to security issues related to the American government. It even made the national news (Dutch article). The concern is that the American government can see all data of American companies under their Patriot Act and Cloud Act. That includes essential companies and governmental organizations too, in the Netherlands and the rest of the world.

Tracking Mechanisms

Beyond just knowing how data moves and checking on service providers, it's important to put in place both tech solutions and rules to keep an eye on your data as it happens. This could mean using data management tools that let you see where your data is going, setting up access controls to keep track of who's getting into your data and why, and encrypting your data whether it's just sitting there or moving around. It is easiest if your service provider allows you to manage this yourself, giving you more control.

It also isn't just a one-off task; it's an ongoing effort. Another key part of keeping tabs on your data that's sometimes missed is the human factor. Teaching your team why it's crucial to track data and stick to rules is very important. That could mean informing them about NIS2, how your organization expects data to be treated, and what to do if they spot a data breach. Having a team that knows what to do and is watchful helps your company manage data correctly.

Identifying Subprocessors

Let’s take a closer look at subprocessors, as this part of the data journey can be pretty vague.

The initial challenge for organizations is gaining clear insight into the subprocessor ecosystem, as specifics of these relationships might be hidden within service agreements or not shared at all. Or even worse, deliberately hidden. You might need to look through public sources, like the provider's website or reports from the industry, to get a fuller picture of their data handling. The aim is to put together a detailed list of subprocessors, setting the stage for more in-depth examination.

Risk Assessment and Engagement

After identifying subprocessors, the next move is to evaluate the data chain for any potential risks. That requires a close look at the security protocols and compliance levels of each subprocessor. Important factors to consider include where the data processing happens, the legal rules of those places, and the specific data protection and security certifications, like ISO 27001, that each subprocessor has.


Interacting directly with subprocessors, or doing so through your primary service providers, is key to getting the info you need. That might include using questionnaires or conducting audits.


This kind of engagement with providers possibly also opens up a line of communication for tackling any problems that could pop up. It is always good to document these interactions, as they contribute to the compliance proof you need under NIS2.
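The data-flow map, the subprocessor list and the checks on location, parent company and certification described above can be kept as a small machine-readable inventory and re-run whenever a provider changes. The following is an added example, not vBoxx's code; the provider names, the record fields and the set of flags are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

EU = set("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU "
         "MT NL PL PT RO SK SI ES SE".split())

@dataclass
class Processor:
    country: str            # where the processing happens
    parent_country: str     # jurisdiction of the ultimate parent company
    iso27001: bool          # certificate seen and on file
    subs: Optional[list]    # None = provider publishes no subprocessor list

def trace(inventory, root):
    """Walk the processing chain from `root`; return (path, issue) findings."""
    findings, seen = [], set()

    def visit(name, path):
        if name in seen:     # shared or circular subprocessor: assess once
            return
        seen.add(name)
        where = " > ".join(path + [name])
        p = inventory.get(name)
        if p is None:
            findings.append((where, "not in inventory, unassessed"))
            return
        if p.country not in EU:
            findings.append((where, f"processing outside EU ({p.country})"))
        if p.parent_country not in EU:
            findings.append((where, f"non-EU parent ({p.parent_country})"))
        if not p.iso27001:
            findings.append((where, "no ISO 27001 evidence"))
        if p.subs is None:   # the chain cannot be followed past this point
            findings.append((where, "subprocessor list not published"))
            return
        for sub in p.subs:
            visit(sub, path + [name])

    visit(root, [])
    return findings

# Constructed sample inventory; all provider names are fictional.
INVENTORY = {
    "ExampleCRM": Processor("NL", "NL", True, ["HostA", "MailB"]),
    "HostA": Processor("DE", "US", True, ["CdnC"]),
    "MailB": Processor("US", "US", False, None),
}

if __name__ == "__main__":
    for where, issue in trace(INVENTORY, "ExampleCRM"):
        print(f"{where}: {issue}")
```

Each finding carries the full path from your direct provider, so the output doubles as a list of whom to send a questionnaire to and as documentation of the assessment.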

Example: Microsoft

The products Microsoft provides are still used by a lot of companies. Let’s look at what an analysis would look like with Microsoft, without going too much into detail about whether your data is actually safe from analysis by foreign governments and whether you want your data to be with a company that got fined billions of euros, that is with a B, for privacy violations last year.


Firstly, Microsoft presents a significant challenge in terms of transparency, complicating the efforts of companies to ensure thorough cybersecurity and compliance. While Microsoft discloses a list that includes 47 subprocessors and 36 datacenters at the time of writing, the specifics regarding their operations, how they handle data, and their security protocols remain less clear.


This issue is made more complex by the global spread of subprocessors, which operate under different data protection laws depending on their location. Although Microsoft ensures that subprocessors comply with GDPR, we need to keep in mind that Microsoft itself keeps violating the GDPR, so you might ask yourself what their word actually means. It also does not necessarily say something about data security, as they have had a lot of hacks and breaches last year too.


It is actually very hard to check on subprocessors yourself, as the parent companies of these subprocessors are from various countries, adding more complexity and potential security risks. While a subprocessor itself might be located in the United States, the parent company is not always. You can check this yourself too, but you end up with Chinese government-owned companies more than once if you follow the trail.


In addition, a lot of these subprocessors do not provide a published list of subprocessors or privacy-related policies, requiring you to contact them in one way or another. That takes time too and might prove practically impossible.

Visible Shift in the Market

If it is your job to assess Microsoft in light of NIS2, you might be thinking about just quitting your job and moving to another country, and you would not be the only one that feels like this is a daunting task. What we notice is that this realization, together with privacy and security concerns, has prompted more and more companies and governmental organizations to create policies against their service providers using subprocessors for data handling and processing, or at least limiting them. This change is driven by an understanding that subprocessors add layers of complexity to data security, making it sometimes extremely difficult to ensure comprehensive protection.


By reducing or completely avoiding the involvement of subprocessors, you make your life a lot easier. As said by the Dutch Intelligence Service in last week's article, it is currently unthinkable that ties with America deteriorate, but you never know what may happen in the future. We think the EU will keep investing in local infrastructure and with that, new laws and directives. So that may be another reason to consider having your data fully within EU borders.

How to Simplify Your NIS2 Compliance

If you consider all this, it is the perfect time to move away from providers you might be using now in order to save yourself and your company a lot of unnecessary work and at the same time improve your security and privacy standards.


There are a lot of companies in the EU that provide all kinds of services and have a lot of products for all the different kinds of challenges your business might face. You just need to look for those companies that align with your business policies.


If we would compare a simplified data journey with Microsoft, you would go from the situation in the image below, with dozens of subprocessors in different countries and the possible selling of your data...


[Illustration: data flow through subprocessors]


... to the situation below, with fewer providers, fewer subprocessors and hosting in the EU. In the case of vBoxx that would mean products hosted in the Netherlands with no subprocessors and with personal support.


[Illustration: data flow through subprocessors within the Netherlands]

Your Next Steps

The Dutch Government has released a tool that helps you quickly check your NIS2 compliance (Dutch). We would highly recommend this tool.


If you would like to discuss your use-case we are happy to help you figure out what you might need. We offer a lot of what your business needs, like cloud storage, email, video conferencing, password management, but also servers, web hosting and way more.


We do not have any subprocessors, we and our datacenter are ISO 27001 certified and fully EU-owned, so no non-EU parent companies are involved. Just send us an email, call us, or start a chat and you will be helped immediately.
