
NIS2-Compliant Remote Access for MSPs: What You Need in 2026

What NIS2 actually requires from MSP remote access tools — audit logs, EU hosting, encrypted sessions — and why most legacy tools fall short.

NIS2 (EU Directive 2022/2555, transposed into national law across member states by October 2024) extends cybersecurity obligations to a significantly broader set of entities than its predecessor. For MSPs, this has two implications: your own operations must meet the standard, and your clients in in-scope sectors can include your remote access tooling in their own compliance audits.

This is not theoretical. MSP remote access tools are now a documented attack vector — the 2021 Kaseya incident and the 2024 TeamViewer breach both demonstrated that the tooling MSPs use to manage client infrastructure is a high-value target. NIS2 Article 21 explicitly names supply chain security as a managed risk.

What NIS2 Actually Requires for Remote Access

The directive does not name specific tools. It requires outcomes. For remote access, the relevant obligations under Article 21(2) are:

  • Access control: Multi-factor authentication or continuous authentication for remote sessions. Role-based access — not everyone gets access to everything.
  • Audit logging: All remote access events must be logged with sufficient detail to reconstruct who accessed what, when, and from where.
  • Incident detection: Ability to detect and respond to unauthorized access attempts.
  • Supply chain security: Vendors providing remote access tools must themselves be assessed for security posture.
  • Data residency: For many member states, logs and session data must remain within the EU. In practice, this means your remote access infrastructure cannot be US-hosted.

Where Legacy Tools Fall Short

TeamViewer and AnyDesk are both German companies, but their relay infrastructure routes traffic through global points of presence including US data centers. In 2024, TeamViewer's corporate network was breached by APT29. AnyDesk had a separate production environment compromise in early 2024. Both companies disclosed the incidents, but for NIS2-covered entities and their MSPs, a breach of the remote access tool is a supply chain incident requiring 72-hour notification to the relevant national authority.

Beyond the breach risk, classic remote access tools have weak audit logging. TeamViewer logs connection times but not screen content. Session recordings are add-on features in higher tiers. Role-based device access is limited.

What a Compliant Architecture Looks Like

The cleanest NIS2-compliant remote access architecture eliminates third-party routing entirely. Traffic goes from the MSP engineer's browser to a relay server you control, through an encrypted WireGuard tunnel to the client router, and then to the target device. No third-party relay. No traffic leaving EU infrastructure.

On top of that foundation, compliance requires:

  • Session recording for all RDP and VNC sessions — full screen capture, timestamped, stored with access controls
  • Audit log capturing every connection attempt, device accessed, duration, and originating IP
  • Team-based access control — engineers access only the client sites assigned to them
  • MFA on the MSP platform itself — the login to your remote access tool must require a second factor
  • Incident evidence — recordings and logs must be exportable in formats usable for incident response
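
One way to check the logging and access-control items above against exported audit data, as an added example (not ProxyLink's code or log format): it reviews constructed audit records for missing fields, sessions outside an engineer's assigned sites, sessions without MFA, and unrecorded RDP/VNC sessions. The record field names and the ASSIGNMENTS map are assumptions.

```python
from datetime import datetime

# Fields each audit record must carry; the field names are assumptions.
REQUIRED = ("timestamp", "engineer", "site", "device", "protocol",
            "source_ip", "duration_s", "result", "mfa")

# Constructed sample data: team assignments and four audit records.
ASSIGNMENTS = {"alice": {"site-a"}, "bob": {"site-b"}}
BASE = {"timestamp": "2026-01-12T09:14:03+00:00", "engineer": "alice",
        "site": "site-a", "device": "srv-01", "protocol": "rdp",
        "source_ip": "192.0.2.10", "duration_s": 840, "result": "connected",
        "mfa": True, "recording": "rec-0001"}
RECORDS = [
    dict(BASE),                                                  # clean session
    dict(BASE, engineer="bob", protocol="ssh", recording=None),  # wrong site
    dict(BASE, protocol="vnc", source_ip="", recording=None),    # gaps
    dict(BASE, engineer="bob", site="site-b", result="denied",
         mfa=False, duration_s=0, recording=None),               # blocked attempt
]


def review(records, assignments):
    """Return (record index, finding) pairs for records that miss a control."""
    findings = []
    for i, rec in enumerate(records):
        missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
        if missing:
            findings.append((i, "missing fields: " + ", ".join(missing)))
        ts = rec.get("timestamp")
        if ts:
            try:
                if datetime.fromisoformat(ts).tzinfo is None:
                    findings.append((i, "timestamp has no timezone"))
            except ValueError:
                findings.append((i, "unparseable timestamp"))
        if rec.get("result") != "connected":
            continue  # denied attempts must be logged but open no session
        if rec.get("site") not in assignments.get(rec.get("engineer"), set()):
            findings.append((i, "session outside team assignment"))
        if rec.get("mfa") is not True:
            findings.append((i, "session without MFA"))
        if rec.get("protocol") in ("rdp", "vnc") and not rec.get("recording"):
            findings.append((i, "RDP/VNC session without recording"))
    return findings


if __name__ == "__main__":
    for index, finding in review(RECORDS, ASSIGNMENTS):
        print(f"record {index}: {finding}")
```

The denied attempt in the last record produces no finding: it is logged with its originating IP, and the control blocked it.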

The Manager Liability Angle

NIS2 introduces personal liability for senior management. Article 20 requires that management bodies approve cybersecurity measures and can be held personally liable for non-compliance after an incident. This changes the procurement conversation with clients: it is no longer an IT decision, it is a board-level risk decision. MSPs who can demonstrate a compliant remote access stack — with EU hosting, audit logs, and session recordings — are in a fundamentally different position than those who cannot.

ProxyLink and NIS2

ProxyLink is hosted on Hetzner in Germany. Traffic does not leave EU infrastructure. Session recordings are stored on the same server with access controls matching the device ownership model. Audit logs capture all connection events. Team-based access control enforces least-privilege access. The WireGuard transport layer provides encrypted sessions with no third-party routing.

The compliance portal generates a report showing all remote access activity for a given client site — designed to be handed directly to a client's NIS2 auditor.

If you are an MSP evaluating your remote access stack against NIS2 obligations, get free early access — no card, no limits during Early Access.

ProxyLink is free during Early Access

One WireGuard tunnel on a router gives you browser RDP, VNC, and SSH to every device on the LAN. No agent on the target. No credit card. No trial countdown.
