NIS2 Remote Access Compliance Checklist for MSPs (2026)
A practical NIS2 compliance checklist for MSP remote access: MFA, EU hosting, audit logs, session recording, supply chain documentation, and incident response. What the directive actually requires, and which tools meet it.
NIS2 (EU Directive 2022/2555, transposed into national law across member states by October 2024) extends cybersecurity obligations to a significantly broader set of entities than its predecessor. For MSPs, this has two implications: your own operations must meet the standard, and your clients in scope sectors can include your remote access tooling in their own compliance audits.
This is not theoretical. MSP remote access tools are now a documented attack vector, the 2021 Kaseya incident and the 2024 TeamViewer breach both demonstrated that the tooling MSPs use to manage client infrastructure is a high-value target. NIS2 Article 21 explicitly names supply chain security as a managed risk.
NIS2 Remote Access Compliance Checklist
The directive does not name specific tools. It requires outcomes. Use this checklist to assess your current remote access stack against Article 21 obligations:
- MFA on the remote access platform, All engineer logins must require a second factor (TOTP, hardware key). Passwords alone are not sufficient under NIS2 Article 21(2)(j).
- Role-based device access, Engineers must be limited to the client sites they are assigned. No engineer should have access to all clients by default.
- Full audit log with identity, timestamp, and target, Every remote session must log: who connected, to which device, when, from which IP, and for how long. Logs must be tamper-evident and exportable.
- Session recording for privileged access, RDP and VNC sessions to sensitive systems (servers, NVRs, PBX) should be recorded. Recording provides evidence for incident response and auditor review.
- EU-hosted infrastructure, Session metadata and recordings must not leave EU jurisdiction. US-hosted relay infrastructure (TeamViewer, AnyDesk, Splashtop) creates data residency exposure.
- Encrypted transport, All sessions must be encrypted in transit. WireGuard (ChaCha20-Poly1305) and TLS 1.2+ both satisfy this requirement.
- Supply chain documentation, Your remote access vendor must be documented as a third-party processor under Article 21(3). You need a data processing agreement and the vendor's own security posture on file.
- Incident response capability, If a session is compromised, you must be able to revoke access immediately, identify all sessions that occurred during the window, and notify the relevant national authority within 72 hours.
- Vendor breach history, NIS2 Article 21 explicitly names supply chain risk. TeamViewer was breached by APT29 in June 2024. AnyDesk had a production environment compromise in February 2024. Both incidents are supply chain events requiring assessment.
- No agents on critical network devices, NVR cameras, PBX systems, and managed switches cannot run remote access agents. Agentless access (WireGuard tunnel on the router) is the only architecture that covers these devices without creating additional attack surface.
Where Legacy Tools Fall Short
TeamViewer and AnyDesk are both German companies, but their relay infrastructure routes traffic through global points of presence including US data centers. In 2024, TeamViewer's corporate network was breached by APT29. AnyDesk had a separate production environment compromise in early 2024. Both companies disclosed the incidents, but for NIS2-covered entities and their MSPs, a breach of the remote access tool is a supply chain incident requiring 72-hour notification to the relevant national authority.
Beyond the breach risk, classic remote access tools have weak audit logging. TeamViewer logs connection times but not screen content. Session recordings are add-on features in higher tiers. Role-based device access is limited.
What a Compliant Architecture Looks Like
The cleanest NIS2-compliant remote access architecture eliminates third-party routing entirely. Traffic goes from the MSP engineer's browser to a relay server you control, through an encrypted WireGuard tunnel to the client router, and then to the target device. No third-party relay. No traffic leaving EU infrastructure.
On top of that foundation, compliance requires:
- Session recording for all RDP and VNC sessions, full screen capture, timestamped, stored with access controls
- Audit log capturing every connection attempt, device accessed, duration, and originating IP
- Team-based access control, engineers access only the client sites assigned to them
- MFA on the MSP platform itself, the login to your remote access tool must require a second factor
- Incident evidence, recordings and logs must be exportable in formats usable for incident response
The Manager Liability Angle
NIS2 introduces personal liability for senior management. Article 20 requires that management bodies approve cybersecurity measures and can be held personally liable for non-compliance after an incident. This changes the procurement conversation with clients: it is no longer an IT decision, it is a board-level risk decision. MSPs who can demonstrate a compliant remote access stack, with EU hosting, audit logs, and session recordings, are in a fundamentally different position than those who cannot.
ProxyLink and NIS2
ProxyLink is hosted on Hetzner in Germany. Traffic does not leave EU infrastructure. Session recordings are stored on the same server with access controls matching the device ownership model. Audit logs capture all connection events. Team-based access control enforces least-privilege access. The WireGuard transport layer provides encrypted sessions with no third-party routing.
The compliance portal generates a report showing all remote access activity for a given client site, designed to be handed directly to a client's NIS2 auditor.
If you are an MSP evaluating your remote access stack against NIS2 obligations, get free early access, no card, no limits during Early Access. For a full architecture breakdown and compliance checklist, see the ProxyLink NIS2 compliance page.
Frequently Asked Questions
Does NIS2 apply to MSPs directly?
Yes, in two ways. First, if your MSP manages infrastructure for entities in NIS2-covered sectors (energy, transport, health, digital infrastructure, etc.), your remote access tooling is in scope as part of their supply chain. Second, MSPs that exceed the NIS2 size thresholds (50+ employees or EUR 10M+ annual revenue) are directly subject to the directive as a digital service provider. In Greece, the transposing legislation is Law 5160/2024.
Is TeamViewer NIS2 compliant?
TeamViewer meets some requirements (encrypted transport, EU entity as processor) but fails on others. The June 2024 APT29 breach of their corporate IT environment is a documented supply chain incident. NIS2 Article 21 explicitly names supply chain security as a risk category. MSPs using TeamViewer need to assess whether that incident triggers their own notification obligations and document the risk acceptance decision. The relay architecture (all traffic transits TeamViewer's infrastructure) also creates GDPR questions for data on EU client networks.
What is the 72-hour notification requirement under NIS2?
If your MSP or a client you manage experiences a cybersecurity incident with significant impact, NIS2 requires early warning to the national authority within 24 hours, and a full incident notification within 72 hours. "Significant impact" includes incidents that cause or could cause substantial operational disruption. A compromised remote access tool that provides access to client infrastructure qualifies. Having session logs and recordings means you can determine the scope of any compromise quickly, which matters for meeting the 72-hour deadline.
What does NIS2 say about manager personal liability?
Article 20 requires management bodies (board, executives) to approve cybersecurity risk management measures and oversee their implementation. After an incident, management can be held personally liable if they failed to approve adequate measures or ignored expert advice. In practice, this means "we didn't know" is not a defense. MSPs who have documented their remote access security posture, EU hosting, audit logs, MFA, session recording, are in a much better position if an incident occurs.