SaaS Compliance: GDPR, NIS2 and Certifications

Compliance for SaaS companies is not a checkbox exercise. The rules are concrete, enforcement is increasing and your customers ask questions about it. GDPR has been in force for years, NIS2 was implemented in the Netherlands through the Cybersecurity Act in October 2024, and ISO 27001 is the most widely used standard to demonstrably meet both. Here is what you need to know and what it means for your hosting choice.

GDPR: what applies to SaaS providers

The General Data Protection Regulation (GDPR) applies when you process personal data of EU citizens. For SaaS companies, the position is almost always that of a processor: you process data on behalf of your customers, who are the data controllers.

This brings concrete obligations:

  • Data Processing Agreement: you must sign a DPA with each customer before processing their personal data
  • Technical and organisational measures: you must demonstrably have appropriate security. What is "appropriate" depends on the risk profile of the data
  • Sub-processors: if you obtain hosting, databases or other services from third parties, they must also comply with GDPR. As a processor, you are responsible for your sub-processors
  • Data breach notification: data breaches must be reported to the Data Protection Authority within 72 hours if you are the data controller. As a processor, you must report the breach to your customer, who then reports it to the authority

Hosting outside the EU brings additional obligations. Data transfers to third countries (such as the US) are only permitted under specific legal bases: adequacy decision, Standard Contractual Clauses or Binding Corporate Rules. The Cloud Act makes this complex for US companies, regardless of which SCCs you sign.

NIS2: what is new from 2024

The NIS2 directive, transposed in the Netherlands through the Cybersecurity Act, sets additional cybersecurity requirements for organisations in sectors considered critical or important. Digital infrastructure providers, managed service providers and cloud computing services explicitly fall within scope.

The core obligations:

  • Risk management: you must systematically identify, assess and manage cyber risks. No hard standards, but demonstrability is required
  • Incident reporting: significant incidents must be reported to the NCSC within 24 hours, with a full report within 72 hours
  • Supply chain security: you must know and assess the security practices of your suppliers
  • Board accountability: board members can be held personally liable for insufficient compliance

NIS2 does not mandate specific certification, but the regulator looks at demonstrability. ISO 27001 is the most commonly used basis for this.

GDPR vs. NIS2: the core

                GDPR                                            NIS2 / Cybersecurity Act
Focus           Personal data protection                        Cybersecurity of critical sectors
Scope           All organisations processing EU personal data   Essential and important entities
Enforcement     Data Protection Authority                       NCSC and sectoral regulators
Max. penalty    €20M or 4% of global turnover                   €10M or 2% of global turnover

ISO 27001: the foundation under your compliance

ISO 27001 is an international information security standard. Certification proves you have implemented an Information Security Management System (ISMS) that meets the requirements of the standard. For NIS2 demonstrability, this is the most direct instrument.

What ISO 27001 requires:

  • Risk analysis and risk treatment (documented)
  • Statement of Applicability (which controls you apply and why)
  • Internal audits and management reviews
  • Incident management process
  • Business continuity planning
  • Annual external audit by an accredited certification body

Certification costs time, money and organisational attention. For small SaaS companies, it is not always immediately necessary. What is always necessary: documented measures and a demonstrable approach. That is the minimum with which you convince serious enterprise customers and satisfy a regulator.

Other relevant certifications

Besides ISO 27001, there are sector-specific and additional frameworks that may be relevant for SaaS companies:

SOC 2 Type II: American framework, but common among international enterprise customers. Focuses on security, availability, processing integrity, confidentiality and privacy. Not a certification but an audit report.

NEN 7510: Dutch standard for information security in healthcare. Mandatory if you process health data. Based on ISO 27001 but with healthcare-specific extensions.

ISAE 3402 / SOC 1: relevant if you do financial processing for customers. Focused on internal controls around financial reporting.

CSA STAR: cloud-specific framework from the Cloud Security Alliance. More accessible than ISO 27001 but carries less weight in enterprise deals.

Compliance roadmap by growth stage

  1. Minimum (pre-launch): draft a privacy policy, prepare a DPA template, host in the EU, encrypt data at rest and in transit, document your security update policy.
  2. Growth (first enterprise customers): conduct a penetration test, document the incident response procedure, formalise access management (MFA, least privilege), perform a NIS2 scope check.
  3. Scale-up (regulated sectors): start the ISO 27001 process (6-12 months), implement the ISMS, build internal audit capacity. SOC 2 Type II for international growth.
  4. Enterprise / Healthcare / Government: NEN 7510 (healthcare), BIO (government), annual ISO 27001 recertification, supplier audit programme, DPIA for high-risk processing.

What your hosting choice determines

Your hosting provider is a sub-processor. Choose a Dutch provider with ISO 27001 certification, and that part of your compliance demonstrability is directly covered. You can include their certificate in your own supplier documentation and refer customers to their audit reports.

Choose a hyperscaler outside the EU, and you must additionally justify why this transfer is permitted (SCCs), how you mitigate Cloud Act risks and how you monitor data you do not fully control yourself. This is not impossible, but it adds layers to your compliance file that are avoidable.

Getting started practically

The most effective starting point is not a certification process but a risk analysis. What data do you process, for whom, with what risk in case of a leak or outage? That analysis gives direction to which measures are urgent and which can come later. Then follows documentation, training and tooling. Certification is the formalisation of what you already do, not the starting point.
