Broadcom VMware VCF: Meet NIS2, DORA, and Data Sovereignty Requirements

European regulators have raised the bar on cybersecurity and operational resilience. Organizations across the EU are now expected to prove that their IT environments are secure, recoverable, and under their own legal control. Complying with regulations such as the Digital Operational Resilience Act (DORA) has become a painstaking process: definitions are often unclear, and the evidence regulators expect is demanding. Software that helps organizations meet these obligations, and prove that they do, has never been more critical.

VMware Cloud Foundation (VCF) is Broadcom's integrated private-cloud platform: compute, storage, software-defined networking and security, and operations tooling delivered as one stack that runs in a company's own datacenter. It provides the technical foundations that IT professionals, compliance officers, auditors, and boards need to demonstrate adherence to the NIS2 Directive, DORA, and EU data sovereignty expectations.

This article explains how VCF helps EU organizations meet these obligations without sacrificing modern capabilities such as AI, automation, and cloud-style operations.

 

Why EU regulatory compliance matters now

The regulatory landscape in Europe has changed faster in the last two years than in the previous decade. Several rules now apply in parallel and reinforce each other:

  • NIS2 Directive. The EU cybersecurity law that requires essential and important entities to implement risk-management measures, manage supply-chain risk, and report significant incidents on a fixed timeline: an early warning within 24 hours of becoming aware, a full notification within 72 hours, and a final report within one month. Management bodies must approve and oversee these measures and can be held personally liable for failures.
  • DORA (Digital Operational Resilience Act). In force across the EU since January 17, 2025, DORA requires financial entities (banks, insurers, investment firms, and many of their IT suppliers) to prove they can withstand, respond to, and recover from Information and Communications Technology (ICT) incidents, including major cyberattacks.
  • EU Data Act and sovereignty expectations. Customers, regulators, and partners increasingly require that sensitive data stays under EU legal control and that organizations are not locked into a single non-EU provider.
  • Audit pressure is constant. Internal auditors, external auditors, and supervisory authorities now expect documented evidence. This should cover access, encryption, segmentation, recovery testing, and incident response.
  • High Penalties. NIS2 and DORA both carry significant administrative fines, and NIS2 allows action against individual senior managers for non-compliance.

Under these conditions, the way an organization designs and runs its private datacenter becomes a central compliance question.

 

How VCF supports EU regulatory requirements

1) Sovereign control over data and encryption keys

VCF 9.1 runs in your own datacenter, under your own legal entity, on hardware you control. This is the strongest starting point for data sovereignty: the data, the platform, and the people who administer it all sit under the legal control of a jurisdiction you choose.

VCF 9.1 includes native encryption for stored data (vSAN data-at-rest encryption), virtual machines (VM encryption), and backups. The keys are managed by a key provider: either a KMS (Key Management Server), an external system that stores and controls the keys used to lock and unlock data and that vCenter reaches over the KMIP protocol, or the vSphere Native Key Provider built into vCenter. For a sovereignty argument the external option is the one that matters, because it lets you place the keys, and the HSM behind them, in an EU facility that you operate and can have audited.

How it helps you with regulators:

  • Keys stay in Europe: Encryption keys can be held in a KMS on EU soil, so nobody outside your legal control holds what is needed to decrypt the data. Be precise about what this covers: encryption at rest defeats reading disks or storage media out of band; it does not stop a user who holds vCenter administrator rights, which is why key custody and administrator access must be documented together.
  • Clear data location: Customer records, financial data, and other sensitive content never leave the perimeter you control.
  • No hidden lock-in: Workloads can be moved between datacenters or to a sovereign cloud partner without rebuilding applications.

This brings you demonstrable sovereignty for NIS2, DORA, and EU Data Act conversations.

 

2) Network security and micro-segmentation (NIS2)

NIS2 expects organizations to limit how far an attacker can move once inside the network. VCF 9.1 ships with the tools to do exactly that.

NSX is the software-defined network and distributed firewall built into VCF. It decides which virtual machines are allowed to talk to each other, enforced at each VM's virtual network interface rather than at a central choke point. vDefend adds a threat-protection layer on top of NSX (distributed IDS/IPS and network detection and response) that inspects traffic between virtual machines for malicious behavior and can block it automatically.

Why it matters for regulators:

  • Micro-segmentation: Micro-segmentation means splitting the internal network into small zones, so an attacker who lands in one zone cannot move freely across the rest of the environment. It is a policy you write, not a default: the distributed firewall ships with a final allow-everything rule, so a segmentation design is only complete once the intended flows are whitelisted and the default rule is set to drop.
  • Visibility into east-west traffic: East-west traffic is the traffic that flows between servers inside the datacenter. Perimeter firewalls never see it, which is why lateral movement is where attackers spend most of their time. VCF 9.1 makes it visible and policed.
  • Network Detection and Response (NDR): With VCF, you get a security capability that watches network traffic for attack patterns and flags them in near real time. Alerts and flow records of that kind are exactly the evidence NIS2 supervisors look for.

The result is a defensible security architecture that maps directly to NIS2 risk-management requirements.
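To make the point about the default rule concrete, here is an added example written for this article. It is not NSX code and does not use the NSX API: it is a small first-match firewall model with a constructed three-tier application (group names, CIDRs, rule names and flows are all hypothetical). It shows that with the shipped allow-everything default a compromised web VM reaches the database directly, that a terminal drop rule closes that path while the whitelisted app-to-db flow still works, and it includes the check an auditor would ask for: is there a terminal drop at all?

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Hypothetical model of a first-match distributed firewall, written for this
# article. It is not NSX code; group names, CIDRs and rules are constructed.


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # security-group name, or "any"
    dst: str                 # security-group name, or "any"
    ports: Tuple[int, ...]   # empty tuple = any port
    action: str              # "allow" or "drop"


@dataclass
class Policy:
    groups: Dict[str, List[str]]   # group name -> CIDRs (constructed sample data)
    rules: List[Rule]              # ordered; first match wins
    default_action: str = "allow"  # the shipped default Layer-3 rule allows everything

    def in_group(self, ip: str, group: str) -> bool:
        if group == "any":
            return True
        return any(ip_address(ip) in ip_network(cidr) for cidr in self.groups[group])

    def evaluate(self, src_ip: str, dst_ip: str, port: int) -> Tuple[str, str]:
        """Return (action, name of the rule that decided) for one east-west flow."""
        for r in self.rules:
            if (self.in_group(src_ip, r.src) and self.in_group(dst_ip, r.dst)
                    and (not r.ports or port in r.ports)):
                return r.action, r.name
        return self.default_action, "default"


def build_sample_policy() -> Policy:
    """Three-tier app with only the intended flows whitelisted, nothing else decided."""
    groups = {"web": ["10.1.0.0/24"], "app": ["10.2.0.0/24"], "db": ["10.3.0.0/24"]}
    rules = [
        Rule("web-to-app", "web", "app", (8443,), "allow"),
        Rule("app-to-db", "app", "db", (5432,), "allow"),
    ]
    return Policy(groups, rules)


def harden(policy: Policy) -> Policy:
    """Append an explicit terminal drop so every unlisted east-west flow is blocked."""
    terminal = Rule("default-deny", "any", "any", (), "drop")
    return replace(policy, rules=policy.rules + [terminal], default_action="drop")


def audit(policy: Policy) -> List[str]:
    """Findings an auditor would raise: is lateral movement actually blocked?"""
    findings = []
    last = policy.rules[-1] if policy.rules else None
    terminal_drop = (last is not None and last.src == last.dst == "any"
                     and not last.ports and last.action == "drop")
    if not terminal_drop and policy.default_action != "drop":
        findings.append("no terminal drop rule: unlisted east-west flows are allowed")
    for r in policy.rules:
        if r.action == "allow" and r.src == "any" and r.dst == "any":
            findings.append(f"rule {r.name} allows any-to-any")
    return findings


def lateral_movement_demo() -> Dict[str, Tuple[str, str]]:
    """An attacker on a web VM tries the database directly, before and after hardening."""
    before, after = build_sample_policy(), harden(build_sample_policy())
    return {
        "web->db:5432 before": before.evaluate("10.1.0.5", "10.3.0.7", 5432),
        "web->db:5432 after": after.evaluate("10.1.0.5", "10.3.0.7", 5432),
        "app->db:5432 after": after.evaluate("10.2.0.9", "10.3.0.7", 5432),
    }


if __name__ == "__main__":
    for flow, verdict in lateral_movement_demo().items():
        print(flow, verdict)
    print("audit before:", audit(build_sample_policy()))
    print("audit after:", audit(harden(build_sample_policy())))
```

The same shape of check is worth running against an exported rule set from a real environment: whitelist rules alone prove nothing about lateral movement until the last rule, or the default action, is a drop.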

 

3) Operational resilience and ransomware recovery (DORA)

DORA states clearly that you must be able to recover. Recovery has to be planned, documented, and tested.

VCF 9.1 includes VMware Live Recovery, a built-in disaster recovery and ransomware recovery capability. Alongside it, vSAN stretched clusters (one logical cluster spread across two physical sites, with a witness at a third location) keep workloads running even if a whole site goes down.

How it helps you with regulators:

  • Defined RTO and RPO: RTO (Recovery Time Objective) is the maximum time a service may be unavailable before it must be running again. RPO (Recovery Point Objective) is the maximum amount of data loss that is acceptable, expressed as the age of the last usable copy. A service's achieved values are those of its slowest and least-recently-replicated component, and VCF 9.1 makes both measurable and provable through recovery test records.
  • Tested recovery workflows: Recovery plans can be rehearsed regularly with isolated test runs that do not disrupt production. DORA explicitly demands that continuity and recovery plans are tested, not just written.
  • Ransomware-aware restore: Backups and snapshots can be scanned and validated in an isolated recovery environment before restoring, so encrypted or infected data is not brought back into production.
  • Two-site continuity: A stretched cluster gives continuous availability even during a full site outage. It protects against site loss, not against ransomware: corrupted writes are replicated to both sites immediately, which is why the recovery capability above is still needed.

Especially for DORA, these capabilities give you operational resilience without you having to use a third-party recovery stack.
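The following is an added example written for this article, not VMware Live Recovery output or code, showing how a recovery rehearsal turns into pass/fail evidence against the objectives. The objectives and the test-run record are constructed; the record format, VM names and timestamps are hypothetical. The point it makes is the one regulators probe: the function's achieved RPO and RTO are those of its worst component, so a single lagging database replica fails the whole function.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Hypothetical recovery-test evidence check written for this article. The
# objectives and the test-run record are constructed; the record format is
# not VMware Live Recovery output.

# Objectives a DORA-regulated entity might set for one business function.
OBJECTIVES = {"rto": timedelta(hours=4), "rpo": timedelta(minutes=15)}

# Constructed sample: one rehearsal, with the last replicated checkpoint and
# the time each VM was back in service after the simulated outage.
SAMPLE_RUN = {
    "outage_declared": "2025-03-10T09:00:00",
    "vms": [
        {"name": "web01", "last_checkpoint": "2025-03-10T08:52:00", "restored": "2025-03-10T10:10:00"},
        {"name": "app01", "last_checkpoint": "2025-03-10T08:58:00", "restored": "2025-03-10T11:40:00"},
        {"name": "db01",  "last_checkpoint": "2025-03-10T08:40:00", "restored": "2025-03-10T13:30:00"},
    ],
}


def _minutes(delta: timedelta) -> int:
    return int(delta.total_seconds() // 60)


def assess(run: Dict, objectives: Dict[str, timedelta] = OBJECTIVES) -> Dict:
    """Turn a test-run record into pass/fail evidence against RTO and RPO.

    The service-level result is the worst VM: the function is only recovered
    when its last component is, and only as current as its stalest replica.
    """
    t0 = datetime.fromisoformat(run["outage_declared"])
    breaches: List[str] = []
    worst_rpo = worst_rto = timedelta(0)
    for vm in run["vms"]:
        data_loss = t0 - datetime.fromisoformat(vm["last_checkpoint"])
        downtime = datetime.fromisoformat(vm["restored"]) - t0
        worst_rpo, worst_rto = max(worst_rpo, data_loss), max(worst_rto, downtime)
        if data_loss > objectives["rpo"]:
            breaches.append(f"{vm['name']}: RPO {_minutes(data_loss)} min exceeds "
                            f"{_minutes(objectives['rpo'])} min")
        if downtime > objectives["rto"]:
            breaches.append(f"{vm['name']}: RTO {_minutes(downtime)} min exceeds "
                            f"{_minutes(objectives['rto'])} min")
    return {
        "achieved_rpo_min": _minutes(worst_rpo),
        "achieved_rto_min": _minutes(worst_rto),
        "breaches": breaches,
        "passed": not breaches,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_RUN)
    print(f"achieved RPO {result['achieved_rpo_min']} min, RTO {result['achieved_rto_min']} min")
    for b in result["breaches"]:
        print("breach:", b)
    print("PASS" if result["passed"] else "FAIL: fix the plan before the next rehearsal")
```

A record like this, one per rehearsal and kept for the retention period, is what "tested and documented" means in an audit; a plan that has never produced such a record is untested by definition.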

 

4) Auditability, logging, and evidence

Both NIS2 and DORA require organizations to produce evidence on demand: who did what, when, on which system, and what was the security state at the time of an incident.

VCF 9.1 includes Aria Operations and Aria Operations for Logs (VCF Operations and VCF Operations for Logs under the VCF 9 naming). They are the monitoring dashboard and the central log archive for the platform. Together they show how healthy each system is and what happened on it.

How this helps you with complying with EU regulations:

  • Centralized, tamper-resistant logs: Security, configuration, and access logs land in a single archive that can be retained for the legally required period. Tamper resistance has to be designed in: forward the logs to a store whose administrators are not the platform administrators, with retention locked for the regulatory period, so that the people being audited cannot alter the evidence.
  • Incident timelines on demand: When supervisors ask what happened during a breach, the answer is reconstructable from real evidence: who did what, from where, on which object, and in what order.
  • Compliance reporting: Built-in dashboards map directly to common control frameworks. This reduces the manual effort to prepare an audit.

This results in faster audits, cleaner reports, and less last-minute spreadsheet work.

 

5) Identity, access, and least-privilege governance

Regulators consistently focus on one question: who can do what, and how do you prove it? VCF 9.1 supports a least-privilege model across the platform.

How the least-privilege model helps you with regulations:

  • Role-Based Access Control (RBAC): Defines who is allowed to do what on the platform, so administrators only get the rights they actually need.
  • Strong authentication: VCF integrates with enterprise identity providers and supports multi-factor authentication (MFA) on management access through that identity provider. This is a baseline expectation under NIS2.
  • Separation of duties: Security, operations, and audit roles can be cleanly separated, which is essential for DORA-regulated entities.
  • Privileged access logging: Every administrative action is logged and attributable to an individual, provided it is performed under a named account. Built-in accounts such as administrator@vsphere.local and root are shared by definition; keep them for break-glass use with vaulted credentials and an alert on every login, so that the audit trail names people rather than roles.

With the least-privilege model you benefit from fewer security gaps, defensible access governance, and have much smoother audit conversations.
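What the last two sections describe, an incident timeline reconstructed from evidence (section 4) and administrative actions attributable to individuals (section 5), can be turned into one concrete check. The code below is an added example written for this article; it is not vCenter, Aria or VCF Operations for Logs output or code. The five audit events are constructed in a simple pipe-separated form, the account names and addresses are hypothetical, and the set of shared accounts is the one assumption the check rests on.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Hypothetical audit-evidence check written for this article. The event lines
# are constructed in a simple pipe-separated form; they are not vCenter or
# VCF Operations for Logs output.

# Accounts that are shared by definition and therefore not attributable to a person.
SHARED_ACCOUNTS = {"administrator@vsphere.local", "root"}

# Constructed sample: timestamp|user|source address|action|target object
CONSTRUCTED_EVENTS = """\
2025-03-10T08:55:02|alice@corp.example|10.10.5.21|PermissionChanged|vm-web01
2025-03-10T08:57:40|administrator@vsphere.local|10.10.5.21|RoleAssigned|datacenter
2025-03-10T09:01:15|administrator@vsphere.local|192.0.2.44|SnapshotDeleted|vm-db01
2025-03-10T09:03:08|bob@corp.example|10.10.5.30|VMPoweredOff|vm-app01
2025-03-10T09:20:00|alice@corp.example|10.10.5.21|VMPoweredOn|vm-app01
"""


def parse(text: str) -> List[Dict]:
    """Parse the constructed pipe-separated events into dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, action, target = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "action": action, "target": target})
    return events


def timeline(events: List[Dict], start: datetime, end: datetime) -> List[str]:
    """Chronological, attributed record of what happened inside an incident window."""
    rows = sorted((e for e in events if start <= e["ts"] <= end), key=lambda e: e["ts"])
    return [f"{e['ts'].isoformat()} {e['user']} from {e['src']}: {e['action']} on {e['target']}"
            for e in rows]


def attribution_findings(events: List[Dict]) -> List[str]:
    """Flag actions that cannot be tied to a named individual.

    Two signals: any privileged action under a shared account, and the same
    shared account appearing from several source addresses, which usually
    means the credential is in more than one person's hands.
    """
    findings = []
    sources = defaultdict(set)
    for e in events:
        if e["user"] in SHARED_ACCOUNTS:
            findings.append(f"{e['ts'].isoformat()} {e['action']} on {e['target']} "
                            f"by shared account {e['user']}")
            sources[e["user"]].add(e["src"])
    for user, srcs in sources.items():
        if len(srcs) > 1:
            findings.append(f"shared account {user} used from {len(srcs)} source addresses: "
                            f"{sorted(srcs)}")
    return findings


if __name__ == "__main__":
    evs = parse(CONSTRUCTED_EVENTS)
    window = (datetime(2025, 3, 10, 9, 0), datetime(2025, 3, 10, 9, 5))
    print("timeline 09:00-09:05:")
    for row in timeline(evs, *window):
        print(" ", row)
    print("attribution findings:")
    for f in attribution_findings(evs):
        print(" ", f)
```

In the sample, the snapshot deletion on the database VM at 09:01 is exactly the action an incident investigation would need to pin on a person, and it cannot be: it ran under the shared administrator account, from an address that account was not otherwise seen from. That gap, not the dashboard, is what the NIS2 or DORA supervisor will ask about.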

 

SCHNEIDER IT MANAGEMENT’s role for regulated organizations

Broadcom VMware offboarded more than 90 percent of former partners and shifted to a small, highly specialized partner model.

SCHNEIDER IT MANAGEMENT is one of only three registered Broadcom partners in Luxembourg following the April 2, 2026 partner consolidation, and we serve regulated customers across Europe, including financial services, public sector, and critical infrastructure. We ensure that your Broadcom VMware contracts deliver maximum regulatory coverage at minimum cost.

 

Summary

EU regulation has moved from principle to enforcement. NIS2, DORA, and EU data sovereignty now shape how organizations design and operate their core IT.

VMware Cloud Foundation (VCF) 9.1 supports these requirements through:

  • Sovereign control over data and encryption keys.
  • Micro-segmentation and east-west security aligned to NIS2 expectations.
  • Tested operational resilience and ransomware recovery for DORA.
  • Centralized logging and audit evidence across the platform.
  • Least-privilege identity and access governance.

 

Ready to make your VCF 9.1 estate regulatory-defensible?

As a leading Broadcom partner, SCHNEIDER IT MANAGEMENT supports medium and large organizations in licensing VMware environments with a clear focus on regulatory defensibility, security, and long-term value. Contact our Broadcom expert team today.

Questions about licensing?
Our experts have answers.


This article is provided for informational purposes only. SCHNEIDER IT MANAGEMENT makes no warranties regarding the accuracy or completeness of the information. The content and prices provided are non-binding and subject to applicable license agreements and vendor terms. Some content may have been created or supported by AI tools and reviewed and edited by our editorial team.
