
Automating NIS2 & GDPR Compliance: A CTO’s Guide to Immutable Infrastructure in Norway


If you are still manually editing /etc/ssh/sshd_config on production servers in 2025, you aren't just wasting time—you are creating legal liability. With the NIS2 directive now fully enforceable across the EEA and Datatilsynet (The Norwegian Data Protection Authority) ramping up audits, the "we'll fix it later" approach to infrastructure hardening is dead. It ceased to be an option the moment fines started hitting 2% of global turnover.

I learned this the hard way. Last year, during a due diligence audit for a fintech client in Oslo, we lost three days verifying if 500+ nodes were patched against a trivial glibc vulnerability. The servers were secure, but we couldn't prove it fast enough. That friction nearly killed the deal.

Compliance is not about being secure; it's about proving you are secure, continuously, without burning human cycles. Here is how we automated compliance scanning and remediation using standard open-source tools on CoolVDS NVMe instances.

The Architecture of Continuous Compliance

We are not buying expensive "black box" security appliances. We are using the OpenSCAP ecosystem combined with Ansible. This setup allows us to scan against the CIS (Center for Internet Security) benchmarks and automatically remediate drift.

1. The Baseline: OpenSCAP

OpenSCAP evaluates content written to the SCAP (Security Content Automation Protocol) standards. On an Ubuntu 24.04 LTS instance (standard on CoolVDS), you don't need to compile anything. It is in the repos.

First, install the scanner and the security guides:

sudo apt-get update
sudo apt-get install libopenscap8 scap-security-guide

Once installed, you can list the available profiles. For a server handling personal data (GDPR relevance), we typically look at the standard or hardened profiles.

oscap info /usr/share/xml/scap/ssg/content/ssg-ubuntu2404-ds.xml

To run a scan against the CIS Level 2 Server profile (which is appropriate for backend processing nodes hosted in Norway), run this:

sudo oscap xccdf eval \
  --profile xccdf_org.ssgproject.content_profile_cis_level2_server \
  --results-arf /tmp/arf.xml \
  --report /tmp/report.html \
  /usr/share/xml/scap/ssg/content/ssg-ubuntu2404-ds.xml

This command generates an HTML report showing exactly where you fail. On a fresh, unoptimized generic VPS, you will see a sea of red. On a CoolVDS instance, we pre-configure the hypervisor environment to mitigate lower-level risks, but the OS layer is yours to harden.
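The HTML report is for humans; the auditor in the intro wanted a number and a list. This added Python script (not part of the post) pulls every rule-result out of the TestResult inside the ARF file, counts outcomes, and lists failures by severity. The embedded XML is a constructed sample in the shape oscap writes, and the rule ids in it are illustrative.

```python
"""Summarise an OpenSCAP XCCDF/ARF result file into audit evidence."""
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"
# Results that do not count toward the pass rate.
NOT_SCORED = {"notapplicable", "notselected", "notchecked", "informational"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "unknown": 3}

# Constructed sample, shaped like the TestResult oscap writes with --results-arf.
SAMPLE_ARF = """<?xml version="1.0"?>
<arf:asset-report-collection xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1">
 <arf:reports><arf:report id="xccdf1"><arf:content>
  <TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_cis">
   <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium"><result>fail</result></rule-result>
   <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" severity="medium"><result>pass</result></rule-result>
   <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="high"><result>fail</result></rule-result>
   <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password" severity="high"><result>notapplicable</result></rule-result>
   <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info" severity="low"><result>pass</result></rule-result>
  </TestResult>
 </arf:content></arf:report></arf:reports>
</arf:asset-report-collection>
"""

def summarize(xml_text):
    """Return counts per result, the scored pass rate and failed rules by severity."""
    root = ET.fromstring(xml_text)
    counts = {}
    failed = []
    for rr in root.iter(XCCDF_NS + "rule-result"):
        result = rr.findtext(XCCDF_NS + "result", default="unknown")
        counts[result] = counts.get(result, 0) + 1
        if result in ("fail", "error"):
            failed.append((rr.get("severity", "unknown"), rr.get("idref")))
    scored = sum(n for r, n in counts.items() if r not in NOT_SCORED)
    passed = counts.get("pass", 0)
    failed.sort(key=lambda item: (SEVERITY_ORDER.get(item[0], 3), item[1]))
    return {
        "counts": counts,
        "scored": scored,
        "pass_rate": round(100.0 * passed / scored, 1) if scored else 0.0,
        "failed": failed,
    }

if __name__ == "__main__":
    # Pass the ARF path written by `oscap xccdf eval --results-arf`; no path runs the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ARF
    summary = summarize(text)
    print(f"scored={summary['scored']} pass_rate={summary['pass_rate']}%")
    for severity, rule in summary["failed"]:
        print(f"  FAIL [{severity}] {rule}")
    sys.exit(1 if summary["failed"] else 0)
```

The non-zero exit on any failure lets a CI job or cron run fail loudly, which is the "prove it fast" part.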

2. Automated Remediation with Ansible

Finding holes is easy. Patching them without breaking your app is the job. OpenSCAP can generate Ansible playbooks to fix the issues it finds, but I prefer writing a targeted remediation role to maintain control over the config files.

Here is a snippet from our `compliance-hardening.yml` playbook. It enforces SSH configurations strictly—essential for preventing brute-force attacks which remain the #1 vector for automated botnets targeting European IPs.

---
- name: Harden SSH Configuration for CIS Compliance
  hosts: all
  become: true
  tasks:
    # Every edit is validated with `sshd -t` before the file is written, so a
    # typo can never leave sshd unable to restart, and every edit notifies the
    # handler so the change actually takes effect.
    # Ubuntu 24.04 note: sshd_config starts with
    # "Include /etc/ssh/sshd_config.d/*.conf" and sshd keeps the first value it
    # sees, so a drop-in there overrides a line appended further down. Confirm
    # the effective config with `sshd -T` after the run.
    - name: Ensure SSH Protocol 2 is used
      # OpenSSH on 24.04 only speaks protocol 2; the directive is accepted but ignored.
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^Protocol'
        line: 'Protocol 2'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart_sshd

    - name: Disable Root Login
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: 'PermitRootLogin no'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart_sshd

    - name: Set Idle Timeout Interval
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^ClientAliveInterval'
        line: 'ClientAliveInterval 300'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart_sshd

    # Keep an existing session open the first time this runs: a wrong user
    # list here locks every other account out of SSH.
    - name: Limit SSH Access to Specific Users
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^AllowUsers'
        line: 'AllowUsers deploy_user admin_user'
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart_sshd

  handlers:
    - name: restart_sshd
      ansible.builtin.service:
        name: sshd   # on Ubuntu the unit is ssh.service; sshd is its alias
        state: restarted

This playbook is idempotent. You can run it every hour. If nothing changed, it does nothing. If a junior dev accidentally enabled root login to debug something, Ansible slams the door shut immediately.
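A lineinfile edit proves the file contains the line, not that sshd uses it: on Ubuntu 24.04 a drop-in under /etc/ssh/sshd_config.d/ wins over a line appended to sshd_config because sshd keeps the first value it reads. This added check (not part of the post) parses the daemon's own merged view from `sshd -T` and compares it with the expectations from the playbook; the `sshd -T` text embedded here is a constructed sample, and the account names are the ones assumed in the playbook above.

```python
"""Compare the effective sshd configuration (sshd -T) against CIS expectations."""
import subprocess

# Expected effective values. "max" mirrors ClientAliveInterval 300 (must be 1..300);
# "set" is the exact allow list from the playbook.
EXPECTED = {
    "permitrootlogin": ("equals", "no"),
    "clientaliveinterval": ("max", 300),
    "allowusers": ("set", {"deploy_user", "admin_user"}),
}

# Constructed sample of `sshd -T` output: the file was edited, but a drop-in in
# sshd_config.d still wins for PermitRootLogin, so the effective value is "yes".
SAMPLE_SSHD_T = """\
port 22
permitrootlogin yes
clientaliveinterval 300
allowusers deploy_user
allowusers admin_user
passwordauthentication no
"""

def parse_sshd_t(text):
    """Map lowercase keyword -> list of values (keywords like allowusers repeat per line)."""
    effective = {}
    for line in text.splitlines():
        parts = line.split()
        if parts:
            effective.setdefault(parts[0].lower(), []).extend(parts[1:])
    return effective

def check(effective, expected=EXPECTED):
    """Return (keyword, expected, actual) for every expectation the host fails."""
    findings = []
    for key, (mode, want) in expected.items():
        have = effective.get(key, [])
        if mode == "equals":
            ok = have == [want]
        elif mode == "max":
            ok = len(have) == 1 and have[0].isdigit() and 0 < int(have[0]) <= want
        else:  # "set": exactly the listed accounts, nothing extra, nothing missing
            ok = set(have) == want
        if not ok:
            findings.append((key, want, have))
    return findings

if __name__ == "__main__":
    # Needs root: sshd -T prints the merged configuration including all Include files.
    out = subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=True).stdout
    for key, want, have in check(parse_sshd_t(out)):
        print(f"DRIFT {key}: expected {want}, effective {have}")
```

Run it right after the playbook (or from the same hourly cron) so a drift that the file edit did not fix shows up as a finding rather than as a surprise in the next OpenSCAP report.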

3. Data Sovereignty and the "Schrems II" Reality

Technical hardening is useless if your data legality is flawed. Under GDPR and the subsequent Schrems II rulings, transferring personal data of EU/EEA citizens to US-controlled clouds is a legal minefield. Standard Contractual Clauses (SCCs) are often not enough.

Pro Tip: Latency and Legality often overlap. Hosting in Oslo isn't just about getting 3ms ping to local users; it's about keeping data under Norwegian jurisdiction.

When we architect systems on CoolVDS, we are leveraging a provider purely based in the Nordics. The physical hardware resides in Oslo. There is no hidden replication to a data center in Virginia. This simplifies the Record of Processing Activities (ROPA) significantly.

4. Advanced: FIM (File Integrity Monitoring)

For PCI-DSS or high-level NIS2 compliance, you need to know if system binaries change. We use Wazuh (open source) agents on our VDS instances.

Configuration for `ossec.conf` to watch critical directories (the two `ignore` entries exclude files that change constantly and would only generate noise):

<syscheck>
  <!-- realtime="yes" gives the real-time checks discussed below instead of the periodic scan -->
  <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/hosts.deny</ignore>
</syscheck>

Wazuh ties into the CoolVDS high-performance I/O. Because our NVMe storage offers massive IOPS, running real-time FIM checks doesn't degrade the performance of your database or application. On cheaper, spinning-disk VPS providers, enabling real-time file scanning can bring a server to its knees (high I/O wait).

5. The Trade-off: Convenience vs. Control

You could use a Managed PaaS that promises compliance. They will charge you a 400% premium for the privilege, and you will still share a kernel with noisy neighbors. Or, you can build a repeatable, auditable pipeline on raw, high-performance infrastructure.

The CoolVDS Advantage in Compliance:

  • Isolation: KVM virtualization ensures no memory leakage between tenants—critical for multi-tenant security arguments.
  • Network: DDoS protection is included, which ticks the "Availability" box in the CIA triad (Confidentiality, Integrity, Availability).
  • Location: Norwegian datacenter guarantees reduce legal overhead.

Summary

Compliance isn't a one-time checkbox. It is code. By defining your security posture in Ansible and verifying it with OpenSCAP, you turn an annual panic into a daily routine.

Don't let legal ambiguity or slow I/O kill your business growth. Build your compliance fortress on infrastructure that respects your data sovereignty.

Next Step: Spin up a fresh Ubuntu 24.04 instance on CoolVDS today and run your first OpenSCAP scan. You might be surprised at what you find.