The NIS2 Directive (Network and Information Security 2, Directive (EU) 2022/2555) has dramatically expanded the scope of affected sectors compared to its 2016 predecessor: the category of "essential" or "important" organizations now includes medium-sized IT service providers, manufacturers, logistics companies, food chain actors and many B2B platforms.
What exactly is required?
According to Article 21 of the directive, organizations must implement "state-of-the-art security measures proportionate to the risks." In practice, this means:
- Documented incident management process – preliminary report within 24 hours, detailed report within 72 hours
- Backup and recovery capability – verifiable RTO, RPO and documented recovery tests
- Supply chain security – critical suppliers should also be audited
- Access management – principle of least privilege, multi-factor authentication
- Cryptography – at least industry-standard encryption at rest and in transit
Backup as a cornerstone
NIS2 does not specifically state that "immutable backup is required" – but Article 21(2)(c) treats "business continuity management" and "backup management" capabilities as a mandatory baseline. The Hungarian SZTFH (and its fellow authorities across the EU) ask about the quality of the control implementation during the audit: it is not enough that a backup exists, it must also be immutable so that it survives a ransomware attack.
Immutable, read-only backups are no longer an extra – they are a minimum requirement for every organization covered by NIS2.
How does ViVeSec Box help?
ViVeSec Box meets the NIS2 backup requirements out of the box: immutable object storage, snapshots preserved even when admin authentication is compromised, a detailed audit log (with export), and RBAC plus the four-eyes principle for all data access. The Common Criteria Security Target and the CE Declaration of Conformity are available for download – they can be attached to the documentation within 5 minutes of an auditor's first request.
