Flowtriq & NIS2 Directive | EU Network and Information Security Compliance

NIS2 Directive

EU Directive 2022/2555 (NIS2) · Flowtriq · April 2026

What Is NIS2?

The NIS2 Directive (Directive 2022/2555, effective 18 October 2024) establishes cybersecurity requirements across the EU. It expanded the scope of the original NIS Directive significantly, covering more sectors and introducing stricter obligations for risk management, incident reporting, and supply chain security.

NIS2 is relevant to Flowtriq in two ways: (1) Flowtriq is a tool that helps your organisation meet NIS2 security obligations, and (2) Flowtriq as a company may itself fall within NIS2 scope as a managed security services provider.

Who NIS2 Applies To

NIS2 covers essential entities (Annex I) and important entities (Annex II) in the EU and EEA. Common sectors among Flowtriq's customer base that are covered:

Essential Digital Infrastructure

Internet exchange points, DNS providers, TLD name registries, cloud computing services, data centre services, content delivery networks, trust services.

Essential Energy & Transport

Electricity, gas, hydrogen, oil operators; air, rail, water, and road transport infrastructure operators.

Important Digital Providers

Online marketplaces, online search engines, social networking platforms. Hosting providers, managed service providers (MSPs/MSSPs).

Important Financial & Health

Banks, financial market infrastructure, healthcare providers, pharmaceutical manufacturers. Subject to NIS2 as important entities unless size thresholds trigger essential classification.

Size thresholds: NIS2 generally applies to medium and large organisations (50+ employees or €10M+ revenue). Member states may extend obligations to smaller entities in critical sectors. Consult your national competent authority for the applicable transposition in your country.

NIS2 Article 21 — Security Measures: Flowtriq Mapping

Article 21 requires covered entities to implement appropriate and proportionate technical, operational, and organisational measures to manage security risks. The ten mandatory measure categories and how Flowtriq addresses each:

| Art. 21 Measure | Requirement | Flowtriq Capability |
| --- | --- | --- |
| 21(2)(a) | Risk analysis and information system security policies | Flowtriq's dynamic EWMA baselines continuously model normal traffic for each node and detect deviations. Confidence-scored attack classification (seven families) informs risk level. Incident severity (low/medium/high/critical) maps to policy thresholds you define. |
| 21(2)(b) | Incident handling: detection, analysis, containment, and recovery | Sub-second DDoS detection with automatic incident creation, classification, and severity assignment. Automated 4-level mitigation escalation (firewall rules, BGP FlowSpec, RTBH, cloud scrubbing). PCAP forensic capture for post-incident analysis. 12+ alert channel integrations notify response teams within 1 second. |
| 21(2)(c) | Business continuity and crisis management (backups, disaster recovery) | Flowtriq's auto-mitigation reduces service disruption duration. Maintenance windows prevent false alerting during planned outages. Escalation policies ensure traffic diversion to upstream scrubbing if local mitigation is insufficient. |
| 21(2)(d) | Supply chain security: security of relationships with suppliers and service providers | Flowtriq publishes a current sub-processor list at flowtriq.com/compliance/sub-processors. All sub-processors have contractual data protection obligations under the DPA. ftagent communicates with the Flowtriq API over TLS only, with API key authentication. |
| 21(2)(e) | Security in acquisition, development, and maintenance of network and information systems | Security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) deployed. Secure session management. Input validation across all API endpoints. Change management tracked in the hash-chained audit log. |
| 21(2)(f) | Policies to assess effectiveness of cybersecurity risk management | Audit log exports provide an evidence trail for internal and external review. Incident timeline records detection-to-resolution duration. Baseline drift analysis shows whether threat landscape is changing over time. |
| 21(2)(g) | Basic cyber hygiene and cybersecurity training | Flowtriq University provides free DDoS and network security education. AI-generated incident summaries explain attack type, impact, and mitigation decisions in plain language, supporting security awareness across operations teams. |
| 21(2)(h) | Policies and procedures on use of cryptography and encryption | TLS enforced on all communications. Passwords stored as bcrypt hashes with per-password salts. API keys stored as one-way hashes. Webhook signing uses HMAC-SHA256 with timestamp replay protection. Audit log uses SHA-256 hash chaining. |
| 21(2)(i) | Human resources security, access control, and asset management | RBAC with four roles (Owner, Admin, Analyst, Readonly) ensures least-privilege access. Role changes are recorded in the audit log. API keys are scoped and rotatable. Node/asset inventory maintained per workspace. |
| 21(2)(j) | Multi-factor authentication, continuous authentication, secure communications | TOTP authenticator app and email-based 2FA available for all accounts. API communications authenticated via bearer tokens over TLS. Dashboard sessions use HttpOnly, SameSite=Lax, Secure cookies. |

NIS2 Article 23 — Incident Reporting

NIS2 Article 23 requires covered entities to notify their national CSIRT or competent authority of significant incidents within specific timeframes:

| Notification | Timeline | Flowtriq Support |
| --- | --- | --- |
| Early warning | Within 24 hours of becoming aware | Flowtriq generates an incident record with timestamp at detection. The detection timestamp, attack family, severity, and node are available immediately in the dashboard and exportable for regulatory filings. |
| Incident notification | Within 72 hours | Full incident timeline is available: detection time, peak PPS/BPS, attack classification, source IP geographic distribution, mitigation actions taken, and resolution timestamp. Exportable as JSON/CSV for inclusion in regulatory notifications. |
| Intermediate report (if requested) | On competent authority request | AI-generated incident summary provides a plain-language description of attack type, impact, and response. PCAP captures provide packet-level forensic evidence. |
| Final report | Within 1 month of incident notification | Complete audit trail including all mitigation actions, escalation events, BGP announcements, notification dispatch logs, and chain-verified audit entries. |

Flowtriq as a Covered Entity

As a managed security services provider operating in the EU market, Flowtriq may itself qualify as an important entity under NIS2 Annex II, Category 6 (ICT service management). The following measures reflect Flowtriq's own security posture:

| Obligation | Flowtriq Status |
| --- | --- |
| Incident detection and response programme | Implemented. Hash-chained audit logging, breach notification procedures, incident response contacts ([email protected]). |
| Business continuity plan | Implemented. 99.9% uptime SLA. Cloudflare CDN provides redundancy. Status page at flowtriq.com/status. |
| Supply chain security programme | Implemented. Sub-processor list published. All sub-processors have contractual data protection obligations. |
| MFA for all administrative access | Implemented. TOTP and email 2FA available for all accounts. |
| Vulnerability disclosure | Implemented. Contact [email protected] to report vulnerabilities. Acknowledged within 2 business days. |

Using Flowtriq to prepare for NIS2 audits?
Export audit logs (CSV/JSON), incident timelines, BGP mitigation records, and PCAP evidence directly from your dashboard. These artefacts map directly to Article 21 and 23 evidentiary requirements. For enterprise compliance support, contact [email protected].