nis2 / dora
NIS2 (Directive (EU) 2022/2555) applies to operators of essential and important services in the EU. The directive was transposed into Dutch law as the WIBI on 17 January 2025. The table below shows how the Paramant relay maps to the directive's technical requirements.
| NIS2 Article | Paramant control |
|---|---|
| Art. 21(2)(a) — Risk analysis & info security policies | Public threat model + audit trail via CT log |
| Art. 21(2)(b) — Incident handling | Zero-downtime key revocation, signed audit chain, /v2/audit JSON+CSV export |
| Art. 21(2)(c) — Business continuity, backup | Stateless RAM-only relay (no DB to back up beyond user accounts), CT log replicated across sectors |
| Art. 21(2)(d) — Supply chain security | BUSL-1.1 source available, SBOM published per release, no third-party JS in relay |
| Art. 21(2)(e) — Network/system security | TLS 1.3, post-quantum hybrid (ML-KEM-768 + ECDH P-256), HSTS preload |
| Art. 21(2)(f) — Vulnerability handling | security@paramant.app + 90-day coordinated disclosure, public SECURITY.md |
| Art. 21(2)(g) — Cryptography & encryption | AES-256-GCM, ML-KEM-768, ML-DSA-65, HKDF-SHA256, SHA3-256, Argon2id |
| Art. 21(2)(h) — HR security | TOTP MFA mandatory for admin; API keys never reach the browser; Argon2id-hashed at rest |
| Art. 21(2)(i) — Access control | Per-API-key scoping, sector isolation, admin-token gated /metrics, hot-reload revocation |
| Art. 21(2)(j) — Authentication | No passwords. TOTP (RFC 6238, SHA-256). Replay-proof: each accepted code is held in Redis with a 90s TTL. |
| Art. 23 — Incident reporting | In-app banner + email: initial notice within 24h of a significant incident, follow-up within 72h; integrates with NCSC NL |
| Art. 24 — Management accountability | Quarterly board review of CT log delta, audit findings, cryptographic posture |
dora coverage
DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) for financial entities is covered by the same controls, plus a per-transaction Merkle proof on the finance.paramant.app sector relay. Suitable as evidence for DORA Articles 6, 8 and 17 (ICT risk management).
documentation
Enterprise customers receive a signed control-mapping PDF, a technical addendum, and an incident-response runbook. Email privacy@paramant.app with the subject "NIS2 audit pack" to request them.