NIS2 vendor readiness
We're not in the EU, but our customers often are. Here's how we help you stay compliant.
Last updated: 2026-05-19
NIS2 is the EU directive on the security of network and information systems, in force since October 2024. It expanded the scope of "essential" and "important" entities (banks, energy, healthcare, public administration, large digital service providers, and many more) and introduced strict vendor due-diligence requirements.
We're a Swiss provider, not subject to NIS2 directly — but our European customers often are. If you're a regulated entity using us as a vendor, you need:
- Evidence we meet the technical and organisational measures relevant to your supply-chain risk
- Contractual commitments that match NIS2 Article 21 obligations
- A breach notification commitment within timelines NIS2 requires (24h / 72h / 1 month)
We provide all of the above.
Mapping NIS2 measures to our controls
NIS2 Art. 21 lists 10 categories of measures. Here's how we land on each:
| NIS2 measure | Our control |
|---|---|
| Risk analysis & infosec policies | ISO 27001-aligned controls; annual review; documented in our Information Security Policy |
| Incident handling | 24/7 on-call; incident playbook; tabletop exercises twice/year |
| Business continuity / backup | Daily backups, offsite copy in Geneva; quarterly restore drill |
| Supply chain security | Subprocessor due-diligence, contractual flow-down, see nLPD |
| Security in network & info systems | L2/L3 segmentation with VLAN ACLs on the QFX switches; firewall on the MikroTik edge; private subnets for management |
| Vuln handling & disclosure | security@siati.ai; PGP key shared on first response; SLA: acknowledgement within 24h, critical fixes within 7 days |
| Effectiveness assessment | Annual penetration test by an independent Swiss firm |
| Crypto & encryption | TLS 1.3 in transit, LUKS at rest, key rotation every 6 months |
| HR security | Background checks (Swiss federal extract), security training, access reviews quarterly |
| Access control & MFA | TOTP MFA enforced for all admin accounts; SSO available for enterprise customers |
Breach notification
Our DPA includes a 24-hour notification commitment to the customer (the controller) from the moment we become aware of a confirmed breach affecting their data. This gives you time to meet the 24h initial / 72h detailed / 1 month final NIS2 timeline.
Notification channels:
- Primary: email to your designated DPO + security contact
- Secondary: dashboard banner + SMS to phone numbers on file
What we exclude
We do not provide:
- A formal NIS2 audit (we are not in scope, so we cannot be audited under NIS2)
- An ENISA / NCA certificate (no Swiss equivalent for the directive)
- Any commitment that we are NIS2 compliant (we aren't subject to it)
What we provide is NIS2 vendor readiness: the documentation and contractual hooks to make us a clean entry on your supply chain risk register.
CRA (Cyber Resilience Act) note
The EU CRA enters into force in stages from late 2026. Our managed service offering is not "a product with digital elements" in the CRA sense — we operate the infrastructure, you consume an API. But customers building AI agents that embed our API on user devices may be in scope. We can co-sign a vendor attestation if needed.