Sefthy and NIS2: how we help you, concretely

Mapping the ten Article 21 areas to Sefthy features. What we solve directly, what stays your responsibility.


TL;DR

Point-by-point mapping between the 10 NIS2 Article 21 measures and Sefthy features. What we cover directly, what stays with the customer, what we document for their audits.

Mapping the 10 points

Point 1 — Risk analysis

Customer: must do the company-wide risk analysis. Sefthy: we provide an assessment template scoped to the DR perimeter.

Point 2 — Incident handling

Customer: defines internal procedure. Sefthy: we notify the customer within 4h of relevant incidents impacting their protected systems.

Point 3 — Business continuity

Sefthy covers fully: encrypted off-site backups, Italian sovereign cloud DR, custom runbook, documented quarterly drills, measured RTO.

Point 4 — Supply chain

Customer: manages its own supply chain. Sefthy: we provide exportable security attestations. Our certifications (ISO 27001:2022, 27017, 27018, 9001) cover the supply chain risk that Sefthy itself represents.

Point 5 — SDLC security

Sefthy: our platform is built with a secure SDLC (SAST, vulnerability scanning, annual penetration test). For the customer: no development is involved on their side, since Sefthy is consumed as a service.

Point 6 — Effectiveness assessment

Sefthy: documented quarterly drills measure DR effectiveness. Exportable as audit evidence.

Point 7 — Cyber hygiene and training

Customer: trains its own staff. Sefthy: Sefthy staff receive annual cyber-security training. Attestation available.

Point 8 — Encryption

Sefthy: all data encrypted at rest (AES-256) and in transit (TLS 1.3). Keys managed with an HSM.

Point 9 — HR security and access

Sefthy: for our environments, RBAC access management, mandatory MFA, centralised logs. Customer: manages its own credentials for the Sefthy console.

Point 10 — MFA

Sefthy: MFA available and recommended for the console; mandatory for administrator roles.

What Sefthy does NOT cover

To be clear for the customer, Sefthy does not cover:

  • its internal governance;
  • its staff training;
  • security of its other platforms;
  • documentation compliance of its non-DR processes.

Available documentation

Sefthy provides, on request:

  • signed PDF certification attestation;
  • exportable per-customer DR drill reports;
  • platform logs (rolling 90 days);
  • incident notification procedure.

FAQ

Is Sefthy "NIS2-compliant" by construction?

Sefthy is a NIS2-ready supplier. The customer is the subject, not Sefthy directly (unless the NIS2 customer is an essential entity that classifies us as a critical supplier).

Can I use Sefthy as a single answer to point 3?

Yes, for the DR sub-perimeter. The other 9 points need additional coverage.

Does Sefthy participate in customer audits?

Yes, one per year is included in PRO plans. Additional audits are billed separately.

For the ISO 27001 → NIS2 mapping, see NIS2 minimum technical measures. For the checklist, see NIS2 audit checklist.

Want to see Sefthy in action?

Same IP, same subnet, RTO in minutes. Try it free for 7 days or talk to one of our specialists.