NIS 2 compliance is the working basis for companies that are improving their data sovereignty, and Nextcloud is directly involved, but the NIS 2 topic is poorly represented in this forum and unknown on the Nextcloud compliance page (thanks @tflidd).
The European NIS 2 Network and Information Security Directive (2022) is gaining importance by covering 15 sectors compared to 7 sectors for NIS 1.
I want to draw the Nextcloud community's attention to this directive because its file transfer requirements directly concern what Nextcloud does best: NIS 2 imposes enhanced security for file transfers, with strict technical and organisational obligations.
Nextcloud has strengths in the expected NIS 2 requirements:
1 - Encryption of data in transit and of data storage.
2 - Strict access control on shared files.
3 - Incident detection and notification.
4 - Tracking of file transfer activities.
1 & 2: OK
Nextcloud has real strengths when it comes to encryption and access control.
3: OK and Partial
Nextcloud partially fulfils the requirement for incident detection and notification. This can be supplemented by external tools (firewalls, etc.) that are not part of Nextcloud's remit.
4: To improve
Nextcloud could improve in terms of activity tracking:
The activity log is a very useful tool, especially with RSS feeds. It allows you to set up simple monitoring methods such as "Who created a share today" or "Who downloaded what today".
In version 32, the "Activities for shared file downloads" app files_downloadactivity is no longer maintained. This is very bad news for tracking requirements. Up to version 31, it was possible to simply have the answer to "Who downloaded this file, on what date?".
This is no longer possible with NC Version 32.+ and is a real obstacle to NIS 2 requirements.
The data in Administration settings > Logging cannot be used directly and must be reprocessed.
Regarding NIS 2, do you have any further comments?
Do you think the Nextcloud community can leverage its strengths to meet the expectations of many companies subject to NIS 2 requirements?
Specifically, I have a client in the banking sector whose standard is NIS 2. They did not accept our Nextcloud 32 offer, mainly because of insufficiency in tracking download activity.
I feel that it would take little technical effort for the Nextcloud compliance page to add the keyword NIS2.
Based on your experience, are there any other points to consider for NIS2 compliance?
@tflidd The idea to make a feature request for NIS 2 compliance is good.
If we, as a community, want this request to be considered and approved by Nextcloud developers, we should provide a comprehensive study of the requirements that must be met to claim NIS 2 compliance.
If, as a community of users, we can say here that such and such features are required to comply with NIS2 requirements, then our request can be strongly received given the stakes involved.
I am not a NIS 2 expert, so I cannot claim that the recommissioning and evolutive maintenance of the app files_downloadactivity alone is sufficient to help the Nextcloud team declare NIS 2 on its compliance page.
If someone has NIS 2 expertise, can you help with this question by sharing your knowledge?
You can already make a feature request. Even without the community, this compliance could be interesting for potential enterprise customers. In a second step you can add in more detail, what exactly is missing to fulfill all requirements and then further down the detailed implementation.
Thank you @tflidd
So I'll submit ASAP a new feature request on GitHub.
I have a question: where is the right place to submit this NIS 2 compliance feature request?
Should I submit the Issue on github / nextcloud / server / issue or is there another better place.
I do not think that nextcloud / files_downloadactivity, which is no longer maintained, is the right place to submit the NIS 2 compliance issue.
I would say the server repository would be the right place for such a request. However, I would also say that a feature request simply asking to "make it NIS 2 compatible" will probably not be sufficient. You would likely need to specify exactly which requirements are currently missing. You have already done that to some extent in your post, but even then, completely different areas and apps may be affected, and many aspects are probably still open to interpretation to some degree.
Also, I have no idea if this is actually the case, but if some form of official certification is required, then you might not be able to use Nextcloud for that purpose even if the necessary technical features are implemented, at least not until it has gone through the bureaucratic process and Nextcloud GmbH has obtained the certification.
By the way, the requirement for a minimum number of characters in usernames is another typical piece of politician-bureaucrat nonsense, because it neither provides more security nor more privacy.
Why?
If you want security, you should enforce 2FA, or use some kind of SSO/identity provider, passkeys, or some other secure authentication method.
If you want privacy, a username like "js" is arguably more private than "johnsmith".
And regarding the requirement to track what users are doing, such as who downloaded or uploaded files, or when someone logged in, Nextcloud has an Audit Log. That might already cover many of the relevant requirements for NIS 2 compliance, unless the specification explicitly requires a polished user interface for all of this. Which honestly wouldn't surprise me in a time when politicians propose things like operating systems having to "signal" the age of users to applications.
Thank you @bb77 for participating in the debate and confirming that the server repository would be the right place.
« if some form of official certification is required, then you might not be able to use Nextcloud for that purpose »
Like the GDPR directive, the NIS 2 directive does not require any software certification. They describe the requirements that an organisation must meet to protect data. The organisation then chooses the software that helps it meet the requirements of the directive.
For example, Nextcloud's features enable it to declare compliance with GDPR requirements: locating data in Europe, limiting access to personal data to only those who are authorised to do so, setting an expiry date for personal data, etc.
For NIS 2, can we also declare Nextcloud's compliance with NIS 2 requirements?
« regarding the requirement to track what users are doing, such as who downloaded or uploaded files, or when someone logged in, Nextcloud has an Audit Log. »
In the audit log, thanks to admin_audit app, it is possible to track « Preview accessed » events then handle the information with an external tool with a heavy user process. The audit log is not suitable for helping to ensure simple, daily monitoring, whereas the activity log is easily accessible to authorized users.
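As an added example (not part of this thread and not Nextcloud's own code), this is the kind of external reprocessing referred to here and in the opening post about the Logging data: a small Python script that reads the JSON-lines audit log produced when the admin_audit app is enabled and answers the two monitoring questions from the opening post, "who accessed this file, on what date?" and "who downloaded what today?". The message wordings `File accessed: "..."` (a WebDAV read of a file) and `Preview accessed: (id: "...")` are taken from memory and are assumptions to check against your own instance's log; the sample log lines are constructed, not real data.

```python
"""Added example: answer "who accessed this file, on what date?" from a
Nextcloud audit log. Not Nextcloud's code; the admin_audit message wordings
below are assumptions, check them against what your own instance writes."""
import json
import re
from collections import defaultdict
from datetime import datetime

# Assumed admin_audit message formats (verify against your own audit log).
FILE_ACCESSED = re.compile(r'^File accessed: "(?P<path>.*)"$')
PREVIEW_ACCESSED = re.compile(r'^Preview accessed: \(id: "(?P<file_id>\d+)"')


def parse_audit_lines(lines):
    """Turn raw JSON log lines into a list of access events.

    Each event is a dict: time (datetime), user, kind ('file' or 'preview'),
    target (file path or file id), remote_addr. Entries from other apps and
    non-access messages are skipped; malformed lines are skipped rather than
    aborting the whole report, so one corrupted line cannot hide the rest.
    """
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if entry.get("app") != "admin_audit":
            continue
        message = entry.get("message", "")
        m = FILE_ACCESSED.match(message)
        if m:
            kind, target = "file", m.group("path")
        else:
            m = PREVIEW_ACCESSED.match(message)
            if not m:
                continue
            kind, target = "preview", m.group("file_id")
        events.append({
            "time": datetime.fromisoformat(entry["time"]),
            "user": entry.get("user", "--"),
            "kind": kind,
            "target": target,
            "remote_addr": entry.get("remoteAddr", ""),
        })
    return events


def who_accessed(events, path):
    """Who accessed this file, on what date? -> sorted [(iso_date, user)]."""
    hits = {(e["time"].date().isoformat(), e["user"]) for e in events
            if e["kind"] == "file" and e["target"] == path}
    return sorted(hits)


def downloads_on(events, day_iso):
    """Who downloaded what on a given day (YYYY-MM-DD) -> {user: [paths]}."""
    per_user = defaultdict(set)
    for e in events:
        if e["kind"] == "file" and e["time"].date().isoformat() == day_iso:
            per_user[e["user"]].add(e["target"])
    return {user: sorted(paths) for user, paths in per_user.items()}


# Constructed sample log lines (not real data) in the Nextcloud JSON-lines shape.
SAMPLE_LOG = [
    json.dumps({"reqId": "a1", "level": 1, "time": "2025-11-03T09:12:44+00:00",
                "remoteAddr": "10.0.0.12", "user": "alice", "app": "admin_audit",
                "method": "GET", "url": "/remote.php/dav/files/alice/contract.pdf",
                "message": 'File accessed: "/contract.pdf"'}),
    json.dumps({"reqId": "a2", "level": 1, "time": "2025-11-03T11:05:10+00:00",
                "remoteAddr": "10.0.0.40", "user": "bob", "app": "admin_audit",
                "method": "GET", "url": "/remote.php/dav/files/bob/contract.pdf",
                "message": 'File accessed: "/contract.pdf"'}),
    json.dumps({"reqId": "a3", "level": 1, "time": "2025-11-03T11:06:01+00:00",
                "remoteAddr": "10.0.0.40", "user": "bob", "app": "admin_audit",
                "method": "GET", "url": "/core/preview",
                "message": 'Preview accessed: (id: "4711", width: "256", '
                           'height: "256", crop: "true", mode: "fill")'}),
    json.dumps({"reqId": "a4", "level": 1, "time": "2025-11-04T08:00:00+00:00",
                "remoteAddr": "10.0.0.12", "user": "alice", "app": "admin_audit",
                "method": "GET", "url": "/remote.php/dav/files/alice/notes.txt",
                "message": 'File accessed: "/notes.txt"'}),
    json.dumps({"reqId": "a5", "level": 2, "time": "2025-11-04T08:01:00+00:00",
                "remoteAddr": "10.0.0.12", "user": "alice", "app": "core",
                "method": "GET", "url": "/index.php", "message": "unrelated entry"}),
    "this line is not JSON at all",
]

if __name__ == "__main__":
    evs = parse_audit_lines(SAMPLE_LOG)
    print("contract.pdf:", who_accessed(evs, "/contract.pdf"))
    print("2025-11-03:", downloads_on(evs, "2025-11-03"))
```

Run it against a real file with `parse_audit_lines(open("/path/to/audit.log"))`; the point of splitting the parser from the two questions is that the same event list can feed a daily report, a per-file history, or a feed for authorised users, which is what the activity log gave with far less effort.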
Hi there, I have not read the whole issue, but this sounds like a feature request mostly of interest to larger instances. I would suggest you raise this with your account manager at Nextcloud. This does not sound like a home-user request to me.
I agree here. @amzen as you already mentioned in your first sentence of the opening comment…
this compliance is more important to certain companies than for home users. You're here on the forum for home users (at least it's mostly intended for those).
on the other hand we already found out that you can open a feature request on the server repo… which will be the correct place.
and please don't think that I'm against meeting this NIS2 compliance, on the contrary, the forum just isn't the right place for that.
I'm not against it either, and I'm absolutely no expert when it comes to things like that either.
However, I find certain things, such as the minimum length of user names (this wasn't mentioned here, but in a GitHub issue that I don't have a link to at the moment), rather questionable, and I wonder what the actual benefits of this would be.
Either way, I agree with you here, that it makes sense to submit a feature request on GitHub, if you have any specific features in mind that would ensure NIS 2 compliance.
For broader discussions or when it's unclear how exactly to implement NIS 2 compliance, as Daphne said, it's probably best to contact the company. Compliance can often be achieved in a variety of ways, and tools to achieve it might already be available, as may be the case here with the audit log. So, unless the requirements are very explicitly stated and mandated in a very specific way in the specification, there might not even be a need for additional features in Nextcloud.
@Daphne All companies, even the smallest ones, are affected by GDPR. For NIS2, there are also small organisations with fewer than 50 employees that are affected, for example in the insurance sector. Are they classified as home users or large companies?
We all agree that NIS2 compliance is not a feature, it is an organisational requirement for a company, just like GDPR compliance.
As with GDPR, Nextcloud just needs to verify that its features properly serve the requirements of companies that are subject to NIS2 compliance.
My first observation is that GDPR compliance and NIS2 compliance are very similar topics.
GDPR compliance is widely promoted by the Nextcloud team, while there is no mention of NIS2 in Nextcloud's communications, as @tflidd points out.
A company subject to NIS2 that does a Google search for "NIS2 compliance for file sharing" has no chance of finding the Nextcloud solution. If it just searches for "NIS 2 Nextcloud", it will come across this one article, which just shows that Nextcloud is probably very close to achieving this without making any official announcement.
For example, @bb77, the ability of Nextcloud to set a minimum length for user names is an argument that supports Nextcloud's NIS2 compliance.
You have mainly helped me to post the topic in the right place on GitHub, which I have not yet done, because I am taking time to explore the subject by studying NIS2. As soon as this is done, I will announce it here, probably within the next week.
Your questions and feedback are helping me to find the right way to formulate the feature request.
Thank you