# NIS2 - Customer Operator Considerations

Directive (EU) 2022/2555 — commonly called **NIS2** — is the European Union's framework for raising the cybersecurity of **operators of services** that are important to the economy and society. It replaces the original NIS Directive (Directive (EU) 2016/1148).

This page explains how NIS2 relates to Flopsar. It is written primarily for **customers who are themselves subject to NIS2** and who operate, or plan to operate, Flopsar as part of their estate.

## Scope and an important clarification

NIS2 places obligations on **essential entities** and **important entities** — organisations that *provide services* in the sectors listed in Annex I and Annex II of the Directive (for example energy, transport, banking, health, digital infrastructure, and public administration), and that meet the applicable size thresholds.

NIS2 is a **directive**, not a regulation. It does not apply directly; it is transposed into the national law of each Member State. In Poland this is done through the Act on the National Cybersecurity System (*ustawa o krajowym systemie cyberbezpieczeństwa*, "KSC"). The obligations that bind any particular organisation are those of the transposing national law, not of the Directive in the abstract.

**Flopsar Technology Sp. z o.o. is not, by virtue of developing and licensing Flopsar, an essential or important entity under NIS2.** The development and licensing of on-premise software is not, in itself, one of the service-provision activities listed in Annex I or Annex II of the Directive. The obligations described on this page are therefore the obligations of the **customer-operator**, not of Flopsar Technology Sp. z o.o.

What this page does is show how the product, and the artefacts published by Flopsar Technology Sp. z o.o., can help a customer-operator discharge those obligations.

{% hint style="info" %}
**Flopsar is a tool, not a certificate of compliance.** Deploying Flopsar does not, by itself, make an organisation NIS2-compliant. NIS2 compliance is achieved through the organisation's own governance, risk management, and processes, of which a tool such as Flopsar may form one supporting part.
{% endhint %}

## Whose obligation is whose

Under NIS2, almost every obligation rests with the **customer-operator**, not with Flopsar Technology Sp. z o.o. The following responsibilities are the operator's alone, and Flopsar does not discharge them:

* determining whether the organisation is in scope of NIS2;
* registering with the national competent authority;
* implementing the risk-management measures of Article 21;
* reporting incidents under Article 23;
* ensuring management oversight and accountability.

Flopsar contributes to two of these — the risk-management measures and incident handling — by supplying observability data, audit records, and supply-chain artefacts, as described in Sections 3, 4, and 5. The only responsibility that rests with Flopsar Technology Sp. z o.o. is **securing the Flopsar product itself**, which it does under the Cyber Resilience Act; see CRA compliance.

## Support for Article 21(2) risk-management measures

Article 21(2) of NIS2 lists the cybersecurity risk-management measures that in-scope entities must implement. Each measure remains the operator's responsibility; the notes below describe only how Flopsar, and the documentation published by Flopsar Technology Sp. z o.o., can **support** the operator in meeting it.

**(a) Policies on risk analysis and information system security.** Flopsar provides visibility into the runtime behaviour of Java systems, contributing data to the operator's risk analysis.

**(b) Incident handling.** Audit logs, agent connection history, and configuration-change records support detection, triage, and post-incident analysis. See Audit Logging & Security Events and Incident Response Guidance.

**(c) Business continuity, backup management and crisis management.** Documented backup and restore procedures for the Flopsar deployment are provided in Backup & Restore.

**(d) Supply chain security.** Flopsar Technology Sp. z o.o. publishes a vulnerability disclosure policy, an SBOM, security advisories, and support-period commitments, which the operator can rely on in its supplier due diligence. See Section 5.

**(e) Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.** The product's security documentation and the manufacturer's Vulnerability Disclosure Policy and Security Advisories feed directly into the operator's own vulnerability-management process.

**(f) Policies and procedures to assess the effectiveness of risk-management measures.** The manufacturer's EU Declaration of Conformity and CRA documentation provide evidence the operator can use when assessing the security of a component in its estate.

**(g) Basic cyber hygiene practices and security training.** The Hardening Checklist gives operators a concrete baseline for deploying Flopsar securely.

**(h) Policies and procedures regarding the use of cryptography and, where appropriate, encryption.** Flopsar's cryptographic design is documented in Cryptography & Key Management, so the operator can account for it in its own cryptography policy.

**(i) Human resources security, access control policies and asset management.** Role-based access control, LDAP integration, and audit logging support the operator's access-control and accountability requirements. See Authentication and Authorization & Roles.

**(j) Use of multi-factor authentication or continuous authentication solutions, and secured communications.** Flopsar supports authentication integration with the operator's identity provider; the operator configures multi-factor authentication at that layer. See Authentication.

## Support for Article 23 incident reporting

Article 23 of NIS2 requires in-scope entities to report significant incidents to their CSIRT or competent authority on a defined timeline: an **early warning** within 24 hours of becoming aware of a significant incident, an **incident notification** within 72 hours, and a **final report** within one month.

**This reporting obligation is the operator's, not the manufacturer's.** Flopsar is not an incident-reporting tool and does not submit reports to any authority on the operator's behalf. What Flopsar can provide is data that helps the operator detect a significant incident and assemble the information its report must contain, such as:

* audit-log records of administrative actions and access on the Flopsar deployment;
* the timeline of agent connections and disconnections, which may correlate with an incident in a monitored application;
* configuration changes that occurred around the time of an incident;
* performance and error anomalies in monitored applications that may be symptoms of an incident.

## Supply chain due diligence

Article 21(2)(d) and Article 22 of NIS2 require operators to manage the security risks arising from their supply chain, including from the suppliers of their software. To support a customer-operator's due diligence on Flopsar Technology Sp. z o.o. as a software supplier, a number of artefacts are available.

Published openly on this documentation site:

* the Vulnerability Disclosure Policy;
* the Security Advisories feed;
* the Support & Maintenance Lifecycle, including support-period commitments;
* the EU Declaration of Conformity and the CRA compliance matrix;
* the Third-party Components & SBOM.

Available to licensed customers or on request, under the applicable agreement:

* detailed hardening reference configurations;
* threat-model details;
* summaries of external penetration tests;
* a description of the secure development lifecycle;
* evidence of any information-security certification, where held.

Because Flopsar is an **on-premise** product, Flopsar Technology Sp. z o.o. has no access to the operator's data or systems during normal operation, which materially limits the supply-chain attack surface that the operator must consider. There is no remote-management channel, no "phone home" telemetry, and no operational dependency on infrastructure operated by Flopsar Technology Sp. z o.o. See Privacy & Data Handling for details.

## Flopsar Technology Sp. z o.o. as a supplier — not a sub-processor or operator

For the avoidance of doubt, in respect of an on-premise Flopsar deployment:

* Flopsar Technology Sp. z o.o. is a **supplier of software** to the operator. It is not an operator of the customer's service, and it does not provide a managed or hosted service as part of the on-premise product.
* Flopsar Technology Sp. z o.o. does not process the operator's data on the operator's behalf as part of the product (see GDPR Considerations).
* Where Flopsar Technology Sp. z o.o. provides ancillary services — for example, professional services delivered by its staff — the cybersecurity and data-protection terms of those engagements are agreed separately and are outside the scope of this page.

If an operator's interpretation of its national NIS2 transposition requires specific contractual security terms from software suppliers, those terms are addressed in the commercial agreement with the customer, not on this page.

## A note on national transposition

The obligations that actually bind a customer-operator are those of the **national law transposing NIS2** in the Member State where the operator is established, not those of the Directive in the abstract. Transposition timing and detail vary between Member States, and some national laws extend the scope or add requirements beyond the minimum set by the Directive.

Customers should therefore base their compliance work on the transposing law applicable to them — in Poland, the Act on the National Cybersecurity System (KSC) as amended — and treat this page as a guide to how Flopsar can support that work, not as a statement of the obligations themselves.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.flopsar.com/7/regulatory-compliance/nis2-customer-operator-considerations.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
