Contacts

Via Melchiorre Gioia, 168 - 20125 Milano

info@sgbox.it

+39 02 60830172

NIS2 Compliance: Security Log Management

Compliance with NIS2 and log management

Why is log management central to NIS2 and security audits?

Log management plays a fundamental role in achieving compliance with the NIS2 Directive because it provides objective evidence that the required security measures have actually been adopted and are working.

The measures that logs substantiate include data retention and integrity, continuous monitoring of security events, and the ability to promptly detect, investigate and respond to incidents.

Why Log Management is strategic for compliance purposes:

  • It enables continuous monitoring of access activities, configurations, and privileged operations.
  • Through reporting and auditing capabilities, it provides the verifiable trail required to reconstruct incidents, identify root causes, and demonstrate that security measures have been properly implemented.
  • It supports risk management and incident response, as logs form the foundation for forensic analysis, event correlation, and automated response activities through SOC, SIEM, and SOAR platforms.

What are the requirements for log collection under NIS2?

Requirement PR.PS-04 of Annex 1 (an identifier taken from the NIST Cybersecurity Framework 2.0 "Platform Security" category, where PR.PS-04 reads "log records are generated and made available for continuous monitoring") requires NIS entities to generate, retain, and make log records available in a structured manner consistent with the organization's risk level.

What PR.PS-04 requires in summary

In practice, interpretative guidance and operational guidelines read PR.PS-04 as establishing four main obligations:

  • Critical access logging: all remote access to information systems and networks, as well as all access performed through accounts with administrative privileges (e.g., domain admin, root, privileged service accounts), must be tracked and recorded.
  • Secure and centralized retention: security-relevant logs must be stored securely to protect them against tampering and unauthorized deletion and, where possible, centralized through SIEM or log management solutions to facilitate monitoring and analysis.
  • Defined retention periods: log retention periods must be defined and documented based on risk assessment outcomes, applicable regulations (such as NIS2 and GDPR), and audit and investigation requirements.
  • Documented log management procedures: all activities related to log collection, storage, protection, and access must be formalized in documented procedures aligned with the organization’s security policies and incident response processes.

The three pillars of logs as evidence: retention, integrity, and availability

For compliance with the NIS2 Directive, logs must be considered formal evidence before authorities, auditors, and inspectors.

In this context, three fundamental pillars emerge: retention, integrity, and availability.

Retention: storing logs correctly

Retention ensures that logs are preserved for a period sufficient to satisfy regulatory requirements (NIS2, GDPR), audit needs, and forensic investigations.

  • Retention policies must be defined and documented according to risk assessments, log type, system category (critical or non-critical), and sector-specific obligations.
  • Typically, operational security logs are retained for 6–12 months, while audit records and severe incident logs may require retention periods of 12–24 months or longer, in line with PR.PS-04 requirements and overall security governance. Retention must also be bounded: logs containing personal data (usernames, IP addresses) fall under the GDPR storage-limitation principle, so the policy should state when they are deleted or anonymized, not only how long they are kept.

Integrity: logs must be trustworthy

Integrity ensures that logs cannot be altered and that any modifications are traceable and justified.

  • Logs must be stored in dedicated repositories with restricted access limited to authorized personnel only, alongside controls preventing unauthorized deletion or retrospective modification.
  • Any cleanup or log rotation activities should themselves be recorded in separate audit logs (for example, SIEM audit logs) to preserve traceability and maintain the integrity of the chain of evidence.
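The integrity controls described above (tamper and deletion detection, with rotation recorded in a separate audit log) can be enforced at the storage layer with a keyed hash chain: each record carries an HMAC over its sequence number, the previous record's hash and its own body, so altering, removing or reordering a record breaks the chain. The code below is an added example and not SGBox code; the key, the sample events, the function names and the in-memory "audit log" are illustrative assumptions. It goes slightly beyond the bullets by showing the one case a chain alone cannot catch, truncation of the tail, which is detected only when the head hash is recorded out of band at rotation time.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # previous-hash value for the first record in a chain


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so a record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_mac(key: bytes, seq: int, prev: str, event: dict) -> str:
    """HMAC-SHA256 over sequence number, previous hash and event body (one chain link)."""
    msg = canonical({"seq": seq, "prev": prev, "event": event})
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_event(chain: List[dict], event: dict, key: bytes) -> dict:
    """Append an event to the chain, linking it to the current head."""
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": seq, "prev": prev, "event": event,
             "hash": entry_mac(key, seq, prev, event)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict], key: bytes,
                 expected_head: Optional[str] = None) -> Tuple[bool, str]:
    """Check every link. With expected_head (a head hash stored out of band,
    e.g. in the SIEM audit log at rotation) tail truncation is also detected."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, f"link broken at seq {i}"  # deleted/reordered record
        if not hmac.compare_digest(entry["hash"], entry_mac(key, i, prev, entry["event"])):
            return False, f"record modified at seq {i}"
        prev = entry["hash"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, "tail truncated or head mismatch"
    return True, "ok"


def rotate(chain: List[dict], audit_log: List[dict], archive_name: str) -> List[dict]:
    """Close the current chain and record the rotation, with its head hash,
    in a separate audit log so the archive's completeness can be checked later."""
    head = chain[-1]["hash"] if chain else GENESIS
    audit_log.append({"action": "rotate", "archive": archive_name,
                      "records": len(chain), "head": head})
    return []  # a fresh chain for the next period


def demo() -> dict:
    # Assumption: in production the key lives in an HSM/KMS, never beside the logs.
    key = b"constructed-demo-key-not-for-production"
    # Constructed sample events (not real logs): remote and privileged access,
    # the kind of records PR.PS-04 asks NIS entities to keep.
    events = [
        {"ts": "2025-01-10T08:01:12Z", "host": "fw01", "user": "vpn-jdoe",
         "event": "remote_login", "src": "203.0.113.5"},
        {"ts": "2025-01-10T08:05:40Z", "host": "dc01", "user": "DOMAIN\\admin",
         "event": "privileged_logon", "src": "10.0.0.7"},
        {"ts": "2025-01-10T08:06:02Z", "host": "dc01", "user": "DOMAIN\\admin",
         "event": "group_membership_change", "target": "Domain Admins"},
    ]
    chain: List[dict] = []
    for e in events:
        append_event(chain, e, key)
    audit_log: List[dict] = []
    head = chain[-1]["hash"]

    # 1) Untouched chain verifies.
    clean_ok, _ = verify_chain(chain, key)
    # 2) An admin rewrites the actor of their own privileged logon.
    modified = json.loads(json.dumps(chain))
    modified[1]["event"]["user"] = "svc-backup"
    mod_ok, mod_why = verify_chain(modified, key)
    # 3) The privileged logon record is deleted outright.
    deleted = chain[:1] + chain[2:]
    del_ok, del_why = verify_chain(deleted, key)
    # 4) The last record is dropped: invisible without the out-of-band head.
    truncated = chain[:2]
    trunc_ok_no_head, _ = verify_chain(truncated, key)
    trunc_ok_with_head, trunc_why = verify_chain(truncated, key, expected_head=head)
    # 5) Rotation is itself logged separately, carrying the head hash.
    rotate(chain, audit_log, "access-2025-01.jsonl")

    return {"clean": clean_ok, "modified": (mod_ok, mod_why),
            "deleted": (del_ok, del_why),
            "truncated_no_head": trunc_ok_no_head,
            "truncated_with_head": (trunc_ok_with_head, trunc_why),
            "audit": audit_log[0]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The design point is that the hash chain protects integrity only from the reader's side: it proves the archive is consistent, not that it is complete. Completeness comes from writing the head hash somewhere the log administrator cannot rewrite (the separate audit log, a WORM bucket, or a timestamping service), which is exactly why cleanup and rotation events belong in their own audit trail.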

Availability: immediate access to required information

Availability ensures that, in the event of an audit, incident, or request from authorities, logs can be easily located, accessed, and extracted in a structured manner.

  • This requires centralized collection through SIEM or log management platforms, supported by indexing and metadata that allow rapid filtering by system, date, user, or event type.
  • A documented procedure must define where logs are stored, who is authorized to access them, and how they can be extracted (e.g., through reports, queries, or data dumps) in order to efficiently demonstrate NIS2 compliance.

SGBox Platform: from data to evidence

The SGBox Platform combines Log Management, SIEM, and SOAR capabilities to turn logs into usable evidence, monitor events proactively, and trigger automated incident response. These are the activities NIS2 obligations on logging, monitoring and incident handling call for.

Starting from log collection, retention, and protection, SGBox enables the creation of security event correlation rules to provide a centralized, real-time view of the security status of all devices generating logs.

The objective is not merely to collect data, but to transform it into actionable intelligence capable of anticipating threats, managing incidents, and triggering automated countermeasures in response to security events.

Thanks to detailed and intuitive dashboards, organizations can maintain complete visibility and control over the security posture of their digital infrastructure.

Discover how SGBox supports NIS2 compliance >>
