FEATURE REQUEST DESCRIPTION
This feature request is related to this thread on help.nextcloud.
The NIS2 Directive sets out the new requirements and provides guidance for European businesses on managing their cyber risk. It applies to large organizations and their small business subcontractors, just as the GDPR did a few years ago.
There is no NIS 2 reference on the official Nextcloud compliance page, and the NC forum gives more than 200 results for the keyword GDPR but only 6 for the keyword NIS 2.
Presently, anyone searching ‘NIS2 compliance for file sharing’ has no chance of finding the Nextcloud solution.
Nextcloud is concerned and can be a good solution for NIS2 compliance for file sharing, because NIS 2 requires enhanced security measures for file transfers, with strict technical and organisational requirements.
Could the Nextcloud community add a statement on its official Compliance page confirming compliance with the requirements of the NIS2 Directive?
I think Nextcloud is very close to being able to do this if there’s just a slight improvement to the activity features.
To comply with NIS 2, I think the file sharing system of an enterprise has to meet these 4 requirements.
1 - Encryption of data in transit and of data at rest: NC is compliant
2 - Strict access control on shared files: NC is compliant
3 - Incident detection and management: not only NC features are involved; this also relates to the security tools of the hosting environment.
4 - Managing risks related to document confidentiality: this requirement means having high-quality data for activity reports.
The present feature request draws attention to this fourth point, risk management. I think points 1, 2 and 3 are well handled by Nextcloud.
The risk related to Nextcloud’s technical vulnerabilities is well treated elsewhere. The point here is that Nextcloud must provide a robust solution for identifying and addressing simple human error; we know very well that the risk N°1 lies between the seat and the keyboard. For example, when John Doe mistakenly shares a highly confidential file with all company staff or with external contacts.
As soon as the error is detected, we need to know the list of users who actually had access to the highly confidential file in order to take appropriate action.
Nextcloud’s features must allow:
1/ Monitoring of the shares that are created: on which folders, by which user and for the benefit of which user.
2/ Recording in the activity log which shares are created, with whom, by whom and when.
3/ Finding in the activity log which users have viewed a particular file or folder online, and which users have downloaded it.
Points 1 and 2 are already addressed in the NC activity log; point 3, regarding who accessed which file, is not correctly handled in my view, especially since the ‘Activities for shared file downloads’ app files_downloadactivity is no longer maintained.
PROPOSED SOLUTION
About 3/ “which users have accessed a particular file / folder”
Before Nextcloud 30 Hub 10, thanks to the app files_downloadactivity, we could see in the Activity tab of the file who accessed the file and when. This feature disappears with the end of life of files_downloadactivity.
I’m not able to propose the best solution. I’m here to ask the question. I think an expert on the subject will be able to provide a fairly simple solution, provided that the NIS2 topic is of interest to the Nextcloud managers and community.
If you say that the standard admin_audit app makes it possible to track « Preview accessed » events in the audit log, you still have to handle this information with an external tool and a heavy user process. The audit log is not suitable for helping to ensure simple, daily monitoring, whereas the activity log is easily accessible to authorized users.
Making a new files_downloadactivity app is perhaps not the right solution, since this app provided features that weren’t available with the standard admin_audit app. Is an admin_audit app enhancement the right solution?
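As an added example (not code from the Nextcloud project or from this request), here is the kind of small external tool the request says the audit log currently forces on you: a Python script that reads admin_audit's JSON-lines audit.log and answers the question raised above, which users actually opened or previewed a given file, and when. The sample log lines are constructed; the field names and the exact wording of the "File accessed" / "Preview accessed" messages are assumptions modelled on what admin_audit writes (check them against your own audit.log). The script matches on the file name rather than the full path because the logged path is the one the acting user sees, which for a share recipient usually differs from the owner's path (also an assumption to verify in your setup).

```python
import json
import posixpath
import re
import sys
from collections import defaultdict

# Constructed sample of admin_audit's audit.log (one JSON object per line).
# Field names and the "File accessed" / "Preview accessed" message wording
# are assumptions modelled on what admin_audit writes. Note that share
# recipients see the file at their own path ("/board-minutes.pdf"), not at
# the owner's ("/Confidential/board-minutes.pdf"). The last line is
# deliberately not JSON to show that malformed lines are skipped.
SAMPLE_AUDIT_LOG = r"""
{"reqId":"a1b2","level":1,"time":"2024-05-02T08:01:10+00:00","remoteAddr":"10.0.0.5","user":"john","app":"admin_audit","method":"POST","url":"/ocs/v2.php/apps/files_sharing/api/v1/shares","message":"The user \"john\" shared \"/Confidential/board-minutes.pdf\" with group \"staff\"","userAgent":"Mozilla/5.0","version":"30.0.0.1"}
{"reqId":"c3d4","level":1,"time":"2024-05-02T08:05:42+00:00","remoteAddr":"10.0.0.7","user":"alice","app":"admin_audit","method":"GET","url":"/index.php/core/preview","message":"Preview accessed: \"/board-minutes.pdf\" (width: 256, height: 256, crop: true, mode: fill)","userAgent":"Mozilla/5.0","version":"30.0.0.1"}
{"reqId":"e5f6","level":1,"time":"2024-05-02T08:06:03+00:00","remoteAddr":"10.0.0.9","user":"bob","app":"admin_audit","method":"GET","url":"/remote.php/dav/files/bob/board-minutes.pdf","message":"File accessed: \"/board-minutes.pdf\"","userAgent":"Mozilla/5.0","version":"30.0.0.1"}
{"reqId":"g7h8","level":1,"time":"2024-05-02T08:07:15+00:00","remoteAddr":"10.0.0.9","user":"bob","app":"admin_audit","method":"GET","url":"/index.php/core/preview","message":"Preview accessed: \"/board-minutes.pdf\" (width: 64, height: 64, crop: true, mode: fill)","userAgent":"Mozilla/5.0","version":"30.0.0.1"}
{"reqId":"i9j0","level":1,"time":"2024-05-02T08:09:00+00:00","remoteAddr":"10.0.0.11","user":"carol","app":"admin_audit","method":"GET","url":"/remote.php/dav/files/carol/Photos/holiday.jpg","message":"File accessed: \"/Photos/holiday.jpg\"","userAgent":"Mozilla/5.0","version":"30.0.0.1"}
May  2 08:09:30 cloud sshd[123]: not an audit line at all
"""

# Access events we care about: a direct read or a preview (thumbnail/viewer).
ACCESS_RE = re.compile(r'^(?P<event>File accessed|Preview accessed): "(?P<path>[^"]+)"')


def parse_audit_log(text):
    """Yield one dict per valid JSON line that comes from the admin_audit app.
    Lines that are not JSON (truncated writes, foreign log lines) are skipped
    rather than aborting the whole run."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("app") == "admin_audit":
            yield entry


def access_events(text, file_name):
    """Return {user: [(time, event, logged_path), ...]} for every access to a
    file whose name is file_name, ordered by time within each user.
    Matching on the base name copes with recipients seeing a different path."""
    by_user = defaultdict(list)
    for entry in parse_audit_log(text):
        m = ACCESS_RE.match(entry.get("message", ""))
        if not m:
            continue
        if posixpath.basename(m.group("path")) != file_name:
            continue
        by_user[entry.get("user", "?")].append(
            (entry.get("time", ""), m.group("event"), m.group("path"))
        )
    for events in by_user.values():
        events.sort()  # ISO-8601 times with a fixed offset sort lexically
    return dict(by_user)


def report(text, file_name):
    """One summary line per user: number of accesses, first and last time."""
    lines = []
    for user, events in sorted(access_events(text, file_name).items()):
        first, last = events[0][0], events[-1][0]
        lines.append(f"{user}: {len(events)} access(es), first {first}, last {last}")
    return lines


if __name__ == "__main__":
    # Usage: python audit_access.py [audit.log] [file-name]; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    name = sys.argv[2] if len(sys.argv) > 2 else "board-minutes.pdf"
    for line in report(text, name):
        print(line)
```

On the sample, the report lists alice (one preview) and bob (one read, one preview) and leaves out john, whose only event is creating the share; that is exactly the list of people who actually saw the file that the request asks for after a mistaken share. Preview events cover the web viewer and thumbnails, so a user who only looked at the file in the browser still appears.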
About other NIS 2 requirements:
1/ Monitoring of shares that are created.
Presently, thanks to the RSS feed, it’s easy to filter activities containing the word ‘share’ and monitor them using an external tool that is accessible to everyone.
2/ Record which shares are created by whom from the activity log.
This can be handled and recorded thanks to an external process on the RSS feed, or by processing the activity log’s downloadable file.
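Added example of the RSS-based monitoring the two points above describe (not the project's own code): a Python poller that parses the Activity app's RSS feed, keeps only items whose title contains the word "share", remembers which items it has already reported so that repeated polls return only new share events, and pulls actor, target and recipient out of the title when the message has the usual "X shared Y with Z" shape. The feed document is constructed; the channel layout and the wording of the share messages are assumptions modelled on the RSS 2.0 feed the Activity app exposes, so adjust the regex to your language setting.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an Activity RSS feed (RSS 2.0). The channel layout
# and the wording of the share messages are assumptions modelled on the
# Activity app's feed. A real feed is fetched from the per-user RSS URL
# shown in the Activity settings (fetching is left out of this example).
SAMPLE_RSS = """<rss version="2.0">
  <channel>
    <title>Activity feed for cloud.example.test</title>
    <item>
      <title>John Doe shared Confidential/board-minutes.pdf with group Staff</title>
      <link>https://cloud.example.test/index.php/f/1234</link>
      <guid isPermaLink="false">activity-501</guid>
      <pubDate>Thu, 02 May 2024 08:01:10 +0000</pubDate>
    </item>
    <item>
      <title>Alice Martin created Photos/holiday.jpg</title>
      <link>https://cloud.example.test/index.php/f/1235</link>
      <guid isPermaLink="false">activity-502</guid>
      <pubDate>Thu, 02 May 2024 08:09:00 +0000</pubDate>
    </item>
    <item>
      <title>John Doe shared Confidential/board-minutes.pdf with external@partner.example</title>
      <link>https://cloud.example.test/index.php/f/1234</link>
      <guid isPermaLink="false">activity-503</guid>
      <pubDate>Thu, 02 May 2024 08:12:30 +0000</pubDate>
    </item>
  </channel>
</rss>
"""

# Assumed English wording of a share activity; other shapes return None below.
SHARE_TITLE_RE = re.compile(r"^(?P<actor>.+?) shared (?P<target>.+?) with (?P<recipient>.+)$")


def parse_feed(xml_text):
    """Yield one dict per <item>, tolerating missing optional fields."""
    root = ET.fromstring(xml_text)
    for item in root.iter("item"):
        link = item.findtext("link") or ""
        yield {
            "guid": item.findtext("guid") or link,  # fall back to the link as identity
            "title": (item.findtext("title") or "").strip(),
            "link": link,
            "pubDate": item.findtext("pubDate") or "",
        }


def share_events(xml_text, keyword="share"):
    """Keep only items whose title mentions the keyword (case-insensitive),
    which is the filter the request describes for the RSS feed."""
    return [e for e in parse_feed(xml_text) if keyword in e["title"].lower()]


def parse_share_title(title):
    """Split 'X shared Y with Z' into actor/target/recipient; None otherwise."""
    m = SHARE_TITLE_RE.match(title)
    return m.groupdict() if m else None


def poll(xml_text, seen_guids, keyword="share"):
    """One polling round: return the share events not reported before and
    remember their guids, so a cron job can call this repeatedly without
    re-alerting on items that are still present in the feed."""
    new = [e for e in share_events(xml_text, keyword) if e["guid"] not in seen_guids]
    seen_guids.update(e["guid"] for e in new)
    return new


if __name__ == "__main__":
    seen = set()
    for ev in poll(SAMPLE_RSS, seen):
        parts = parse_share_title(ev["title"]) or {}
        print(ev["pubDate"], "|", parts.get("actor", "?"), "->",
              parts.get("recipient", "?"), "|", parts.get("target", ev["title"]))
    print("second poll returns", len(poll(SAMPLE_RSS, seen)), "new events")
```

Persisting the seen set between runs (a small file or table) is all that is needed to turn this into a scheduled job; the recipient field is what lets a reviewer spot at a glance a share made to an external address rather than to an internal group.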