Compliance · EU 2022/2555

How paramant helps you comply with NIS2

The NIS2 Directive requires essential and important entities to implement cybersecurity risk measures, report incidents, and demonstrate accountability. This document maps paramant’s architecture to specific NIS2 obligations.

Regulation: EU 2022/2555 (NIS2)
In force: 18 October 2024
Scope: Essential & important entities in the EU

Bottom line: NIS2 requires organisations to protect sensitive data in transit and at rest, avoid data retention where unnecessary, and maintain an auditable trail of security-relevant events. Paramant is built around these exact obligations: no data is ever stored to disk, encryption uses post-quantum algorithms approved by NIST (FIPS 203/204), and every key registration is recorded in a tamper-evident Merkle log. The relay runs on Hetzner infrastructure in Germany — outside US CLOUD Act jurisdiction.

Art. 21 Cybersecurity risk-management measures

NIS2 Art. 21(2) requires entities to implement measures covering: encryption, multi-factor authentication, incident handling, supply chain security, and network security.

Encryption (Art. 21(2)(h)): Paramant encrypts all data client-side using ML-KEM-768 (post-quantum key encapsulation, NIST FIPS 203) combined with ECDH P-256. Ciphertext is padded to a fixed 5 MB block to prevent size-based traffic analysis. No plaintext ever leaves the sender’s device.

No data retention: Files exist in RAM only and are deleted immediately after the first download (burn-on-read). There is no database, no object storage, and no disk write path. A breached server contains no recoverable data.

Network security: All relay endpoints enforce TLS 1.3. The Ghost Pipe architecture routes sectors into isolated relay instances (relay, health, legal, finance, IoT) to limit blast radius.

ML-KEM-768 · FIPS 203 / FIPS 204 · TLS 1.3 · Burn-on-read · RAM-only storage

Art. 21 requires appropriate encryption and data minimisation — paramant delivers post-quantum encryption with zero server-side data retention.

Art. 23 Incident reporting obligations

NIS2 Art. 23 requires early warning within 24 hours of a significant incident, and a detailed report within 72 hours. Entities must be able to demonstrate what occurred and what data was affected.

Audit trail: Every public key registration is appended to a Certificate Transparency-style Merkle log. Each entry records a cryptographic hash, timestamp, and tree root — making the log tamper-evident. Any modification to a past entry invalidates all subsequent tree hashes.

Nothing to report: Because no payload content is ever stored, a server compromise produces no personal data breach. There is no data to exfiltrate. The obligation to notify data subjects under Art. 23(3) is structurally eliminated for transit events.

Operational logs: Every relay action is logged with timestamps and sector identifiers. Logs are available for export and can feed into your existing SIEM.

CT Merkle log · Tamper-evident · Zero payload retention · Timestamped entries

Art. 23 requires the ability to report on incidents and affected data — paramant delivers an auditable Merkle trail with no personal data stored, eliminating breach notification obligations for transit.

Art. 24 Accountability of management bodies

NIS2 Art. 24 requires management bodies to approve cybersecurity measures, oversee their implementation, and bear personal liability for non-compliance. Organisations must be able to demonstrate due diligence.

Demonstrable architecture: Paramant publishes its relay source code under a public licence (BUSL-1.1) on GitHub. The cryptographic design, threat model, and self-hosting guide are documented in the public security audit. An independent RAPTOR audit (April 2026) is publicly available.

Data processing agreement: A data processing agreement (DPA / verwerkersovereenkomst) compliant with GDPR Art. 28 and NIS2 supply chain requirements (Art. 21(2)(d)) is available on request. Paramant acts as a data processor; you retain the role of data controller.

EU jurisdiction: All infrastructure runs on Hetzner servers located in Falkenstein, Germany. No US-based sub-processor is used. CLOUD Act requests cannot compel disclosure of data that does not exist.

Open source (BUSL-1.1) · RAPTOR security audit · DPA available · Hetzner DE only · No US CLOUD Act

Art. 24 requires management accountability and demonstrable due diligence — paramant delivers open-source auditability, a published security audit, and a DPA for supply chain compliance.

Art. 21(2)(d) Supply chain security

NIS2 Art. 21(2)(d) requires entities to address security in the supply chain, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.

Minimal attack surface: Paramant’s relay software has 22 runtime npm dependencies — all audited at build time. The Docker image is built from a minimal Alpine Linux base (node:22-alpine). The relay process runs as a non-root user with a read-only filesystem.

Self-hostable: Organisations can deploy their own relay instance in their own infrastructure, eliminating any third-party dependency on paramant.app as a managed service. Docker images are available on Docker Hub (mtty001/relay) and the full source is on GitHub.

22 dependencies · Alpine base image · Non-root process · Self-hostable

Art. 21(2)(d) requires supply chain security assessment — paramant delivers a minimal, audited dependency tree and the option to self-host entirely within your own perimeter.

Article reference overview

Quick-reference for compliance officers and DPOs.

Article | Obligation | How paramant addresses it
Art. 21(2)(h) | Encryption in transit and at rest | ML-KEM-768 + ECDH, TLS 1.3, RAM-only — no “at rest” exists
Art. 21(2)(a) | Policies on risk analysis | Public threat model + RAPTOR audit available on request
Art. 21(2)(d) | Supply chain security | Open source, 22 deps, self-hostable, DPA available
Art. 23 | Incident reporting (24h / 72h) | No payload stored → no breach; Merkle log for audit trail
Art. 24 | Management accountability | DPA, published audit, open source, EU/DE jurisdiction

Request documentation

Data Processing Agreement (DPA / verwerkersovereenkomst), security audit report, and architecture overview available on request.

privacy@paramant.app
Hetzner DE · GDPR · no US CLOUD Act
ML-KEM-768 · NIST FIPS 203/204
BUSL-1.1 · © 2026 PARAMANT