NIS 2 Compliance Declaration – LexCyberAI

1. Statement of Compliance

LexCyberAI Ltd declares that it has implemented and maintains cybersecurity risk management measures in accordance with Article 21 of Directive (EU) 2022/2555 (the NIS 2 Directive).

Implemented measures (required by Articles 20 and 21 of NIS 2)

  • Risk analysis and information system security policies — we conduct regular assessments of cyber threats and risks to our systems
  • Incident handling — we have procedures for detecting, reporting, and handling incidents
  • Business continuity — we maintain continuity plans, backups, and recovery procedures
  • Crisis management — we have procedures for responding to crisis situations
  • Supply chain security — we assess and monitor the security of our suppliers and their secure development practices
  • System lifecycle security — we manage security throughout the acquisition, development, and maintenance of systems
  • Vulnerability management — we identify, manage, and remediate vulnerabilities in systems
  • Coordinated vulnerability disclosure — we have a process for receiving and handling vulnerability reports from external researchers
  • Effectiveness assessment — we regularly test and audit our safeguards
  • Training and cyber hygiene — all employees undergo cybersecurity training
  • Cryptography and encryption — we apply encryption to sensitive data in line with applicable policies
  • Human resources security — we vet employees, use NDAs, and apply onboarding/offboarding procedures
  • Access management — we control who has access to which data and systems
  • Asset management — we inventory and classify all IT assets
  • Multi‑factor authentication (MFA) — we require MFA for access to critical systems
  • Secure communications in emergency situations — we maintain alternative, secure communication channels in case of crisis
  • Management accountability (Article 20) — the management board approves the risk management measures, oversees their implementation, and undergoes regular cybersecurity training

2. Certifications and Competencies

Implemented Management Systems

ISO 27001:2022 – Information Security Management System

Status: certification in progress (planned completion: Q2 2025)

ISO 22301 – Business Continuity Management System

Status: certification in progress

Certifications held by the cybersecurity team

Security Officer / CISO

  • ISO 27001:2022 Lead Auditor (ISMS)
  • ISO 22301 Lead Auditor (Business Continuity)
  • CISSM (Certified Information Systems Security Manager, Mile2)
  • CCSK (Certificate of Cloud Security Knowledge, Cloud Security Alliance)

Security team

  • CISSO (Certified Information Systems Security Officer, Mile2)
  • CCZT (Certificate of Competence in Zero Trust, Cloud Security Alliance)
  • Other certifications: CEH, CISSP, CompTIA Security+

Total: 45 certified cybersecurity specialists

3. Security Audits and Tests

We regularly conduct comprehensive security audits and technical tests to verify the effectiveness of the safeguards in place.

Audits

  • Internal NIS 2 compliance audit: once per year
  • ISO 27001 external audit (certification and subsequent surveillance audits): annually
  • Security reviews at key suppliers: every 6–12 months

Technical tests

  • Penetration tests (pentests): several times per year
  • Vulnerability scanning: quarterly
  • Backup tests: monthly
  • Disaster recovery exercises: quarterly
  • Phishing simulations: quarterly

4. Supply Chain Security

In accordance with Article 21(2)(d) of the NIS 2 Directive, we have implemented a comprehensive supplier security management process.

Before commencing cooperation

  • We verify the supplier's security posture and controls
  • We check certifications (ISO 27001 preferred)
  • We assess the risk associated with the supplier
  • We send data protection and cybersecurity compliance questionnaires
  • We hold discussions with the supplier’s CISO

During cooperation

  • Contracts include cybersecurity requirements
  • We conduct regular security reviews
  • We monitor incidents at suppliers
  • We have contingency plans in case of supplier issues

5. Incident Response

In accordance with Article 23 of the NIS 2 Directive, we have implemented procedures for detecting, reporting, and handling cybersecurity incidents.

Detection and response

  • Security monitoring: 24/7
  • Incident response team (CSIRT)
  • Response time for a critical incident: in line with the requirements of the draft amendment to the Polish National Cybersecurity System (KSC) Act, which transposes NIS 2 into national law

Reporting of significant incidents in line with Article 23 of NIS 2

  • Within 24 hours of becoming aware of the incident: early warning to the sectoral CSIRT, indicating whether the incident is suspected to result from unlawful or malicious acts and whether it could have a cross-border impact
  • Within 72 hours: incident notification updating the early warning, with an initial assessment of severity and impact and, where available, indicators of compromise
  • Within one month of the incident notification: final report with a detailed description of the incident, its root cause, the mitigation measures applied and any cross-border impact

6. Transparency and Accountability

As members of the management board of LexCyberAI Ltd, we are aware of our personal responsibility for cybersecurity. We have approved and oversee the implementation of risk management measures, ensuring appropriate resources for their maintenance and continuous improvement.
