Why NIS2 makes log management a board-level concern
The NIS2 Directive, fully enforceable across EU member states since October 2024, has quietly turned log management from an IT housekeeping task into a compliance obligation. For small and medium businesses operating in essential or important sectors, this is not abstract regulation. It means your logs need to be trustworthy, tamper-proof, and auditable — or you risk fines that can reach €10 million or 2% of global turnover.
Yet most SMBs still treat logging as an afterthought. A 2024 survey by ENISA found that fewer than 35% of European SMEs had a structured log management policy in place. The gap between regulatory expectation and operational reality is wide, and it is exactly where risk lives.
The good news: you do not need enterprise-grade budgets to close that gap. Open source tools can get you there, provided you understand what NIS2 actually demands from your logs.
What NIS2 requires from your logs
NIS2 does not prescribe a specific logging technology. Instead, it sets outcome-based requirements under its broader incident reporting and risk management framework. In practice, three properties matter most.
Integrity and immutability
Logs must be protected against unauthorised modification or deletion. If an attacker — or a careless administrator — can alter log entries after the fact, those logs lose their evidentiary value. NIS2’s emphasis on incident detection and response assumes you can trust what your logs tell you.
Immutability means that once a log entry is written, it cannot be changed. This is the single most important technical property to implement. Without it, every other logging effort is built on sand.
Accurate timestamps
Every log entry needs a reliable, synchronised timestamp. When you are reconstructing an incident timeline — and under NIS2, you will need to report significant incidents within 24 hours — timestamps that drift by even a few seconds can make correlation across systems impossible.
NTP (Network Time Protocol) synchronisation is the baseline. For environments where precision matters, PTP (Precision Time Protocol) offers microsecond-level accuracy. The key point is consistency: all systems must reference the same time source.
Retention and availability
Italian implementing legislation and the broader NIS2 framework expect logs to be retained for a period sufficient to support incident investigation. While specific retention periods vary by sector and national transposition, a practical minimum for most SMBs is 12 to 18 months. Logs must also be searchable and accessible to authorised personnel and, when required, to national authorities such as Italy’s ACN (Agenzia per la Cybersicurezza Nazionale).
Building a compliant stack with open source tools
Enterprise SIEM platforms can cost tens of thousands of euros annually. For an SMB with 50 to 500 employees, that is often not realistic. Fortunately, the open source ecosystem offers mature alternatives that meet NIS2 requirements when configured correctly.
Log collection and forwarding
Fluentd or Fluent Bit are the workhorses here. Both are CNCF-graduated projects with broad community support. Fluent Bit is lighter and well-suited for edge collection on servers and endpoints, while Fluentd handles aggregation and routing at the central level.
Configure your agents to forward logs over TLS-encrypted channels. Unencrypted log transport is an integrity risk that auditors will flag immediately.
Centralised storage with immutability
OpenSearch (the open source fork of Elasticsearch) provides a solid foundation for centralised log storage and search. Critically, OpenSearch supports index state management policies that can enforce write-once behaviour and automated retention.
For true immutability, consider writing logs to WORM (Write Once Read Many) storage. MinIO, an open source S3-compatible object store, supports object locking, which prevents deletion or modification for a defined retention period. This gives you cryptographically verifiable immutability without cloud vendor lock-in.
Integrity verification
Hash chaining is a proven technique: each log entry includes a cryptographic hash of the previous entry, creating a chain that breaks visibly if any record is altered. Tools like sigstore or simple scripted SHA-256 hash chains can provide this layer.
At a minimum, generate daily integrity digests of your log archives and store those digests separately from the logs themselves. If your logs live on OpenSearch, store the digests on a different system — ideally one with restricted access.
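A minimal version of the hash chain and daily digest just described, as an added example (not code from the original article): it chains constructed sample syslog lines with SHA-256, produces the day's digest for separate storage, and shows how verification pinpoints a modified record and how the separately stored digest catches truncation or a wholesale rewrite of the chain.

```python
import hashlib

# Constructed sample entries standing in for one day's syslog lines (not real data).
SAMPLE_LOGS = [
    "2025-01-15T08:01:02Z fw01 sshd[412]: Accepted publickey for admin from 10.0.0.5",
    "2025-01-15T08:05:44Z vpn01 openvpn[77]: user bob authenticated",
    "2025-01-15T09:12:09Z db01 postgres[901]: connection authorized: user=app",
]
GENESIS = "0" * 64  # start value for the first chain; later days start from the previous digest

def sha256_link(prev_hash, entry):
    # Each link hashes the previous hash together with the entry, so altering
    # any record changes every hash that follows it.
    return hashlib.sha256((prev_hash + "\n" + entry).encode("utf-8")).hexdigest()

def chain_entries(entries, start_hash=GENESIS):
    """Return chained records: the entry, the hash it links to, and its own hash."""
    chained, prev = [], start_hash
    for entry in entries:
        h = sha256_link(prev, entry)
        chained.append({"entry": entry, "prev": prev, "hash": h})
        prev = h
    return chained

def daily_digest(chained, start_hash=GENESIS):
    """The value to store on a separate, access-restricted system: the day's final hash."""
    return chained[-1]["hash"] if chained else start_hash

def verify_chain(chained, expected_digest, start_hash=GENESIS):
    """Recompute the chain. Returns (True, None) if intact, else (False, index of first bad record).
    An index equal to len(chained) means the records are internally consistent but do not end
    at the stored digest: trailing records were removed or the whole chain was rewritten."""
    prev = start_hash
    for i, rec in enumerate(chained):
        if rec["prev"] != prev or rec["hash"] != sha256_link(prev, rec["entry"]):
            return False, i
        prev = rec["hash"]
    if prev != expected_digest:
        return False, len(chained)
    return True, None

if __name__ == "__main__":
    day = chain_entries(SAMPLE_LOGS)
    digest = daily_digest(day)          # store this away from the log system
    print("intact:", verify_chain(day, digest))
    day[1]["entry"] = day[1]["entry"].replace("bob", "alice")  # simulated tampering
    print("after tampering:", verify_chain(day, digest))
```

Seed each day's chain with the previous day's stored digest so the whole archive forms one continuous chain, and keep the digests where an account with write access to the log store cannot also reach them.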
Timestamp synchronisation
Deploy chrony (a modern NTP implementation) across all systems that generate logs. Chrony handles intermittent connectivity better than the legacy ntpd and is the default on most current Linux distributions. Configure it against at least two independent NTP sources, such as the Galileo-based time services available through European providers, to avoid single points of failure.
Practical steps for SMBs starting from zero
If your current logging consists of scattered syslog files on individual servers, here is a realistic path forward.
Week one: Inventory all systems that generate security-relevant logs. This includes firewalls, VPN gateways, authentication systems (Active Directory or LDAP), web applications, and database servers. NIS2 does not require you to log everything, but it does require you to log what matters for incident detection.
Week two to four: Deploy Fluent Bit agents on each source system, forwarding to a central OpenSearch instance. Enable TLS on all transport. Configure chrony on every machine.
Month two: Implement retention policies in OpenSearch. Set up WORM-locked archival storage with MinIO. Establish hash chain integrity checks on a daily cron schedule.
Month three: Document everything. NIS2 compliance is not just technical — it requires demonstrable policies and procedures. Write down your log management policy, your retention schedule, your integrity verification process, and your access controls. The ACN or your sector-specific authority will want to see documentation, not just infrastructure.
The cost of doing nothing
According to Clusit’s 2024 report, cyber attacks against Italian organisations grew by 65% compared to the previous year, with SMBs increasingly targeted. Log management will not prevent attacks, but it is what allows you to detect them early, respond effectively, and demonstrate to regulators that you took reasonable measures.
Under NIS2, the question is no longer whether you can afford to implement proper logging. It is whether you can afford not to. The tools are available, they are free, and they work. What they require is the decision to start.