DATE: 25 January 2025
Yealink is a globally recognized leader in unified communications and collaboration solutions, focusing on video conferencing, voice communications, and collaboration. Yealink is committed to making communication easier and more efficient. With technology at its core and quality as its foundation, it continuously improves its business management and the quality of its products and services, providing customers with advanced, high-quality, and secure products, with the aim that its products can achieve anything customers can imagine.
As a company responsible to its users, Yealink attaches great importance to network and information security. At Yealink, we are committed to providing high-quality and secure products and services, and we have implemented technical and organizational measures to facilitate compliance with the obligations set forth in NIS2.
EU NIS2 Directive
Overview
The Network and Information Systems Directive, also known as NIS2 (Directive (EU) 2022/2555), is one of the most important and most recent pieces of cybersecurity legislation in the EU. It aims to raise the level of cybersecurity across EU member states and their critical infrastructure, and has significantly reshaped the EU cybersecurity landscape. It entered into force on January 16, 2023, replacing Directive (EU) 2016/1148, also known as NIS. NIS2 required member states to transpose it into national law by October 17, 2024, and to establish the list of essential and important entities that must comply by April 17, 2025.
Compliance Subject
NIS2 has expanded its scope compared to NIS. Not only does it cover more sectors (listed in Annex I and Annex II), it also introduces size thresholds. Organizations operating in the sectors listed in Annex I and/or Annex II, whether public or private, are in scope if they are medium-sized or larger under the EU SME definition, that is, if they have 50 or more employees, or an annual turnover and annual balance sheet total exceeding EUR 10 million. In addition, Member States may bring certain smaller entities into scope where they play a key role in the local economy or society (for example, as the sole provider in a Member State of a service essential for critical societal or economic activities). Under NIS2, the term "entity" refers to any organization that must comply with the Directive. Entities are divided into two categories, "essential" and "important". Both categories are required to implement security measures, but essential entities face stricter supervision and higher maximum penalties.
Cybersecurity risk-management measures included in NIS2
Each Member State defines the detailed cybersecurity measures to be followed by entities within the scope of NIS2 as part of its national implementation. However, NIS2 prescribes an all-hazards, risk-based approach and lists the minimum measures that every entity must implement (Article 21):
● policies on risk analysis and information system security;
● incident handling;
● business continuity, such as backup management and disaster recovery, and crisis management;
● supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
● security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
● policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
● basic cyber hygiene practices and cybersecurity training;
● policies and procedures regarding the use of cryptography and, where appropriate, encryption;
● human resources security, access control policies and asset management;
● the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
NIS2 reporting obligations
In addition to the above security requirements (to be complemented by Member State legislation), NIS2 introduces reporting obligations for "significant" incidents (Article 23), which mainly consist of the following:
● Early warning, to be provided within 24 hours after the entity becomes aware of the significant incident, indicating whether the incident is suspected to have been caused by unlawful or malicious acts and whether it could have a cross-border impact;
● Incident notification, to be provided within 72 hours after the entity becomes aware of the significant incident, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise;
● Intermediate report, to be provided upon request of the CSIRT or the competent authority;
● Final report, to be provided no later than one month after the incident notification is submitted;
● Progress report: if the incident is still ongoing when the final report would be due, the entity submits a progress report at that time and the final report within one month after it has handled the incident.
How does Yealink’s current practice uphold the standards and requirements of the EU NIS2 Directive?
Yealink has established a preliminary information security management system aligned with the compliance framework set out in the NIS2 Directive, and is committed to continuously improving it in line with the concrete implementation measures related to NIS2, including guidelines, standards and implementing rules, as they are adopted. Through long-term and continuous effort, Yealink responds to changing external security risks in order to comply with the legal requirements of each Member State and the evolving requirements of the EU.
The following table summarizes Yealink's preliminary assessment and existing measures against the cybersecurity requirements set out in the NIS2 Directive.
NIS2 cybersecurity requirement | Yealink solution |
---|---|
Policies on risk analysis and information system security | Yealink has formulated internal network and information security policies, and has established and maintains security risk management procedures and a vulnerability disclosure policy (VDP). In addition to regular internal audits, it undergoes external third-party information security audits every year, such as SOC 2 audits and ISO/IEC 27001 certification audits. |
Incident handling | Yealink has developed a Security Incident Management Procedure that defines plans for monitoring, responding to, recording, classifying and reporting security incidents, so that incidents are handled in a timely and effective manner and their possible negative effects are contained. |
Business continuity, such as backup management and disaster recovery, and crisis management | Yealink has implemented business continuity management and disaster recovery procedures, monitors the availability of its infrastructure in real time with alerting, and has established an off-site disaster recovery center. It conducts regular drills to test and validate the effectiveness of its disaster recovery plans and to support uninterrupted business operations. |
Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers | Yealink has formulated supply chain security policies. In addition to defining the security responsibilities and requirements of suppliers, it applies on-site technical security assessment and protection measures to key suppliers, so that security risks are minimized throughout the supply chain. |
Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure | Yealink has formulated specifications for secure coding, secure development and security testing, and has added a series of security tools to the software development lifecycle to implement DevSecOps with security shifted left, in order to ensure the continuous security of its products. |
Policies and procedures to assess the effectiveness of cybersecurity risk-management measures | Yealink has established a security risk management system in accordance with relevant laws and regulations and the ISO/IEC 27001 standard, and regularly monitors, measures, analyzes and evaluates security risks. |
Basic cyber hygiene practices and cybersecurity training | Yealink has established information security service management and human resources management procedures, on the basis of which it regularly conducts internal security drills such as phishing simulations, and delivers targeted security training and awareness campaigns to raise employees' security awareness. |
Policies and procedures regarding the use of cryptography and, where appropriate, encryption | Yealink has established policies and procedures on the use of cryptography, checks the complexity of internal company account passwords, and regularly updates its weak-password list. It has also set specific requirements for the encryption mechanisms and algorithms used for data at rest and data in transit, to ensure the confidentiality and integrity of data during storage and transmission. |
Human resources security, access control policies and asset management | Yealink's human resource management procedures and specifications integrate information security requirements. In addition to the required background checks, employees sign security commitment agreements so that they understand, demonstrate and commit to their security responsibilities. Yealink has also developed access management procedures and policies to ensure more secure access control. |
The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate | Yealink has implemented strong identity authentication mechanisms such as multi-factor authentication for its key internal infrastructure, and has established secure access control policies covering both system access and remote access. |
Using ISO/IEC 27001 to comply with NIS2
NIS2 encourages the use of European and international standards to ensure that entities within its scope implement effective cybersecurity risk-management measures.
ISO/IEC 27001 is an international standard for information security management systems (ISMS), developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is widely used by government agencies, financial institutions, technology companies, and the healthcare and manufacturing industries. The sectors and services assessed under NIS2 likewise fall within the scope of ISO/IEC 27001 certification. In the "Implementation guidance on security measures (Draft for Public Consultation)" published by the European Union Agency for Cybersecurity (ENISA), the NIS2 control requirements are mapped to the corresponding ISO/IEC 27001 controls. The core objectives of ISO/IEC 27001 are to protect information, reduce information security risk, improve business competitiveness, meet regulatory and legal requirements, and enhance customer confidence.
Implementing ISO/IEC 27001 is a significant help in achieving NIS2 compliance, as it covers most of the key requirements, such as information security policy, risk analysis, supply chain security, access control, identity authentication, use of cryptography, continuous monitoring, and business continuity and disaster recovery. Yealink conducts internal audits and external third-party audits against ISO/IEC 27001 every year in order to keep up with and meet the latest requirements of the standard.
Yealink's Compliance Commitment
NIS2 compliance is about more than deploying technical solutions. It also requires organizations to comprehensively evaluate their existing cybersecurity practices, gain an in-depth understanding of potential risks, identify security weaknesses, and drive the necessary improvements. Upon becoming aware of the NIS2 compliance requirements that may apply to it, Yealink immediately compared those requirements with its own cybersecurity practices and current situation, based on its understanding of the NIS2 Directive as promulgated and of the implementation guidance currently under public consultation. The analysis and explanation above are made in light of Yealink's existing security management system and its implementation. Yealink notes that implementation measures related to NIS2, such as guidelines and technical standards, will continue to be promulgated at EU and Member State level. Yealink will keep monitoring the adoption of these measures and will review and adjust its security management system in a timely manner as more specific guidelines and technical standards become available, to ensure that its practices comply with the NIS2 Directive and its implementing measures.
As an industry leader in unified communications and collaboration solutions, Yealink is committed to continuously improving its cybersecurity management capabilities, minimizing security risks, and providing secure and compliant products and services to customers across industries around the world.
Below is a summary of the sectors relevant to NIS2.
Annex I sectors (sectors of high criticality) | Annex II sectors (other critical sectors) |
---|---|
Energy: ● Electricity * ● Gas * ● Oil * ● Hydrogen ● District heating and cooling | Manufacturing: ● Medical devices ● Computer, electronic and optical products ● Electrical equipment ● Machinery ● Motor vehicles, trailers and semi-trailers ● Other transport equipment |
Transport: ● Air * ● Rail * ● Water * ● Road * | Digital providers: ● Online marketplaces ● Online search engines ● Social networking services platforms |
Digital infrastructure * | Postal and courier services |
Banking * | Waste management |
Financial market infrastructure * | Production, processing and distribution of food |
Health: ● Healthcare providers * ● Pharmaceutical industry | Manufacture, production and distribution of chemicals |
Drinking water * | Research |
Wastewater | |
Public administration | |
ICT service management (business-to-business) | |
Space | |
* Sectors that were already in scope of the original NIS Directive (2016/1148).
Contact Us