Statement on NIS2 Compliance

2024-11-06

On 14 December 2022, the European Union (EU) adopted an updated version of the NIS directive to replace the initial NIS directive established in 2016. The new NIS directive (“NIS2”) addresses the limitations of the initial directive by establishing stricter cybersecurity requirements and by expanding the range of entities and sectors that fall within its scope. Overall, the NIS2 Directive focuses on organizations that are essential and important in the supply chain of critical infrastructure.


As NIS2 is an EU directive, the Member States shall transpose it into applicable national laws for implementation. The NIS2 Directive applies to large and medium-sized organizations operating in critical industries such as energy, transportation, banking, finance, digital infrastructure, ICT service management, etc. Depending on their size and industry, organizations fall into either the “Essential” or the “Important” category, and both categories must comply with the same security measures. The Member States shall establish a list of “Essential” and “Important” entities that must comply with the laws before April 17, 2025.


NIS2 outlines certain measures that relevant organizations are required to implement. Dahua has adopted comprehensive measures to align with the NIS2 requirements.


1. Dahua Product Security Management & Risk Assessments

Dahua is dedicated to enhancing its Secure Software Development Life Cycle (sSDLC) by regulating and optimizing processes through comprehensive security-activity maturity assessments across the product development life cycle, covering the product definition, design, development, acceptance and release phases.

2. Privacy Protection: Privacy by Design

Dahua attaches great importance to the protection of customers’ personal data and privacy. Through continued research on advanced privacy technologies, Dahua is committed to enhancing its privacy protection capabilities in order to provide customers with products and services that offer both a good user experience and privacy protection functions. This is achieved by incorporating a variety of measures, such as the Privacy by Default principle throughout the design of technology specifications and business practices, privacy protection technologies that help users meet their data protection obligations, and privacy-friendly settings designed to help users manage their devices.

3. Vulnerability Management and Incident Reporting

The Dahua Product Security Incident Response Team (PSIRT) has been established to handle cybersecurity issues through security vulnerability reporting, announcements/notices and cybersecurity knowledge sharing with global customers, in order to provide more robust and secure products and solutions. Dahua attaches great importance to vulnerability management and has established a complete vulnerability management process with reference to ISO/IEC 30111, ISO/IEC 29147 and other standards, ensuring that vulnerabilities can be fixed in time and that product security is improved in a transparent and open manner. Dahua PSIRT monitors global cybersecurity incidents and provides 24/7 emergency response services to global users.

4. Business Continuity Measures

Dahua conducts business impact analyses to identify critical operations and potential threats and establishes business continuity plans from risk assessment outcomes to minimize system interruptions, shield critical processes from severe disruptions, and ensure swift recovery. This involves regular testing, rehearsals, and updates to these plans. Key data is backed up to maintain integrity and availability.

5. Supply Chain Security

Dahua has developed a comprehensive compliance management and control system to promote business compliance in supply chain, delivery and service, marketing, operation and maintenance, human resources and other areas of Dahua’s business. Dahua ensures supply chain security by implementing a robust risk management framework that prioritizes the security practices of suppliers and service providers when evaluating their competence.

6. Access Control Policy and Measures

Based on the RBAC (Role-Based Access Control) model, Dahua devices provide a flexible and efficient permission management and control system that meets the needs of users in different scenarios. Dahua devices use the standard 802.1X network access control protocol to prevent unauthorized devices or hosts from accessing the dedicated network.

7. Cryptography and Encryption Measures

To ensure the confidentiality, integrity, and reliability of data, Dahua adopts a variety of cryptographic measures, such as data signing and verification functions based on PKI and a signature algorithm to ensure the integrity of target data, frame encryption technology to protect media stream frame data, an RTSP implementation that supports TLS channel encryption, and a dedicated key management server to ensure the stability and security of keys.

8. Training

Dahua delivers training and updates to employees and, when appropriate, contractors on a regular basis, covering legislative updates, organizational policies, strategies, and procedures to enhance compliance capabilities. Security awareness and compliance training is fundamental to effective information and cybersecurity compliance management. Dahua has established its Cybersecurity Institute to provide security and privacy support for partners, customers and the industry. Additionally, Dahua shares best practices and guidance related to product security solutions.


As always, Dahua strongly values cybersecurity infrastructure and practices. In compliance with the relevant laws and regulations governing its business operations, Dahua has established a sound cybersecurity management framework. Additionally, Dahua adheres to industry best practices, conducts stringent risk assessments, implements state-of-the-art security technologies, maintains robust vulnerability management, and conducts security training and audits to safeguard Dahua products and services against emerging threats. Dahua is committed to handling all cases with transparency and speed, in line with industry best practices and international standards. The international standards Dahua complies with include, but are not limited to, ISO 27001, ISO 27701, ISO 28000, ISO 22301, ISO 27017, ISO 27018 and ISO 20000-1. All these efforts are dedicated to fully assisting customers in improving cybersecurity defense capabilities across Dahua products and services. You may review the Dahua-Product-Security-White-Paper-V3.0.pdf to learn more about Dahua’s compliance practices.


Dahua remains committed to supporting customers at all times. Should you have any questions or need further information regarding this statement, please feel free to contact us at any time.


Thank you for your continued partnership and trust in Dahua.


Regards,

Dahua Technology