Does ipfire comply with the nis2 directive

Hello, does ipfire comply with the nis2 directive of the european union? Can ipfire be used by companies that require compliance with the nis2 directive?

Considering the NIS2 directive is rather complex

IPFire as an application can not, solely by its usage, ensure that.

Member States must ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems, and to prevent or minimise the impact of incidents on recipients of their services and on other services. The measures must be based on an all-hazards approach.

There are many more aspects involved than just a firewall.

Perhaps this can give you an insight as to what is required:

I understand that, the question is, is using ipfire suitable? Don’t necessarily need a commercial product?

There is no straight-forward answer to this because this directive will have to be implemented by all member states and therefore it will be different from country to country.

However, I don’t see any reason why IPFire should not comply with this.

No, the law does not specify that something most be obtained at a minimum cost, or that things cannot be obtained for free. Just because IPFire is an Open Source product does not mean it is not as good as any commercial product, in fact, it has been shown that Open Source software is usually more secure than commercial products.

If “free” software was ruled out, then no company could function any more, because who doesn’t use Apache, VLC, GCC, Firefox, you name it?

So, please let’s all combat the myth that commercial software is better. It isn’t.

Many people have the feeling that if something is free, it can’t be a good product. That is a problem we can fix. We have a donation page where you can donate as much as it would make you feel fixes this problem: - Donate

Maybe we should add next to the boxes the price of a Cisco license :slight_smile:


When it comes to security of an information system ( consisting of HW,OS,applications and configuration) I think an open source system with a big set of possible configurations is sometimes more suited than commercial solutions ( which implement the sight of the devs/producers to this field ).


I believe it’s the company that is supposed to be compliant with NIS2. So NIS2 compliance is depending on how the company is using software and security, not what software they use.

1 Like

This is called the configuration part of a system. :wink:

I agree, this directive requires business to comply with a “process” and not necessarily with a particular “brand of product”. So if properly implemented any IDS, Firewall, router, server, IoT device could be used. What is more important is to address both network and information systems as a whole.

Unfortunately, this “process” might be cost prohibitive to small businesses who can’t afford to hire a CISA or an auditor.
A similar US compliance called SOX drove a lot of small public companies out of business or forced them to be delisted from US stock exchange.