Suprema's Compliance with the EU NIS2 Directive

Date: July 2024


Suprema (hereinafter referred to as "the Company") is committed to ensuring the highest standards of cybersecurity and physical security by adhering to the European Union’s Network and Information Systems 2 (NIS2) Directive. As a provider of access control systems, the Company recognizes the critical importance of protecting customers' data, infrastructure, and assets. Below is a summary of the actions and commitments the Company is taking to comply with the NIS2 regulations, which come into effect in October 2024.

1. Scope

The NIS2 Directive applies to sectors such as energy, transport, banking, financial services, healthcare, drinking water, digital infrastructure, and public administration services. The Company supplies access control systems to these sectors and is committed to ensuring that its systems and services meet the requirements set out in the directive.

2. Governance and Risk Management

The Company's executive management and Board of Directors play an active role in overseeing cybersecurity and physical security strategies. The Company has established a security organization responsible for continuously assessing, monitoring, and mitigating risks in line with NIS2 requirements. Internal procedures have been implemented to prepare for disasters and breaches affecting key systems and services, ensuring that the impact on business operations is minimized. All products and services developed by the Company adhere to secure development procedures, ensuring that sensitive data is encrypted during storage and transmission. Security reviews are conducted at every stage, from planning to release. In the event that vulnerabilities are identified in products sold by the Company, corrective actions are taken, and information is disclosed on the Company’s website.

3. Access Control

The Company implements robust access control measures to secure both physical and digital access points. Using both biometric and card-based access control systems, the Company defines and protects facilities and sensitive zones, including data centers, system operation rooms, and R&D labs. Unauthorized access to offices and secure areas by external personnel is strictly controlled. Visitors must request and receive prior approval before entry, and all visitors are granted traceable access rights.

4. Incident Response

The Company has established an incident response plan to ensure the prompt detection, reporting, and mitigation of security incidents. Our key systems and services are monitored 24/7 by a specialized security organization. In the event of a security incident, procedures are in place to report and share information with relevant authorities and stakeholders within the stipulated timeframe. Following an incident, a detailed analysis is conducted to prevent recurrence and to improve the Company's overall security posture.

5. Supply Chain Management

The Company conducts security assessments of its supply chain partners, or reviews their security requirements, to ensure compliance with NIS2 standards. When selecting supply chain partners, security requirements are included in contracts and evaluations to ensure that partners adhere to the Company's security requirements and cybersecurity standards.

6. Outsourcing Management

The Company ensures that outsourced services and third-party providers comply with the same high security standards as the Company itself. Security evaluations are conducted at the time of contracting, and third-party security permissions and compliance are regularly assessed.

7. Security Training

The Company has implemented regular training programs to raise awareness among employees about cybersecurity threats and vulnerabilities, promoting safe practices.

8. Policies and Evaluation

The Company has established internal management plans and security policies to comply with global security regulations and address security threats and risks. These internal plans and security policies are reviewed and revised annually to align with evolving threats and regulatory requirements and are approved by the Board of Directors before being communicated to all employees. The Company operates its system infrastructure based on cybersecurity management frameworks such as ISO 27001, ISO 27701, and CSA STAR, and updates certifications through audits conducted by global certification organizations.


The Company is dedicated to meeting the requirements of the EU NIS2 Directive. Our proactive approach to cybersecurity and physical security not only ensures regulatory compliance but also strengthens trust and confidence among our customers and stakeholders.