Compliance

NIS2 & GDPR, without the headache.

If you operate an IT helpdesk in the EU, two pieces of regulation matter for what you do every day: NIS2 (cyber-resilience) and GDPR (personal data). Here's what they require and how XyloSnap helps you tick both boxes.

NIS2 Directive

Strong authentication is mandatory.

NIS2 (Directive (EU) 2022/2555) applies to "essential" and "important" entities — including most MSPs, financial services, healthcare, government and education. Article 21 explicitly requires strong authentication on sensitive actions, including password resets and access to confidential systems.

What "strong" means in practice:

  • Knowledge factors alone (password, security questions) are insufficient.
  • SMS-OTP alone is considered weak (ENISA / NIST guidance).
  • Biometric or document-based verification meets the bar.
  • Every authentication must be logged and auditable.

GDPR / AVG

Data subject rights, by design.

GDPR (Regulation (EU) 2016/679) applies whenever you process personal data. For helpdesks, this means: every verification creates personal data (name, phone, verification result) that you must process lawfully, minimise and document.

The core requirements:

  • Lawful basis for processing (legitimate interest works for security checks).
  • Data minimisation — only what's strictly needed.
  • Storage limitation — delete when no longer required.
  • Data subject rights — access, rectification, erasure on request.
  • Sub-processor disclosure if you use external vendors.

How XyloSnap helps

Compliance, by default.

Both NIS2 and GDPR are addressed end-to-end in our flow. You don't need a side-project to become compliant — installing XyloTrust is the side-project.

Strong authentication on the helpdesk (NIS2 Art. 21)

XyloTrust adds biometric + document verification to your Freshdesk helpdesk flow. SMS is only the delivery channel — the actual check is a passport/eID scan and live selfie via our identity provider. This meets NIS2's "strong authentication" bar.

Automated audit trail (NIS2 documentation requirement)

Every verification automatically lands in the Freshdesk ticket as a private note: who verified, when, result. Export the full trail in CSV for an auditor in 30 seconds.

Data minimisation (GDPR Art. 5)

We collect only the verification result (passed/failed) and a small set of identifiers. Biometric data (passport image, selfie) stays at the identity provider and never reaches our systems.

Storage limitation (GDPR Art. 5)

Verification records are automatically purged after 3 months, and removed from backups within 30 days of that. Full erasure within 30 days of contract termination.

Data Processing Agreement (GDPR Art. 28)

We provide a signed DPA based on the EU Commission's Standard Contractual Clauses (Decision 2021/915), including the list of sub-processors. Read the DPA.

EU-only data residency

All processing happens within the EEA — AWS eu-central-1 (Frankfurt) for our infrastructure, EU-only identity provider. No routine transfers outside the EEA.


Ready for €500 extra margin? Claim your 10 free verifications + rollout kit.
