Information security policy
This policy defines the general principles of the Information Security Management System (ISMS), whose objective is to protect the confidentiality, integrity, and availability of information assets and to ensure the appropriate use of information systems in the face of internal and external threats. Its scope covers all processes, systems, people, and assets involved in the organization’s operation, including internal personnel, collaborators, and suppliers with access to critical information or infrastructure.
We understand that information security is an essential component to guarantee the quality, continuity, and regulatory compliance of our activities.
This ISMS Policy is designed to meet the following objectives:
Comply with the requirements established by the NIS2 Directive and applicable legal, regulatory, and contractual obligations.
Establish a governance and responsibility structure, designating a cybersecurity officer with defined functions and capacity for action.
Evaluate and manage cybersecurity risks that may affect critical systems, services, processes, and assets.
Implement appropriate technical and organizational measures to ensure the protection of information systems, the availability of services, and the continuity of operations.
Apply security controls in the acquisition, development, and maintenance of systems and networks, including cryptographic protection measures, authentication, and monitoring.
Establish mechanisms for incident management, including detection, analysis, response, notification, and learning.
Develop and maintain business continuity and recovery plans, which guarantee operability in the face of failures, cyberattacks, or other disruptive events.
Evaluate and control risks derived from the supply chain, ensuring that suppliers and partners comply with security requirements.
Promote a culture of training and awareness, ensuring that all personnel have the necessary knowledge to protect information and act against threats.
Establish a clear policy for the use of cryptography to protect sensitive data both in transit and at rest, in accordance with internationally accepted standards.
Ensure access and asset management through an up-to-date asset inventory, least-privilege access control, and defined procedures for personnel onboarding, offboarding, and role changes.
Implement multi-factor authentication (MFA) for access to critical systems, and secure internal and emergency communications through encryption and integrity measures.
Establish supervision and continuous improvement mechanisms, through reviews, audits, and corrective actions that ensure the effectiveness of the ISMS.
Furthermore:
Information is protected against unauthorized access, loss, manipulation, or interruption, guaranteeing its traceability, confidentiality, authenticity, and integrity.
Security incidents are communicated and managed appropriately in accordance with the deadlines established by the NIS2 Directive: for significant incidents, an early warning to the competent authority or CSIRT within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report no later than one month after the notification (Article 23 of the Directive).
At Nektium Pharma S.L., information security is a collective responsibility. Top Management leads the strategic implementation of the ISMS, allocates the necessary resources, and fosters a security-first culture, ensuring NIS2 compliance and robust protection of assets. Middle Management translates this vision into actionable steps: applying the policy diligently, ensuring that their teams adhere to it, and conducting training. All personnel are integral contributors, adhering to established protocols, reporting incidents, and participating in awareness programs that strengthen best practices for protecting digital assets.
Committed to Information Security: Certified for NIS2 Compliance
Our Information Security Management System (ISMS) has achieved certification in compliance with the EU’s NIS2 Directive. This milestone reflects our unwavering commitment to ensuring the highest standards of cybersecurity and operational resilience.

Last updated: Las Palmas, September 2025