Skip to main content

Figma Legal

The information provided here is for Figma customers and users who have questions about our terms, policies, intellectual property, and compliance.

EU NIS 2

Aim of the Directive

NIS 2 is an EU Directive, that aims to elevate and align cybersecurity and resilience standards across the EU, so that organisations operating in essential and important sectors are better prepared against modern cyber threats.

Who does it apply to?

NIS2 applies to organisations providing services in the EU and operating in industries considered essential or important, like energy, transport, healthcare, digital infrastructure, and public administration. It also applies to their key suppliers, including their technology providers.

Key Requirements

General obligations for in-scope organisations include:

  • adopting cybersecurity risk-management measures
  • assessing the cybersecurity risks within the supply-chain, including technology providers
  • reporting significant cybersecurity incidents quickly; and
  • other governance requirements.

How does it apply to Figma

A number of Figma's services are categorised as 'cloud computing services' under NIS2, and certain parts of the directive apply to it.

Overview of our compliance approach

Figma takes the responsibility of ensuring its services are secure and robust from cyber threats very seriously. Here is a summary of the measures we have in place that are designed to achieve this:

  • Security. Figma has a comprehensive Security framework, including SOC2 and ISO certifications and Business Continuity and Disaster Recovery plans. More details can be found on our Security Portal on the link below.
  • Incident Response. Figma maintains comprehensive incident response, encryption and crisis management policies. These policies set out our processes for assessing, evaluating and responding to cyber incidents.
  • Supply Chain Management. Figma conducts due diligence on all of its suppliers, with enhanced, mandatory security standards for any vendor that provides business critical services or who’s technology is essential to the operation of Figma’s own services.

Link to relevant existing resources

Figma Security Portal