WORM Logs: How They Work and Why NIS2 Requires Them

Learn how WORM logs work, how Write Once Read Many preserves log integrity, and why immutable evidence matters for NIS2.

5 January 2026 · 2 min read · SecBox Global Team

Logs are useful only if they can be trusted. If an attacker can modify or delete them after gaining access, they stop being evidence and become noise.

That is why WORM matters.

What WORM means

WORM stands for Write Once Read Many. In practice, it means log records can be written and read, but they cannot be altered or deleted during the configured retention period.

This protects the integrity of security evidence.
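The write-once, read-many rule and the retention lock described above can be modelled in a few lines. This is an added example, not code from SecBox or any product; `WormLogStore`, `WormViolation` and the sample log line are hypothetical names and constructed data, and a real deployment enforces these rules in the storage layer rather than in application code.

```python
import time

class WormViolation(Exception):
    """Raised when a request would alter or delete a retained record."""

class WormLogStore:
    """In-memory model of WORM semantics (hypothetical class, not a product API)."""

    def __init__(self, retention_seconds, clock=time.time):
        self._retention = retention_seconds
        self._clock = clock      # injectable so retention expiry can be simulated
        self._records = {}       # record_id -> (written_at, line)
        self._next_id = 1

    def append(self, line):
        """Write once: each call creates a new record under a new id."""
        record_id, self._next_id = self._next_id, self._next_id + 1
        self._records[record_id] = (self._clock(), line)
        return record_id

    def read(self, record_id):
        """Read many: reading never changes the stored record."""
        return self._records[record_id][1]

    def overwrite(self, record_id, line):
        """In-place edits are refused; this model offers no way to change a record."""
        raise WormViolation(f"record {record_id} is write-once")

    def delete(self, record_id):
        """Deletion is refused until the configured retention period has elapsed."""
        written_at, _ = self._records[record_id]
        remaining = written_at + self._retention - self._clock()
        if remaining > 0:
            raise WormViolation(f"record {record_id} is retained for {remaining:.0f}s more")
        del self._records[record_id]

def demo():
    """Constructed scenario: 90-day retention, simulated clock, one sample line."""
    now = [1_700_000_000.0]
    store = WormLogStore(90 * 86400, clock=lambda: now[0])
    rid = store.append("vpn login user=alice src=203.0.113.7")  # constructed sample
    outcomes = []
    for attempt in (lambda: store.overwrite(rid, "edited"), lambda: store.delete(rid)):
        try:
            attempt()
            outcomes.append("allowed")
        except WormViolation:
            outcomes.append("refused")
    now[0] += 91 * 86400         # move past the retention period
    store.delete(rid)            # now permitted
    return outcomes + ["purged after retention"]

if __name__ == "__main__":
    print(demo())
```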

Why NIS2 raises the importance of immutable logs

NIS2 increases the expectation that organizations can:

  • detect incidents
  • reconstruct what happened
  • prove when it happened
  • support audits and regulatory reviews

That becomes difficult if logs live only on the same systems that may be compromised.

Why ordinary logging is not enough

A standard log setup often fails in three ways:

  • logs remain on local servers
  • retention is short or inconsistent
  • administrators can still alter or remove records

That design may be acceptable for troubleshooting. It is weak for incident response and compliance.

What good WORM logging gives you

With immutable logging, the business gains:

  • stronger forensic evidence
  • better audit readiness
  • more reliable incident timelines
  • less dependence on memory or partial screenshots

It also reduces the risk that a compromise is followed by evidence destruction.

What should be logged

For SMEs, the minimum useful set usually includes:

  • firewall events
  • VPN access
  • privileged activity
  • system authentication events
  • administrative changes
  • critical application and infrastructure alerts

The exact scope depends on the business, but remote access and perimeter events should always be covered.

Conclusion

WORM logs are not just a storage feature. They are part of operational credibility. If a company wants to claim control over incidents, access, and audit evidence, it needs logs that cannot be rewritten after the fact.
