Compliance and regulation - FAQ

Welcome to our Compliance and Regulation FAQ section. Here, we've gathered all the essential questions and answers related to DORA (Digital Operational Resilience Act), NIS2 (Network and Information Security Directive), GDPR (General Data Protection Regulation) and CRA (Cyber Resilience Act).
This resource is designed to simplify your journey through regulatory frameworks, ensuring you have all the tools and insights necessary to remain compliant. If you notice any gaps or have additional questions, our compliance team is available to assist you via a simple email to regulatory@mixvoip.com.
DORA
Within DORA, the Legal Entity Identifier (LEI) is used. Please head over to our Impressum to see the LEI codes for our entities.
DORA
Please head over to our Impressum where we list the LEI for the different entities.
DORA
RZECZKOWSKI Marcin & KISTINGER Clemens
70, rue des Pres
L-7333 Steinsel
regulatory@mixvoip.com
DORA
Under DORA, our service types are the following, depending on which services we provide to you:
- ICT project management
- ICT help desk and first level support
- ICT security management services
- ICT, facilities and hosting services (excluding Cloud services)
- Non-Cloud Data storage
- Telecom carrier
- Network infrastructure
- Hardware and physical devices
- Software licensing (excluding SaaS)
- ICT operation management
- ICT Consulting
- Cloud services: SaaS
- Cloud services: PaaS
- Cloud services: IaaS
DORA
To obtain an updated contract that complies with DORA requirements: our updated terms and conditions are fully DORA-compliant, and sections 1.5.3 and 1.12.8 specifically address these requirements. To ensure that your inventory of Mixvoip services is current, please contact our billing department at billing@mixvoip.com. They will provide you with a contract quote listing all your existing services and service level agreements (SLAs), without modifying the duration of your contract. This quote, together with our terms and conditions, will form your contractual relationship with Mixvoip and will be fully compliant with DORA.
DORA
Yes, we rely on subcontractors for ICT service provisioning, in accordance with DORA requirements and GDPR standards. For detailed information about our subcontractors, including provisioning locations and storage details, please refer to our third-party providers.
DORA
ISO27001
GDPR
The impact of subcontracted ICT services depends on the substitutability of the service and how it is integrated into the customer’s operations. While some services may not be easily replaced, our mission is to provide reliable and consistent services to minimize potential disruptions for our customers. You can find the information on our subcontracted ICT services here.
DORA
We categorize the substitutability of third-party ICT service providers into four levels:
- Not substitutable: The service is unique, with no comparable alternatives available.
- Limited substitutability: Switching providers would require significant effort and high costs.
- Complex substitutability: Comparable providers exist, but switching would involve extra effort and costs due to dependencies.
- Easily substitutable: The provider can be replaced easily, as there are several comparable options available in the market.
These levels help us assess the potential impact on service continuity and plan accordingly to maintain reliability for our customers.
These levels are used on our third-party provider list.
DORA
All our ICT subcontractors are classified as Rank 2 under the DORA (Digital Operational Resilience Act) framework.
DORA
We only select subcontractors who are compliant with DORA for our critical and important ICT services.
DORA
ISO27001
The Information Security Program is comprehensively documented under our ISO 27001-certified ISMS and includes policies that have been formally approved by management and communicated to all relevant parties.
DORA
DORA is short for the Digital Operational Resilience Act, an EU regulation.
ISO27001
DORA
GDPR
In line with ISO 27001 guidelines, we have systems in place to monitor and detect security incidents. These are managed by our internal Incident Management Team. Customers can provide a designated contact for incident notifications through email, ticket submission or our web panel. If a security incident occurs, we ensure the designated contact is promptly informed with all relevant details.
ISO27001
ISO27001 is our short form for ISO/IEC 27001, the standard from the International Organization for Standardization that is the world's best-known standard for information security management systems.
GDPR
DORA
Yes, Mixvoip stores and processes customer data in full compliance with GDPR. This data is securely stored on servers located within the European Union, ensuring adherence to the highest standards of data protection, privacy, and security. For more information, visit our GDPR page.
GDPR
DORA
Mixvoip manages its entire IT infrastructure, including installation, configuration, and operational management like backup and restore, using its own data centers and in-house personnel. While Mixvoip maintains contracts with selected external providers for limited support, such as advanced hardware replacement, these contracts do not grant access to any scoped systems, data, or processing facilities. This approach enables Mixvoip to retain full control over system access and aligns with our stringent security and compliance standards, minimizing reliance on external entities.
GDPR
GDPR refers to the General Data Protection Regulation of the EU.
GDPR
EU AI Act
We leverage AI to generate summaries of phone calls, ensuring compliance with GDPR while enhancing customer service. According to guidance from the BfDI, storing AI-generated summaries without recording the spoken word may not require consent. Mixvoip views this as an example of data minimization and justifies the practice under legitimate interests and contractual necessity. Click here to read the full answer.
NIS2
NIS2 stands for the “Network & Information Security Directive”, the EU Directive on measures for a high common level of cybersecurity across the Union.
On our Impressum you can see in which countries we are registered as a telecom operator, including the regulatory body and our reference there.
In addition, please check out our accreditations page to find, for example, our ISO27001 certification.
Please refer to our Impressum page.
As of November 1, 2024, Mixvoip employed approximately 63 full-time equivalents (FTEs) respecting local minimum wage regulation. This figure represents the combined employees of Mixvoip SA and its subsidiaries in which Mixvoip holds at least an 80% ownership stake. Outsourced consultants are excluded from this calculation.
Mixvoip conducts all operations in EUR.
Mixvoip generates over 12 million in annual revenue, including revenue from subsidiaries with at least 80% ownership.
We carry out regular audits and tests to maintain the security and compliance of our services. These include annual certifications like ISO 27001, regulatory audits, and internal vulnerability scans. For more details about our certifications and regulatory framework, please visit our accreditations page.
Whenever a legal requirement (e.g. regulators, law enforcement, …) is given, Mixvoip grants matching inspection rights.
For customers, we refer to our Terms & Conditions, section 2.4.2.
Mixvoip is ISO 27001 certified, which requires us to have adequate and resilient technical infrastructure to support service continuity. As part of our certification, our technical equipment and continuity measures are reviewed and audited regularly to ensure compliance with ISO 27001 standards. This certification provides assurance that we meet internationally recognized requirements for the security, reliability, and resilience of our technical infrastructure.
Once a year, Mixvoip generates a report on its financial health to ensure continuity of performance. This report is prepared by a committee including one external accounting firm and our CFO. It includes key metrics such as debt burden, cash reserves, projected cash flow trends, and revenue. Additionally, the report provides recommendations for maintaining financial stability and resilience. This report is reviewed by the executive committee and the board of directors to ensure adequate funding and proactive risk management.
All employees within the company receive internal security training (GDPR, ISO, …) on a regular basis. Certifications, including external and internal training, are also provided to ensure that employees follow best practices. You can find various certifications on our accreditations page.
A formal risk governance framework is in place as part of our ISO 27001 certification and aligns with NIS2 and DORA requirements. In addition, it is necessary to fulfil the German TKG and SERIMA. Management has approved these policies, covering risk assessment, mitigation, monitoring, and review processes.
The business continuity and resilience framework is established per ISO 27001 and further developed under NIS2 and DORA guidelines to ensure ongoing resilience, with policies for response, continuity, and regular review.
While Mixvoip does not have a formalized environmental policy with specific targets, sustainability is a key focus, and the company is committed to minimizing its environmental impact. This includes initiatives such as going paperless, offering organic refreshments, using electric vehicles, and planting trees to offset its carbon footprint. Additionally, the data centers operate with 100% green electricity, utilize free cooling, recycle biomass, and continuously monitor energy efficiency to reduce CO₂ emissions and improve sustainability.
Mixvoip SA has a D-U-N-S number, available in our Impressum.
Our related companies in the different countries can all be identified by their VAT number and LEI code.
Mixvoip follows the EU Whistleblower Directive (Directive (EU) 2019/1937), which establishes common minimum standards for the protection of individuals who report breaches of EU law. This directive aims to create a safe and transparent framework across member states, ensuring whistleblowers are protected from retaliation and can report concerns securely. In Luxembourg, this directive has been transposed into national law through the Law of 16 May 2023, which Mixvoip fully complies with, alongside similar regulations in other countries where it operates.

Our whistleblowing policy guarantees confidentiality and safeguards the identity of whistleblowers, ensuring that their reports are handled securely and without fear of retaliation. To facilitate reporting, we have established a dedicated email address, whistleblowing@mixvoip.com, which provides an accessible and confidential channel for submitting concerns. Mixvoip guarantees compliance with all legal requirements to protect whistleblowers and encourages reporting in good faith to address breaches effectively.
Yes. Mixvoip maintains a formal risk assessment program as part of its ISO/IEC 27001-certified Information Security Management System (ISMS). All core services — including telephony, cloud PBX, connectivity, and call recording — are subject to regular risk assessments. These evaluations cover technical, operational, regulatory, and data protection risks, and they are reviewed and updated as part of our continuous improvement and compliance processes.
Mixvoip is not subject to AML obligations under current Luxembourg or EU financial regulations, as we do not provide financial, payment, or fiduciary services. Therefore, we do not maintain a standalone AML policy. However, we fully support our regulated customers in meeting their compliance obligations, and we implement strong Know-Your-Customer (KYC) and due diligence practices where relevant to our operations.
Mixvoip has a clearly defined corporate governance structure supported by internal policies, including those related to information security, compliance, risk management, and operational oversight. Governance principles are embedded across our ISO/IEC 27001-certified management system and organizational practices.
Mixvoip has knowledge of the financial industry’s legal and regulatory requirements, ensuring compliance with its frameworks. As a trusted ICT partner for over 4,200 business and institutional customers across Luxembourg, Belgium, and Germany, Mixvoip adheres to key regulations such as GDPR, DORA, NIS2, TKG §109 and SERIMA.

Together with our ISO 27001 certification, this highlights our commitment to secure information management systems and telecommunications security. In addition, Mixvoip actively engages with national telecom regulatory bodies. All this allows Mixvoip to deliver solutions for its clients, including highly regulated sectors like finance.
Mixvoip has not been the subject of any formal enforcement action. However, we routinely engage with regulatory bodies (e.g., ILR, CNPD, IBPT, BNetzA, ARCEP) through audits, inspections, and compliance reporting as part of our obligations. Any findings have been resolved without penalty or escalation.
No, Mixvoip has never filed for bankruptcy. The company is financially stable and committed to ensuring business continuity. As part of this commitment, Mixvoip conducts regular checks of its financial situation to maintain operational stability and deliver reliable services to its customers.
Mixvoip does not formally commission a single annual penetration test on its own initiative. However, due to the nature of our customer base — including entities subject to DORA, NIS2, PSF and ISO 27001 requirements — our systems are regularly tested as part of their independent security assessments. Mixvoip proactively collaborates with these customers and their security partners, resulting in multiple penetration testing activities throughout the year that cover various layers of our infrastructure and services. Findings from these tests are tracked and addressed as part of our continuous improvement and ISO/IEC 27001-compliant risk management process.
Yes. Mixvoip has a formal, documented cybersecurity framework in place as part of its ISO/IEC 27001-certified Information Security Management System (ISMS). This includes policies, procedures, and controls addressing risk management, access control, incident response, business continuity, and other key areas of cybersecurity.
Mixvoip maintains a fully documented incident management process in line with ISO/IEC 27001 standards. All operational events — including any potential outages — are logged, reviewed, and, when required, notified to relevant regulatory authorities such as ILR, IBPT, BNetzA, ARCEP, and the appropriate data protection bodies.

As part of our commitment to transparency and compliance, we support regulated customers (including those under DORA) by providing incident-related information as contractually agreed or required by regulation. For confidentiality and security reasons, we do not publicly disclose complete incident history. Detailed information is shared only on a need-to-know basis, and only with the concerned customer, relating strictly to services they receive from Mixvoip. As a multi-service operator, we do not disclose incidents affecting unrelated services or other customers.
Mixvoip has advanced fraud monitoring systems configured with strict parameters and multiple security rules to detect, analyze, and prevent fraudulent activities in real time, allowing us to offer our anti-fraud protection. Additionally, our cybersecurity measures, including firewalls, DDoS protection, and DNS Shield, further enhance our ability to safeguard against evolving fraud tactics.

Mixvoip maintains an exceptionally low complaint rate. This reflects the high level of satisfaction among our customers and the reliability of our services. Our proactive approach to monitoring and resolving issues ensures continued trust and seamless operations for all clients.
You can find our Code of Conduct on our Legal page.