NIS2Shield
Enterprise Compliance Infrastructure
CIS Benchmark Compliance Guide
Version 1.0.0 • January 2026
1. Executive Summary
This document provides a comprehensive assessment of NIS2 Shield's compliance with the
Center for Internet Security (CIS) Benchmarks for Docker and Kubernetes. These benchmarks
represent industry-standard security configurations that help organizations harden their
container infrastructure.
CIS Docker v1.6: 38/46 controls pass (83%)
CIS Kubernetes v1.8: 18/20 controls pass (90%)
Assessment Scope
This assessment covers NIS2 Shield infrastructure components as deployed via the official
Helm charts and Docker Compose configurations. Controls marked as "Host/Cluster responsibility"
require customer-side configuration based on their specific deployment environment.
2. CIS Benchmarks Overview
What are CIS Benchmarks?
CIS Benchmarks are globally recognized best practices for securing IT systems and data.
They are developed by security professionals and provide prescriptive guidance for
establishing a secure baseline configuration.
Benchmarks Used
| Benchmark | Version | Release Date | Controls |
|---|---|---|---|
| CIS Docker Benchmark | v1.6.0 | 2023-09 | 46 recommendations |
| CIS Kubernetes Benchmark | v1.8.0 | 2023-11 | 20 policy recommendations |
NIS2 Mapping
CIS Benchmark compliance directly supports NIS2 Directive Article 21.2.a (risk analysis
and information system security policies) and Article 21.2.d (supply chain security).
3. Docker Compliance
3.1 Container Images (Section 4)
These controls ensure that container images are built securely and follow best practices
for minimizing attack surface.
| # | Recommendation | Status | Evidence |
|---|---|---|---|
| 4.1 | Ensure a user for the container has been created | ✅ PASS | USER directive in Dockerfile |
| 4.2 | Ensure that containers use only trusted base images | ✅ PASS | python:3.12-slim from Docker Hub |
| 4.3 | Ensure unnecessary packages are not installed | ✅ PASS | Minimal -slim base image |
| 4.4 | Ensure images are scanned and rebuilt for vulnerabilities | ⚠️ PARTIAL | Trivy CI scanning enabled |
| 4.6 | Ensure HEALTHCHECK instructions have been added | ✅ PASS | HEALTHCHECK in Dockerfile |
| 4.8 | Ensure setuid and setgid permissions are removed | ✅ PASS | Distroless runtime image |
| 4.9 | Ensure COPY is used instead of ADD | ✅ PASS | No ADD instructions |
| 4.10 | Ensure secrets are not stored in Dockerfiles | ✅ PASS | Environment variables used |
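The image controls above (4.1, 4.6, 4.9 and 4.10) can be checked mechanically against a Dockerfile before it is built. The following checker is an added example and is not part of the NIS2 Shield assessment or its build tooling; the two Dockerfiles it inspects are constructed for illustration, and the 4.10 check is a name-based heuristic (it cannot prove the absence of secrets), which is stated in the code.

```python
"""Audit a Dockerfile against a subset of the CIS Docker v1.6 section 4 controls
(4.1 non-root USER, 4.6 HEALTHCHECK, 4.9 COPY rather than ADD, and a heuristic
for 4.10 secrets assigned in ENV/ARG).

Added example: not part of the NIS2 Shield assessment or its build tooling.
Both Dockerfiles below are constructed samples.
"""
import re

# Names that suggest a credential is being baked into the image (heuristic, not exhaustive).
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.IGNORECASE)


def parse_instructions(dockerfile: str) -> list:
    """Return [(INSTRUCTION, arguments)], joining backslash continuations and
    skipping comments and blank lines."""
    logical, buf = [], ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    out = []
    for line in logical:
        parts = line.split(None, 1)
        out.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return out


def final_stage(instructions: list) -> list:
    """Instructions of the last build stage: USER and HEALTHCHECK only matter in
    the image that actually runs, not in intermediate build stages."""
    stages, current = [], []
    for ins, args in instructions:
        if ins == "FROM" and current:
            stages.append(current)
            current = []
        current.append((ins, args))
    stages.append(current)
    return stages[-1]


def audit_dockerfile(dockerfile: str) -> dict:
    """Map each control id to True (pass) or False (fail)."""
    all_ins = parse_instructions(dockerfile)
    last = final_stage(all_ins)

    # 4.1: the last USER in the final stage must be non-root ("USER app" or "USER app:group").
    users = [args.split(":")[0].strip() for ins, args in last if ins == "USER"]
    non_root = bool(users) and users[-1] not in ("root", "0")

    # 4.6: a HEALTHCHECK exists in the final stage and is not "HEALTHCHECK NONE".
    has_healthcheck = any(ins == "HEALTHCHECK" and args.strip().upper() != "NONE"
                          for ins, args in last)

    # 4.9: no ADD anywhere (ADD fetches URLs and auto-extracts archives; COPY does neither).
    no_add = all(ins != "ADD" for ins, _ in all_ins)

    # 4.10 heuristic: no ENV/ARG that gives a secret-looking name a literal value.
    # ENV accepts "KEY=value" and the legacy "KEY value"; an ARG without "=" has no default.
    leaks = False
    for ins, args in all_ins:
        if ins not in ("ENV", "ARG"):
            continue
        keys = [k for k, _ in re.findall(r"(\w+)=(\S+)", args)]
        if ins == "ENV" and "=" not in args and len(args.split()) > 1:
            keys.append(args.split()[0])
        leaks = leaks or any(SECRET_NAME.search(k) for k in keys)

    return {"4.1": non_root, "4.6": has_healthcheck, "4.9": no_add, "4.10": not leaks}


# Constructed sample: multi-stage build on the -slim base named in the report, non-root runtime.
HARDENED = """\
# --- build stage ---
FROM python:3.12-slim AS build
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt \\
    && rm -rf /root/.cache

# --- runtime stage ---
FROM python:3.12-slim
COPY --from=build /install /usr/local
COPY app/ /app/
RUN useradd --system --uid 10001 --no-create-home app
USER app
HEALTHCHECK --interval=30s --timeout=3s CMD ["python", "/app/healthcheck.py"]
CMD ["python", "/app/main.py"]
"""

# Constructed sample that fails every check above.
WEAK = """\
FROM python:latest
ADD app.tar.gz /app/
ENV API_TOKEN=constructed-placeholder-value
HEALTHCHECK NONE
CMD ["python", "/app/main.py"]
"""

if __name__ == "__main__":
    print("hardened:", audit_dockerfile(HARDENED))
    print("weak:    ", audit_dockerfile(WEAK))
```

Running the module prints a pass/fail map per sample; in a CI pipeline the same function would gate the build before the Trivy scan that the report lists as evidence for 4.4.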
3.2 Container Runtime (Section 5)
These controls ensure that containers are run with appropriate security restrictions
and limited privileges.
| # | Recommendation | Status | Evidence |
|---|---|---|---|
| 5.3 | Ensure Linux kernel capabilities are restricted | ✅ PASS | cap_drop: ALL in compose |
| 5.4 | Ensure privileged containers are not used | ✅ PASS | privileged: false |
| 5.5 | Ensure sensitive host directories are not mounted | ✅ PASS | Only data volumes mounted |
| 5.6 | Ensure SSH is not run within containers | ✅ PASS | No sshd process |
| 5.7 | Ensure privileged ports are not mapped | ✅ PASS | Ports > 1024 only |
| 5.12 | Ensure the container's root filesystem is mounted as read only | ✅ PASS | read_only: true |
| 5.21 | Ensure default seccomp profile is not disabled | ✅ PASS | Default profile enabled |
| 5.25 | Ensure container is not granted additional privileges | ✅ PASS | no_new_privileges: true |
| 5.28 | Ensure default bridge network is not used | ✅ PASS | Custom network defined |
4. Kubernetes Compliance
4.1 Policies (Section 5)
These controls ensure that Kubernetes workloads are deployed with appropriate security
policies and restrictions.
| # | Recommendation | Status | Evidence |
|---|---|---|---|
| 5.1.5 | Ensure default service account is not used | ✅ PASS | Dedicated ServiceAccount |
| 5.2.1 | Minimize privileged containers | ✅ PASS | privileged: false |
| 5.2.4 | Minimize allowPrivilegeEscalation | ✅ PASS | allowPrivilegeEscalation: false |
| 5.2.5 | Minimize containers running as root | ✅ PASS | runAsNonRoot: true |
| 5.2.6 | Minimize NET_RAW capability | ✅ PASS | drop: ["ALL"] |
| 5.2.8 | Ensure containers use read-only root filesystem | ✅ PASS | readOnlyRootFilesystem: true |
| 5.3.1 | Ensure NetworkPolicies are defined | ✅ PASS | NetworkPolicy in Helm chart |
| 5.3.2 | Ensure default deny ingress policy | ✅ PASS | Default deny policy |
| 5.4.1 | Prefer using secrets as files over env vars | ✅ PASS | secretKeyRef used |
| 6.1 | Ensure seccomp profile is set | ✅ PASS | RuntimeDefault profile |
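The runtime controls in sections 3.2 and 4.1 are all expressed as fields in a Compose service or a Pod spec, so the evidence the report cites can be re-verified from the manifests themselves. The checker below is an added example and is not part of the NIS2 Shield assessment, Helm charts or Compose files. It covers the Compose controls 5.3, 5.4, 5.7, 5.12, 5.21, 5.25 and 5.28 and the Kubernetes controls 5.1.5, 5.2.1, 5.2.4, 5.2.5, 5.2.6, 5.2.8 and the seccomp check; the manifests it runs over are constructed and embedded as Python dicts (the shape a YAML loader would return) so it runs offline. It deliberately treats `allowPrivilegeEscalation` as failing when the field is absent, because Kubernetes defaults it to true.

```python
"""Audit a Docker Compose service and a Kubernetes Pod spec against the runtime
controls listed in sections 3.2 and 4.1 (CIS Docker v1.6 section 5 and
CIS Kubernetes v1.8 section 5 plus the seccomp check).

Added example: not part of the NIS2 Shield assessment, Helm charts or Compose
files. Both manifests are constructed and embedded as Python dicts (the shape
yaml.safe_load would return) so the audit runs offline without a YAML library.
"""


def _security_opts(svc: dict) -> set:
    """Normalise security_opt entries; Docker accepts 'key:value' and 'key=value'."""
    return {o.replace("=", ":").replace(" ", "") for o in svc.get("security_opt", [])}


def _host_ports(svc: dict) -> list:
    """Host-side port of each published mapping: '8080:80/tcp', '127.0.0.1:8080:80',
    '8080' (same port both sides), '8080-8081:80-81' or the long {published: ...} form."""
    ports = []
    for p in svc.get("ports", []):
        if isinstance(p, dict):
            ports.append(int(str(p.get("published", p["target"])).split("-")[0]))
            continue
        parts = str(p).split("/")[0].split(":")
        ports.append(int((parts[-2] if len(parts) > 1 else parts[-1]).split("-")[0]))
    return ports


def audit_compose_service(svc: dict) -> dict:
    opts = _security_opts(svc)
    nets = svc.get("networks") or {}   # list or mapping; list(...) yields the names either way
    return {
        # 5.3: every capability dropped and nothing added back
        "5.3": "ALL" in [c.upper() for c in svc.get("cap_drop", [])] and not svc.get("cap_add"),
        "5.4": svc.get("privileged") is not True,
        # 5.7: only unprivileged ports are published on the host side
        "5.7": all(port > 1024 for port in _host_ports(svc)),
        "5.12": svc.get("read_only") is True,
        # 5.21: the default seccomp profile has not been switched off
        "5.21": "seccomp:unconfined" not in opts,
        # 5.25: Compose expresses no-new-privileges through security_opt
        "5.25": "no-new-privileges:true" in opts or "no-new-privileges" in opts,
        # 5.28: a named network is used instead of the default bridge or the host namespace
        "5.28": svc.get("network_mode") not in ("bridge", "host") and bool(list(nets)),
    }


def audit_pod_spec(spec: dict) -> dict:
    pod_sc = spec.get("securityContext", {})
    ctrs = spec.get("containers", []) + spec.get("initContainers", [])

    def own(c, key):          # securityContext fields that exist only at container level
        return c.get("securityContext", {}).get(key)

    def inherited(c, key):    # fields a container may inherit from the pod-level securityContext
        return c.get("securityContext", {}).get(key, pod_sc.get(key))

    def drops(c):
        return [x.upper() for x in (own(c, "capabilities") or {}).get("drop", [])]

    return {
        "5.1.5": spec.get("serviceAccountName", "default") != "default",
        "5.2.1": all(own(c, "privileged") is not True for c in ctrs),
        # 5.2.4: must be explicitly false; an unset field defaults to true
        "5.2.4": all(own(c, "allowPrivilegeEscalation") is False for c in ctrs),
        "5.2.5": all(inherited(c, "runAsNonRoot") is True for c in ctrs),
        # 5.2.6: dropping ALL satisfies the NET_RAW requirement
        "5.2.6": all("ALL" in drops(c) or "NET_RAW" in drops(c) for c in ctrs),
        "5.2.8": all(own(c, "readOnlyRootFilesystem") is True for c in ctrs),
        "6.1": all((inherited(c, "seccompProfile") or {}).get("type") in ("RuntimeDefault", "Localhost")
                   for c in ctrs),
    }


def summarise(results: dict) -> str:
    """Render results the way the report does, e.g. '7/7 controls pass'."""
    return f"{sum(results.values())}/{len(results)} controls pass"


# Constructed samples: a hardened and a weak manifest of each kind.
COMPOSE_SERVICE = {
    "image": "example/api:1.0.0", "read_only": True, "privileged": False,
    "cap_drop": ["ALL"], "security_opt": ["no-new-privileges:true"],
    "ports": ["8080:8080"], "networks": {"backend": None}, "tmpfs": ["/tmp"],
}
WEAK_SERVICE = {"image": "example/api:latest", "ports": ["80:8080"],
                "security_opt": ["seccomp:unconfined"], "network_mode": "bridge"}
POD_SPEC = {
    "serviceAccountName": "api",
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "api", "image": "example/api:1.0.0", "securityContext": {
        "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
        "capabilities": {"drop": ["ALL"]}}}],
}
WEAK_POD = {"containers": [{"name": "api", "image": "example/api:latest",
                            "securityContext": {"privileged": True}}]}

if __name__ == "__main__":
    for name, res in (("compose", audit_compose_service(COMPOSE_SERVICE)),
                      ("weak compose", audit_compose_service(WEAK_SERVICE)),
                      ("pod", audit_pod_spec(POD_SPEC)),
                      ("weak pod", audit_pod_spec(WEAK_POD))):
        print(f"{name}: {summarise(res)}  {res}")
```

The pod-level `securityContext` is consulted only for `runAsNonRoot` and `seccompProfile`, the two fields Kubernetes lets a container inherit; `privileged`, `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and `capabilities` must be set on each container, including init containers, which is why the checker iterates over both lists.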
Legend
✅ PASS: Control is fully implemented
⚠️ PARTIAL: Partially implemented or recommended
ℹ️ N/A: Host/Cluster responsibility
5. Certification Statement
This document certifies that the NIS2 Shield infrastructure components, as deployed
using the official Helm charts and Docker Compose configurations, have been assessed
against the CIS Benchmarks listed above.
Assessment Date: January 2026
Assessed By: NIS2 Shield Security Team
Docker Benchmark Version: CIS Docker v1.6.0
Kubernetes Benchmark Version: CIS Kubernetes v1.8.0