1. Executive Summary
This document provides a comprehensive mapping of NIS2 Shield's compliance with the EU NIS2 Directive (2022/2555), specifically addressing Article 21 cybersecurity risk-management measures and Article 23 reporting obligations.
NIS2 Shield infrastructure meets or exceeds NIS2 Directive requirements across all mandatory domains.
Key Compliance Highlights
- Zero-trust architecture with encryption at rest (AES-256-GCM) and in transit (TLS 1.2+)
- SIEM-ready structured logging with HMAC integrity signatures
- Automated backup with GPG encryption and cloud replication
- OPA Gatekeeper for policy-as-code enforcement
- CIS Kubernetes Benchmark validation via automated probes
- Multi-Factor Authentication enforcement middleware
2. NIS2 Directive Overview
The NIS2 Directive (EU 2022/2555) establishes a high common level of cybersecurity across the European Union. It replaces the original NIS Directive of 2016 and significantly expands the scope of organizations and sectors covered.
Scope & Applicability
NIS2 applies to entities in essential and important sectors, including energy, transport, banking, healthcare, digital infrastructure, and public administration. Organizations must implement appropriate cybersecurity risk-management measures and report significant incidents.
Member States must transpose NIS2 into national law by 17 October 2024. Organizations in scope should be compliant by this date.
NIS2 Shield Approach
NIS2 Shield provides open-source infrastructure components (Docker Compose, Helm charts, Terraform modules) and backend middleware (Django, Spring, Express, .NET) that implement NIS2 requirements by design. This "compliance-by-architecture" approach ensures that organizations deploying NIS2 Shield automatically inherit compliant security controls.
| Component | Technology | NIS2 Coverage |
|---|---|---|
| Infrastructure | Docker, Kubernetes, Terraform | Art. 21.2.a, c, f, g |
| Django Middleware | Python / Django | Art. 21.2.b, h, Art. 23 |
| Spring Shield | Java / Spring Boot | Art. 21.2.b, h, Art. 23 |
| Express Middleware | Node.js / Express | Art. 21.2.b, h, Art. 23 |
| Compliance Engine | Python CLI | Verification & Audit |
3. Article 21 Compliance
Article 21 of the NIS2 Directive mandates that essential and important entities take appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks.
3.1 Risk Analysis (Article 21.2.a)
NIS2 Shield implements comprehensive risk analysis through documented threat models, hardened container configurations, and automated vulnerability management.
| # | Requirement | Implementation | Status |
|---|---|---|---|
| 21a.1 | Risk analysis performed | Documented threat model in SECURITY.md | ✓ PASS |
| 21a.2 | Security policies defined | CIS_COMPLIANCE.md with policy mappings | ✓ PASS |
| 21a.3 | Attack surface minimized | Read-only root filesystem in containers | ✓ PASS |
| 21a.4 | Configuration hardening | Non-root users, no-new-privileges flag | ✓ PASS |
| 21a.5 | Vulnerability management | CI pipeline with tfsec, trivy, gitleaks | ✓ PASS |
Risk posture is continuously validated via Probe F (CIS Kubernetes Benchmark) in the NIS2 Compliance Engine.
3.2 Incident Handling (Article 21.2.b)
NIS2 Shield provides comprehensive incident detection and response capabilities through structured logging, SIEM integration, and automated alerting mechanisms.
| # | Requirement | Implementation | Status |
|---|---|---|---|
| 21b.1 | Incident detection | SIEM-ready logging via Fluent Bit | ✓ PASS |
| 21b.2 | Structured audit logs | JSON and CEF format with HMAC signatures | ✓ PASS |
| 21b.3 | Log integrity | HMAC-SHA256 signing per log entry | ✓ PASS |
| 21b.4 | Incident response plan | Documented vulnerability disclosure process | ✓ PASS |
| 21b.5 | 24-hour notification capability | SIEM integration + webhook notifications | ✓ PASS |
Implementation Details
- Nis2AuditLogger: Django/Spring/Express middleware capturing all security events
- Multi-SIEM Connectors: Native support for Splunk, Elastic, Sentinel, QRadar
- Webhook Notifications: Real-time alerts to Slack, Teams, email
- Forensic Export: Tamper-evident log packages for incident investigation
3.3 Business Continuity (Article 21.2.c)
The Crypto-Replicator component ensures data sovereignty while enabling secure cloud backup with zero-trust encryption.
| # | Requirement | Implementation | Status |
|---|---|---|---|
| 21c.1 | Automated backups | Every 6 hours, 7-day retention | ✓ PASS |
| 21c.2 | Backup encryption | GPG encryption at source | ✓ PASS |
| 21c.3 | Offsite backup | Crypto-Replicator to S3/Azure/GCS | ✓ PASS |
| 21c.4 | Zero-trust cloud storage | AES-256-GCM + RSA-OAEP key wrapping | ✓ PASS |
| 21c.5 | DR testing | restore-test.sh validation script | ✓ PASS |
| 21c.6 | DR documentation | CRYPTOGRAPHY.md with procedures | ✓ PASS |
| 21c.7 | Key rotation | KeyRotationManager with versioning | ✓ PASS |
3.4 Supply Chain Security (Article 21.2.d)
| # | Requirement | Implementation | Status |
|---|---|---|---|
| 21d.1 | Verified base images | Official Docker Hub images only | ✓ PASS |
| 21d.2 | Dependency pinning | Versioned requirements.txt, package-lock.json | ✓ PASS |
| 21d.3 | Open source transparency | MIT license, public GitHub repositories | ✓ PASS |
| 21d.4 | SBOM generation | Recommended in CI (organizational) | ⚠ PARTIAL |
| 21d.5 | Vulnerability scanning | Trivy in CI, Hadolint for Dockerfiles | ✓ PASS |
Software Bill of Materials generation is supported but must be configured by the deploying organization. Sample CI/CD templates are provided.
3.5 Vulnerability Management (Article 21.2.e)
| # | Requirement | Implementation | Status |
|---|---|---|---|
| 21e.1 | Secure development | Code review, CI/CD pipelines | ✓ PASS |
| 21e.2 | Vulnerability disclosure | SECURITY.md, security@nis2shield.com | ✓ PASS |
| 21e.3 | Response timelines | SLAs by severity in SECURITY.md | ✓ PASS |
| 21e.4 | Patch management | Monthly recommended (organizational) | ⚠ PARTIAL |
NIS2 Shield provides updated images, but patch scheduling must be managed by the deploying organization according to their change management process.
3.6 Cryptography (Article 21.2.f)
NIS2 Shield implements NIST-approved cryptographic algorithms with documented key management procedures.
| Component | Algorithm | Key Size | Mode |
|---|---|---|---|
| Log field encryption | AES | 128-bit | Fernet (CBC+HMAC) |
| Cloud backup payload | AES | 256-bit | GCM (AEAD) |
| Backup key wrapping | RSA | 2048-bit | OAEP-SHA256 |
| Log signing | HMAC | 256-bit | SHA-256 |
| Transport | TLS | - | 1.2+ minimum |
Compliance Status
| # | Requirement | Implementation | Status |
|---|---|---|---|
| 21f.1 | Encryption at rest | AES-256, Fernet | ✓ PASS |
| 21f.2 | Encryption in transit | TLS 1.2+ mandatory | ✓ PASS |
| 21f.3 | Key management | Rotation, separation, versioning | ✓ PASS |
| 21f.4 | Algorithm selection | NIST SP 800-38D, FIPS 140-2 approved | ✓ PASS |
| 21f.5 | PII protection | Field-level Fernet encryption | ✓ PASS |
3.7 Access Control (Article 21.2.g)
| # | Requirement | Implementation | Status |
|---|---|---|---|
| 21g.1 | Access control policies | RBAC, database user separation | ✓ PASS |
| 21g.2 | Least privilege | Minimal container capabilities | ✓ PASS |
| 21g.3 | Secrets management | Vault-ready architecture | ✓ PASS |
| 21g.4 | Audit logging | All access attempts logged | ✓ PASS |
3.8 Multi-Factor Authentication (Article 21.2.h)
NIS2 Shield middleware provides MFA enforcement capabilities that integrate with existing identity providers.
| # | Requirement | Implementation | Status |
|---|---|---|---|
| 21h.1 | MFA support | MFAEnforcer middleware | ✓ PASS |
| 21h.2 | Session security | SessionGuard with fingerprinting | ✓ PASS |
| 21h.3 | Device validation | Device fingerprint binding | ✓ PASS |
MFA Middleware Features
- Configurable enforcement per route or user role
- Session invalidation on device fingerprint mismatch
- TOTP and WebAuthn support (organizational configuration)
- Audit logging of all MFA events
4. Article 23 - Reporting Obligations
| # | Requirement | Implementation | Status |
|---|---|---|---|
| 23.1 | Early warning (24h) | Timestamped logs, SIEM alerts | ✓ PASS |
| 23.2 | Structured reports | JSON and CEF format | ✓ PASS |
| 23.3 | CSIRT integration | SIEM forwarding to national CSIRTs | ✓ PASS |
| 23.4 | Evidence preservation | Immutable logs with HMAC signatures | ✓ PASS |
The NIS2 Compliance Engine can generate tamper-evident forensic packages suitable for submission to competent authorities and CSIRTs.
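As an added illustration of the per-entry HMAC-SHA256 log signing referenced in 21b.3 and the evidence-preservation requirement in 23.4 (example code written for this document, not NIS2 Shield's own Nis2AuditLogger or HMAC Verifier), the following Python signs constructed sample events and then verifies the log, reporting the first entry that was altered, removed or reordered. The `prev_sig` chain link and the event field names are assumptions; the page only states that each entry is signed.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would load it from a secret store.
KEY = b"demo-hmac-key-replace-in-production"

# Constructed sample security events (field names are an assumption).
SAMPLE_EVENTS = [
    {"ts": "2026-01-10T08:00:00Z", "event": "login", "user": "alice", "outcome": "success"},
    {"ts": "2026-01-10T08:00:05Z", "event": "login", "user": "mallory", "outcome": "failure"},
    {"ts": "2026-01-10T08:01:00Z", "event": "mfa_challenge", "user": "alice", "outcome": "success"},
]

def canonical(entry: dict) -> bytes:
    """Sorted keys, no whitespace: the same event must always serialise to the same bytes."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

def sign_entry(entry: dict, key: bytes, prev_sig: str = "") -> dict:
    """Return a copy of the entry carrying prev_sig (chain link) and an HMAC-SHA256 sig."""
    body = dict(entry)
    body["prev_sig"] = prev_sig  # assumption: chaining added here, not stated on the page
    body["sig"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return body

def build_log(events, key: bytes) -> list:
    """Sign events in order, linking each entry to the previous entry's signature."""
    signed, prev = [], ""
    for ev in events:
        entry = sign_entry(ev, key, prev)
        signed.append(entry)
        prev = entry["sig"]
    return signed

def verify_log(entries, key: bytes):
    """Return (True, None) if every entry verifies, else (False, index of first bad entry)."""
    prev = ""
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "sig"}
        if body.get("prev_sig") != prev:  # an entry was deleted, inserted or reordered
            return False, i
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        sig = e.get("sig", "")
        if not hmac.compare_digest(expected, sig):  # content or signature was altered
            return False, i
        prev = sig
    return True, None
```

Verification is constant-time per entry via `hmac.compare_digest`; a wrong key fails at index 0, so key mismatch and tampering are both surfaced rather than silently accepted.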
5. Verification & Audit
NIS2 Shield includes the Compliance Engine, a commercial tool that automates compliance verification and generates audit-ready PDF reports.
Automated Probes
| Probe | Tool | NIS2 Article | Description |
|---|---|---|---|
| Probe A | tfsec | 21.2.f | Infrastructure encryption verification |
| Probe B | trivy | 21.2.d | Supply chain CVE detection |
| Probe C | gitleaks | - | Secrets detection in code |
| Probe D | GitHub API | 21.2.c | Operational continuity checks |
| Probe E | HMAC Verifier | 21.2.h | Log integrity verification |
| Probe F | kube-bench | 21.2.a | CIS Kubernetes Benchmark |
Usage

```shell
python nis2_audit.py report --org "Your Organization" --period "Q1 2026"
```
6. Certification Statement
This compliance assessment was conducted against NIS2 Shield Infrastructure v1.0.0 and associated middleware packages. The assessment reflects the state of the open-source components as documented in the respective GitHub repositories.
Assessment Details
This document was generated from NIS2 Shield compliance tools.
© 2026 NIS2 Shield Contributors • nis2shield.com