95% Compliant

NIS2 Self-Assessment Checklist

Compliance verification for NIS2 Directive Article 21 & 23 requirements.

Full Compliance Guide

Compliance Summary

42
Total Requirements
40
Compliant
2
Partial
0
Gaps

Article 21(a) - Risk Analysis

"Policies on risk analysis and information system security"

# Requirement Implementation Status
21a.1 Risk analysis performed Threat model in SECURITY.md
21a.2 Security policies defined CIS_COMPLIANCE.md
21a.3 Attack surface minimized Read-only containers
21a.4 Configuration hardening Non-root, no-new-privileges
21a.5 Vulnerability management CI pipeline with linting

Article 21(b) - Incident Handling

"Incident handling"

# Requirement Implementation Status
21b.1 Incident detection SIEM-ready logging (Fluent Bit)
21b.2 Structured audit logs JSON/CEF format with HMAC
21b.3 Log integrity HMAC signing
21b.4 Incident response plan Vulnerability disclosure
21b.5 24h notification SIEM integration, webhooks

Article 21(c) - Business Continuity

"Business continuity, backup management and disaster recovery"

# Requirement Implementation Status
21c.1 Automated backups Every 6h, 7-day retention
21c.2 Backup encryption GPG encryption supported
21c.3 Offsite backup Crypto-Replicator to cloud
21c.4 Zero-trust cloud AES-256-GCM + RSA-OAEP
21c.5 DR testing restore-test.sh script
21c.6 DR documentation CRYPTOGRAPHY.md
21c.7 Key rotation KeyRotationManager

Article 21(d) - Supply Chain Security

"Supply chain security"

# Requirement Implementation Status
21d.1 Verified base images Official images
21d.2 Dependency pinning requirements.txt
21d.3 Open source transparency MIT license, public repo
21d.4 SBOM generation Recommended in CI ⚠️
21d.5 Vulnerability scanning Hadolint in CI

Article 21(e) - Vulnerability Handling

"Security in network and systems acquisition, development and maintenance"

# Requirement Implementation Status
21e.1 Secure development Code review, CI/CD
21e.2 Vulnerability disclosure security@nis2shield.com
21e.3 Response timelines SLAs by severity
21e.4 Patch management Monthly recommended ⚠️

Article 21(f) - Cryptography

"Policies and procedures regarding the use of cryptography"

# Requirement Implementation Status
21f.1 Encryption at rest AES-256, Fernet
21f.2 Encryption in transit TLS 1.2+
21f.3 Key management Rotation, separation
21f.4 Algorithm selection NIST-approved
21f.5 PII protection Fernet in logs

Article 21(g) - Access Control

"Human resources security, access control policies"

# Requirement Implementation Status
21g.1 Access control RBAC, DB separation
21g.2 Least privilege Minimal capabilities
21g.3 Secrets management Vault ready
21g.4 Audit logging All access logged

Article 21(h) - Multi-Factor Authentication

"Use of multi-factor authentication"

# Requirement Implementation Status
21h.1 MFA support MFAEnforcer middleware
21h.2 Session security SessionGuard, fingerprint
21h.3 Device validation Device fingerprint

Article 23 - Reporting Obligations

"Reporting obligations"

# Requirement Implementation Status
23.1 Early warning (24h) Timestamped logs
23.2 Structured reports JSON/CEF format
23.3 CSIRT integration SIEM forwarding
23.4 Evidence preservation Immutable, HMAC signed

Certification Statement

This self-assessment was conducted against NIS2 Shield Infrastructure v1.0.0.