Secure-by-Design Infrastructure for NIS2 Compliance.
This repository provides the "last mile" for NIS2 compliance: secure infrastructure. Deploy with Docker Compose, Helm (Kubernetes), or Terraform (Cloud). While django-nis2-shield, nis2-spring-shield, dotnet-nis2-shield, and @nis2shield/react-guard protect your code, this kit protects the execution environment.
```text
┌────────────────────────────────────────────────────┐
│ Frontend                                           │
│ @nis2shield/{react,angular,vue}-guard              │
│ ├── SessionWatchdog (idle detection)               │
│ ├── AuditBoundary / SecureStorage                  │
│ └── → POST /api/nis2/telemetry/                    │
└────────────────────────────────────────────────────┘
                           │
                           ▼
┌────────────────────────────────────────────────────┐
│ Backend (NIS2 Adapter)                             │
│ Supported: Django, Express, Spring Boot, .NET      │
│ ├── ForensicLogger (HMAC signed logs)              │
│ ├── RateLimiter, SessionGuard, TorBlocker          │
│ └── → SIEM (Elasticsearch, Splunk, QRadar, etc.)   │
└────────────────────────────────────────────────────┘
                           │
                           ▼
┌────────────────────────────────────────────────────┐
│ Infrastructure                                     │
│ nis2shield/infrastructure                          │
│ ├── Centralized Logging (ELK/Splunk)               │
│ ├── Compliance Reporting (Automatic PDF generation)│
│ └── Audited Deployment (Terraform/Helm)            │
└────────────────────────────────────────────────────┘
```
Full-Stack Support! Backend: Django, Spring Boot, Express, .NET. Frontend: React, Angular, Vue. Same JSON log format, same infrastructure.
- Hardened Containers: Non-root execution, read-only filesystem
- Log Segregation: Logs exported via sidecar (Fluent Bit)
- Automated Backups: PostgreSQL dumps with retention policy
- Encrypted Twin: Zero-trust cloud backup (AES-256 + RSA)
- Compliance Engine: Automated `tfsec` & `gitleaks` checks in CI/CD
- Dynamic Reporting: Updates `NIS2_SELF_ASSESSMENT.md` automatically
- Kubernetes Ready: Production Helm chart with NetworkPolicies
- Multi-Cloud: Terraform modules for AWS, GCP, Azure
- NIS2 Compliant: Addresses Art. 21 infrastructure requirements
```mermaid
graph TB
    subgraph Docker["Docker Compose Stack"]
        webapp["webapp<br/>(Django / Spring / .NET)"]
        logs["log-collector<br/>(Fluent Bit)"]
        backup["db-backup<br/>(Cron)"]
        db[(PostgreSQL)]
        webapp --> |writes logs| logs
        webapp --> db
        backup --> |dumps| db
    end
    logs --> |forwards to| SIEM["SIEM/Elasticsearch"]
    backup --> |stores| Storage["./backups/"]
    style webapp fill:#3b82f6
    style logs fill:#10b981
    style backup fill:#f59e0b
    style db fill:#8b5cf6
```
Note: The JSON log format is identical for both Django and Spring Boot applications, ensuring seamless interoperability.
| Component | Protection |
|---|---|
| webapp | Non-root, read-only filesystem, tmpfs |
| log-collector | Read-only log access, SIEM forwarding |
| db-backup | 7-day retention, optional GPG encryption |
| PostgreSQL | Dedicated volume, health checks |
The Crypto-Replicator provides zero-trust cloud backup:
```mermaid
sequenceDiagram
    participant DB as PostgreSQL
    participant CR as Crypto-Replicator
    participant Cloud as Cloud Storage
    DB->>CR: NOTIFY (change event)
    Note over CR: 1. Generate AES session key
    Note over CR: 2. Encrypt data with AES-GCM
    Note over CR: 3. Wrap key with RSA public
    CR->>Cloud: Encrypted Envelope
    Note over Cloud: Cannot decrypt!<br/>(no private key)
```
Key Features:
- AES-256-GCM - Authenticated data encryption
- RSA-OAEP - Asymmetric key wrapping
- Forward Secrecy - Unique session key per message
- Zero-Trust Cloud - Cloud cannot read your data
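The three steps in the diagram are a textbook hybrid envelope: a fresh AES-256 session key per message, AES-GCM over the change event, and RSA-OAEP to wrap that key for a private key the cloud never holds. The following is an added illustration of that scheme, not the repository's own `crypto_replicator` module; it assumes the `cryptography` package, and the change-event payload, the `aad` context string and the envelope field names are constructed for the example. Because GCM is authenticated, any alteration of the stored envelope (ciphertext, nonce or associated data) is detected at restore time rather than silently producing garbage.

```python
"""Envelope encryption as drawn in the Crypto-Replicator sequence diagram.

Added example, not the repository's crypto_replicator module. Assumes the
`cryptography` package; the change-event payload and field names are
constructed for illustration."""

import base64
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


def generate_recipient_keypair(bits: int = 2048):
    """The public key is deployed with the replicator; the private key stays
    offline, which is what makes the stored envelopes opaque to the cloud."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    return private_key, private_key.public_key()


def _oaep() -> padding.OAEP:
    return padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA256()),
        algorithm=hashes.SHA256(),
        label=None,
    )


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def seal(public_key, plaintext: bytes, aad: bytes = b"") -> dict:
    """Produce the encrypted envelope that is shipped to cloud storage."""
    session_key = AESGCM.generate_key(bit_length=256)   # 1. unique per message
    nonce = os.urandom(12)                               # 96-bit GCM nonce (key is single-use)
    ciphertext = AESGCM(session_key).encrypt(nonce, plaintext, aad or None)  # 2. AES-256-GCM
    wrapped_key = public_key.encrypt(session_key, _oaep())                   # 3. RSA-OAEP wrap
    return {
        "alg": "AES-256-GCM+RSA-OAEP-SHA256",
        "nonce": _b64(nonce),
        "ciphertext": _b64(ciphertext),   # carries the 16-byte GCM tag at the end
        "wrapped_key": _b64(wrapped_key),
        "aad": _b64(aad),                 # bound to the ciphertext, stored in clear
    }


def open_envelope(private_key, envelope: dict) -> bytes:
    """Recover the plaintext; raises InvalidTag if ciphertext, nonce or AAD were altered."""
    session_key = private_key.decrypt(base64.b64decode(envelope["wrapped_key"]), _oaep())
    aad = base64.b64decode(envelope["aad"]) or None
    return AESGCM(session_key).decrypt(
        base64.b64decode(envelope["nonce"]),
        base64.b64decode(envelope["ciphertext"]),
        aad,
    )


def is_intact(private_key, envelope: dict) -> bool:
    """True when the envelope authenticates, False on any tampering."""
    try:
        open_envelope(private_key, envelope)
        return True
    except (InvalidTag, ValueError):
        return False


def tampered(envelope: dict) -> dict:
    """Copy of the envelope with one ciphertext byte flipped, to show detection."""
    raw = bytearray(base64.b64decode(envelope["ciphertext"]))
    raw[0] ^= 0x01
    return {**envelope, "ciphertext": _b64(bytes(raw))}


if __name__ == "__main__":
    priv, pub = generate_recipient_keypair()
    # Constructed change event, the kind of row the NOTIFY hook would hand over.
    event = json.dumps({"table": "orders", "op": "UPDATE", "id": 42}).encode()
    env = seal(pub, event, aad=b"tenant=acme")
    print(json.dumps(env, indent=2))
    print("restored:", open_envelope(priv, env) == event)
    print("tampered envelope accepted?", is_intact(priv, tampered(env)))
```

Sealing the same event twice yields two different wrapped keys and ciphertexts, which is the "unique session key per message" property listed above; the RSA private key alone decides who can open an envelope, so it belongs in a KMS or an offline HSM, never on the replicator host.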
This infrastructure is designed to support the NIS2Shield business model:

The Truth (Open Source):
- Secure Infrastructure: All the Docker/Helm/Terraform code in this repo is free and MIT licensed.
- Static Guardrails: We provide configs for `tfsec` and `gitleaks` to block insecurity in CI/CD.
- Self-Assessment: The manual docs/NIS2_SELF_ASSESSMENT.md checklist.

The Proof (Auditor Kit - Commercial):
- Compliance Engine: The proprietary binary that connects to this infrastructure.
- Automated Reporting: It parses the logs generated by these containers to verify operational requirements (e.g., "Did backups run?").
- Legal PDF: Automatically generates the signed report for your auditor.

Note: This repository contains "The Truth" (the secure runtime). To get the automated "Proof" (Compliance Engine & Reports), see our Pro Auditor Kit.
- Docker & Docker Compose v2+
- A Docker image of your application using:
- Django: django-nis2-shield
- Spring Boot: nis2-spring-shield
- .NET: dotnet-nis2-shield
```bash
# Clone the repository
git clone https://github.com/nis2shield/infrastructure.git
cd infrastructure
# Copy environment template
cp .env.example .env
# Edit .env with your values (IMPORTANT: change passwords!)
nano .env
# Start the stack
docker-compose up -d
# Check status
docker-compose ps
```
Your Django, Spring Boot, or .NET application, hardened with:
- `user: 1000:1000` - Non-root execution
- `read_only: true` - Immutable filesystem
- `tmpfs: /tmp` - RAM-only writable directory

Spring Boot: See `examples/docker-compose.spring.yml` for a Spring-specific example.
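The three settings above are easy to lose when a service definition is copied or overridden. The following added script (not a tool from this repository) audits a parsed Compose document for them, and goes one step further than the list by also flagging `privileged: true`; it takes the document as a plain dict so it needs no YAML library, and the two sample services are constructed to show a weak definition next to the hardened one.

```python
"""Audit docker-compose service definitions for the README's hardening
settings: non-root user, read-only root filesystem, tmpfs for /tmp.

Added example, not part of nis2shield/infrastructure. Works on an
already-parsed compose document (a dict); the sample services are
constructed for illustration. The privileged-mode check is an addition
beyond the three settings listed in the README."""

from typing import Dict, List


def audit_service(name: str, svc: dict) -> List[str]:
    """Return findings for one service; an empty list means it passes."""
    findings: List[str] = []

    user = str(svc.get("user", "")).strip()
    if not user:
        findings.append(f"{name}: no 'user' set, container will run as root")
    elif user.split(":")[0] in ("0", "root"):
        findings.append(f"{name}: user '{user}' is root")

    if svc.get("read_only") is not True:
        findings.append(f"{name}: root filesystem is writable ('read_only: true' missing)")

    # Compose accepts a string or a list; strip ":options" to get the mount point.
    tmpfs = svc.get("tmpfs", [])
    if isinstance(tmpfs, str):
        tmpfs = [tmpfs]
    mounts = [entry.split(":")[0] for entry in tmpfs]
    if svc.get("read_only") is True and "/tmp" not in mounts:
        findings.append(f"{name}: read-only filesystem but no tmpfs for /tmp")

    if svc.get("privileged") is True:
        findings.append(f"{name}: privileged mode enabled")
    return findings


def audit_compose(doc: dict) -> Dict[str, List[str]]:
    """Audit every service in a parsed compose document."""
    return {name: audit_service(name, svc) for name, svc in doc.get("services", {}).items()}


# Constructed sample: one unhardened service next to one matching the README.
SAMPLE_COMPOSE = {
    "services": {
        "webapp-weak": {"image": "example/webapp:1.0", "ports": ["8000:8000"]},
        "webapp": {
            "image": "example/webapp:1.0",
            "user": "1000:1000",
            "read_only": True,
            "tmpfs": ["/tmp"],
        },
    }
}

if __name__ == "__main__":
    for svc, findings in audit_compose(SAMPLE_COMPOSE).items():
        print(f"[{'PASS' if not findings else 'FAIL'}] {svc}")
        for finding in findings:
            print("   -", finding)
```

Run it against `yaml.safe_load(open("docker-compose.yml"))` (with PyYAML installed) as a pre-deploy gate; a non-empty findings list is a reason to fail the pipeline, in the same spirit as the `tfsec` and `gitleaks` checks mentioned above.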
Reads logs from shared volume and forwards to:
- Console (default, for development)
- Elasticsearch (uncomment in config)
- HTTP/SIEM (Intrusa, Splunk HEC, etc.)
Edit monitoring/fluent-bit.conf to configure outputs.
Automated PostgreSQL backups:
- Schedule: `@every 6h00m` (configurable)
- Retention: 7 days (configurable)
- Location: `./backups/`
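A backup job that silently stops is the failure mode to watch for, and retention only counts if expired dumps actually get pruned. The following added script (not one of the repository's `scripts/`) evaluates a listing of `./backups/` against the `SCHEDULE` and `BACKUP_KEEP_DAYS` settings used by this stack; the dump filename pattern, the two-interval grace period before a backup counts as stale, and the sample listing are assumptions made for the example.

```python
"""Freshness and retention check for the dumps in ./backups/, driven by the
SCHEDULE and BACKUP_KEEP_DAYS settings of the stack.

Added example, not a script from the repository. The dump filename pattern,
the grace period and the sample listing are assumptions."""

import re
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

SCHEDULE = "@every 6h00m"   # value as set in .env
BACKUP_KEEP_DAYS = 7         # value as set in .env

_EVERY = re.compile(r"^@every\s+(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")
# Assumed dump naming: backup_YYYYMMDD_HHMMSS.sql.gz, timestamps in UTC.
_DUMP = re.compile(r"backup_(\d{8})_(\d{6})\.sql\.gz$")


def parse_every(schedule: str) -> timedelta:
    """Turn an '@every 6h00m' schedule string into a timedelta."""
    m = _EVERY.match(schedule.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported schedule: {schedule!r}")
    hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def dump_timestamp(filename: str) -> Optional[datetime]:
    """Timestamp encoded in the dump name, or None for files that are not dumps."""
    m = _DUMP.search(filename)
    if not m:
        return None
    stamp = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
    return stamp.replace(tzinfo=timezone.utc)


def check_backups(filenames: Iterable[str], now: datetime,
                  schedule: str = SCHEDULE, keep_days: int = BACKUP_KEEP_DAYS) -> dict:
    """Report whether the newest dump is recent enough and which dumps are past retention."""
    stamped = {f: dump_timestamp(f) for f in filenames}
    dumps = {f: t for f, t in stamped.items() if t is not None}
    interval = parse_every(schedule)
    newest = max(dumps.values(), default=None)
    # Assumption: tolerate one missed run before declaring the job stale.
    fresh = newest is not None and (now - newest) <= 2 * interval
    cutoff = now - timedelta(days=keep_days)
    return {
        "newest": newest,
        "fresh": fresh,
        "expired": sorted(f for f, t in dumps.items() if t < cutoff),
        "unrecognised": sorted(f for f, t in stamped.items() if t is None),
    }


# Constructed listing of ./backups/ as it would look at NOW.
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_LISTING = [
    "backup_20240510_060000.sql.gz",   # 6 h old: the latest scheduled run
    "backup_20240510_000000.sql.gz",
    "backup_20240503_120000.sql.gz",   # exactly 7 days old: still inside retention
    "backup_20240502_060000.sql.gz",   # 8 days old: past retention, should be pruned
    "notes.txt",                       # not a dump, reported but ignored
]

if __name__ == "__main__":
    report = check_backups(SAMPLE_LISTING, NOW)
    print("newest dump:      ", report["newest"])
    print("backup job healthy:", report["fresh"])
    print("expired (prune):  ", report["expired"])
    print("ignored:          ", report["unrecognised"])
```

In practice `filenames` comes from `os.listdir("./backups")` and `now` from `datetime.now(timezone.utc)`; a `fresh == False` result is the condition the Grafana "backup age" panel described later in this README is meant to surface, and the `expired` list is what the retention job should have already removed.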
Test that your backups can be restored (NIS2 Art. 21c requirement):
```bash
# Run the automated restore test
./scripts/restore-test.sh
# Or specify a backup file
./scripts/restore-test.sh ./backups/mybackup.sql.gz
```
The script will:
- Start an empty PostgreSQL container
- Restore the latest backup
- Validate the data integrity
- Generate a compliance report

Keep the generated report for your NIS2 audit documentation.
Visualize your NIS2 logs in a beautiful dashboard:
```bash
# Quick setup (starts ES + Kibana + configures index)
./scripts/elk-setup.sh
# Or manually
docker-compose -f docker-compose.yml -f docker-compose.elk.yml up -d
```
Once running:
- Kibana: http://localhost:5601
- Elasticsearch: http://localhost:9200

Go to Kibana → Analytics → Discover → Select "NIS2 Logs" to see your logs.

Note: ELK requires ~1.5GB RAM. Use the base stack for low-memory systems.
Real-time metrics and NIS2 compliance dashboard:
```bash
# Quick setup
./scripts/monitoring-setup.sh
# Or manually
docker-compose -f docker-compose.yml -f docker-compose.monitoring.yml up -d
```
Access:
- Grafana: http://localhost:3000 (admin/admin)
- Prometheus: http://localhost:9090

Pre-configured NIS2 dashboard includes:
- Request rate and error percentage
- Backup age monitoring
- System resource usage
For enterprise deployments, use our production-ready Helm chart:
```bash
# Install from local
helm install nis2shield ./charts/nis2shield -n nis2 --create-namespace
# With custom values
helm install nis2shield ./charts/nis2shield -f values-prod.yaml
```
Features:
- Security hardening (PSS restricted, runAsNonRoot)
- Ingress with TLS support
- NetworkPolicies for service isolation
- Toggle modules (replicator, monitoring)

Enterprise Deployment Guide
Infrastructure-as-Code for major cloud providers:
| Provider | Resources | Command |
|---|---|---|
| AWS | VPC, EKS, RDS, S3, KMS | cd terraform/aws && terraform apply |
| GCP | VPC, GKE, Cloud SQL, Storage | cd terraform/gcp && terraform apply |
| Azure | VNet, AKS, PostgreSQL, KeyVault | cd terraform/azure && terraform apply |
All modules include:
- Encrypted databases with managed keys
- Private networking (no public IPs)
- Secrets management integration
- High availability options
For organizations requiring automatic failover and business continuity, we offer a premium add-on:
```text
┌──────────────────────┐         ┌──────────────────────┐
│  PRIMARY SERVER      │  sync   │  CLOUD STANDBY       │
│  (ACTIVE)            │────────▶│  (DORMANT)           │
│                      │         │                      │
│  App + DB (primary)  │         │  App OFF + DB replica│
└──────────────────────┘         └──────────────────────┘
           │                                │
           └──────── Health Monitor ────────┘
                  (NIS2 Shield Cloud)
                           │
                           ▼
                 Automatic DNS Failover
                (RTO < 5min, RPO < 1min)
```
Features:
- Continuous health monitoring (every 30s)
- Automatic DNS failover via Cloudflare/Route53
- Slack/webhook notifications
- AES-256-GCM encrypted replication
- Satisfies NIS2 Art. 21.2.c (Business Continuity)

Pricing: €499 one-time license

Learn More | Contact Sales
```text
infrastructure/
├── charts/nis2shield/            # Helm Chart (K8s)
│   ├── Chart.yaml
│   ├── values.yaml
│   └── templates/                # Deployments, Services, etc.
│
├── terraform/                    # Cloud IaC
│   ├── aws/                      # VPC, EKS, RDS, S3
│   ├── gcp/                      # VPC, GKE, Cloud SQL
│   └── azure/                    # VNet, AKS, PostgreSQL
│
├── docker-compose.yml            # Base stack
├── docker-compose.prod.yml       # Production overrides
├── docker-compose.elk.yml        # ELK observability
├── docker-compose.monitoring.yml # Prometheus + Grafana
│
├── crypto-replicator/            # Encrypted Twin
│   ├── crypto_replicator/        # Python modules
│   ├── docs/                     # OpenAPI spec
│   └── tests/                    # Unit + integration
│
├── monitoring/                   # Fluent Bit, Prometheus
└── scripts/                      # Setup & DR testing
```
| NIS2 Article | Requirement | Infrastructure Solution |
|---|---|---|
| Art. 21 (a) | Risk analysis & system security | Hardened containers, non-root |
| Art. 21 (b) | Incident management | Centralized, segregated logs |
| Art. 21 (c) | Business continuity | Automated backups with retention |
| Art. 21 (d) | Supply chain security | Verified base images |
| Art. 21 (e) | Security hygiene | Read-only filesystem |
Edit monitoring/fluent-bit.conf:
```ini
# Uncomment for Elasticsearch
[OUTPUT]
    Name  es
    Host  ${ELASTICSEARCH_HOST}
    Port  9200
    Index nis2-logs
```
In docker-compose.yml or .env:
```bash
SCHEDULE=@every 6h00m   # Every 6 hours
BACKUP_KEEP_DAYS=7      # Keep 7 days
```
Backend Middleware:
- django-nis2-shield - Django middleware for NIS2 compliance
- nis2-spring-shield - Spring Boot starter for NIS2 compliance
- @nis2shield/express-middleware - Express.js middleware
- dotnet-nis2-shield - ASP.NET Core middleware
Frontend Guards:
- @nis2shield/react-guard - React 18+ client-side protection
- @nis2shield/angular-guard - Angular 14+ client-side protection
- @nis2shield/vue-guard - Vue 3 client-side protection
Resources:
- nis2shield.com - Documentation hub
MIT License - see LICENSE for details.
Subscribe to our Security Mailing List to receive immediate alerts about:
- Critical vulnerabilities (CVEs)
- NIS2/DORA regulatory logic updates
- Major breaking changes
For reporting vulnerabilities, see SECURITY.md.
Contributions welcome! See CONTRIBUTING.md.
Part of the NIS2 Shield ecosystem