Add NIS2 Minimum Requirements (#947)

* Add NIS2 Minimum Requirements * Comply with stable URL policy * Fix typo * Also list out-of-scope NIS2 requirements * Make pre-commit happy
elastisys · Sep 5, 2024 · e3b22ff · e3b22ff
1 parent 0ce6f1e
commit e3b22ff
Show file tree

Hide file tree

Showing 19 changed files with 53 additions and 11 deletions.
diff --git a/ci/vale/styles/config/vocabularies/Elastisys/accept.txt b/ci/vale/styles/config/vocabularies/Elastisys/accept.txt
@@ -25,6 +25,7 @@ allowlisted
 (?i)autoscaling
 colocation
 CPU
+cyber
 cybersecurity
 Dockerfile
 (?i)downsampled
@@ -67,6 +68,9 @@ midsommardagen
 julafton
 skyddsklass
 
+# German terms
+Grundschutz
+
 # No clue why Vale doesn't recognize these words
 approver
 auditability

diff --git a/docs/ciso-guide/nis2.md → docs/ciso-guide/controls/nis2.md b/docs/ciso-guide/nis2.md → docs/ciso-guide/controls/nis2.md
@@ -8,7 +8,7 @@ description: Overview of what the Network and Information Security Directive 2 (
 # Network and Information Security Directive 2 (NIS2)
 
 {%
-   include-markdown './controls/_common.include'
+   include-markdown './_common.include'
    start='<!--legal-disclaimer-start-->'
    end='<!--legal-disclaimer-end-->'
 %}
@@ -30,6 +30,8 @@ These sectors include energy, transport, water, banking, financial market infras
 To uphold the directive's objectives, businesses identified by Member States as operators of essential services in the specified sectors must implement suitable security measures and promptly report significant incidents to relevant national authorities.
 Similarly, key digital service providers, such as search engines, cloud computing services, and online marketplaces, are obligated to adhere to the security and notification requirements outlined in the directive.
 
+The NIS2 Directive shares a strong connection with two additional initiatives: the Critical Entities Resilience (CER) Directive and the Regulation for Digital Operational Resilience in the Financial Sector, commonly known as the Digital Operational Resilience Act (DORA).
+
 ## Which sectors are covered by the NIS2 Directive?
 
 A lot more sectors than in the previous iteration.
@@ -44,11 +46,27 @@ The [official FAQ](https://digital-strategy.ec.europa.eu/en/faqs/directive-measu
 
 ## How does the NIS2 Directive relate to Compliant Kubernetes?
 
-The NIS2 Directive shares a strong connection with two additional initiatives: the Critical Entities Resilience (CER) Directive and the Regulation for Digital Operational Resilience in the Financial Sector, commonly known as the Digital Operational Resilience Act (DORA).
+NIS2 Article 21(2) lists 10 so-called minimum requirements.
+These minimum requirements need to be translated into policies for your organization, which can then be technically implemented.
+Below is a list of pages, which help you translate such policies into implementation on top of Compliant Kubernetes.
+
+[TAGS]
+
+### Out of Scope NIS2 Requirements
+
+Note that, some requirements are out-of-scope for Compliant Kubernetes, as listed below:
+
+|                                      NIS2 Minimum Requirement                                     |                                                        Justification for Exclusion                                                       |
+|:-------------------------------------------------------------------------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------:|
+| (a) policies on risk analysis and information system security                                     | This is a requirement on the management team, which a container platform product, like Compliant Kubernetes, cannot fulfill.             |
+| (f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures | This is a requirement on the management team, which a container platform product, like Compliant Kubernetes, cannot fulfill.             |
+| (g) basic cyber hygiene practices and cybersecurity training                                      | Compliant Kubernetes is not a training solution. However, Elastisys can help. Check out [our training](https://elastisys.com/training/). |
+
+## Country- and Sector-Specific Requirements
 
-The directives and regulations affect how Compliant Kubernetes is composed on an architectural level and configured for specific use-cases, depending on industry needs.
-Please see the following pages, also linked in the side bar, for specific implementations made to meet these demands:
+Please see the following pages, also linked in the side bar, for country- and sector-specific rules on top of the NIS2 minimum requirements.
+Note that these rules were enacted under NIS1, as NIS2 still needs to be implemented in some EU Member States:
 
-- [KRITIS](controls/kritis.md) (Germany)
-- [BSI IT Grundschutz](controls/bsi-it-grundschutz.md) (Germany)
-- [MSBFS 2018:8](controls/msbfs-20188.md) (Sweden)
+- [KRITIS](kritis.md) (Germany)
+- [BSI IT Grundschutz](bsi-it-grundschutz.md) (Germany)
+- [MSBFS 2018:8](msbfs-20188.md) (Sweden)
diff --git a/docs/ciso-guide/index.md b/docs/ciso-guide/index.md
@@ -18,7 +18,7 @@ We've drawn inspiration from, and based architectural decision on information ga
 Resources for the Chief Information Security Officer (CISO) or similar:
 
 - [ISO 27001](./controls/iso-27001.md)
-- [NIS2](./nis2.md)
+- [NIS2](./controls/nis2.md)
 
 Resources for the Data Protection Officers (DPO) or similar:
 

diff --git a/docs/ciso-guide/vulnerability.md b/docs/ciso-guide/vulnerability.md
@@ -9,6 +9,7 @@ tags:
   - NIST SP 800-171 3.11.2
   - NIST SP 800-171 3.14.4
   - NIST SP 800-171 3.14.5
+  - NIS2 Minimum Requirement (e) Vulnerability Handling
 ---
 
 # Vulnerability Dashboard

diff --git a/docs/operator-manual/access-control.md b/docs/operator-manual/access-control.md
@@ -7,6 +7,7 @@ tags:
   - MSBFS 2020:7 4 kap. 3 §
   - MSBFS 2020:7 4 kap. 4 §
   - HSLF-FS 2016:40 4 kap. 3 § Styrning av behörigheter
+  - NIS2 Minimum Requirement (i) Access Control
 ---
 
 # Access control

diff --git a/docs/operator-manual/cryptography.md b/docs/operator-manual/cryptography.md
@@ -5,6 +5,7 @@ tags:
   - HIPAA S47 - Access Control - Encryption and Decryption - § 164.312(a)(2)(iv)
   - NIST SP 800-171 3.13.10
   - NIST SP 800-171 3.13.11
+  - NIS2 Minimum Requirement (h) Cryptography
 ---
 
 # Use of Cryptography

diff --git a/docs/operator-manual/disaster-recovery.md b/docs/operator-manual/disaster-recovery.md
@@ -8,6 +8,7 @@ tags:
   - MSBFS 2020:7 4 kap. 22 §
   - HSLF-FS 2016:40 3 kap. 13 § Säkerhetskopiering
   - NIST SP 800-171 3.6.3
+  - NIS2 Minimum Requirement (c) Disaster Recovery
 ---
 
 # Disaster Recovery

diff --git a/docs/operator-manual/provider-audit.md b/docs/operator-manual/provider-audit.md
@@ -17,6 +17,7 @@ tags:
   - HSLF-FS 2016:40 3 kap. 14 § Fysiskt skydd av informationssystem
   - GDPR Art. 28 Processor
   - NIST SP 800-171 3.13.16
+  - NIS2 Minimum Requirement (d) Security of direct suppliers
 ---
 
 # Infrastructure Provider Audit

diff --git a/docs/operator-manual/troubleshooting.md b/docs/operator-manual/troubleshooting.md
@@ -1,3 +1,7 @@
+---
+tags:
+  - NIS2 Minimum Requirement (b) Incident Handling
+---
 # Troubleshooting for Platform Administrators
 
 {%

diff --git a/docs/user-guide/alerts.md b/docs/user-guide/alerts.md
@@ -4,6 +4,7 @@ search:
   boost: 2
 tags:
   - ISO 27001 A.16 Information Security Incident Management
+  - NIS2 Minimum Requirement (b) Incident Handling
 ---
 
 # Alerts via Alertmanager

diff --git a/docs/user-guide/backup.md b/docs/user-guide/backup.md
@@ -10,6 +10,7 @@ tags:
   - MSBFS 2020:7 4 kap. 15 §
   - HSLF-FS 2016:40 3 kap. 12 § Säkerhetskopiering
   - GDPR Art. 17 Right to erasure ("right to be forgotten")
+  - NIS2 Minimum Requirement (c) Backup Management
 ---
 
 # Backups

diff --git a/docs/user-guide/delegation.md b/docs/user-guide/delegation.md
@@ -15,6 +15,7 @@ tags:
   - NIST SP 800-171 3.1.4
   - NIST SP 800-171 3.1.5
   - NIST SP 800-171 3.1.6
+  - NIS2 Minimum Requirement (i) Access Control
 ---
 
 # How to Delegate?

diff --git a/docs/user-guide/demarcation.md b/docs/user-guide/demarcation.md
@@ -12,6 +12,7 @@ tags:
   - HSLF-FS 2016:40 4 kap. 3 § Styrning av behörigheter
   - NIST SP 800-171 3.1.15
   - NIST SP 800-171 3.13.3
+  - NIS2 Minimum Requirement (i) Access Control
 ---
 
 <!-- markdownlint-disable-file first-line-h1 -->

diff --git a/docs/user-guide/how-many-environments.md b/docs/user-guide/how-many-environments.md
@@ -54,7 +54,7 @@ In particular, production data should not be compromised, no matter what happens
 Similarly, some regulations -- such as Medical Devices Regulation (MDR) -- require you to take a risk-based approach to changing the tech stack.
 Depending on your risk assessment, this implies **verifying** changes in a non-production Application Deployment before going into production.
 
-Some regulations, such as [NIS2](../ciso-guide/nis2.md), require that the organization takes measures related to "security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure".
+Some regulations, such as [NIS2](../ciso-guide/controls/nis2.md), require that the organization takes measures related to "security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure".
 This is commonly implemented using a concept called Security Zones.
 If two applications are in different Security Zones, then Cluster isolation might be required.
 

diff --git a/docs/user-guide/log-based-alerts.md b/docs/user-guide/log-based-alerts.md
@@ -4,6 +4,7 @@ search:
   boost: 2
 tags:
   - ISO 27001 A.16 Information Security Incident Management
+  - NIS2 Minimum Requirement (b) Incident Handling
 ---
 
 # OpenSearch Alert

diff --git a/docs/user-guide/network-model.md b/docs/user-guide/network-model.md
@@ -18,7 +18,8 @@ tags:
   - NIST SP 800-171 3.4.7
   - NIST SP 800-171 3.13.1
   - NIST SP 800-171 3.13.6
-  - NIST SP 800-171 3.13.8
+  - NIS2 Minimum Requirement (e) Security in Network
+  - NIS2 Minimum Requirement (h) Encryption-in-transit
 ---
 
 # Network Model

diff --git a/docs/user-guide/prepare-idp.md b/docs/user-guide/prepare-idp.md
@@ -7,6 +7,8 @@ tags:
   - MSBFS 2020:7 4 kap. 5 §
   - NIST SP 800-171 3.1.1
   - NIST SP 800-171 3.3.2
+  - NIS2 Minimum Requirement (i) Access Control
+  - NIS2 Minimum Requirement (j) Multi-Factor Authentication
 ---
 
 # Prepare your Identity Provider (IdP)

diff --git a/docs/user-guide/troubleshooting.md b/docs/user-guide/troubleshooting.md
@@ -2,6 +2,8 @@
 description: Troubleshooting help for Application Developers on Elastisys Compliant Kubernetes, the security-hardened Kubernetes distribution
 search:
   boost: 2
+tags:
+  - NIS2 Minimum Requirement (b) Incident Handling
 ---
 
 # Troubleshooting for Application Developers

diff --git a/mkdocs.yml b/mkdocs.yml
@@ -84,6 +84,7 @@ plugins:
         "operator-manual/safespring.md": "operator-manual/on-prem-standard.md"
         "operator-manual/qa.md": "quality-criteria.md"
         "operator-manual/air-gapped-environment.md": "operator-manual/air-gapped.md"
+        "ciso-guide/nis2.md": "ciso-guide/controls/nis2.md"
 
 markdown_extensions:
   - attr_list
@@ -231,7 +232,7 @@ nav:
       - "Public sector":
           - "MSBFS 2020:7 (SE)": "ciso-guide/controls/msbfs-20207.md"
       - "NIS2":
-          - "Overview": "ciso-guide/nis2.md"
+          - "Overview": "ciso-guide/controls/nis2.md"
           - "KRITIS (DE)": "ciso-guide/controls/kritis.md"
           - "BSI IT-Grundschutz (DE)": "ciso-guide/controls/bsi-it-grundschutz.md"
           - "MSBFS 2018:8 (SE)": "ciso-guide/controls/msbfs-20188.md"