Automating NIS2 Compliance in Kubernetes with Kyverno: A Practical Guide
Guest Contributor: Cristian Klein (Elastisys)
2025 is the year when NIS2 measures will start to bite. Is your platform team ready for the challenge?
This post gives a brief overview of NIS2 in the context of platform engineering. Then it gives some practical implementation examples using Kyverno. At the end of this post, you will know how to avoid “analysis paralysis” and get started with making your organization NIS2 compliant.
Crash Course to NIS2
As many of you already know, security is hard. This is due to two factors:
the budget gap: security is chronically under-funded, due to it being seen as an “overhead” and not a “feature”;
the knowledge gap: even for a well-funded organization it is hard to create an overall threat landscape and understand where to best invest its security budget.
NIS2 is an EU Directive which aims to improve security by closing both the budget gap and the knowledge gap. It improves on a previous EU Directive – retrospectively called NIS1. NIS2 defines “essential” and “important” entities, which are organizations critical to society, such as energy, healthcare and public administration. So how exactly does NIS2 improve the overall security of such organizations?
NIS2 closes the knowledge gap by requiring all essential and important entities to report cybersecurity incidents and near-misses to competent authorities. These authorities review these reports and issue:
mandatory security measures; at the time of writing, these are still being drafted, but expectations are that they will look similar to the Swedish MSBFS 2020:7 or the German BSI IT-Grundschutz.
Note that these security measures are not just “paperwork”. They need to be documented with solid evidence, such as audit reports, reports on implementation, reports on effectiveness, screenshots, dashboards, etc.
But how does NIS2 plug the budget gap to ensure that organizations will allocate the necessary resources and implement mandated security measures? Simply put, NIS2 includes fines of up to 2% of total global annual revenue or €10,000,000 – whichever is higher – for essential entities. Important entities may be fined up to 1.4% of total global annual revenue or €7,000,000 – whichever is higher. Note that EU Member States may include additional penalties. For example, under the proposed Swedish Cybersecurity law, CEOs may get a ban on business if found to have acted negligently when it comes to cybersecurity.
As already mentioned, NIS2 is a follow-up on a previous EU Directive – retrospectively called NIS1. Already under NIS1, energy, transportation, and financial services were in scope. With NIS2, more entities are in scope, such as public administration, manufacturing, and research. Yes, your city’s mayor will need to care about cybersecurity. Furthermore, NIS2 adds ten so-called “minimum requirements”, which are expected to have a huge impact on improving the security of essential entities.
For more details on NIS2, we recommend you read these excellent posts from Elastisys on NIS2:
This section will help you understand the impact of NIS2 on platform engineering and platform security.
One of the most important security measures an organization needs to take under NIS2 is to perform risk management. In brief, risk management consists of:
Listing out risks, i.e., brainstorming with experts on what could go wrong given the threats;
Assessing the severity of those risks, i.e., how bad those risks are if they become reality;
Taking measures to reduce the severity of the worst risks;
Collecting evidence to show that the security measures have been implemented and are effective.
When it comes to security measures, NIS2 wants you to consider organizational, operational and technical measures.
Let us make this more concrete through an example. Say you work for a healthcare provider. A core process of your organization is to keep patient journals to ensure high-quality care. Your patient journals are stored using an application, which is hosted by a Kubernetes-based application platform.
Let us now apply risk management. Your CISO (Chief Information Security Officer) opens up ISO 27005:2022 and reads that one threat is “equipment malfunction”. The CISO gathers a team of experts to brainstorm. Your organization realizes that there is a risk of the patient journal system going down due to a server failure. This is a core process of your organization, so your CISO assesses the severity as high. Next, your CISO and the team of experts consider measures to reduce the risk:
The chief of staff is tasked with implementing a method for manual journaling, so the organization can tolerate a downtime of the patient journaling application of two hours.
The application team is tasked with running their application replicated across at least two servers.
This is where platform engineering comes in. If you already operate a Kubernetes-based application platform, the effort required to replicate the application on two servers is significantly lower:
Set replicas: 2 in the Deployment of the application;
This sounds simple enough, but how do you make sure that application teams won’t forget to replicate? Guardrails! You use guardrails to warn application developers about (or deny them from) deploying an application with a single replica. In other words, you make it easy for them to do the right thing. This is where Kyverno, a Kubernetes-native policy engine, comes into play.
How Kyverno Addresses NIS2 Requirements
Kyverno, created by Nirmata, allows you to enforce guardrails as policies in a declarative way. For instance, you can create a Kyverno policy that checks if a Deployment specifies at least two replicas. If an application developer tries to deploy an application with only one replica, Kyverno can either warn them during the deployment process or block the deployment altogether until the requirement is met.
Here’s a simple example of such a Kyverno policy:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-min-two-replicas
spec:
  # Audit only reports violations in PolicyReports; set Enforce to block non-compliant Deployments.
  validationFailureAction: Audit
  rules:
    - name: check-replicas
      match:
        resources:
          kinds:
            - Deployment
      validate:
        message: "Deployments must specify at least 2 replicas to ensure high availability."
        pattern:
          spec:
            # A Deployment that omits spec.replicas (implicitly 1) also fails this pattern.
            replicas: ">=2"
With this policy in place, your platform engineering team can ensure that all applications deployed on your Kubernetes-based platform adhere to the NIS2 minimum requirement of mitigating risks, such as server failures, through redundancy.
Practical Implementation Examples
Kyverno plays a critical role in addressing NIS2 requirements.
For example, NIS2 Article 21(2)(d) “supply chain security” can be fulfilled by enforcing image verification. Specifically, the Kyverno policy below validates that only signed container images are used in deployments.
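The following ClusterPolicy is an added example for this section; it is not a policy from the original post, from Nirmata or from the Kyverno policy library. It rejects any Pod (and, through Kyverno's auto-generated rules, any Deployment, StatefulSet, Job or CronJob) whose image is not signed with the organization's Cosign key. The registry prefix registry.example.com and the PEM block are placeholders to be replaced with your own registry and the public half of the key your CI pipeline signs with.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-signed-images
spec:
  # Enforce: unsigned images are rejected at admission instead of only reported.
  validationFailureAction: Enforce
  # Signature verification talks to the registry, so it runs at admission only.
  background: false
  # Fail closed: if the registry or Kyverno cannot answer in time, the request is denied.
  failurePolicy: Fail
  webhookTimeoutSeconds: 30
  rules:
    - name: verify-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod   # Kyverno auto-generates the same rule for Pod controllers.
      verifyImages:
        - imageReferences:
            - "registry.example.com/*"   # placeholder: your organization's registry
          # Rewrite the image reference to its digest so the artifact that was
          # verified is exactly the artifact that runs.
          mutateDigest: true
          attestors:
            - entries:
                - keys:
                    # Placeholder PEM: replace with your Cosign public key.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      REPLACE_WITH_YOUR_COSIGN_PUBLIC_KEY
                      -----END PUBLIC KEY-----
```

Images outside the listed registry prefix are not checked by this rule, so the imageReferences list doubles as an allow-list of registries; pairing it with a rule that denies images from any other registry closes that gap. The combination of failurePolicy: Fail and a short timeout is deliberate: an unreachable registry then blocks deployments rather than silently admitting unverified images.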
As another example, NIS2 Article 21(2)(h) “use of cryptography” can be fulfilled by making sure that all Ingresses have certificates properly configured for them. The Kyverno policy below enforces this by making sure that the field spec.tls and the required annotations are properly set up.
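The following ClusterPolicy is an added example for this section, not a policy from the original post or from the Kyverno policy library. The first rule uses a deny condition rather than a pattern so that a missing spec.tls, an empty spec.tls list, and a TLS entry without a secretName are all rejected; the second rule requires the cert-manager.io/cluster-issuer annotation. The issuer name letsencrypt-prod is an assumed placeholder for the ClusterIssuer your platform provides.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-ingress-tls
spec:
  validationFailureAction: Enforce
  # background: true also reports pre-existing Ingresses in PolicyReports,
  # which is the kind of evidence NIS2 asks for.
  background: true
  rules:
    - name: require-tls-section
      match:
        any:
          - resources:
              kinds:
                - Ingress
      validate:
        message: >-
          Ingresses must terminate TLS: spec.tls is required and every entry
          needs a secretName holding the certificate.
        deny:
          conditions:
            any:
              # Deny when spec.tls is absent or empty (JMESPath: a missing field is
              # null, which the `|| []` fallback turns into an empty list).
              - key: "{{ length(request.object.spec.tls || `[]`) }}"
                operator: Equals
                value: 0
              # Deny when fewer entries carry a secretName than there are entries,
              # i.e. at least one TLS entry has no certificate secret.
              - key: "{{ length(request.object.spec.tls[].secretName || `[]`) }}"
                operator: NotEquals
                value: "{{ length(request.object.spec.tls || `[]`) }}"
    - name: require-cert-manager-issuer
      match:
        any:
          - resources:
              kinds:
                - Ingress
      validate:
        message: >-
          Ingresses must request their certificate from the platform's
          cert-manager ClusterIssuer via the cert-manager.io/cluster-issuer annotation.
        pattern:
          metadata:
            annotations:
              # Placeholder issuer name; pinning it (rather than accepting any value)
              # means only the approved CA can issue certificates for the platform.
              cert-manager.io/cluster-issuer: "letsencrypt-prod"
```

To roll this out as the Best Practices section suggests, deploy it first with validationFailureAction: Audit, fix the Ingresses listed in the resulting PolicyReports, and only then switch to Enforce.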
As another example, NIS2 Article 21(2)(a) “information system security” will likely lead to your organization implementing the principle of least privilege. In Kubernetes, this means ensuring that all namespaces are configured with the restricted Pod Security Standard. The Kyverno policy below enforces this standard, except in namespaces that legitimately need elevated permissions:
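The following ClusterPolicy is an added example for this section, not a policy from the original post or from the Kyverno policy library. It covers the requirement from two sides: the first rule requires every Namespace object to carry the Pod Security Admission labels for the restricted profile, and the second rule evaluates every Pod against the restricted profile with Kyverno's podSecurity subrule, independent of namespace labels. The exempted namespaces are assumptions: the kube-* namespaces ship with Kubernetes, and ingress-nginx stands in for whichever platform components legitimately need elevated privileges.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: enforce-restricted-pod-security
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    # Rule 1: Namespaces must be labelled so that the built-in Pod Security
    # Admission controller enforces the restricted profile as well.
    - name: require-restricted-pss-labels
      match:
        any:
          - resources:
              kinds:
                - Namespace
      exclude:
        any:
          - resources:
              names:
                - kube-system
                - kube-public
                - kube-node-lease
                - ingress-nginx   # placeholder: components that need elevated privileges
      validate:
        message: "Namespaces must enforce the restricted Pod Security Standard."
        pattern:
          metadata:
            labels:
              pod-security.kubernetes.io/enforce: restricted
              pod-security.kubernetes.io/warn: restricted
    # Rule 2: every Pod is checked against the restricted profile directly,
    # so a mislabelled namespace cannot bypass the standard.
    - name: restricted-profile-pods
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - kube-public
                - kube-node-lease
                - ingress-nginx   # same exemption list as rule 1
      validate:
        message: "Pods must satisfy the restricted Pod Security Standard."
        podSecurity:
          level: restricted
          version: latest
```

Keeping the exemption list identical in both rules, and as short as possible, is what makes the policy auditable: each name on it is a documented, deliberate exception rather than a namespace that simply never received the labels.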
Refer to this GitHub repository for a curated list of Kyverno policies.
Best Practices & Recommendations
Getting started with NIS2 compliance requires both strategic planning and practical steps. Here’s how your organization can begin its journey:
Build the right foundations: Begin by hiring a Chief Information Security Officer (CISO) and allocating a dedicated budget for cybersecurity. While the CISO leads the effort, success requires collaboration across teams. Promote awareness of NIS2, risk management, and platform security among all stakeholders to create a culture of shared responsibility.
Assess and educate: Use tools like Kyverno to evaluate your current security posture by running policies in Audit mode. Share the results with development teams to help them understand the risks and implications of misconfigured workloads. Education is key – empower teams with the knowledge to fix vulnerabilities and deploy secure workloads.
Enforce and streamline: Once workloads are compliant, switch to Enforce mode to prevent misconfigurations and ensure continuous compliance. Streamline reporting and evidence gathering using tools like Nirmata Control Hub, which provides centralized dashboards and real-time insights. This simplifies audits and ensures your organization has the needed evidence to demonstrate compliance with NIS2.
Build vs buy: If you don’t have an in-house platform team (or don’t want to invest in one), consider using an application platform with built-in guardrails, such as Elastisys Welkin®.
Conclusion
Kyverno offers a comprehensive solution for ensuring compliance with NIS2 minimum requirements, helping organizations enforce policies and prevent misconfigurations in Kubernetes environments. By leveraging Kyverno, you can seamlessly integrate security and compliance controls into your platform, enabling continuous enforcement without adding complexity for developers or platform teams.
Ready to take your NIS2 compliance to the next level? Learn more about Nirmata Control Hub and how it simplifies Kyverno policy management, enhances security, and facilitates NIS2 minimum requirements for your Kubernetes workloads. Request a demo today! You may also download our Control Hub datasheet to take with you.
Looking for a turnkey application platform? Navigating NIS2 compliance while ensuring security and operational resilience can be complex, but Elastisys Welkin® makes it easier. As a turnkey application platform designed for organizations operating software critical to society, Elastisys Welkin enables seamless compliance, reduces risk, and strengthens security – without adding unnecessary complexity.
By combining Elastisys Welkin with Elastisys’ expert consulting and training services, your organization can achieve resilience by design, ensuring compliance with EU regulations while accelerating innovation. Want to see how Elastisys Welkin® can support your NIS2 compliance journey? Get in touch with Elastisys today.