I didn't want compliance to be a barrier to entry or a bureaucracy nightmare. I wanted it to be an engineering problem.
The core concept: compliance as code. Instead of expensive consultants, we mapped legal requirements directly to code functions.
- Law: "Cryptography & HR security" (Art. 21.e)
- Code: Middleware that handles forensic logging (HMAC-signed), PII encryption, and session guarding automatically.
Why use it (even if you are not subject to NIS2)? Even if you are a small startup and the law doesn't apply to you yet, these are simply sane security defaults. We made features like forensic logging, rate-limiting, and encrypted auditing "plug-and-play". Since it's now trivial to implement (e.g., just adding a middleware), there is no reason not to have "Enterprise-grade" security from Day 1. It makes your product better and "future-proofs" you for when you eventually land that big Enterprise client.
The stack (MIT licensed):
- Backend: Middleware for Django, Express, Spring Boot, and .NET.
- Infra: Terraform modules for AWS/Azure/GCP with security hardening baked in (and toggles to save costs in dev).
- Frontend: React/Vue/Angular guards for client-side telemetry.
Business model (transparency):
- The Truth (Free): All the code to be secure is MIT Open Source. You can use it freely.
- The Proof (Paid): We sell the "Auditor Kit" — an engine that generates the legal PDF reports and audit dashboards for your CISO/Management.
In short: The security is free, the bureaucracy is paid.
I’d love your feedback on the repo structure and the Terraform modules!
Repo: https://github.com/nis2shield
Docs: https://nis2shield.com