nis2shield/dotnet-nis2-shield

NIS2 .NET Shield

🛡️ Security-First Middleware for ASP.NET Core NIS2 Compliance

Companies subject to the NIS2 Directive need demonstrable compliance. This middleware provides:

  1. Forensic logging with HMAC-SHA256 integrity and PII encryption (Art. 21.2.h)
  2. Rate limiting to prevent DoS/Brute Force attacks (Art. 21.2.e)
  3. Session Guard to detect hijacking via IP/User-Agent validation (Art. 21.2.a)
  4. Multi-SIEM Presets: Native connectors for Splunk, Datadog, Elasticsearch

Part of the NIS2 Shield Ecosystem: Use with @nis2shield/react-guard, @nis2shield/angular-guard, or @nis2shield/vue-guard for client-side protection and nis2shield/infrastructure for a full-stack implementation.

┌─────────────────────────────────────────────────────────────┐
│                        Frontend                             │
│  @nis2shield/{react,angular,vue}-guard                      │
│  ├── SessionWatchdog (idle detection)                       │
│  ├── AuditBoundary (crash reports)                          │
│  └── → POST /api/nis2/telemetry/                            │
└─────────────────────────────────────────────────────────────┘
                            │
                            ▼
┌─────────────────────────────────────────────────────────────┐
│                  Backend (NIS2 Adapter)                     │
│  **Nis2Shield.AspNetCore**                                  │
│  ├── ForensicLogger (HMAC signed logs)                      │
│  ├── RateLimiter, SessionGuard, TorBlocker                  │
│  └── → SIEM (Elasticsearch, Splunk, Datadog)                │
└─────────────────────────────────────────────────────────────┘
                            │
                            ▼
┌─────────────────────────────────────────────────────────────┐
│                    Infrastructure                           │
│  nis2shield/infrastructure                                  │
│  ├── Centralized Logging (ELK/Splunk)                       │
│  └── Audited Deployment (Terraform/Helm)                    │
└─────────────────────────────────────────────────────────────┘

📦 Installation

dotnet add package Nis2Shield.AspNetCore

⚙️ Quick Start

Program.cs

var builder = WebApplication.CreateBuilder(args);

// 1. Register NIS2 Shield
builder.Services.AddNis2Shield(builder.Configuration);

var app = builder.Build();

// 2. Activate Middleware (before Auth)
app.UseNis2Shield();

app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();

app.Run();

appsettings.json

{
  "Nis2": {
    "Enabled": true,
    "IntegrityKey": "your-hmac-secret-key",
    "Logging": {
      "Enabled": true,
      "AnonymizeIp": true,
      "EncryptPii": true
    },
    "ActiveDefense": {
      "RateLimitEnabled": true,
      "RateLimitThreshold": 100,
      "RateLimitWindowSeconds": 60,
      "BlockTorExitNodes": true
    },
    "SessionGuard": {
      "Enabled": true,
      "SubnetTolerance": 24,
      "AllowUserAgentChange": false
    }
  }
}

🔒 Features

Forensic Logging

  • Standardized logs (NIS2-JSON-SCHEMA v1.0) with HMAC-SHA256 integrity signature
  • Automatic PII field encryption (GDPR compliant)
  • IP anonymization for privacy compliance
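
How a log consumer can check an HMAC-SHA256 integrity signature before trusting an entry, as an added C# example that is not Nis2Shield's own code. The entry layout, signing the exact UTF-8 bytes of the serialized entry, the hex-encoded signature, and the `LogIntegrity` class are assumptions; the page does not spell out NIS2-JSON-SCHEMA v1.0.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Constructed sample key and entry; a real key comes from a secret store.
byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-not-a-real-secret");
string entry = "{\"timestamp\":\"2025-01-01T12:00:00Z\",\"event\":\"rate_limit_exceeded\",\"ip\":\"203.0.113.0\"}";
string signature = LogIntegrity.Sign(key, entry);

string tampered = entry.Replace("rate_limit_exceeded", "request_ok");
Console.WriteLine($"original : {LogIntegrity.Verify(key, entry, signature)}");
Console.WriteLine($"tampered : {LogIntegrity.Verify(key, tampered, signature)}");
Console.WriteLine($"bad hex  : {LogIntegrity.Verify(key, entry, "not-hex")}");

// Hypothetical helper for illustration, not part of the Nis2Shield API.
static class LogIntegrity
{
    // Assumption: the signature covers the exact UTF-8 bytes of the serialized entry.
    public static string Sign(byte[] key, string serializedEntry)
    {
        using var hmac = new HMACSHA256(key);
        return Convert.ToHexString(hmac.ComputeHash(Encoding.UTF8.GetBytes(serializedEntry)));
    }

    public static bool Verify(byte[] key, string serializedEntry, string signatureHex)
    {
        byte[] claimed;
        try { claimed = Convert.FromHexString(signatureHex); }
        catch (FormatException) { return false; } // malformed signature is a failed check

        using var hmac = new HMACSHA256(key);
        byte[] expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(serializedEntry));
        // Constant-time comparison; also returns false when the lengths differ.
        return CryptographicOperations.FixedTimeEquals(expected, claimed);
    }
}
```

Under these assumptions, verification must run against the stored bytes: re-serializing the JSON first can reorder or reformat fields and make an untouched entry fail the check.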

Active Defense

  • Rate Limiting: Sliding window protection against application-level DoS attacks
  • Session Guard: Session hijacking prevention via IP/User-Agent fingerprinting
  • Tor Blocker: Automatic blocking of Tor exit nodes

Multi-SIEM Integration

  • Elasticsearch: Bulk API with daily index rotation
  • Splunk: HTTP Event Collector (HEC) support
  • Datadog: Logs API v2 integration

Webhook Notifications

  • Real-time alerts to Slack, Microsoft Teams, Discord
  • Configurable event filtering

📖 Recipes

Banking App with Strict Security

builder.Services.AddNis2Shield(options =>
{
    options.IntegrityKey = Environment.GetEnvironmentVariable("NIS2_HMAC_KEY")!;
    
    // Rate Limiting
    options.ActiveDefense.RateLimitEnabled = true;
    options.ActiveDefense.RateLimitThreshold = 50;
    options.ActiveDefense.RateLimitWindowSeconds = 60;
    
    // Session Guard - strict mode
    options.SessionGuard.Enabled = true;
    options.SessionGuard.SubnetTolerance = 32; // exact IP match
    options.SessionGuard.AllowUserAgentChange = false;
});
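
What `SubnetTolerance` and `AllowUserAgentChange` mean for a session bound at login, as an added C# example that is not Nis2Shield's implementation. It assumes `SubnetTolerance` is a CIDR prefix length compared against the IP recorded for the session; the `SessionCheck` class and the sample addresses are hypothetical.

```csharp
using System;
using System.Net;

// Added illustration, not Nis2Shield code. Constructed session bound at login:
var boundIp = IPAddress.Parse("203.0.113.10");
const string boundUa = "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0";

var requests = new[]
{
    ("203.0.113.77", boundUa, 24),             // same /24, e.g. DHCP renewal
    ("203.0.113.77", boundUa, 32),             // strict mode: any IP change fails
    ("198.51.100.10", boundUa, 24),            // different network
    ("::ffff:203.0.113.10", "curl/8.5.0", 32)  // same IP, different client
};
foreach (var (ip, ua, bits) in requests)
{
    bool ok = SessionCheck.Matches(boundIp, boundUa, IPAddress.Parse(ip), ua, bits, allowUaChange: false);
    Console.WriteLine($"{ip,-20} /{bits} -> {(ok ? "accept" : "reject: possible hijack")}");
}

static class SessionCheck
{
    public static bool Matches(IPAddress boundIp, string boundUa, IPAddress ip, string ua,
                               int prefixBits, bool allowUaChange)
    {
        if (!allowUaChange && !string.Equals(boundUa, ua, StringComparison.Ordinal)) return false;
        return SameSubnet(boundIp, ip, prefixBits);
    }

    // True when both addresses share their first prefixBits bits.
    public static bool SameSubnet(IPAddress a, IPAddress b, int prefixBits)
    {
        // Dual-stack sockets report IPv4 clients as ::ffff:a.b.c.d; normalize first.
        if (a.IsIPv4MappedToIPv6) a = a.MapToIPv4();
        if (b.IsIPv4MappedToIPv6) b = b.MapToIPv4();
        if (a.AddressFamily != b.AddressFamily) return false;

        byte[] x = a.GetAddressBytes(), y = b.GetAddressBytes();
        if (prefixBits < 0 || prefixBits > x.Length * 8)
            throw new ArgumentOutOfRangeException(nameof(prefixBits));

        int full = prefixBits / 8, rem = prefixBits % 8;
        for (int i = 0; i < full; i++)
            if (x[i] != y[i]) return false;
        if (rem == 0) return true;
        int mask = (0xFF << (8 - rem)) & 0xFF;
        return (x[full] & mask) == (y[full] & mask);
    }
}
```

With a prefix of 32, a legitimate user whose address changes mid-session (mobile networks, carrier-grade NAT) is rejected as well, so strict mode trades availability for a tighter binding.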

Healthcare API with Full PII Protection

builder.Services.AddNis2Shield(options =>
{
    options.IntegrityKey = Environment.GetEnvironmentVariable("NIS2_HMAC_KEY")!;
    options.Logging.EncryptPii = true;
    options.Logging.AnonymizeIp = true;
    options.Logging.PiiFields = new List<string> { "email", "patient_id", "ssn" };
});

Enterprise with Splunk HEC

{
  "Nis2": {
    "IntegrityKey": "your-hmac-key",
    "Siem": {
      "Enabled": true,
      "Provider": "Splunk",
      "Endpoint": "https://splunk.company.com:8088/services/collector",
      "ApiKey": "your-hec-token",
      "IndexName": "nis2-security"
    }
  }
}

Slack Alert for Security Events

{
  "Nis2": {
    "Webhooks": {
      "Enabled": true,
      "Targets": [
        {
          "Name": "Security Alerts",
          "Url": "https://hooks.slack.com/services/xxx/yyy/zzz",
          "Provider": "Slack",
          "Events": ["rate_limit_exceeded", "tor_node_blocked", "session_hijack_detected"]
        }
      ]
    }
  }
}

🧪 Testing

dotnet test

🛡️ Security & Updates

Subscribe to our Security Mailing List to receive immediate alerts about:

  • Critical vulnerabilities (CVEs)
  • NIS2/DORA regulatory logic updates
  • Major breaking changes

For reporting vulnerabilities, see SECURITY.md.

📄 License

MIT License - see LICENSE for details.

🤝 Related Projects

| Project | Technology | Package |
| --- | --- | --- |
| django-nis2-shield | Django | pip install django-nis2-shield |
| nis2-spring-shield | Spring Boot | Maven Central |
| @nis2shield/express-middleware | Express | npm install @nis2shield/express-middleware |
| @nis2shield/react-guard | React | npm install @nis2shield/react-guard |

Documentation · NuGet · Changelog
