BaSyx provides technical controls that can support NIS2-aligned integrity, auditability, traceability, recovery, and tamper-detection requirements when deployed and operated correctly. Enabling history evidence does not make an operator NIS2 compliant by itself.
- Canonical
content_hash,payload_hash,previous_hash, androw_hashvalues protect history row integrity. - Append-only PostgreSQL history rows and optional guarded PostgreSQL mode support traceability.
- Per-row WORM
history_eventartifacts provide tamper-evident recovery material for acknowledged writes while evidence storage is enabled. - Activation-time WORM
abac_policy_versionartifacts preserve the configured and materialized access-rule version that produced auditedpolicy_idandmatched_rule_idvalues. - Signed manifests and range digests support independent verification of selected history ranges.
- CLI verification and recovery export detect missing, modified, reordered, conflicting, or unverifiable evidence.
- Audit context fields record request, OIDC, ABAC, route, and trusted proxy metadata when configured and available.
- Perform risk analysis and maintain information security policies.
- Define incident handling, escalation, crisis management, and evidence preservation processes.
- Operate backup management, disaster recovery, and restore drills.
- Configure and monitor S3 Object Lock or equivalent WORM storage, including retention, versioning, IAM, MFA, and least privilege.
- Generate, rotate, back up, and distribute signing and verification keys through controlled trust processes.
- Monitor verifier findings and alert on critical drift or signature failures.
- Manage vulnerability handling, patching, and dependency updates.
- Assess infrastructure and provider supply-chain security.
- Train staff and maintain cyber hygiene practices.
- Validate legal and regulatory compliance with the operator's security and legal teams.
- Use
history.evidence.signing.publicKeyPathorBASYX_HISTORY_EVIDENCE_SIGNING_PUBLIC_KEY_PATHfor manifest signature verification. - Run
cmd/historyevidenceverifierfrom cron, Kubernetes CronJobs, or an equivalent scheduler. Treat non-zero exits andseverity: errorfindings as alert conditions. - Use
history.fullSnapshotInterval: 1when each history row must be recoverable as a full WORM snapshot without diff replay. - With
history.fullSnapshotInterval: N, recovery starts from the nearest WORM snapshot and replays WORM diff artifacts up to the requested row. - Recovery is bounded by the retention period and by the rows for which evidence storage was enabled.
- The built-in recovery command exports verified JSON only. PostgreSQL restore should be performed through an operator-approved disaster-recovery procedure.
Avoid describing a deployment as "NIS2 compliant" based only on BaSyx configuration. The accurate statement is that BaSyx supplies technical controls that may support NIS2-aligned operation when combined with the required organisational and operational measures.