Published on: August 20, 2024

How GitLab helps meet NIS2 requirements

The EU's NIS2 cybersecurity legislation focuses on resilience, incident response, and risk management. Learn how GitLab's DevSecOps platform helps meet these compliance requirements.


Government and regulatory bodies across the world are continuously seeking to enact new laws and requirements to address the growing risk posed by global digitization and the resulting cybersecurity threat landscape. The European Union's NIS2 Directive is legislation that aims to increase cybersecurity by focusing on core competencies, including resilience, incident response, and risk management.

As the most comprehensive AI-powered DevSecOps platform, GitLab is used globally to develop better software faster. GitLab’s diverse feature set makes it a unique and valuable asset, capable of addressing many of our customers’ security and compliance needs. Let’s explore how customers can leverage the GitLab platform to support their NIS2 compliance efforts.

Article 7: National Cybersecurity Strategy

Section 2(a) - addressing cybersecurity in the supply chain for ICT products and ICT services used by entities for the provision of their services.

NIS2 requires member states to adopt policies that address cybersecurity in the supply chain. While the policies are yet to be defined by each member state, GitLab’s Secure stage offers a suite of features that enable customers to manage the security of their offered services as well as their supply chain.

Container scanning report

Together, these scanning features help create a holistic and strong testing suite to support robust application development and supply chain management processes. DAST, Dependency Scanning, and License Compliance are available with a GitLab Ultimate subscription.
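The scanners above only support a supply chain or NIS2 argument if they actually run on every pipeline, on the default branch as well as on merge request source branches, because GitLab compares the two sets of findings. As an added illustration that is not part of the original post, the following .gitlab-ci.yml fragment wires in GitLab's managed scanner templates. The template paths are GitLab's documented ones; the stage list, the image name passed to Container Scanning and the DAST target URL are assumptions to adapt to your own project and GitLab version.

```yaml
# Added example (not from the original post): enabling GitLab's security scanners
# through the managed CI templates. Stage names, CS_IMAGE and the DAST target URL
# are assumptions for this illustration.
stages:
  - build
  - test
  - dast

include:
  - template: Jobs/SAST.gitlab-ci.yml                 # static analysis of source
  - template: Jobs/Secret-Detection.gitlab-ci.yml     # leaked credentials in the history
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml  # known-vulnerable dependencies; also emits the
                                                      # CycloneDX SBOM that license scanning consumes
  - template: Jobs/Container-Scanning.gitlab-ci.yml   # OS and package CVEs in the built image
  - template: Security/DAST.gitlab-ci.yml             # runtime testing of a deployed review environment

variables:
  # Container Scanning needs to know which image the build stage pushed.
  # Assumption: the build job tags the image with the commit SHA.
  CS_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  # Assumption: the URL of the review app that the deploy job exposes for this branch.
  DAST_WEBSITE: https://review-app.example.internal
```

The Dependency Scanning and DAST jobs are the ones that require GitLab Ultimate; SAST, Secret Detection and basic Container Scanning run on any tier. Check the variable names against the documentation for the analyzer versions shipped with your GitLab release before relying on them.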


Article 21: Cybersecurity Risk Management Measures

NIS2 requires member states to ensure that essential and important entities implement appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to the security of their network and information systems, and to prevent or minimize the impact of incidents on the recipients of their services.

Section 2(d) - supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.

As noted above, GitLab’s Secure stage enables customers to implement a broad range of detective and responsive capabilities that improve the security of their code and address risk within their supply chains.

Those features can be leveraged to address the requirements that member states will pass down as part of this section.

Section 2(e) - security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.

As a comprehensive DevSecOps platform, GitLab’s features help secure our customers’ software delivery lifecycles from beginning to end.

Signed commits

  • GitLab’s Secure stage features, as mentioned above, add security controls to GitLab’s Verify, Package, and Deploy stages. These stages include core Continuous Integration/Continuous Delivery features, such as MR Pipelines and Protected Runners, as well as several artifact registries to meet your organizational needs.

  • GitLab’s Monitor stage offers features such as Alerts and Incidents to help organizations become aware of incidents and track them to remediation all within GitLab.

  • GitLab’s Govern stage features, as the name implies, control who can use a GitLab instance and how. They also help support an organization’s overall compliance efforts.

    • Features such as SCIM, SSO, and Custom Roles effectively support authentication and authorization lifecycles.
    • MR Approval Policies are a powerful tool for implementing a security gate in your software development lifecycle. Using MR Approval Policies, an organization can require additional approvals for events such as when vulnerabilities are detected after a commit, certain license types are detected in dependencies, or for any MR made against a particular protected branch. MR Approval Policies are available with a GitLab Ultimate subscription.
    • With GitLab Duo, organizations can leverage the Vulnerability Explanation feature to:
      • summarize the vulnerability
      • help developers and security analysts understand the vulnerability, how it could be exploited, and how to fix it
      • provide a suggested mitigation
    • Streaming Audit Events enable organizations to send audit events from their top-level group to an external location to receive all events about the group, subgroups, and projects. Streaming Audit Events are available with a GitLab Ultimate subscription.
    • A strong insider threat program combines multiple layers of detective, preventive, and reactive controls. Git Abuse Rate Limiting automatically notifies administrators when a user downloads, clones, pulls, fetches, or forks more than a specified number of repositories of a group in a given timeframe. Organizations can go a step further and enable automatic banning to ban the offending user from the group and its subgroups. Git Abuse Rate Limiting is available with a GitLab Ultimate subscription.
    • To dive deeper on detected vulnerabilities, GitLab’s Vulnerability Report provides information about vulnerabilities from scans of the default branch. Vulnerability Reports are available with a GitLab Ultimate subscription.

Vulnerability Report
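The MR Approval Policies described above are expressed as a YAML policy file in the security policy project linked to a group. As an added example, not taken from the original post, the following policy.yml implements the three gates the text mentions: newly detected critical or high vulnerabilities, newly introduced dependencies under selected licenses, and any merge request into a protected branch (here tightened to MRs containing unsigned commits, which ties in with the signed-commits requirement pictured earlier). The approver group paths and the license list are assumptions; the key names follow GitLab's documented policy schema and should be checked against the documentation for your GitLab version.

```yaml
# Added example (not from the original post): a merge request approval policy
# stored as .gitlab/security-policies/policy.yml in the security policy project.
# Group paths and the license list below are assumptions for this illustration.
approval_policy:
  - name: Block new critical and high findings
    description: >
      Require a security approval when a pipeline on a protected branch
      introduces critical or high vulnerabilities that were not on the target branch.
    enabled: true
    rules:
      - type: scan_finding
        branch_type: protected
        scanners:
          - sast
          - secret_detection
          - dependency_scanning
          - container_scanning
        vulnerabilities_allowed: 0
        severity_levels:
          - critical
          - high
        vulnerability_states:        # only findings new in this MR, not pre-existing ones
          - new_needs_triage
          - new_dismissed
    actions:
      - type: require_approval
        approvals_required: 1
        group_approvers:
          - security/appsec-reviewers   # assumption: an existing group of security reviewers

  - name: Copyleft licenses need legal sign-off
    description: Newly introduced dependencies under the listed licenses require approval.
    enabled: true
    rules:
      - type: license_finding
        branch_type: protected
        match_on_inclusion: true      # approval required if any listed license appears
        license_types:
          - GPL-3.0-only
          - AGPL-3.0-only
        license_states:
          - newly_detected
    actions:
      - type: require_approval
        approvals_required: 1
        group_approvers:
          - legal/oss-review            # assumption

  - name: Unsigned commits into protected branches need a maintainer
    description: Any MR targeting a protected branch that carries unsigned commits gets a second approval.
    enabled: true
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: unsigned             # use "any" to gate every MR regardless of signing
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - maintainer
```

Two practical points: the scan_finding rule can only compare results if the scanners it lists run in both the target-branch and the merge request pipelines, and a policy that names a scanner which never produces a report silently gates nothing. Dry-run new policies on a test group and confirm the approval rule appears on a merge request before enforcing them on production groups.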

Section 2(j) - the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate.

GitLab offers several multi-factor authentication options to support a stronger authentication process, including time-based one-time passwords (TOTP) and WebAuthn hardware or platform authenticators, and administrators can make two-factor authentication mandatory for an entire instance or for a group. Customers can select the option that meets their requirements, or implement SSO (SAML or OpenID Connect) so that authentication, including the MFA step, is enforced centrally by their identity provider.

What’s next for NIS2?

While member states have yet to issue broad guidance in response to the NIS2 directive, the GitLab platform is well positioned to address software development lifecycle requirements as they arise.

To learn more about the features throughout this article, see our library of tutorials.

To get started, sign up for a free 30-day trial of GitLab Ultimate.
