C#
.NET
Backend-Development
Azure

NIS-2 Compliance for .NET Developers

A two-day technical workshop mapping all ten NIS-2 Article 21 risk management measures to concrete .NET and Azure implementations: identity, cryptography, secure development, incident detection, supply chain security, and audit readiness.

Duration: 2 days

Who Should Attend

This workshop targets .NET developers, software architects, and technical leads working in organizations subject to the NIS-2 Directive (EU 2022/2555). It is suitable for developers building or maintaining applications in sectors classified as essential or important entities under NIS-2, as well as developers working for managed service providers or digital infrastructure companies operating in the EU.

Prerequisites

  • Solid experience with C# and .NET (6 or later)
  • Basic familiarity with ASP.NET Core and REST APIs
  • General awareness of web application security concepts (HTTPS, authentication, authorization)
  • No prior NIS-2 or compliance knowledge required

Workshop Goals

By the end of this workshop, participants will be able to:

  • Understand the scope, structure, and obligations of the NIS-2 Directive (EU 2022/2555)
  • Map the ten Article 21 risk management measures to concrete .NET implementation patterns
  • Implement secure authentication and authorization using Microsoft Entra ID and ASP.NET Core
  • Apply cryptography and key management best practices using .NET and Azure Key Vault
  • Build incident detection, logging, and audit trail capabilities compliant with Article 23
  • Implement supply chain security practices in .NET dependency management and CI/CD pipelines
  • Integrate Azure security services (Defender for Cloud, Microsoft Sentinel, Azure Monitor) into .NET applications
  • Design resilient systems with backup, disaster recovery, and business continuity in mind
  • Conduct security testing and vulnerability assessments for .NET applications
  • Prepare technical documentation and evidence for NIS-2 audits and supervisory authorities

Contents

Day 1: NIS-2 Foundations and Core Security Measures
Module 1: NIS-2 Directive Overview
  • History and motivation: NIS-1 (2016) vs. NIS-2 (2022/2555)
  • Essential entities (Annex I) vs. important entities (Annex II): scope and size thresholds
  • Ten Article 21 risk management measures at a glance
  • Article 23 incident reporting obligations: 24-hour early warning, 72-hour notification, 1-month final report
  • Governance and accountability: management body liability, CISO responsibilities
  • Penalties: administrative fines with a maximum of at least €10M or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and at least €7M or 1.4% for important entities
  • How NIS-2 interacts with GDPR, DORA, and sector-specific regulations
Module 2: Risk Analysis and Security Policies (Article 21.2.a)
  • Establishing a formal risk analysis process for .NET applications
  • Threat modeling with STRIDE for ASP.NET Core services
  • Documenting information security policies: templates and tooling
  • Integrating risk assessment into the software development lifecycle
  • Hands-on: threat model an ASP.NET Core API using STRIDE
Module 3: Identity, Access Control, and Authentication (Articles 21.2.i and 21.2.j)
  • Multi-factor authentication (MFA) with Microsoft Entra ID
  • Conditional access policies: location, device state, sign-in risk
  • Privileged access management and least-privilege principle in .NET services
  • Service-to-service authentication with managed identities and workload identity federation
  • ASP.NET Core authorization policies, roles, and claims
  • Continuous Access Evaluation (CAE) for real-time session revocation
  • Hands-on: secure an ASP.NET Core API with Entra ID, MFA, and managed identity
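An added illustration of the least-privilege and authorization points in this module, written for this page rather than taken from the workshop labs: a deny-by-default fallback policy and a policy that requires both a delegated scope and an app role, evaluated offline against constructed principals. The policy, scope, role and claim values are made up for the example; Microsoft.Identity.Web maps the `roles` claim of an Entra ID token to the identity's role claim type, which is what `RequireRole` reads, so the same policy definition applies to real tokens.

```csharp
// Added example for this page (not the workshop's lab code). .NET 8 console app with a
// reference to the Microsoft.AspNetCore.Authorization package. Policies are evaluated
// offline against constructed ClaimsPrincipals: no Entra ID tenant or HTTP pipeline.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

var services = new ServiceCollection();
services.AddLogging();
services.AddAuthorizationCore(options =>
{
    // Deny by default: with a FallbackPolicy, any endpoint without its own
    // [Authorize]/[AllowAnonymous] metadata still requires an authenticated caller.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();

    // Least privilege: writing orders needs BOTH the delegated scope (what the client
    // application was consented to) AND the app role (what this user may do).
    // Policy, scope and role names are constructed for the example.
    options.AddPolicy("Orders.Write", policy => policy
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx => HasScope(ctx.User, "Orders.Write"))
        .RequireRole("Orders.Admin"));
});

using var provider = services.BuildServiceProvider();
var authz = provider.GetRequiredService<IAuthorizationService>();
var policies = provider.GetRequiredService<IAuthorizationPolicyProvider>();

// Constructed callers. Entra ID carries delegated permissions in a space-separated
// "scp" claim and app roles in a "roles" claim; here the roles are placed directly
// under the identity's role claim type, which is what RequireRole checks.
var scopeButNoRole = Caller("Orders.Read Orders.Write");
var admin = Caller("Orders.Read Orders.Write", "Orders.Admin");
var anonymous = new ClaimsPrincipal(new ClaimsIdentity()); // no authentication type => not authenticated

Console.WriteLine($"scope without role may write: {(await authz.AuthorizeAsync(scopeButNoRole, "Orders.Write")).Succeeded}");
Console.WriteLine($"scope plus role may write:    {(await authz.AuthorizeAsync(admin, "Orders.Write")).Succeeded}");

var fallback = await policies.GetFallbackPolicyAsync();
Console.WriteLine($"anonymous passes fallback:    {(await authz.AuthorizeAsync(anonymous, null, fallback!)).Succeeded}");

// "scp" is a single space-separated string, so a substring check would be wrong
// ("Orders.WriteAll" contains "Orders.Write"); split and compare whole tokens.
static bool HasScope(ClaimsPrincipal user, string scope) =>
    user.FindFirst("scp")?.Value
        .Split(' ', StringSplitOptions.RemoveEmptyEntries)
        .Contains(scope, StringComparer.Ordinal) == true;

static ClaimsPrincipal Caller(string scopes, params string[] roles)
{
    var claims = new List<Claim>
    {
        new("oid", "00000000-0000-0000-0000-000000000000"), // constructed object id
        new("scp", scopes),
    };
    claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));
    // An authentication type is what makes IsAuthenticated true.
    return new ClaimsPrincipal(new ClaimsIdentity(claims, authenticationType: "Bearer"));
}
```

The first caller fails because the policy's requirements are ANDed: having the scope without the role is exactly the over-privileged client scenario the policy is meant to block. The fallback check shows why the deny-by-default policy matters: an endpoint a developer forgot to decorate is still closed to unauthenticated callers.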
Module 4: Cryptography and Data Protection (Article 21.2.h)
  • .NET cryptography APIs: authenticated symmetric encryption (AES-GCM), asymmetric encryption and digital signatures (RSA, ECDSA), hashing and message authentication (SHA-2, HMAC)
  • ASP.NET Core Data Protection API: key management, key rotation, purpose isolation
  • Azure Key Vault integration: storing secrets, keys, and certificates
  • TLS configuration best practices in .NET: minimum versions, cipher suites, HSTS
  • Encrypting data at rest: SQL Server Always Encrypted (handled by Microsoft.Data.SqlClient, transparent to Entity Framework Core) and application-level column encryption with EF Core value converters
  • Key lifecycle management: rotation, expiry, and revocation workflows
  • Hands-on: implement end-to-end data protection with Azure Key Vault and ASP.NET Core Data Protection
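An added example for two of the points above, written for this page and not taken from the lab: authenticated encryption with AES-GCM, including what happens when ciphertext is tampered with, and the purpose isolation of the ASP.NET Core Data Protection API. The key is generated in memory and the key ring is written to a temporary directory only so the example runs offline; the lab's Azure Key Vault and Blob Storage setup replaces both in a deployment. The record contents, purpose strings and associated data are constructed.

```csharp
// Added example for this page (not the workshop's lab code). .NET 8 console app.
// Part 1 needs only System.Security.Cryptography; part 2 references the package
// Microsoft.AspNetCore.DataProtection.Extensions and stores its key ring in a temp
// directory (stand-in for the Key Vault + Blob Storage configuration of the lab).
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.DataProtection;

// ---- Part 1: authenticated encryption with AES-256-GCM ----
// GCM provides confidentiality AND integrity: a flipped bit in ciphertext, tag or
// associated data is rejected on decrypt instead of silently producing garbage.
byte[] key = RandomNumberGenerator.GetBytes(32);                              // 256-bit key; in production it lives in Key Vault
byte[] nonce = RandomNumberGenerator.GetBytes(AesGcm.NonceByteSizes.MaxSize); // 12 bytes; must never repeat for the same key
byte[] aad = Encoding.UTF8.GetBytes("tenant=constructed-tenant;record=42");   // constructed: binds ciphertext to its record, not secret
byte[] plaintext = Encoding.UTF8.GetBytes("IBAN DE00 0000 0000 0000 0000 00 (constructed)");
byte[] ciphertext = new byte[plaintext.Length];
byte[] tag = new byte[AesGcm.TagByteSizes.MaxSize];                           // 16-byte authentication tag

using (var aes = new AesGcm(key, tag.Length))
{
    aes.Encrypt(nonce, plaintext, ciphertext, tag, aad);
}

// Simulate an attacker or storage fault flipping one bit, then decrypt.
ciphertext[0] ^= 0x01;
using (var aes = new AesGcm(key, tag.Length))
{
    var recovered = new byte[ciphertext.Length];
    try
    {
        aes.Decrypt(nonce, ciphertext, tag, recovered, aad);
        Console.WriteLine("tampered ciphertext decrypted (this must not happen)");
    }
    catch (AuthenticationTagMismatchException)
    {
        // Fail closed: nothing of the plaintext is exposed or acted upon.
        Console.WriteLine("tampered ciphertext rejected: authentication tag mismatch");
    }
}

// ---- Part 2: ASP.NET Core Data Protection purpose isolation ----
DirectoryInfo keyRingDir = Directory.CreateTempSubdirectory("dp-keys");
IDataProtectionProvider provider = DataProtectionProvider.Create(keyRingDir);

// Every purpose chain derives its own subkey from the shared key ring, so a
// payload protected for "PasswordReset" cannot be replayed as an "EmailConfirm" token
// even though both protectors sit on the same key ring.
IDataProtector reset = provider.CreateProtector("Identity", "PasswordReset");
IDataProtector confirm = provider.CreateProtector("Identity", "EmailConfirm");

string token = reset.Protect("user:00000000-0000-0000-0000-000000000000"); // constructed user id
Console.WriteLine($"same purpose round-trip: {reset.Unprotect(token)}");
try
{
    confirm.Unprotect(token);
    Console.WriteLine("cross-purpose unprotect succeeded (this must not happen)");
}
catch (CryptographicException)
{
    Console.WriteLine("cross-purpose unprotect rejected: purpose mismatch");
}
```

Both failure paths surface as exceptions rather than wrong data, which is the property to preserve when wiring this into an application: catch them at a boundary, log an audit event, and return a generic error, never the exception text.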
Module 5: Secure Development Practices (Article 21.2.e)
  • Secure software development lifecycle (SSDLC) for .NET teams
  • Dependency management and SCA with NuGet audit and Dependabot
  • SAST with Roslyn analyzers and security-focused code analysis
  • DAST and penetration testing integration in CI/CD pipelines
  • Container security: .NET image hardening, non-root users, distroless base images
  • GitHub Advanced Security and Azure DevOps security scanning
  • Hands-on: configure a NuGet audit pipeline and integrate a Roslyn security analyzer

Day 2: Incident Response, Supply Chain, Resilience, and Compliance
Module 6: Incident Handling and Detection (Article 21.2.b)
  • NIS-2 Article 23 reporting workflow: timeline, notification content, and responsible parties
  • Structured logging with Serilog and Microsoft.Extensions.Logging for audit trails
  • Distributed tracing with OpenTelemetry in .NET: correlating incidents across services
  • Anomaly detection and alerting with Azure Monitor and Application Insights
  • Microsoft Sentinel: creating detection rules from .NET application logs
  • Incident response runbooks: detection, containment, recovery steps
  • Hands-on: configure OpenTelemetry-based audit logging and create a Sentinel detection rule
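An added example of the audit trail shape this module works toward, written for this page and not taken from the lab. It uses the JSON console sink purely as a stand-in for the Serilog and OpenTelemetry exporters; the points it shows are the fixed event id and field names a Sentinel rule can key on, the W3C trace id that lets one incident be correlated across the API and the worker, and a parameter list that has no place for a token or password. Action, outcome and resource values are constructed.

```csharp
// Added example for this page (not the workshop's lab code). .NET 8 console app with the
// Microsoft.Extensions.Logging.Console package; the JSON console sink stands in for the
// Serilog / OpenTelemetry exporters used in the labs. The event shape is the point.
using System;
using System.Diagnostics;
using Microsoft.Extensions.Logging;

using var loggerFactory = LoggerFactory.Create(b => b.AddJsonConsole(o => o.IncludeScopes = true));
ILogger logger = loggerFactory.CreateLogger("Audit");

// An Activity carries the W3C trace id that OpenTelemetry propagates between services.
// The same TraceId in the API's and the worker's audit records is what lets an analyst
// stitch one incident together in Sentinel instead of guessing by timestamp.
using var activity = new Activity("CancelOrder").Start();

// Constructed request data. The actor is identified by its Entra object id, not by an
// e-mail address, and the bearer token that authorized the call is simply not a parameter.
const string actorObjectId = "00000000-0000-0000-0000-000000000000";

AuditLog.Action(logger,
    action: "order.cancel",
    outcome: "denied",
    actorId: actorObjectId,
    resource: "order/42",
    traceId: activity.TraceId.ToString());

AuditLog.Action(logger,
    action: "order.cancel",
    outcome: "success",
    actorId: actorObjectId,
    resource: "order/43",
    traceId: activity.TraceId.ToString());

// Source-generated audit event. A fixed EventId and message template give stable field
// names ("Action", "Outcome", "ActorId", ...) for detection rules, and the typed signature
// means a secret cannot be slipped into the record without changing the method.
static partial class AuditLog
{
    [LoggerMessage(EventId = 4001, Level = LogLevel.Information,
        Message = "audit action={Action} outcome={Outcome} actor={ActorId} resource={Resource} traceId={TraceId}")]
    public static partial void Action(ILogger logger, string action, string outcome,
        string actorId, string resource, string traceId);
}
```

With the exporter swapped for the lab's OpenTelemetry pipeline, a detection rule can then match on `EventId == 4001` and `Outcome == "denied"` grouped by `ActorId` over a time window, without any string parsing of free-text messages.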
Module 7: Supply Chain Security (Article 21.2.d)
  • NIS-2 supply chain requirements: assessing direct suppliers and service providers
  • NuGet package security: auditing for known vulnerabilities (NuGetAudit during dotnet restore, dotnet list package --vulnerable), lock files, private feeds
  • Software Bill of Materials (SBOM) generation: Microsoft sbom-tool (SPDX output) and the CycloneDX .NET tool (CycloneDX output)
  • Third-party API and SDK risk assessment
  • CI/CD pipeline security: protecting build secrets, signed commits, artifact signing with Sigstore cosign or Notation
  • Evaluating cloud providers against NIS-2: Microsoft compliance certifications (ISO 27001, SOC 2, BSI C5)
  • Hands-on: generate an SBOM, run a vulnerability audit, and configure signed packages in a pipeline
Module 8: Business Continuity and Resilience (Article 21.2.c)
  • Backup strategies for .NET applications: Azure Backup, geo-redundant storage
  • Disaster recovery patterns: active-passive, active-active, pilot light
  • Resilience in .NET with Microsoft.Extensions.Resilience (Polly v8): retry, circuit breaker, timeout, hedging
  • Health checks in ASP.NET Core: liveness, readiness, and dependency health endpoints
  • Chaos engineering basics: testing resilience with Azure Chaos Studio
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO) planning
  • Hands-on: add resilience policies with Microsoft.Extensions.Resilience and configure health check endpoints
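An added example of the resilience and health-check points in this module, written for this page rather than taken from the lab: a named resilience pipeline on an outbound HttpClient with the strategies in the order that keeps retries inside an overall time budget, and liveness and readiness endpoints that are split so dependency failures never cause restarts and never leak dependency details. The downstream "inventory" service, its host name and all thresholds are constructed.

```csharp
// Added example for this page (not the workshop's lab code). ASP.NET Core 8 minimal API
// with the Microsoft.Extensions.Http.Resilience package (which brings Polly v8). Host
// names, thresholds and the "inventory" dependency are constructed for the example.
using System.Net.Sockets;
using Microsoft.AspNetCore.Diagnostics.HealthChecks;
using Microsoft.Extensions.Diagnostics.HealthChecks;
using Microsoft.Extensions.Http.Resilience;
using Polly;

var builder = WebApplication.CreateBuilder(args);

// Outbound calls to a downstream service get a named resilience pipeline. Strategies are
// listed outermost first: total timeout -> retry -> circuit breaker -> per-attempt timeout,
// so retries cannot exceed the overall budget and a dependency that is down trips the
// breaker instead of absorbing every retry from every caller.
builder.Services.AddHttpClient("inventory", c => c.BaseAddress = new Uri("https://inventory.internal.example/"))
    .AddResilienceHandler("inventory-pipeline", pipeline =>
    {
        pipeline.AddTimeout(TimeSpan.FromSeconds(10));                  // total budget for the whole call
        pipeline.AddRetry(new HttpRetryStrategyOptions
        {
            MaxRetryAttempts = 3,
            BackoffType = DelayBackoffType.Exponential,
            UseJitter = true,                                           // spreads retries so callers do not retry in lock-step
            Delay = TimeSpan.FromMilliseconds(200),
        });
        pipeline.AddCircuitBreaker(new HttpCircuitBreakerStrategyOptions
        {
            FailureRatio = 0.5,
            SamplingDuration = TimeSpan.FromSeconds(30),
            MinimumThroughput = 10,
            BreakDuration = TimeSpan.FromSeconds(15),
        });
        pipeline.AddTimeout(TimeSpan.FromSeconds(2));                   // budget per attempt
    });

builder.Services.AddHealthChecks()
    // Liveness must not touch dependencies: a broken database must never make the
    // orchestrator restart otherwise healthy instances.
    .AddCheck("self", () => HealthCheckResult.Healthy(), tags: new[] { "live" })
    // Readiness probes the dependency with its own bounded timeout.
    .AddCheck("inventory", new TcpDependencyHealthCheck("inventory.internal.example", 443), tags: new[] { "ready" });

var app = builder.Build();

// Separate endpoints so platform probes can treat them differently. The default response
// writer returns only the aggregate status text ("Healthy"/"Unhealthy"), so no dependency
// names or error details reach a caller; keep it that way on anything reachable from outside.
app.MapHealthChecks("/health/live", new HealthCheckOptions { Predicate = r => r.Tags.Contains("live") });
app.MapHealthChecks("/health/ready", new HealthCheckOptions { Predicate = r => r.Tags.Contains("ready") });

app.MapGet("/orders/{id:int}/stock", async (int id, IHttpClientFactory factory, CancellationToken ct) =>
{
    var client = factory.CreateClient("inventory");          // pipeline applies to every request on this client
    using var response = await client.GetAsync($"stock/{id}", ct);
    return response.IsSuccessStatusCode
        ? Results.Ok(await response.Content.ReadAsStringAsync(ct))
        : Results.StatusCode(StatusCodes.Status503ServiceUnavailable);
});

app.Run();

// Constructed readiness check: a TCP connect with a hard 2-second bound, so a hung
// dependency marks the service not-ready instead of hanging the probe itself.
sealed class TcpDependencyHealthCheck(string host, int port) : IHealthCheck
{
    public async Task<HealthCheckResult> CheckHealthAsync(HealthCheckContext context, CancellationToken cancellationToken = default)
    {
        using var timeout = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
        timeout.CancelAfter(TimeSpan.FromSeconds(2));
        using var client = new TcpClient();
        try
        {
            await client.ConnectAsync(host, port, timeout.Token);
            return HealthCheckResult.Healthy();
        }
        catch (Exception ex) when (ex is SocketException or OperationCanceledException)
        {
            // Generic description on purpose: the cause belongs in the logs, not in the HTTP response.
            return HealthCheckResult.Unhealthy("dependency unreachable");
        }
    }
}
```

The ordering of the four strategies is the part most often done wrong: a retry placed outside the total timeout can keep a request alive for MaxRetryAttempts times the timeout, which is the behaviour that turns a slow dependency into an outage of the caller.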
Module 9: Cyber Hygiene and Security Training (Article 21.2.g)
  • Baseline cyber hygiene for .NET development teams: patch management, endpoint security, password policies
  • Security awareness integration into developer onboarding and sprint processes
  • Penetration testing and red team engagement planning for .NET applications
  • Measuring security posture: Secure Score in Microsoft Defender for Cloud
  • Automated compliance checks with Azure Policy for .NET workloads
  • Hands-on: configure Azure Policy for a .NET workload and review Secure Score recommendations
Module 10: Audit Readiness and NIS-2 Documentation (Article 21.2.f)
  • Evidence collection for NIS-2 audits: logs, policies, test results, risk registers
  • Azure compliance documentation: Compliance Manager, audit reports, certifications
  • Mapping .NET application security controls to Article 21 measures
  • Supervisory authority interactions: what to expect during an inspection
  • Building a NIS-2 compliance dashboard with Azure Monitor Workbooks
  • Ongoing compliance: integrating NIS-2 checks into sprint reviews and architecture decision records
  • Hands-on: build a compliance mapping document for a sample .NET application

Hands-on Labs

Each module includes at least one hands-on lab. Participants work with a realistic multi-service .NET reference application (ASP.NET Core Web API, a background worker service, and a React frontend) deployed on Azure throughout the workshop. Labs build on each other to produce a progressively hardened, NIS-2-aligned system.

Day 1 Labs:

  • Lab 1: Threat model an ASP.NET Core API with STRIDE
  • Lab 2: Secure an API with Microsoft Entra ID, MFA, and managed identity
  • Lab 3: Implement data protection and Azure Key Vault integration
  • Lab 4: Configure a NuGet vulnerability audit pipeline with Roslyn security analyzers

Day 2 Labs:

  • Lab 5: Set up OpenTelemetry audit logging and a Microsoft Sentinel detection rule
  • Lab 6: Generate an SBOM and configure artifact signing in a CI/CD pipeline
  • Lab 7: Add Microsoft.Extensions.Resilience policies and ASP.NET Core health checks
  • Lab 8: Build a NIS-2 compliance mapping document and Azure Monitor Workbook

Outcomes

After completing this workshop, participants will be equipped to:

  • Assess their organization's .NET applications against all ten Article 21 NIS-2 measures
  • Implement concrete security controls in C# and ASP.NET Core addressing each requirement
  • Integrate NIS-2 compliance activities into existing DevSecOps workflows
  • Leverage Azure security services to fulfill NIS-2 obligations (monitoring, incident reporting, audit)
  • Produce audit-ready documentation and evidence for supervisory authorities
  • Act as a NIS-2 technical lead within their development team

Advanced Learning Paths

  • Zero Trust Architecture with .NET and Azure – deep-dive into identity-centric security beyond NIS-2 basics
  • DORA Compliance for .NET Financial Services – Digital Operational Resilience Act requirements for the financial sector
  • Azure Security Architecture – designing defense-in-depth for cloud-native .NET workloads
  • Secure DevOps and Supply Chain Security – advanced SBOM, SLSA framework, and pipeline hardening