Operators declare compliance.frameworks.nis2.entityType = "essential" or
"important". Thresholds adjust accordingly. The values below are Nix
option values, evaluated at system build time. DORA has an analogous "critical
provider" flag, ISO 27001 uses certificationScope = "full" | "partial",
and ANSSI uses a four-tier level (minimal | intermediary | reinforced | high).

| Parameter | Essential | Important |
|---|---|---|
| Evidence collection frequency | Hourly | Daily 06:00 |
| SSH idle timeout | 15 min | 30 min |
| Input staleness warning | 14 days | 30 days |
| Audit log retention | 730 days | 365 days |
| Backup retention | 730 days | 365 days |
| Backup verification interval | Daily | Weekly |
| Hardening level | strict | standard |
| Minimum rollback generations | 10 | 5 |
| RTO target | 4 hours | 24 hours |
| Max nixpkgs age | 14 days | 30 days |
| Block on critical CVE | Yes | No |
| MFA required | Yes | No |

Defaults are encoded in frameworks/nis2.nix in the compliance repo. Each parameter can be overridden per-host via the corresponding compliance.controls.<name>.* option.
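The sketch below is an added example, not the contents of frameworks/nis2.nix. It shows how tier defaults and a per-host override can interact in the NixOS module system. The option names under compliance.controls are hypothetical, only four table rows are modelled, and `<nixpkgs>` is assumed to be on the Nix path.

```nix
# Added illustration: tier defaults selected by entityType, set with mkDefault
# so that a per-host definition takes precedence at build time.
let
  lib = import <nixpkgs/lib>;
  inherit (lib) mkOption mkDefault types;

  # Values copied from the table above (subset).
  tiers = {
    essential = { sshIdle = 15; logDays = 730; generations = 10; blockCve = true; };
    important = { sshIdle = 30; logDays = 365; generations = 5; blockCve = false; };
  };

  # Stand-in for the framework module; control option names are hypothetical.
  frameworkModule = { config, ... }: {
    options.compliance = {
      frameworks.nis2.entityType = mkOption {
        type = types.enum [ "essential" "important" ];
      };
      controls = {
        ssh.idleTimeoutMinutes = mkOption { type = types.ints.positive; };
        auditLog.retentionDays = mkOption { type = types.ints.positive; };
        rollback.minGenerations = mkOption { type = types.ints.positive; };
        cve.blockOnCritical = mkOption { type = types.bool; };
      };
    };

    config.compliance.controls =
      let t = tiers.${config.compliance.frameworks.nis2.entityType}; in {
        ssh.idleTimeoutMinutes = mkDefault t.sshIdle;
        auditLog.retentionDays = mkDefault t.logDays;
        rollback.minGenerations = mkDefault t.generations;
        cve.blockOnCritical = mkDefault t.blockCve;
      };
  };

  # Per-host configuration: an "important" entity that tightens one control.
  hostModule = {
    compliance.frameworks.nis2.entityType = "important";
    compliance.controls.ssh.idleTimeoutMinutes = 15; # overrides the 30 min default
  };
in
# Evaluate both modules and return the resolved control values.
(lib.evalModules { modules = [ frameworkModule hostModule ]; }).config.compliance.controls
```

Saved to a file, this can be evaluated with `nix-instantiate --eval --strict`. Because a plain definition outranks `mkDefault`, the same mechanism lets a host loosen a threshold, so per-host overrides are worth checking in review.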