Introduction to NORS

PreviousNode Operator Risk Standard (NORS)NextNORS Qualified Assessor Policy

Last updated 8 months ago

Introduction to NORS

The Node Operator Risk Standard (NORS) is an enterprise-grade certification framework designed to ensure the operational security and reliability of Ethereum validator infrastructure. Developed by a working group of industry leaders and experts, NORS establishes rigorous, objective criteria for risk management in the Ethereum staking ecosystem.

By achieving NORS certification, node operators can demonstrate their commitment to professional and secure validation practices, thereby enhancing the trustworthiness and resilience of the Ethereum network.

The core of the NORS certification is the Risk Control Matrix (RCM), which outlines specific control objectives designed to address relevant risks, illustrative control activities, testing procedures, and examples of evidence documentation. Node operators must ensure documentation exists to prove that the objectives are suitably met.
The controls are categorized into key areas:
- Anti-slashing
- Change Control
- Disaster Recovery / Business Continuity
- Entity Level Control
- Infrastructure
- Private Key Management
Each control objective within the RCM is designed to be flexible, allowing node operators to document multiple activities or relevant certifications that meet the control objectives. The RCM is comprehensive yet adaptable, permitting updates and expansions as the Ethereum ecosystem evolves.
Included in the RCM is a document request list. This resource is meant to help illustrate the types of documents that could be provided by a node operator as part of their assessment.

To ensure objectivity and credibility, NORS certification requires receiving a passing assurance report completed by a NORS Qualified Assessor. These assessors have expertise in evaluating risk management and operational security.
Assessors must be licensed and adhere to stringent guidelines to maintain their qualification status, as defined in the NORS Qualified Assessor Policy.
Node operators may also choose to engage with a separate NORS Qualified Readiness Assessor to complete readiness. NORS Qualified Readiness Assessors can perform advisory services against the NORS control objectives, but cannot participate in audit or attestation engagements.

Conduct readiness with the Qualified Assessor (or a separate NORS Qualified Readiness Assessor, at your discretion) to prepare your company for its assessment, ensuring you are prepared to provide the appropriate attestation documentation.
Complete any remediation as an output from the readiness assessment.
Receive an official custom assurance report from your Qualified Assessor.
If your Qualified Assessor has attested that your operations meet the NORS control objectives, apply for NORS certification, including your passing assurance report.
Successfully complete a compliance screening and agree to the NORS Certification Terms and Conditions.
Receive and display NORS certification from NORS, if your Qualified Assessor has attested that your operations meet the NORS control objectives.

PreviousNode Operator Risk Standard (NORS)NextNORS Qualified Assessor Policy

Last updated 8 months ago

The core of the NORS certification is the Risk Control Matrix (RCM), which outlines specific control objectives designed to address relevant risks, illustrative control activities, testing procedures, and examples of evidence documentation. Node operators must ensure documentation exists to prove that the objectives are suitably met.
The controls are categorized into key areas:
- Anti-slashing
- Change Control
- Disaster Recovery / Business Continuity
- Entity Level Control
- Infrastructure
- Private Key Management
Each control objective within the RCM is designed to be flexible, allowing node operators to document multiple activities or relevant certifications that meet the control objectives. The RCM is comprehensive yet adaptable, permitting updates and expansions as the Ethereum ecosystem evolves.
Included in the RCM is a document request list. This resource is meant to help illustrate the types of documents that could be provided by a node operator as part of their assessment.

To ensure objectivity and credibility, NORS certification requires receiving a passing assurance report completed by a NORS Qualified Assessor. These assessors have expertise in evaluating risk management and operational security.
Assessors must be licensed and adhere to stringent guidelines to maintain their qualification status, as defined in the NORS Qualified Assessor Policy.
Node operators may also choose to engage with a separate NORS Qualified Readiness Assessor to complete readiness. NORS Qualified Readiness Assessors can perform advisory services against the NORS control objectives, but cannot participate in audit or attestation engagements.

Engage with a NORS Qualified Assessor. View the full list of Qualified Assessors .
Conduct readiness with the Qualified Assessor (or a separate NORS Qualified Readiness Assessor, at your discretion) to prepare your company for its assessment, ensuring you are prepared to provide the appropriate attestation documentation.
Complete any remediation as an output from the readiness assessment.
Complete attestation with Qualified Assessor, providing relevant materials to show that your company adequately meets NORS control objectives. View full NORS Risk & Controls Matrix .
Receive an official custom assurance report from your Qualified Assessor.
If your Qualified Assessor has attested that your operations meet the NORS control objectives, apply for NORS certification, including your passing assurance report.
Successfully complete a compliance screening and agree to the NORS Certification Terms and Conditions.
Receive and display NORS certification from NORS, if your Qualified Assessor has attested that your operations meet the NORS control objectives.

For more information, visit the