Introduction to NORS

The Node Operator Risk Standard (NORS) is an enterprise-grade certification framework designed to ensure the operational security and reliability of Ethereum validator infrastructure. Developed by a working group of industry leaders and experts, NORS establishes rigorous, objective criteria for risk management in the Ethereum staking ecosystem.

By achieving NORS certification, node operators can demonstrate their commitment to professional and secure validation practices, thereby enhancing the trustworthiness and resilience of the Ethereum network.

NORS Pathways

NORS has two distinct certification pathways for Node Operators:

NORS

NORS is the comprehensive certification framework, which is a rigorous, peer-reviewed standard designed to objectively evaluate and certify operational practices, security, and reliability in staking. This pathway is designed for established node operators with mature operational practices.

NORS Entry

NORS Entry is a streamlined certification tier designed to make professional-grade staking security standards more accessible to node operators across the blockchain ecosystem. This pathway provides a more accessible entry point while maintaining core security and operational standards.

NORS Components

NORS Risk Control Matrix

  • The core of the NORS certification is the Risk Control Matrix (RCM), which outlines specific control objectives designed to address relevant risks, illustrative control activities, testing procedures, and examples of evidence documentation. Node operators must ensure documentation exists to prove that the objectives are suitably met.

  • The controls are categorized into key areas:

    • Anti-slashing

    • Change Control

    • Disaster Recovery / Business Continuity

    • Entity Level Control

    • Infrastructure

    • Private Key Management

  • Each control objective within the RCM is designed to be flexible, allowing node operators to document multiple activities or relevant certifications that meet the control objectives. The RCM is comprehensive yet adaptable, permitting updates and expansions as the Ethereum ecosystem evolves.

  • Included in the RCM is a document request list. This resource is meant to help illustrate the types of documents that could be provided by a node operator as part of their assessment.

View the NORS Risk Control Matrix here

NORS Entry Risk Control Matrix

  • NORS Entry has its own dedicated Risk Control Matrix (RCM) that is streamlined and focused on essential security and operational controls. This RCM is designed to be more accessible while maintaining core security standards.

  • The NORS Entry RCM covers the same key control areas as the full NORS RCM but with a reduced scope:

    • Anti-slashing

    • Change Control

    • Disaster Recovery / Business Continuity

    • Entity Level Control

    • Infrastructure

    • Private Key Management

  • The NORS Entry RCM is designed to provide a clear pathway for node operators to achieve professional-grade certification while being more achievable for organizations with smaller teams or newer operations.

  • Like the full NORS RCM, the NORS Entry RCM includes a document request list to help illustrate the types of documents that could be provided during assessment.

View the NORS Entry Risk Control Matrix here

Qualified Assessor Policy

  • To ensure objectivity and credibility, NORS certification requires receiving a passing assurance report completed by a NORS Qualified Assessor. These assessors have expertise in evaluating risk management and operational security.

  • Assessors must be licensed and adhere to stringent guidelines to maintain their qualification status, as defined in the NORS Qualified Assessor Policy.

  • Node operators may also choose to engage with a separate NORS Qualified Readiness Assessor to complete readiness. NORS Qualified Readiness Assessors can perform advisory services against the NORS control objectives, but cannot participate in audit or attestation engagements.

View the Qualified Assessor Policy here

Steps to Achieve NORS and NORS Entry Certification

The certification process is the same for both NORS and NORS Entry pathways:

  1. Choose your pathway: Determine whether you're pursuing full NORS certification or NORS Entry certification based on your organization's maturity and operational complexity.

  2. Engage with a NORS Qualified Assessor: View the full list of Qualified Assessors here.

  3. Conduct readiness assessment: Work with the Qualified Assessor (or a separate NORS Qualified Readiness Assessor, at your discretion) to prepare your company for its assessment, ensuring you are prepared to provide the appropriate attestation documentation.

  4. Complete remediation: Address any gaps identified during the readiness assessment.

  5. Complete attestation: Work with your Qualified Assessor, providing relevant materials to show that your company adequately meets the control objectives for your chosen pathway:

    • For NORS: View the full NORS Risk & Controls Matrix here

    • For NORS Entry: View the NORS Entry Risk & Controls Matrix here

  6. Receive assurance report: Obtain an official custom assurance report from your Qualified Assessor.

  7. Apply for certification: If your Qualified Assessor has attested that your operations meet the control objectives, apply for NORS certification, including your passing assurance report.

  8. Complete compliance screening: Successfully complete a compliance screening and agree to the NORS Certification Terms and Conditions.

  9. Receive certification: Receive and display your NORS or NORS Entry certification from NORS.

For more information, visit the NORS website at nors.global

PreviousNode Operator Risk Standard (NORS)NextNORS Qualified Assessor Policy

Last updated