Introduction to NORS

The Node Operator Risk Standard (NORS) is an enterprise-grade certification framework designed to ensure the operational security and reliability of Ethereum validator infrastructure. Developed by a working group of industry leaders and experts, NORS establishes rigorous, objective criteria for risk management in the Ethereum staking ecosystem.

By achieving NORS certification, node operators can demonstrate their commitment to professional and secure validation practices, thereby enhancing the trustworthiness and resilience of the Ethereum network.

  • The core of the NORS certification is the Risk Control Matrix (RCM), which outlines specific control objectives designed to address relevant risks, illustrative control activities, testing procedures, and examples of evidence documentation. Node operators must ensure documentation exists to prove that the objectives are suitably met.

  • The controls are categorized into key areas:

    • Anti-slashing

    • Change Control

    • Disaster Recovery / Business Continuity

    • Entity Level Control

    • Infrastructure

    • Private Key Management

  • Each control objective within the RCM is designed to be flexible, allowing node operators to document multiple activities or relevant certifications that meet the control objectives. The RCM is comprehensive yet adaptable, permitting updates and expansions as the Ethereum ecosystem evolves.

  • Included in the RCM is a document request list. This resource is meant to help illustrate the types of documents that could be provided by a node operator as part of their assessment.

View the Risk Control Matrix here

  • To ensure objectivity and credibility, NORS certification requires receiving a passing assurance report completed by a NORS Qualified Assessor. These assessors have expertise in evaluating risk management and operational security.

  • Assessors must be licensed and adhere to stringent guidelines to maintain their qualification status, as defined in the NORS Qualified Assessor Policy.

  • Node operators may also choose to engage a separate NORS Qualified Readiness Assessor to complete a readiness assessment. NORS Qualified Readiness Assessors can perform advisory services against the NORS control objectives, but cannot participate in audit or attestation engagements.

View the Qualified Assessor Policy here

  1. Engage with a NORS Qualified Assessor. View the full list of Qualified Assessors here.

  2. Conduct readiness with the Qualified Assessor (or a separate NORS Qualified Readiness Assessor, at your discretion) to prepare your company for its assessment, ensuring you are prepared to provide the appropriate attestation documentation.

  3. Complete any remediation as an output from the readiness assessment.

  4. Complete attestation with your Qualified Assessor, providing relevant materials to show that your company adequately meets the NORS control objectives. View the full NORS Risk & Controls Matrix here.

  5. Receive an official custom assurance report from your Qualified Assessor.

  6. If your Qualified Assessor has attested that your operations meet the NORS control objectives, apply for NORS certification, including your passing assurance report.

  7. Successfully complete a compliance screening and agree to the NORS Certification Terms and Conditions.

  8. Receive and display NORS certification from NORS, if your Qualified Assessor has attested that your operations meet the NORS control objectives.

For more information, visit the NORS website at nors.global
