NIS2 Protection Controls (PR): Technical and Organizational Measures in Execution


February 03, 2026

In the NIS2 baseline, the Protection domain (PR) translates risk decisions into concrete safeguards over identities, data, platforms, and infrastructure. For compliance teams, the goal is to implement protection controls that are risk-based, consistently enforced, and supported by operational evidence.

Sources: ACN baseline obligations determination, ACN baseline reading guide

Key takeaways

  • PR controls are the main execution layer for reducing the likelihood and impact of cyber incidents.
  • Baseline requirements cover identity and access, training, data security, platform security, and infrastructure resilience.
  • Several controls are explicitly risk-conditioned and must be justified through risk-assessment outputs.
  • Documentary evidence is required for implementation, monitoring, and periodic review.

Sources: ACN baseline obligations determination

PR control model in practice

1. Identity, authentication, and access control (PR.AA)

Define and manage identities, credentials, permissions, and physical/logical access controls, including stronger authentication where risk requires it.
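The "privilege reviews" this family expects as evidence are easiest to defend when they are produced mechanically from the identity data rather than assembled by hand. The script below is an added example, not part of the ACN baseline or the original article: it runs a review over a constructed account export (the record fields, the 90-day dormancy threshold and the evidence-record layout are all assumptions about what an IdP/HR join and a review file might look like) and flags the four conditions a reviewer would want listed: privileged accounts without MFA, dormant accounts, accounts still active after their HR leave date, and accounts with no recorded owner.

```python
"""Privileged-access review over a constructed account export (PR.AA).

Added example, not part of the ACN baseline or the original article. The
records in SAMPLE_ACCOUNTS are constructed sample data; the field names
(user, privileged, mfa, last_login, status, owner, leave_date) and the
evidence-record layout are assumptions, not a format the baseline defines.
"""
from datetime import date

# Constructed sample export: the join between IdP and HR data that a
# quarterly privilege review would typically start from.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "privileged": True, "mfa": True, "last_login": "2026-01-28",
     "status": "active", "owner": "it-ops", "leave_date": None},
    {"user": "bob", "privileged": True, "mfa": False, "last_login": "2026-01-30",
     "status": "active", "owner": "it-ops", "leave_date": None},
    {"user": "carol", "privileged": False, "mfa": True, "last_login": "2025-09-01",
     "status": "active", "owner": "finance", "leave_date": None},
    {"user": "dave", "privileged": False, "mfa": True, "last_login": "2026-01-15",
     "status": "active", "owner": "hr", "leave_date": "2025-12-31"},
    {"user": "svc-backup", "privileged": True, "mfa": False, "last_login": "2026-02-01",
     "status": "active", "owner": None, "leave_date": None},
]


def _days_since(iso_day, today):
    return (today - date.fromisoformat(iso_day)).days


def review_accounts(accounts, today_iso, dormant_days=90):
    """Return one finding per policy violation found in the export.

    Checks: privileged account without MFA, active account dormant for more
    than dormant_days, account still active after its HR leave date, and
    account with no recorded owner (so nobody can attest to its need).
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        if acct["status"] != "active":
            continue  # disabled accounts are out of scope for this review
        user = acct["user"]
        if acct["privileged"] and not acct["mfa"]:
            findings.append({"user": user, "issue": "privileged-without-mfa"})
        if _days_since(acct["last_login"], today) > dormant_days:
            findings.append({"user": user, "issue": "dormant"})
        if acct["leave_date"] and date.fromisoformat(acct["leave_date"]) < today:
            findings.append({"user": user, "issue": "active-after-leave"})
        if acct["owner"] is None:
            findings.append({"user": user, "issue": "no-owner"})
    return findings


def build_evidence_record(accounts, today_iso, reviewer):
    """Evidence record to file with the review: scope, counts, findings, result."""
    findings = review_accounts(accounts, today_iso)
    active = [a for a in accounts if a["status"] == "active"]
    return {
        "review_date": today_iso,
        "reviewer": reviewer,
        "accounts_in_scope": len(active),
        "privileged_in_scope": sum(1 for a in active if a["privileged"]),
        "findings": findings,
        "result": "pass" if not findings else "fail",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_evidence_record(SAMPLE_ACCOUNTS, "2026-02-03", "ciso-office"), indent=2))
```

Run as-is it prints a failing record with five findings; in practice the input would be the real export and the record would be filed alongside the sign-off of the remediation for each finding, which is what turns a script run into review evidence.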

2. Awareness and training (PR.AT)

Adopt an approved training plan, execute recurring awareness programs, and maintain completion evidence for relevant personnel.

3. Data security and backup (PR.DS)

Protect confidentiality, integrity, and availability of data at rest/in transit, and implement protected backups with restoration testing.
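A restore test is only evidence of recoverability if it checks the restored data, not just that the restore command exited cleanly. The script below is an added example, not part of the ACN baseline or the original article: it archives a constructed data set with the standard library, restores it elsewhere, verifies every file by SHA-256 against a manifest taken from the source, and returns the record a restore test should leave behind (the record layout and the sample files are assumptions). The optional tamper argument corrupts one restored file so the check can be shown to fail when a restore is actually bad.

```python
"""Backup restore test with integrity verification (PR.DS).

Added example, not part of the ACN baseline or the original article.
SAMPLE_FILES is constructed data standing in for the protected data set;
the evidence-record layout is an assumption.
"""
import hashlib
import os
import tarfile
import tempfile
from datetime import datetime, timezone

# Constructed sample data set to back up and restore.
SAMPLE_FILES = {
    "db/customers.csv": b"id,name\n1,ACME\n2,Globex\n",
    "db/orders.csv": b"id,customer_id\n10,1\n11,2\n",
    "config/app.ini": b"[app]\nmode=prod\n",
}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sample(root):
    for rel, data in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def build_manifest(root):
    """Relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def backup(src, archive_path):
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src, arcname=".")


def restore(archive_path, dest):
    # The "data" extraction filter (Python 3.12, backported to maintenance
    # releases) rejects path-traversal and device entries; fall back where absent.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive_path, "r:gz") as tar:
        tar.extractall(dest, **kwargs)


def verify_restore(manifest, restored_root):
    """Compare restored files against the source manifest; return problems."""
    problems = []
    for rel, expected in manifest.items():
        full = os.path.join(restored_root, rel)
        if not os.path.isfile(full):
            problems.append({"file": rel, "issue": "missing"})
        elif sha256_of(full) != expected:
            problems.append({"file": rel, "issue": "hash-mismatch"})
    return problems


def run_restore_test(tamper=None):
    """Full cycle source -> archive -> restore -> verify; returns an evidence record.

    tamper optionally names a restored file to corrupt before verification,
    demonstrating that the check fails on a bad restore instead of passing vacuously.
    """
    with tempfile.TemporaryDirectory() as work:
        src, dest = os.path.join(work, "src"), os.path.join(work, "restored")
        archive = os.path.join(work, "backup.tar.gz")
        os.makedirs(src)
        os.makedirs(dest)
        write_sample(src)
        manifest = build_manifest(src)  # taken before backup, so it is independent of the archive
        backup(src, archive)
        restore(archive, dest)
        if tamper:
            with open(os.path.join(dest, tamper), "ab") as f:
                f.write(b"corrupt")
        problems = verify_restore(manifest, dest)
        return {
            "tested_at": datetime.now(timezone.utc).isoformat(),
            "archive_sha256": sha256_of(archive),
            "files_verified": len(manifest),
            "problems": problems,
            "result": "pass" if not problems else "fail",
        }


if __name__ == "__main__":
    print(run_restore_test())
    print(run_restore_test(tamper="db/orders.csv"))
```

For a real backup the manifest would be computed at backup time and stored apart from the archive (otherwise a corrupted or tampered archive could carry a matching manifest), and the returned record is what goes into the restore-test log the baseline asks for.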

4. Platform security (PR.PS)

Manage the software lifecycle (patching and change), log generation and retention, and secure development practices, aligned to organizational risk.

5. Infrastructure resilience (PR.IR)

Protect networks and environments from unauthorized use and maintain resilience-focused safeguards for critical services.

Sources: ACN baseline obligations determination, ACN baseline reading guide

Minimum evidence set for PR readiness

PR area | Practical objective | Typical evidence
PR.AA | Controlled access lifecycle and authentication governance | Access policy, account lifecycle records, privilege reviews
PR.AT | Demonstrable security awareness execution | Approved training plan, attendance/completion logs
PR.DS | Data protection and recoverability | Data-protection procedures, backup records, restore-test logs
PR.PS | Secure platform operation and traceability | Patch/change records, logging configuration, secure-dev procedures
PR.IR | Protected and resilient infrastructure | Network protection procedures, segmentation/access records

Sources: ACN baseline obligations determination

90-day execution checklist

  1. Reconcile access-control policies with identity lifecycle and privileged-access governance.
  2. Confirm risk-based authentication requirements and document exceptions where justified.
  3. Validate backup strategy and schedule restoration tests with documented outcomes.
  4. Review logging, retention, and secure software maintenance practices.
  5. Consolidate PR evidence packs by control family for audit readiness.

FAQ

Are PR controls purely technical?

No. The PR domain combines technical safeguards with organizational controls such as training, policy enforcement, and governance-approved procedures. Source: ACN baseline obligations determination

Is multifactor authentication always mandatory everywhere?

Implementation is risk-conditioned in the baseline model. Scope and modality should be aligned to risk assessment outcomes and documented rationale. Sources: ACN baseline reading guide, ACN baseline obligations determination

What is the minimum backup evidence expected?

At minimum, organizations should maintain backup protection records and periodic restore-test outputs demonstrating recoverability. Source: ACN baseline obligations determination
