Back to Frameworks
NATO Cyber Defence Policy and NATO Computer Incident Response Capability (NCIRC)
International (NATO — 32 members)
v2024
19 domains
31 controls
The NATO cyber defence framework is defined by the NATO Cyber Defence Policy (original 2014, updated 2021) and operationalised through the NATO Computer Incident Response Capability (NCIRC) managed by the NATO Communications and Information Agency (NCI Agency). The CCDCOE provides research and the Tallinn Manual on the International Law Applicable to Cyber Operations, but these are not NATO policy documents. Key references: NATO Cyber Defence Policy (2021), NCIRC Handbook (2022), NCI Agency publications.
Verified
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (19)
Access Control
1 controls
| Code | Title |
|---|---|
| NATO-CYB-14 | Access Control to Classified Systems |
Assurance
1 controls
| Code | Title |
|---|---|
| NATO-CYB-18 | Annual Self Assessment Reporting |
Audit and Accountability
1 controls
| Code | Title |
|---|---|
| NATO-CYB-13 | Logging and Retention |
Configuration Management
1 controls
| Code | Title |
|---|---|
| NATO-CYB-12 | Configuration Baselines |
Cryptography
1 controls
| Code | Title |
|---|---|
| NATO-CYB-06 | Cryptographic Material Handling |
Cyber Defence Integration
3 controls
| Code | Title |
|---|---|
| NCIRC-4.1 | Collective Defence Integration |
| NCIRC-4.2 | Cyberspace as Operational Domain |
| NCIRC-4.3 | Cyber Defence Exercises |
Cyber Defence Policy and Governance
3 controls
| Code | Title |
|---|---|
| NCIRC-1.1 | Cyber Defence Policy |
| NCIRC-1.2 | Cyber Defence Committee Governance |
| NCIRC-1.3 | NC3 Board Technical Oversight |
Governance
1 controls
| Code | Title |
|---|---|
| NATO-CYB-01 | Cyber Defence Policy Alignment |
Incident Management
2 controls
| Code | Title |
|---|---|
| NATO-CYB-02 | NCIRC Reporting Channel |
| NATO-CYB-05 | Incident Triage and Categorisation |
Media Handling
1 controls
| Code | Title |
|---|---|
| NATO-CYB-15 | Media Sanitisation and Destruction |
NCIRC Operations
4 controls
| Code | Title |
|---|---|
| NCIRC-2.1 | Centralised Cyber Defence Support |
| NCIRC-2.2 | Incident Handling and Reporting |
| NCIRC-2.3 | Rapid Reaction Teams |
| NCIRC-2.4 | Threat Intelligence Sharing |
National Cyber Defence Capabilities
3 controls
| Code | Title |
|---|---|
| NCIRC-3.1 | National Cyber Defence Development |
| NCIRC-3.2 | Cyber Defence Pledge Compliance |
| NCIRC-3.3 | CCDCOE Standards Development |
Network Security
2 controls
| Code | Title |
|---|---|
| NATO-CYB-03 | Classified Network Segregation |
| NATO-CYB-16 | Cross Domain Solutions |
Personnel Security
1 controls
| Code | Title |
|---|---|
| NATO-CYB-07 | Personnel Security Clearances |
Resilience Testing
1 controls
| Code | Title |
|---|---|
| NATO-CYB-10 | Cyber Exercises and Tabletops |
Security Monitoring
1 controls
| Code | Title |
|---|---|
| NATO-CYB-08 | Security Operations Centre Monitoring |
Supply Chain
1 controls
| Code | Title |
|---|---|
| NATO-CYB-11 | Supply Chain Risk Management |
Threat Intelligence
1 controls
| Code | Title |
|---|---|
| NATO-CYB-04 | Cyber Threat Intelligence Sharing |
Vulnerability Management
2 controls
| Code | Title |
|---|---|
| NATO-CYB-09 | Vulnerability Management |
| NATO-CYB-17 | Coordinated Vulnerability Disclosure |
Your Compliance Coverage
If you comply with NATO Cyber Defence Policy and NATO Computer Incident Response Capability (NCIRC), you already cover:
HKMA Cyber Resilience Assessment Framework (C-RAF)
6%
2 controls mapped
Compare →BS 65000:2014 - Guidance on Organizational Resilience
6%
2 controls mapped
Compare →FFIEC Cybersecurity Assessment Tool (CAT)
6%
2 controls mapped
Compare →+ 146 more: ILO Nursing Personnel Convention C149 (1977) (6%), 6th Anti-Money Laundering Directive (AMLD6, Directive (EU) 2018/1673) - superseded by AMLD7 (6%)
See all 149 mapped frameworks ↓Maps to 149 other frameworks
31 total controls
HKMA Cyber Resilience Assessment Framework (C-RAF)
2 source controls mapped|3 target controls covered
6%
BS 65000:2014 - Guidance on Organizational Resilience
2 source controls mapped|4 target controls covered
6%
FFIEC Cybersecurity Assessment Tool (CAT)
2 source controls mapped|4 target controls covered
6%
ILO Nursing Personnel Convention C149 (1977)
2 source controls mapped|3 target controls covered
6%
6th Anti-Money Laundering Directive (AMLD6, Directive (EU) 2018/1673) - superseded by AMLD7
2 source controls mapped|3 target controls covered
6%
ISO 8000 - Data Quality
2 source controls mapped|3 target controls covered
6%
FATF Recommendation 16 - Virtual Asset Travel Rule
2 source controls mapped|3 target controls covered
6%
Privacy by Design (PbD) - Seven Foundational Principles
2 source controls mapped|3 target controls covered
6%
ISO 27001:2022
2 source controls mapped|2 target controls covered
6%
Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct
2 source controls mapped|2 target controls covered
6%
NIST Cybersecurity Framework 2.0
2 source controls mapped|5 target controls covered
6%
O-RAN WG11 Security Specification
2 source controls mapped|2 target controls covered
6%
ECB TIBER-EU Framework
2 source controls mapped|4 target controls covered
6%
FTC Safeguards Rule (16 CFR Part 314)
1 source controls mapped|2 target controls covered
3%
ASD Strategies to Mitigate Cyber Security Incidents
1 source controls mapped|1 target controls covered
3%
CFTC System Safeguards (17 CFR 37, 38, 39, 49)
1 source controls mapped|3 target controls covered
3%
EU Taxonomy Regulation
1 source controls mapped|2 target controls covered
3%
GLBA
1 source controls mapped|3 target controls covered
3%
IEEE 7000
1 source controls mapped|1 target controls covered
3%
HKMA SPM
1 source controls mapped|3 target controls covered
3%
EU AI Act
1 source controls mapped|1 target controls covered
3%
CDP Climate Change Questionnaire (Corporate Disclosure)
1 source controls mapped|2 target controls covered
3%
FFIEC IT Examination Handbook
1 source controls mapped|3 target controls covered
3%
COSO Internal Control - Integrated Framework (2013)
1 source controls mapped|1 target controls covered
3%
ASEAN Data Management Framework
1 source controls mapped|1 target controls covered
3%
Voluntary Principles on Security and Human Rights (VPs)
1 source controls mapped|1 target controls covered
3%
US OFAC Sanctions Compliance Framework
1 source controls mapped|1 target controls covered
3%
Proposal for a Regulation on Cyber Resilience Act (CRA)
1 source controls mapped|3 target controls covered
3%
GLI-33 - Gaming Laboratories International Event Wagering Systems
1 source controls mapped|2 target controls covered
3%
EIOPA Guidelines on ICT Security and Governance (EIOPA‑BoS‑23/146, 2023)
1 source controls mapped|2 target controls covered
3%
TISAX - Trusted Information Security Assessment Exchange
1 source controls mapped|2 target controls covered
3%
Telecommunications Sector Security Reforms (TSSR)
1 source controls mapped|2 target controls covered
3%
Defence Security Principles Framework (DSPF)
1 source controls mapped|2 target controls covered
3%
Protective Security Policy Framework (PSPF) Release 2024
1 source controls mapped|2 target controls covered
3%
DORA
1 source controls mapped|3 target controls covered
3%
Notifiable Data Breaches Scheme (Australia)
1 source controls mapped|2 target controls covered
3%
EU Digital Markets Act
1 source controls mapped|2 target controls covered
3%
FTC Health Breach Notification Rule
1 source controls mapped|2 target controls covered
3%
UK Product Security and Telecommunications Infrastructure Act (PSTI)
1 source controls mapped|2 target controls covered
3%
EAR - Export Administration Regulations
1 source controls mapped|2 target controls covered
3%
European Accessibility Act (Directive (EU) 2019/882)
1 source controls mapped|2 target controls covered
3%
Regulation (EU) 2023/1115 on deforestation-free supply chains
1 source controls mapped|2 target controls covered
3%
Ontario Accessibility for Ontarians with Disabilities Act (AODA) - IASR Web Standard
1 source controls mapped|2 target controls covered
3%
NIS2 Directive (Directive (EU) 2022/2555)
1 source controls mapped|2 target controls covered
3%
US ITAR and EAR - Export Control and Data Security
1 source controls mapped|2 target controls covered
3%
US SEC Digital Assets and Crypto Regulatory Framework
1 source controls mapped|2 target controls covered
3%
Australia Consumer Data Right - Banking (CDR)
1 source controls mapped|2 target controls covered
3%
Australia eSafety Commissioner - Online Safety Expectations for Industry
1 source controls mapped|2 target controls covered
3%
Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1
1 source controls mapped|3 target controls covered
3%
MTCS - Multi-Tier Cloud Security (Singapore)
1 source controls mapped|1 target controls covered
3%
ISO/IEC 38500:2024 - Governance of IT
1 source controls mapped|1 target controls covered
3%
ITIL 4
1 source controls mapped|1 target controls covered
3%
ISO 42001
1 source controls mapped|1 target controls covered
3%
IMO Maritime Cybersecurity Guidelines (MSC-FAL.1/Circ.3/Rev.2)
1 source controls mapped|1 target controls covered
3%
Monetary Authority of Singapore Technology Risk Management Guidelines
1 source controls mapped|3 target controls covered
3%
BCBS 239
1 source controls mapped|3 target controls covered
3%
EBA Guidelines on ICT and Security Risk Management (EBA/GL/2024/07)
1 source controls mapped|1 target controls covered
3%
WELL Building Standard v2 (International WELL Building Institute)
1 source controls mapped|1 target controls covered
3%
Critical Infrastructure Risk Management Program (CIRMP) Rules 2023
1 source controls mapped|2 target controls covered
3%
Singapore Government Instruction Manual on ICT&SS Management (IM8)
1 source controls mapped|3 target controls covered
3%
COBIT 2019
1 source controls mapped|1 target controls covered
3%
ASIS SPC.1-2009 - Organizational Resilience Standard
1 source controls mapped|3 target controls covered
3%
ISO/IEC 27007:2020
1 source controls mapped|1 target controls covered
3%
US EPA Safe Drinking Water Act (SDWA) - Cybersecurity Requirements
1 source controls mapped|3 target controls covered
3%
South Korea Cloud Security Assurance Program (CSAP)
1 source controls mapped|1 target controls covered
3%
Japan AI Guidelines
1 source controls mapped|1 target controls covered
3%
APRA CPS 234
1 source controls mapped|3 target controls covered
3%
UK ONR Cyber Security and Information Assurance (CSIA) for Nuclear Facilities
1 source controls mapped|1 target controls covered
3%
IEC 62351 - Power Systems Communication Security
1 source controls mapped|2 target controls covered
3%
ISO/IEC 27031:2011
1 source controls mapped|2 target controls covered
3%
ISO/IEC 25012:2008 - Data Quality Model
1 source controls mapped|1 target controls covered
3%
ISO 20000-1
1 source controls mapped|1 target controls covered
3%
FDA Quality Management System Regulation (QMSR)
1 source controls mapped|1 target controls covered
3%
NATO AQAP 2110 - Quality Assurance Requirements for Design, Development, and Production
1 source controls mapped|1 target controls covered
3%
Digital Economy Partnership Agreement (DEPA)
1 source controls mapped|1 target controls covered
3%
Brazil AI Framework
1 source controls mapped|1 target controls covered
3%
TNFD Recommendations
1 source controls mapped|3 target controls covered
3%
AASB S2 Climate-related Disclosures
1 source controls mapped|3 target controls covered
3%
Administrative Measures for the Security Assessment of Generative AI Services (2023) and Algorithmic Recommendation Management Provisions (2022)
1 source controls mapped|1 target controls covered
3%
IRM Enterprise Risk Management Framework (Institute of Risk Management)
1 source controls mapped|3 target controls covered
3%
Regulation (EU) 2019/1239 on the Maritime Single Window (MSW)
1 source controls mapped|1 target controls covered
3%
CISA Industrial Control Systems (ICS) Security Guidance
1 source controls mapped|1 target controls covered
3%
ASIC Cyber Resilience Good Practices
1 source controls mapped|1 target controls covered
3%
FTC GLBA Safeguards Rule (16 CFR Part 314)
1 source controls mapped|1 target controls covered
3%
Nevada Gaming Control Board Cybersecurity Requirements
1 source controls mapped|1 target controls covered
3%
Lloyd's Minimum Standards - Cyber Security
1 source controls mapped|1 target controls covered
3%
Australia AI Ethics Framework
1 source controls mapped|1 target controls covered
3%
EU Taxonomy Regulation (Regulation 2020/852)
1 source controls mapped|1 target controls covered
3%
India CERT-In Cyber Security Directions 2022
1 source controls mapped|1 target controls covered
3%
Security of Critical Infrastructure Act 2018 (SOCI)
1 source controls mapped|2 target controls covered
3%
PCI PIN Security
1 source controls mapped|3 target controls covered
3%
ITU-T X.805 - Security Architecture for End-to-End Communications
1 source controls mapped|1 target controls covered
3%
SWIFT CSCF
1 source controls mapped|3 target controls covered
3%
PCI SSF
1 source controls mapped|3 target controls covered
3%
UK Security and Emergency Measures Direction (SEMD) - Water Industry
1 source controls mapped|2 target controls covered
3%
UK FCA/PRA Operational Resilience Framework
1 source controls mapped|3 target controls covered
3%
SOC for Cybersecurity - Cybersecurity Risk Management Examination
1 source controls mapped|1 target controls covered
3%
SASB Standards (ISSB Integrated)
1 source controls mapped|1 target controls covered
3%
SASB Standards
1 source controls mapped|1 target controls covered
3%
AICPA SOC 1
1 source controls mapped|3 target controls covered
3%
SSAE 18 SOC 1 - Report on Controls at a Service Organisation (ICFR)
1 source controls mapped|3 target controls covered
3%
SWIFT CSP
1 source controls mapped|3 target controls covered
3%
OSFI B-13
1 source controls mapped|3 target controls covered
3%
NIST Privacy Framework Version 1.0
1 source controls mapped|2 target controls covered
3%
PCI P2PE
1 source controls mapped|3 target controls covered
3%
TIBER-EU (Threat Intelligence-Based Ethical Red Teaming - European Union)
1 source controls mapped|3 target controls covered
3%
TEFCA - Trusted Exchange Framework and Common Agreement
1 source controls mapped|1 target controls covered
3%
PSD2 SCA
1 source controls mapped|3 target controls covered
3%
DAMA-DMBOK2 - Data Management Body of Knowledge (2nd Edition)
1 source controls mapped|1 target controls covered
3%
Open Banking Security
1 source controls mapped|3 target controls covered
3%
SSAE 18 - Attestation Standards (SOC Reporting)
1 source controls mapped|1 target controls covered
3%
NIST SP 800-82 Revision 3: Guide to Industrial Control Systems (ICS) Security
1 source controls mapped|2 target controls covered
3%
UK AI Regulation Framework
1 source controls mapped|1 target controls covered
3%
NYDFS Cybersecurity Regulation (23 NYCRR Part 500)
1 source controls mapped|2 target controls covered
3%
Singapore AI Governance Framework
1 source controls mapped|1 target controls covered
3%
NIST Privacy Framework 1.0
1 source controls mapped|1 target controls covered
3%
Right to Disconnect (Australia)
1 source controls mapped|1 target controls covered
3%
UK Open Banking Standard
1 source controls mapped|2 target controls covered
3%
AICPA SOC 3
1 source controls mapped|3 target controls covered
3%
SEC Climate Disclosure Rule
1 source controls mapped|1 target controls covered
3%
SOC 2
1 source controls mapped|3 target controls covered
3%
OECD AI Principles
1 source controls mapped|1 target controls covered
3%
South Africa Promotion of Access to Information Act (PAIA)
1 source controls mapped|1 target controls covered
3%
CSA STAR (Security, Trust, Assurance, and Risk)
1 source controls mapped|1 target controls covered
3%
Australian Energy Sector Cyber Security Framework (AESCSF)
1 source controls mapped|1 target controls covered
3%
OWASP Top 10:2025
1 source controls mapped|1 target controls covered
3%
Ghana Cybersecurity Act
1 source controls mapped|1 target controls covered
3%
Spain ENS
1 source controls mapped|1 target controls covered
3%
IAEA Nuclear Security Series - Computer Security at Nuclear Facilities (NSS-17-T Rev 1)
1 source controls mapped|1 target controls covered
3%
FISMA
1 source controls mapped|1 target controls covered
3%
Japan FSA Cybersecurity Guidelines for Financial Institutions
1 source controls mapped|2 target controls covered
3%
CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act)
1 source controls mapped|1 target controls covered
3%
ISO/IEC 27011:2024
1 source controls mapped|1 target controls covered
3%
BSI IT-Grundschutz
1 source controls mapped|1 target controls covered
3%
OWASP DevSecOps Maturity Model (DSOMM)
1 source controls mapped|1 target controls covered
3%
DoD Zero Trust Reference Architecture
1 source controls mapped|1 target controls covered
3%
Secure by Design: A Guide for Manufacturers (CISA)
1 source controls mapped|1 target controls covered
3%
Belgium CyberFundamentals
1 source controls mapped|1 target controls covered
3%
ISO/IEC 27400:2022
1 source controls mapped|1 target controls covered
3%
Saudi NCA ECC
1 source controls mapped|1 target controls covered
3%
Cyber Essentials Plus
1 source controls mapped|1 target controls covered
3%
ANSSI Cybersecurity Framework
1 source controls mapped|1 target controls covered
3%
Space ISAC (Information Sharing and Analysis Center) - Threat Framework
1 source controls mapped|1 target controls covered
3%
UAE Virtual Asset Regulatory Authority (VARA) Regulations
1 source controls mapped|1 target controls covered
3%
US NRC 10 CFR 73.54 - Cyber Security for Nuclear Power Plants
1 source controls mapped|1 target controls covered
3%
FAA Cybersecurity Framework for Aviation
1 source controls mapped|1 target controls covered
3%
Papua New Guinea National Cybersecurity Policy & Cybercrime Act (2016)
1 source controls mapped|1 target controls covered
3%
RBI Cybersecurity Framework for Banks
1 source controls mapped|1 target controls covered
3%
Kuwait National Cybersecurity Framework
1 source controls mapped|1 target controls covered
3%
Frequently Asked Questions
What is NATO Cyber Defence Policy and NATO Computer Incident Response Capability (NCIRC)?
NATO Cyber Defence Policy and NATO Computer Incident Response Capability (NCIRC) is a compliance framework from International (NATO — 32 members) with 19 domains and 31 controls. The NATO cyber defence framework is defined by the NATO Cyber Defence Policy (original 2014, updated 2021) and operationalised through the NATO Computer Incident Response Capability (NCIRC) managed by the NATO Communications and Information Agency (NCI Agency). The CCDCOE provides research and the Tallinn Manual on the International Law Applicable to Cyber Operations, but these are not NATO policy documents. Key references: NATO Cyber Defence Policy (2021), NCIRC Handbook (2022), NCI Agency publications. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does NATO Cyber Defence Policy and NATO Computer Incident Response Capability (NCIRC) have?
NATO Cyber Defence Policy and NATO Computer Incident Response Capability (NCIRC) has 31 controls organised across 19 domains. The largest domains are NCIRC Operations (4 controls), Cyber Defence Integration (3 controls), Cyber Defence Policy and Governance (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does NATO Cyber Defence Policy and NATO Computer Incident Response Capability (NCIRC) map to?
NATO Cyber Defence Policy and NATO Computer Incident Response Capability (NCIRC) maps to 149 other compliance frameworks. The top mapping partners are HKMA Cyber Resilience Assessment Framework (C-RAF) (6% coverage), BS 65000:2014 - Guidance on Organizational Resilience (6% coverage), FFIEC Cybersecurity Assessment Tool (CAT) (6% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with NATO Cyber Defence Policy and NATO Computer Incident Response Capability (NCIRC) compliance?
Start your NATO Cyber Defence Policy and NATO Computer Incident Response Capability (NCIRC) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about NATO Cyber Defence Policy and NATO Computer Incident Response Capability (NCIRC) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 31 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 768 frameworks.
Get Started Free →Free forever — no credit card required