On August 27, 2024, a coalition of blockchain industry leaders including Figment, Alluvial, AON, Blockdaemon, Chainproof, Coinbase, DV Labs, Eigen Labs, Galaxy, KPMG, Liquid Collective, Nexus Mutual, PwC, and Staked jointly launched the Node Operator Risk Standard (NORS) Certification for Ethereum. This first-of-its-kind certification establishes enterprise-grade criteria for staking risk management and operational security, setting a new benchmark for the entire Ethereum validator ecosystem.
The launch comes at a critical time for Ethereum, with the network’s native token trading at $2,458 and over $35 billion worth of ETH staked by validators worldwide. As institutional adoption of Ethereum staking accelerates, the need for standardized security practices has become increasingly urgent.
The Threat Landscape
Ethereum staking has matured rapidly since the network transitioned to proof-of-stake in September 2022. With more than 1.2 million validators active on the network, the operational complexity of running validators at scale has introduced new categories of risk. Slashing events, where validators lose staked ETH due to misconfiguration or misconduct, can result in losses exceeding hundreds of thousands of dollars for institutional operators.
Key management failures represent another significant vector. Validators that reuse keys, store keys on compromised systems, or fail to implement proper key rotation procedures expose both their own stake and, by extension, the delegated stake of their clients to theft or loss. The lack of standardized practices has meant that clients evaluating staking providers have had no common framework for comparing operational security across competitors.
Software vulnerabilities in validator clients pose a systemic risk. When major validator client releases contain bugs that could lead to mass slashing events, the ability of operators to respond quickly and safely depends entirely on their internal operational procedures — procedures that, until now, had no industry standard for evaluation.
Core Principles
The NORS certification addresses four critical pillars of validator operations. First, slashing prevention encompasses the technical controls and monitoring systems that ensure validators never attest to conflicting blocks or propose invalid data. Certification requires demonstrated evidence of automated slashing protection, redundant attestation monitoring, and incident response procedures tested under simulated failure conditions.
Second, validator diversity mandates that certified operators run a meaningful mix of validator client implementations. This diversity protects against single-client bugs that could cascade across the network. The certification requires operators to maintain diversity ratios and demonstrate active participation in multi-client testing programs.
Third, proper key management establishes requirements for how signing keys and withdrawal credentials are generated, stored, rotated, and eventually destroyed. The standard draws from established frameworks like SOC 2 and ISO 27001 but adds blockchain-specific controls that traditional IT security standards do not address.
Fourth, overall operational security encompasses the full spectrum of infrastructure security, from data center physical security to network architecture, access controls, and disaster recovery planning. Operators must demonstrate not just the existence of these controls but their effective operation through regular testing and audit.
Tooling and Setup
Node operators seeking NORS certification undergo a comprehensive assessment process. The evaluation begins with a self-assessment questionnaire covering all four pillars, followed by an independent review conducted by qualified assessors with deep expertise in both traditional information security and blockchain-specific operational requirements.
Figma and other early adopters have implemented battle-tested open-source validator client software with emphasis on redundancy. This approach ensures that if one client implementation encounters issues, operators can rapidly failover to an alternative implementation without disrupting validator duties.
The certification process also evaluates monitoring and alerting infrastructure. Certified operators must demonstrate real-time visibility into validator performance, attestation effectiveness, and proposal duties, with automated alerts for any deviation from expected behavior thresholds.
Ongoing Vigilance
NORS certification is not a one-time achievement. Certified operators must undergo periodic reassessment to maintain their status, ensuring that security practices evolve alongside the threat landscape and network protocol changes. The standard includes provisions for addressing new categories of risk as they emerge, such as the increasing sophistication of MEV-related attacks and the potential security implications of upcoming Ethereum protocol upgrades.
The working group has established a governance structure for maintaining and updating the standard, with representation from certified operators, security researchers, and protocol developers. This ensures that NORS remains relevant and effective as the Ethereum ecosystem continues to evolve.
Final Takeaway
The launch of NORS certification represents a maturation milestone for Ethereum staking. By establishing a common language and framework for evaluating validator security, the standard benefits all stakeholders: operators gain a competitive differentiator, clients gain confidence in their provider selection, and the Ethereum network benefits from a more resilient validator set.
As Joshua Faier, Senior Product Manager at Figment, noted: NORS helps bridge the gap between existing certifications like SOC 2 and ISO 27001, taking into account the many nuances of staking. For institutional investors evaluating staking providers, NORS certification should become a key selection criterion alongside financial performance metrics.
The introduction of risk-adjusted rewards — evaluating staking performance not just by raw returns but by the risk profile of the operator — further underscores the importance of standards like NORS. Operators who achieve certification signal not only their technical competence but their commitment to the long-term health and security of the Ethereum network.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before choosing a staking provider.
Finally some real standards for staking providers. SOC 2 means nothing when your validator gets slashed due to a key management failure no auditor would catch
SOC 2 checks boxes. NORS actually tests key management and slashing scenarios. big difference for anyone evaluating staking providers
SOC 2 is theater for most crypto companies. NORS actually testing slashing scenarios and key management is a real step up
Devraj P. SOC 2 being theater is exactly right. auditors check policy documents not slashing prevention logic. NORS tests actual operational risk
35 billion in staked ETH and until now there was no industry standard for evaluating node operators? How is that even possible in 2024
crypto moves faster than compliance. NORS is a good start but watch it take 2+ years before most providers actually get certified
rocketfuel 2 years is optimistic. look how long SOC 2 adoption took. crypto compliance frameworks move at glacial speed
the speed at which ETH staking grew vs institutional compliance is the problem. billions locked before anyone thought about standards
1.2 million validators and zero standards until mid 2024. the gap between ETH staking growth and operational best practices was massive
KPMG and PwC participating in NORS gives it institutional credibility that pure crypto standards never had. that matters for pension funds