EU Network and Information Services Directive (NIS2)

Contributors: (ordered alphabetically) Beatriz Esteves (IDLab, IMEC, Ghent University), Georg P. Krog (Signatu AS), Harshvardhan J. Pandit (ADAPT Centre, Dublin City University). NOTE: The affiliations are informative, do not represent formal endorsements, and may be outdated as this list is generated automatically from existing data.

Abstract

The Network Information Security Directive (NIS2) aims to increase the level of cybersecurity in EU and regulates 'Digital Service Providers' (DSPs) and 'Operators of Essential Services' (OESs). This extension provides concepts to support the implementation of NIS2 and align its requirements with those of other regulations, such as [GDPR], [DGA], and [AIAct].

NOTE: This is a draft vocabulary, which will be updated as NIS2 authoritative guidance is established on its interpretation. The DPVCG welcomes participation and contributions for this work.

Incident reporting is one of the important requirements for implementing [NIS2]. In such reporting, notifications containing relevant information about information are shared between entities and authorities at various stages from when the incident was detected to how the investigation proceeded and concluded. This is similar to data breach reporting requirements under [GDPR]. The [EU-NIS2] extension supports such reporting notifications by providing concepts that extend the risk:IncidentNotice concept to represent specific notices required in the incident reporting lifecycle.

eu-nis2:EarlyWarningReport: within 24 hours of detection containing cause of the incident and whether it was unlawful or malicious and whether there is cross-border impact go to full definition
eu-nis2:FinalReport: within 1 month of incident handling i.e. completing the incident recovery and containing the applied/ongoing measures, 'detailed description' - not sure what this means, and threat type / root cause - which is covered with threat and vulnerability concepts go to full definition
eu-nis2:IncidentAssessmentReport: within 72 hours of detection, which contains updates on the earlier information as well as initial assessment of severity and impact of the incident as well as any 'indicators of compromise' go to full definition
eu-nis2:InitialFeedbackOnIncident: Notification from authority to organisation (upon request, within 24 hours or early warning) containing "initial feedback" and guidelines on measures that can be taken in response to a breach go to full definition
eu-nis2:IntermediateReport: upon request - which provides updates, if any, to previous information go to full definition
eu-nis2:ProgressReport: within 1 month of detection if the incident handling has not been completed by then, with updates to previous information go to full definition
eu-nis2:RiskMitigationAdvice: Notification from organisation to stakeholders regarding risk mitigations to be applied and existence of threats go to full definition
eu-nis2:SignificantIncidentNotice: Notice sent for reporting significant incidents go to full definition

The concepts in this section reflect the status of processing operations being in compliance with NIS2, by extending the ComplianceStatus from DPV for NIS2. It does not define the requirements for compliance itself. To indicate these, the relation dpv:hasLawfulness can be used.

Example 1: Indicating status of NIS2 lawfulness

This example shows the use of EU-NIS2 to indicate the state of NIS2 lawfulness associated with two processes. The first is asserted to be compliant, while the compliance status for the second is unknown at the moment. Both processes assert the applicability of NIS2 for brevity.

ex:PDH1 a dpv:Process ;
  dpv:hasApplicableLaw legal-eu:NIS2 ;
  dpv:hasLawfulness eu-nis2:NIS2Compliant .

ex:PDH2 a dpv:Process ;
  dpv:hasApplicableLaw legal-eu:NIS2 ;
  dpv:hasLawfulness eu-nis2:NIS2ComplianceUnknown .

eu-nis2:NIS2Lawfulness: Status or state associated with being lawful or legally compliant regarding NIS2 go to full definition
- eu-nis2:NIS2ComplianceUnknown: State where lawfulness or compliance with NIS2 is unknown go to full definition
- eu-nis2:NIS2Compliant: State of being lawful or legally compliant for NIS2 go to full definition
- eu-nis2:NIS2NonCompliant: State of being unlawful or legally non-compliant for NIS2 go to full definition

Term	EarlyWarningReport	Prefix	eu-nis2
Label	Early Warning Report
IRI	https://w3id.org/dpv/legal/eu/nis2#EarlyWarningReport
Type	rdfs:Class, skos:Concept, risk:IncidentNotice
Broader/Parent types	risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure
Object of relation	dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure
Definition	within 24 hours of detection containing cause of the incident and whether it was unlawful or malicious and whether there is cross-border impact
Source
Date Created	2024-05-19
Contributors	Georg P. Krog, Harshvardhan J. Pandit
See More:	section NOTICE in EU-NIS2

Term	FinalReport	Prefix	eu-nis2
Label	Final Report
IRI	https://w3id.org/dpv/legal/eu/nis2#FinalReport
Type	rdfs:Class, skos:Concept, risk:IncidentNotice
Broader/Parent types	risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure
Object of relation	dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure
Definition	within 1 month of incident handling i.e. completing the incident recovery and containing the applied/ongoing measures, 'detailed description' - not sure what this means, and threat type / root cause - which is covered with threat and vulnerability concepts
Source
Date Created	2024-05-19
Contributors	Georg P. Krog, Harshvardhan J. Pandit
See More:	section NOTICE in EU-NIS2

Term	IncidentAssessmentReport	Prefix	eu-nis2
Label	Incident Assessment Report
IRI	https://w3id.org/dpv/legal/eu/nis2#IncidentAssessmentReport
Type	rdfs:Class, skos:Concept, risk:IncidentNotice
Broader/Parent types	risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure
Object of relation	dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure
Definition	within 72 hours of detection, which contains updates on the earlier information as well as initial assessment of severity and impact of the incident as well as any 'indicators of compromise'
Source
Date Created	2024-05-19
Contributors	Georg P. Krog, Harshvardhan J. Pandit
See More:	section NOTICE in EU-NIS2

Term	InitialFeedbackOnIncident	Prefix	eu-nis2
Label	Initial Feedback on Incident
IRI	https://w3id.org/dpv/legal/eu/nis2#InitialFeedbackOnIncident
Type	rdfs:Class, skos:Concept, risk:IncidentNotice
Broader/Parent types	risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure
Object of relation	dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure
Definition	Notification from authority to organisation (upon request, within 24 hours or early warning) containing "initial feedback" and guidelines on measures that can be taken in response to a breach
Source
Date Created	2024-05-19
Contributors	Georg P. Krog, Harshvardhan J. Pandit
See More:	section NOTICE in EU-NIS2

Term	IntermediateReport	Prefix	eu-nis2
Label	Intermediate Report
IRI	https://w3id.org/dpv/legal/eu/nis2#IntermediateReport
Type	rdfs:Class, skos:Concept, risk:IncidentNotice
Broader/Parent types	risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure
Object of relation	dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure
Definition	upon request - which provides updates, if any, to previous information
Source
Date Created	2024-05-19
Contributors	Georg P. Krog, Harshvardhan J. Pandit
See More:	section NOTICE in EU-NIS2

Term	NIS2ComplianceUnknown	Prefix	eu-nis2
Label	NIS2 Compliance Unknown
IRI	https://w3id.org/dpv/legal/eu/nis2#NIS2ComplianceUnknown
Type	rdfs:Class, skos:Concept, dpv:Lawfulness
Broader/Parent types	eu-nis2:NIS2Lawfulness → dpv:Lawfulness → dpv:ComplianceStatus → dpv:Status → dpv:Context
Object of relation	dpv:hasComplianceStatus, dpv:hasContext, dpv:hasLawfulness, dpv:hasStatus
Definition	State where lawfulness or compliance with NIS2 is unknown
Date Created	2024-07-21
Contributors	Beatriz Esteves, Harshvardhan J. Pandit
See More:	section COMPLIANCE in EU-NIS2

Term	NIS2Compliant	Prefix	eu-nis2
Label	NIS2 Compliant
IRI	https://w3id.org/dpv/legal/eu/nis2#NIS2Compliant
Type	rdfs:Class, skos:Concept, dpv:Lawfulness
Broader/Parent types	eu-nis2:NIS2Lawfulness → dpv:Lawfulness → dpv:ComplianceStatus → dpv:Status → dpv:Context
Object of relation	dpv:hasComplianceStatus, dpv:hasContext, dpv:hasLawfulness, dpv:hasStatus
Definition	State of being lawful or legally compliant for NIS2
Date Created	2024-07-21
Contributors	Beatriz Esteves, Harshvardhan J. Pandit
See More:	section COMPLIANCE in EU-NIS2

Term	NIS2Lawfulness	Prefix	eu-nis2
Label	NIS2 Lawfulness
IRI	https://w3id.org/dpv/legal/eu/nis2#NIS2Lawfulness
Type	rdfs:Class, skos:Concept, dpv:Lawfulness
Broader/Parent types	dpv:Lawfulness → dpv:ComplianceStatus → dpv:Status → dpv:Context
Object of relation	dpv:hasComplianceStatus, dpv:hasContext, dpv:hasLawfulness, dpv:hasStatus
Definition	Status or state associated with being lawful or legally compliant regarding NIS2
Date Created	2024-07-21
Contributors	Beatriz Esteves, Harshvardhan J. Pandit
See More:	section COMPLIANCE in EU-NIS2

Term	NIS2NonCompliant	Prefix	eu-nis2
Label	NIS2 Non-compliant
IRI	https://w3id.org/dpv/legal/eu/nis2#NIS2NonCompliant
Type	rdfs:Class, skos:Concept, dpv:Lawfulness
Broader/Parent types	eu-nis2:NIS2Lawfulness → dpv:Lawfulness → dpv:ComplianceStatus → dpv:Status → dpv:Context
Object of relation	dpv:hasComplianceStatus, dpv:hasContext, dpv:hasLawfulness, dpv:hasStatus
Definition	State of being unlawful or legally non-compliant for NIS2
Date Created	2024-07-21
Contributors	Beatriz Esteves, Harshvardhan J. Pandit
See More:	section COMPLIANCE in EU-NIS2

Term	ProgressReport	Prefix	eu-nis2
Label	Progress Report
IRI	https://w3id.org/dpv/legal/eu/nis2#ProgressReport
Type	rdfs:Class, skos:Concept, risk:IncidentNotice
Broader/Parent types	risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure
Object of relation	dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure
Definition	within 1 month of detection if the incident handling has not been completed by then, with updates to previous information
Source
Date Created	2024-05-19
Contributors	Georg P. Krog, Harshvardhan J. Pandit
See More:	section NOTICE in EU-NIS2

Term	RiskMitigationAdvice	Prefix	eu-nis2
Label	Risk Mitigation Advice
IRI	https://w3id.org/dpv/legal/eu/nis2#RiskMitigationAdvice
Type	rdfs:Class, skos:Concept, risk:IncidentNotice
Broader/Parent types	risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure
Object of relation	dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure
Definition	Notification from organisation to stakeholders regarding risk mitigations to be applied and existence of threats
Source
Date Created	2024-05-19
Contributors	Georg P. Krog, Harshvardhan J. Pandit
See More:	section NOTICE in EU-NIS2

Term	SignificantIncidentNotice	Prefix	eu-nis2
Label	Significant Incident Notice
IRI	https://w3id.org/dpv/legal/eu/nis2#SignificantIncidentNotice
Type	rdfs:Class, skos:Concept
Broader/Parent types	risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure
Object of relation	dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure
Definition	Notice sent for reporting significant incidents
Source
Date Created	2024-05-19
Contributors	Georg P. Krog, Harshvardhan J. Pandit
See More:	section NOTICE in EU-NIS2

DPV uses the following terms from [RDF] and [RDFS] with their defined meanings:

rdf:type to denote a concept is an instance of another concept
rdfs:Class to denote a concept is a Class or a category
rdfs:subClassOf to specify the concept is a subclass (subtype, sub-category, subset) of another concept
rdf:Property to denote a concept is a property or a relation

The following external concepts are re-used within DPV:

Issue 123: Add concepts from ENISA SotA Tech/Org Measures WIP help-wanted dpv eu-nis2 good first issue

ENISA has published a Guideline on State of the art for Technical and Organisational measures. Georg/Signatu have proposed these be integrated into DPV's TOMs concepts - see email with attached document.

harsh's reply with overview analysis of document and proposals for concepts in TOMs, RISK, and standards sections.
https://www.enisa.europa.eu/topics/cybersecurity-policy/nis-directive-new/minimum-security-measures-for-operators-of-essentials-services - tool showing mapping between measures from ISO 27001, NIST CSF, and ISA/IEC 62443
https://www.enisa.europa.eu/topics/cybersecurity-policy/nis-directive-new - measures for NIS2 directive implementations

Issue 222: Update NIS2 extension with practical concepts todo eu-nis2

As the NIS2 comes in to effect, there are several additional sources of information and guidance that should be incorporated into the DPV extension, including representing more of NIS2 itself.

Issue 223: Model NIS2 concepts from legal text todo help-wanted eu-nis2

Identify concepts e.g. entities, tech/org measures (from legal text) and align with DPV structure and add these to NIS2 extension

Issue 224: NIS2 concepts proposed by Jenni Parry todo help-wanted eu-nis2

See https://lists.w3.org/Archives/Public/public-dpvcg/2024Jun/0011.html for concepts which align NIS2 with ISO standard(s). These should be reviewed, and aligned where necessary with NIS2 concepts, and added to the NIS2 extension.

Issue 225: Incorporate NIS2 guidance from ENISA todo help-wanted eu-nis2

E.g. https://www.enisa.europa.eu/topics/awareness-and-cyber-hygiene/network-and-information-systems-directive-2-nis2 - use this to ensure DPV NIS2 concepts are correct, and add additional information for practical implementations based on identified best practices.

EU Network and Information Services Directive (NIS2)

version 2.1

Abstract

Status of This Document

1. Introduction

2. Notices

3. Compliance

4. Vocabulary Index

4.1 Classes

4.1.1 Early Warning Report

4.1.2 Final Report

4.1.3 Incident Assessment Report

4.1.4 Initial Feedback on Incident

4.1.5 Intermediate Report

4.1.6 NIS2 Compliance Unknown

4.1.7 NIS2 Compliant

4.1.8 NIS2 Lawfulness

4.1.9 NIS2 Non-compliant

4.1.10 Progress Report

4.1.11 Risk Mitigation Advice

4.1.12 Significant Incident Notice

4.2 Properties

4.3 External

Funding Acknowledgements

Funding Sponsors

Funding Acknowledgements for Contributors

A. Future Work

B. Changelog for v2.1

C. References

C.1 Informative references