Copyright © 2025 the Contributors to the EU Network and Information Services Directive (NIS2) Specification, published by the Data Privacy Vocabularies and Controls Community Group under the W3C Community Final Specification Agreement (FSA). A human-readable summary is available.
Contributors: (ordered alphabetically) Arthit Suriyawongkul (ADAPT Centre, Trinity College Dublin), Beatriz Esteves (IDLab, IMEC, Ghent University), Georg P. Krog (Signatu AS), Harshvardhan J. Pandit (AI Accountability Lab (AIAL), Trinity College Dublin). NOTE: The affiliations are informative, do not represent formal endorsements, and may be outdated as this list is generated automatically from existing data.
The Network Information Security Directive (NIS2) aims to increase the level of cybersecurity in EU and regulates 'Digital Service Providers' (DSPs) and 'Operators of Essential Services' (OESs). This extension provides concepts to support the implementation of NIS2 and align its requirements with those of other regulations, such as [GDPR], [DGA], and [AIAct].
NOTE: This is a draft vocabulary, which will be updated as NIS2 authoritative guidance is established on its interpretation. The DPVCG welcomes participation and contributions for this work.
DPV Specifications: The [DPV] is the core specification within the DPV family, with the following extensions: Personal Data [PD], Locations [LOC], Risk Management [RISK], Technology [TECH] and [AI], [JUSTIFICATIONS], [SECTOR] specific extensions, and [LEGAL] extensions modelling specific jurisdictions and regulations. A [PRIMER] introduces the concepts and modelling of DPV specifications, and [GUIDES] describe application of DPV for specific applications and use-cases. The Search Index page provides a searchable hierarchy of all concepts. The Data Privacy Vocabularies and Controls Community Group (DPVCG) develops and manages these specifications through GitHub. For meetings, see the DPVCG calendar.
To cite and understand the structure of DPV, the article "Data Privacy Vocabulary (DPV) - Version 2.0" (2024) describes the current state of DPV and extensions from version 2.0 onwards (open access version here). The earlier article "Creating A Vocabulary for Data Privacy" (2019) describes how the DPV was developed (open access versions here, here, and here).
Contributing: The DPVCG welcomes participation to improve the DPV and associated resources, including expansion or refinement of concepts, requesting information and applications, and addressing open issues. See contributing guide for further information.
This specification was published by the Data Privacy Vocabularies and Controls Community Group. It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the W3C Community Final Specification Agreement (FSA) other conditions apply. Learn more about W3C Community and Business Groups.
GitHub Issues are preferred for discussion of this specification.
The extension supports the implementation of [NIS2] by providing concepts based on extending [DPV] to represent notifications, technical and organisational measures, reporting and compliance documentation, and other relevant information. It provides the following concepts:
Incident reporting is one of the important requirements for implementing [NIS2]. In such reporting, notifications containing relevant information about information are shared between entities and authorities at various stages from when the incident was detected to how the investigation proceeded and concluded. This is similar to data breach reporting requirements under [GDPR]. The [EU-NIS2] extension supports such reporting notifications by providing concepts that extend the risk:IncidentNotice concept to represent specific notices required in the incident reporting lifecycle.
The concepts in this section reflect the status of processing operations being in compliance with NIS2, by extending the ComplianceStatus from DPV for NIS2. It does not define the requirements for compliance itself. To indicate these, the relation dpv:hasLawfulness can be used.
| Term | EarlyWarningReport | Prefix | eu-nis2 |
|---|---|---|---|
| Label | Early Warning Report | ||
| IRI | https://w3id.org/dpv/legal/eu/nis2#EarlyWarningReport | ||
| Type | rdfs:Class, skos:Concept, risk:IncidentNotice | ||
| Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
| Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
| Definition | Report sent within 24 hours of detection containing cause of the incident and whether it was unlawful or malicious and whether there is cross-border impact | ||
| Source | NIS2 Article 23(4)(a) | ||
| Date Created | 2024-05-19 | ||
| Date Modified | 2025-08-05 | ||
| Contributors | Arthit Suriyawongkul, Georg P. Krog, Harshvardhan J. Pandit | ||
| See More: | section NOTICE in EU-NIS2 |
| Term | FinalReport | Prefix | eu-nis2 |
|---|---|---|---|
| Label | Final Report | ||
| IRI | https://w3id.org/dpv/legal/eu/nis2#FinalReport | ||
| Type | rdfs:Class, skos:Concept, risk:IncidentNotice | ||
| Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
| Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
| Definition | Report sent within 1 month of incident handling i.e. completing the incident recovery and containing the applied/ongoing measures, and containing a 'detailed description' of the incident including its severity and impact, threat type and root cause that are likely to have triggered the incident, applied and ongoing measures, and - if applicable - cross-border impacts | ||
| Source | NIS2 Article 23(4)(d) | ||
| Date Created | 2024-05-19 | ||
| Date Modified | 2025-08-05 | ||
| Contributors | Arthit Suriyawongkul, Georg P. Krog, Harshvardhan J. Pandit | ||
| See More: | section NOTICE in EU-NIS2 |
| Term | IncidentAssessmentReport | Prefix | eu-nis2 |
|---|---|---|---|
| Label | Incident Assessment Report | ||
| IRI | https://w3id.org/dpv/legal/eu/nis2#IncidentAssessmentReport | ||
| Type | rdfs:Class, skos:Concept, risk:IncidentNotice | ||
| Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
| Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
| Definition | Report sent within 72 hours of detection containing updates on the earlier information as well as initial assessment of severity and impact of the incident as well as any 'indicators of compromise' | ||
| Source | NIS2 Article 23(4)(b) | ||
| Date Created | 2024-05-19 | ||
| Date Modified | 2025-08-05 | ||
| Contributors | Arthit Suriyawongkul, Georg P. Krog, Harshvardhan J. Pandit | ||
| See More: | section NOTICE in EU-NIS2 |
| Term | InitialFeedbackOnIncident | Prefix | eu-nis2 |
|---|---|---|---|
| Label | Initial Feedback on Incident | ||
| IRI | https://w3id.org/dpv/legal/eu/nis2#InitialFeedbackOnIncident | ||
| Type | rdfs:Class, skos:Concept, risk:IncidentNotice | ||
| Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
| Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
| Definition | Notification from authority to organisation (upon request, within 24 hours or early warning) containing "initial feedback" and guidelines on measures that can be taken in response to a breach | ||
| Source | NIS2 Article 23(5) | ||
| Date Created | 2024-05-19 | ||
| Contributors | Georg P. Krog, Harshvardhan J. Pandit | ||
| See More: | section NOTICE in EU-NIS2 |
| Term | IntermediateReport | Prefix | eu-nis2 |
|---|---|---|---|
| Label | Intermediate Report | ||
| IRI | https://w3id.org/dpv/legal/eu/nis2#IntermediateReport | ||
| Type | rdfs:Class, skos:Concept, risk:IncidentNotice | ||
| Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
| Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
| Definition | Report sent upon request which provides updates, if any, to previous information | ||
| Source | NIS2 Article 23(4)(c) | ||
| Date Created | 2024-05-19 | ||
| Date Modified | 2025-08-05 | ||
| Contributors | Arthit Suriyawongkul, Georg P. Krog, Harshvardhan J. Pandit | ||
| See More: | section NOTICE in EU-NIS2 |
| Term | NIS2ComplianceUnknown | Prefix | eu-nis2 |
|---|---|---|---|
| Label | NIS2 Compliance Unknown | ||
| IRI | https://w3id.org/dpv/legal/eu/nis2#NIS2ComplianceUnknown | ||
| Type | rdfs:Class, skos:Concept, dpv:Lawfulness | ||
| Broader/Parent types | eu-nis2:NIS2Lawfulness → dpv:Lawfulness → dpv:ComplianceStatus → dpv:Status → dpv:Context | ||
| Object of relation | dpv:hasComplianceStatus, dpv:hasContext, dpv:hasLawfulness, dpv:hasStatus | ||
| Definition | State where lawfulness or compliance with NIS2 is unknown | ||
| Date Created | 2024-07-21 | ||
| Contributors | Beatriz Esteves, Harshvardhan J. Pandit | ||
| See More: | section COMPLIANCE in EU-NIS2 |
| Term | NIS2Compliant | Prefix | eu-nis2 |
|---|---|---|---|
| Label | NIS2 Compliant | ||
| IRI | https://w3id.org/dpv/legal/eu/nis2#NIS2Compliant | ||
| Type | rdfs:Class, skos:Concept, dpv:Lawfulness | ||
| Broader/Parent types | eu-nis2:NIS2Lawfulness → dpv:Lawfulness → dpv:ComplianceStatus → dpv:Status → dpv:Context | ||
| Object of relation | dpv:hasComplianceStatus, dpv:hasContext, dpv:hasLawfulness, dpv:hasStatus | ||
| Definition | State of being lawful or legally compliant for NIS2 | ||
| Date Created | 2024-07-21 | ||
| Contributors | Beatriz Esteves, Harshvardhan J. Pandit | ||
| See More: | section COMPLIANCE in EU-NIS2 |
| Term | NIS2Lawfulness | Prefix | eu-nis2 |
|---|---|---|---|
| Label | NIS2 Lawfulness | ||
| IRI | https://w3id.org/dpv/legal/eu/nis2#NIS2Lawfulness | ||
| Type | rdfs:Class, skos:Concept, dpv:Lawfulness | ||
| Broader/Parent types | dpv:Lawfulness → dpv:ComplianceStatus → dpv:Status → dpv:Context | ||
| Object of relation | dpv:hasComplianceStatus, dpv:hasContext, dpv:hasLawfulness, dpv:hasStatus | ||
| Definition | Status or state associated with being lawful or legally compliant regarding NIS2 | ||
| Date Created | 2024-07-21 | ||
| Contributors | Beatriz Esteves, Harshvardhan J. Pandit | ||
| See More: | section COMPLIANCE in EU-NIS2 |
| Term | NIS2NonCompliant | Prefix | eu-nis2 |
|---|---|---|---|
| Label | NIS2 Non-compliant | ||
| IRI | https://w3id.org/dpv/legal/eu/nis2#NIS2NonCompliant | ||
| Type | rdfs:Class, skos:Concept, dpv:Lawfulness | ||
| Broader/Parent types | eu-nis2:NIS2Lawfulness → dpv:Lawfulness → dpv:ComplianceStatus → dpv:Status → dpv:Context | ||
| Object of relation | dpv:hasComplianceStatus, dpv:hasContext, dpv:hasLawfulness, dpv:hasStatus | ||
| Definition | State of being unlawful or legally non-compliant for NIS2 | ||
| Date Created | 2024-07-21 | ||
| Contributors | Beatriz Esteves, Harshvardhan J. Pandit | ||
| See More: | section COMPLIANCE in EU-NIS2 |
| Term | ProgressReport | Prefix | eu-nis2 |
|---|---|---|---|
| Label | Progress Report | ||
| IRI | https://w3id.org/dpv/legal/eu/nis2#ProgressReport | ||
| Type | rdfs:Class, skos:Concept, risk:IncidentNotice | ||
| Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
| Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
| Definition | Report sent within 1 month of detection if the incident handling has not been completed by then, with updates to previous information | ||
| Source | NIS2 Article 23(4)(e) | ||
| Date Created | 2024-05-19 | ||
| Date Modified | 2025-08-05 | ||
| Contributors | Arthit Suriyawongkul, Georg P. Krog, Harshvardhan J. Pandit | ||
| See More: | section NOTICE in EU-NIS2 |
| Term | RiskMitigationAdvice | Prefix | eu-nis2 |
|---|---|---|---|
| Label | Risk Mitigation Advice | ||
| IRI | https://w3id.org/dpv/legal/eu/nis2#RiskMitigationAdvice | ||
| Type | rdfs:Class, skos:Concept, risk:IncidentNotice | ||
| Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
| Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
| Definition | Notification from organisation to stakeholders regarding risk mitigations to be applied and existence of threats | ||
| Source | NIS2 Article 23(5) | ||
| Date Created | 2024-05-19 | ||
| Contributors | Georg P. Krog, Harshvardhan J. Pandit | ||
| See More: | section NOTICE in EU-NIS2 |
| Term | SignificantIncidentNotice | Prefix | eu-nis2 |
|---|---|---|---|
| Label | Significant Incident Notice | ||
| IRI | https://w3id.org/dpv/legal/eu/nis2#SignificantIncidentNotice | ||
| Type | rdfs:Class, skos:Concept | ||
| Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
| Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
| Definition | Notice sent for reporting significant incidents | ||
| Source | NIS2 Article 23(3) | ||
| Date Created | 2024-05-19 | ||
| Contributors | Georg P. Krog, Harshvardhan J. Pandit | ||
| See More: | section NOTICE in EU-NIS2 |
DPV uses the following terms from [RDF] and [RDFS] with their defined meanings:
The following external concepts are re-used within DPV:
The DPVCG was established as part of the SPECIAL H2020 Project, which received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 731601 from 2017 to 2019. Continued developments have been funded under: RECITALS Project funded under the EU's Horizon program with grant agreement No. 101168490.
Harshvardhan J. Pandit was funded to work on DPV from 2020 to 2022 by the Irish Research Council's Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790.
The ADAPT SFI Centre for Digital Media Technology is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106 (2018 to 2020) and Grant#13/RC/2106_P2 (2021 onwards).
The contributions of Harshvardhan J. Pandit have been made with the financial support of Science Foundation Ireland under Grant Agreement No. 13/RC/2106_P2 at the ADAPT SFI Research Centre; and the AI Accountability Lab (AIAL) which is supported by grants from following groups: the AI Collaborative, an Initiative of the Omidyar Group; Luminate; the Bestseller Foundation; and the John D. and Catherine T. MacArthur Foundation.
ENISA has published a Guideline on State of the art for Technical and Organisational measures. Georg/Signatu have proposed these be integrated into DPV's TOMs concepts - see email with attached document.
As the NIS2 comes in to effect, there are several additional sources of information and guidance that should be incorporated into the DPV extension, including representing more of NIS2 itself.
Identify concepts e.g. entities, tech/org measures (from legal text) and align with DPV structure and add these to NIS2 extension
See https://lists.w3.org/Archives/Public/public-dpvcg/2024Jun/0011.html for concepts which align NIS2 with ISO standard(s). These should be reviewed, and aligned where necessary with NIS2 concepts, and added to the NIS2 extension.
E.g. https://www.enisa.europa.eu/topics/awareness-and-cyber-hygiene/network-and-information-systems-directive-2-nis2 - use this to ensure DPV NIS2 concepts are correct, and add additional information for practical implementations based on identified best practices.
This complements the existing data privacy vocabulary by providing specific details about notification requirements under the GDPR.
INCIDENT: Personal data breach (defined in Article 4(12))
NOTIFICATION TO: Supervisory authority (defined in Article 4(21)) (Article 33(1))
TIMELINE: Without undue delay, when feasible within 72 hours (Article 33(1))
TRIGGER: Upon becoming aware of the personal data breach, unless unlikely to result in a risk to individuals (Article 33(1))
INCIDENT: Personal data breach (defined in Article 4(12))
NOTIFICATION TO: Data subject (defined in Article 4(1)) (Articles 34(1) and 34(4))
TIMELINE: Without undue delay (Article 34(1))
TRIGGER: If the personal data breach is likely to result in a high risk to individuals, with exceptions when:
INCIDENT: Personal data breach (defined in Article 4(12))
NOTIFICATION TO: Controller (Article 33(2))
TIMELINE: Without undue delay (Article 33(2))
TRIGGER: Upon becoming aware of the personal data breach (Article 33(2))
This complements the existing data privacy vocabulary by providing specific details about notification requirements under the Law Enforcement Directive.
INCIDENT: Personal data breach (defined in Article 3(11))
NOTIFICATION TO: Supervisory authority (defined in Article 3(15)) (Article 30(1))
TIMELINE: Without undue delay, where feasible within 72 hours (Article 30(1))
TRIGGER: Upon becoming aware of the personal data breach, unless unlikely to result in a risk to individuals (Article 30(1))
INCIDENT: Personal data breach (defined in Article 3(11))
NOTIFICATION TO: Data subject (defined in Article 3(1)) (Articles 31(1) and 31(4))
TIMELINE: Without undue delay (may be delayed, restricted or omitted in specific circumstances, per Article 31(5)) (Article 31(1))
TRIGGER: If the personal data breach is likely to result in a high risk to individuals, with exceptions when:
INCIDENT: Personal data breach (defined in Article 3(11))
NOTIFICATION TO: Controller of another member state by or to whom the personal data breached has been transmitted (Article 30(6))
TIMELINE: Without undue delay (Article 30(6))
TRIGGER: If the personal data breach involves personal data that have been transmitted by or to the controller of another member state (Article 30(6))
INCIDENT: Personal data breach (defined in Article 3(11))
NOTIFICATION TO: Controller (Article 30(2))
TIMELINE: Without undue delay (Article 30(2))
TRIGGER: Upon becoming aware of the personal data breach (Article 30(2))
This complements the existing data privacy vocabulary by providing specific details about notification requirements under the E-Privacy Directive.
INCIDENT: Personal data breach (defined in Article 2(i))
NOTIFICATION TO: Competent national authority (Article 4(3-5))
TIMELINE: Without undue delay (Article 4(3))
TRIGGER: A personal data breach (Article 4(3))
INCIDENT: Personal data breach (defined in Article 2(i))
NOTIFICATION TO: Subscriber or individual (Article 4(3-5))
TIMELINE: Without undue delay (Article 4(3))
TRIGGER: If the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual, with exception when:
INCIDENT: Particular risk of a breach of the security of the network
NOTIFICATION TO: Subscribers (Article 4(2)(2))
TIMELINE: Not specified in the law
TRIGGER: A particular risk of a breach of the security of the network (Article 4(2)(2))
This complements the existing data privacy vocabulary by providing specific details about notification requirements under the Data Governance Act.
INCIDENT: Unauthorized transfer, access or use of shared nonpersonal data
NOTIFICATION TO: Data holders (defined in Article 2(8)) (Articles 12(k) and 21(5))
TIMELINE: Without delay (Articles 12(k) and 21(5))
TRIGGER: Unauthorized transfer, access or use of shared nonpersonal data (Articles 12(k) and 21(5))
INCIDENT: Unauthorized transfer, access or use of shared nonpersonal data
NOTIFICATION TO: Data holders (defined in Article 2(8)) (Articles 12(k) and 21(5))
TIMELINE: Without delay (Articles 12(k) and 21(5))
TRIGGER: Unauthorized transfer, access or use of shared nonpersonal data (Articles 12(k) and 21(5))
INCIDENT: Unauthorized re-use (defined in Article 2(2)) of nonpersonal data
NOTIFICATION TO: Legal persons whose rights and interests may be affected (Article 5(5))
TIMELINE: Without delay (Article 5(5))
TRIGGER: Unauthorized re-use of nonpersonal data (Article 5(5))
INCIDENT: Data breach resulting in the re-identification of the data subject
NOTIFICATION TO: Public sector body (Article 5(5))
TIMELINE: Not specified in the law (Article 5(5))
TRIGGER: Data breach resulting in the re-identification of the data subject (Article 5(5))
This complements the existing data privacy vocabulary by providing specific details about notification requirements under the Data Act.
INCIDENT: Unauthorized use or disclosure of data under circumstances defined in Article 11(3)
NOTIFICATION TO: User of a connected product (defined in Article 2(12)) (Article 11(2)(c))
TIMELINE: Without undue delay (Article 11(2))
TRIGGER: If requested by the data holder (defined in Article 2(13)) or the trade secret holder (defined in Article 2(19)) (Article 11(2))
This complements the existing data privacy vocabulary by providing specific details about notification requirements under the NIS2 Directive.
INCIDENT: Significant Incident (defined in Articles 6(6), 23(3) and 23(11))
NOTIFICATION TO: CSIRT (defined in Article 10) (Article 23(1))
*The majority of essential and important entities will have to notify the authority(ies) of the member state(s) where the incident occurred or where they provide their services, while the Digital Infrastructure entities will have to notify the authority of the member state where they have their main establishment, per Article 26
TIMELINE: Early warning without undue delay, within 24 hours (Article 23(4)(a)); Notification without undue delay, within 72 hours, or 24 hours for trusted service providers (Article 23(4)(b)); Intermediate report at request of CSIRT or competent authority (Article 23(4)(c)); Final report within one month after notification (Article 23(4)(d)); Final report within one month of incident handling (Article 23(4)(e)); Progress report within one month if incident ongoing (Article 23(4)(e))
TRIGGER: Upon becoming aware of the significant incident (Article 23(4))
INCIDENT: Significant Incident (defined in Articles 6(6), 23(3) and 23(11))
NOTIFICATION TO: Recipients of their services (Article 23(1))
TIMELINE: Without undue delay (Article 23(1))
TRIGGER: When appropriate, if the provision of these services is likely to be adversely affected by the significant incident (Article 23(1))
INCIDENT: Significant Incident (defined in Articles 6(6), 23(3) and 23(11))
NOTIFICATION TO: Law enforcement authorities (Article 23(5))
TIMELINE: Without undue delay (Article 23(2))
TRIGGER: If the significant incident is suspected to be of criminal nature (Article 23(5))
INCIDENT: Significant Incident (defined in Articles 6(6), 23(3) and 23(11))
NOTIFICATION TO: The public (Article 23(7))
TIMELINE: According to the guidance from the CSIRT of the competent authority (Article 23(5))
TRIGGER: If required by CSIRT or competent authority (Article 23(7))
INCIDENT: Significant cyber threat (defined in Articles 6(10) and 6(11))
NOTIFICATION TO: Recipients of their services (Article 23(2))
TIMELINE: Without undue delay (Article 23(2))
TRIGGER: When appropriate, if these services are potentially affected by the significant cyber threat (Article 23(2))
INCIDENT: Incidents, cyber threats and near misses (defined in Article 6(5))
NOTIFICATION TO: CSIRT (defined in Article 10) or competent authority (defined in Article 8) (Article 23(1))
TIMELINE: Not explicitly specified for in the law
TRIGGER: Not explicitly specified for in the law
INCIDENT: Incidents, cyber threats and near misses (defined in Article 6(5))
NOTIFICATION TO: CSIRT or competent authority (Article 30(1))
TIMELINE: Not specified in the law
TRIGGER: Not specified in the law
This complements the existing data privacy vocabulary by providing specific details about information sharing requirements under the NIS2 Directive.
TO: Entities that fall within the scope of the NIS2 Directive and other relevant entities (Article 29(1))
WHAT INFORMATION: Relevant cybersecurity information, e.g. information relating to cyber threats, near misses, vulnerabilities, techniques and procedures, indicators of compromise and adversarial tactics (Article 29(1))
TIMELINE: Not specified in the law
TRIGGER: When such information sharing aims to prevent, detect, respond to or recover from incidents or to mitigate their impacts or enhances the level of cybersecurity (Article 29(1))
TO: CSIRT (Article 23(1))
WHAT INFORMATION: The notification of a significant incident received from an essential or important entity (Article 23(1))
TIMELINE: Upon receipt of the notification (Article 23(1))
TRIGGER: When an essential or important entity notifies the competent authority of a significant incident (Article 23(1))
TO: Competent authorities under the Critical Entities Resilience Directive (Article 23(10))
WHAT INFORMATION: Information about notified significant incidents, incidents, cyber threats and near misses (Article 23(10))
TIMELINE: Not specified in the law
TRIGGER: When significant incidents, incidents, cyber threats and near misses are notified by entities identified as critical entities under the Critical Entities Resilience Directive (Article 23(10))
TO: Single point of contact (defined in Article 8(3)) (Article 23(1))
WHAT INFORMATION: Relevant information notified by essential and important entities (Article 23(1))
TIMELINE: In due time (Article 23(1))
TRIGGER: In case of a cross-border or cross-sectoral significant incident (Article 23(1))
TO: Single point of contact (defined in Article 8(3)) (Article 30(2))
WHAT INFORMATION: Information about voluntary notifications of incidents, significant incidents, cyber threats and near misses (Article 30(2))
TIMELINE: Not specified in the law (Article 30(2))
TRIGGER: When necessary (Article 30(2))
TO: Other affected member states and ENISA (Article 23(6))
WHAT INFORMATION: Information about the notified significant incident (Article 23(6))
TIMELINE: Without undue delay (Article 23(6))
TRIGGER: When a significant incident concerns two or more member states and when otherwise appropriate (Article 23(6))
TO: The public (Article 23(7))
WHAT INFORMATION: About the significant incident (Article 23(7))
TIMELINE: After consulting the entity concerned (Article 23(7))
TRIGGER: When public awareness is necessary to prevent a significant incident or to deal with an ongoing significant incident, or when its disclosure is otherwise in the public interest (Article 23(7))
TO: Other affected member states and ENISA (Article 23(6))
WHAT INFORMATION: Information about the notified significant incident (Article 23(6))
TIMELINE: Without undue delay (Article 23(6))
TRIGGER: When a significant incident concerns two or more member states and when otherwise appropriate (Article 23(6))
TO: Single points of contact of other affected member states (Article 23(8))
WHAT INFORMATION: Notifications received (Article 23(8))
TIMELINE: Not specified in the law
TRIGGER: When it is requested by CSIRT or the competent authority (Article 23(8))
TO: ENISA (Article 23(9))
WHAT INFORMATION: A summary report, including anonymized and aggregated data on significant incidents, incidents, cyber threats and near misses notified, including voluntarily (Article 23(9))
TIMELINE: Every three months (Article 23(9))
TRIGGER: Not specified in the law
TO: The public (Article 23(7))
WHAT INFORMATION: About the significant incident (Article 23(7))
TIMELINE: After consulting the entity concerned (Article 23(7))
TRIGGER: When public awareness is necessary to prevent a significant incident or to deal with an ongoing significant incident, or when its disclosure is otherwise in the public interest (Article 23(7))
TO: Data protection authority of own member state (Article 35(1))
WHAT INFORMATION: That an infringement by an essential or important entity of their obligations under the NIS2 Directive can entail a personal data breach as defined in the GDPR (Article 35(1))
TIMELINE: Without undue delay (Article 35(1))
TRIGGER: When an infringement by an essential or important entity of their obligations under the NIS2 Directive can entail a personal data breach as defined in the GDPR (Article 35(1))
TO: CSIRTs network and the Cooperation Group (defined in Article 14) (Article 23(9))
WHAT INFORMATION: Its findings on notifications received (Article 23(9))
TIMELINE: Every six months (Article 23(9))
TRIGGER: Not specified in the law
This complements the existing data privacy vocabulary by providing specific details about notification requirements under DORA.
INCIDENT: Major information communication technology-related incident (defined in Article 3(10))
NOTIFICATION TO: Relevant competent authority (defined in Article 46) (Article 19(1))
TIMELINE: Initial notification four hours from the moment of classification of the incident as major, but no later than 24 hours from becoming aware of the incident; Intermediate report within 72 hours from the submission of the initial notification; Updated notifications every time a relevant status update is available or upon a request from the competent authority; Final report when the root cause analysis is complete, or within one month from the submission of the latest updated intermediate report (per draft Regulatory Technical Standard, subject to change)
TRIGGER: Upon becoming aware of the incident (Article 19(3))
INCIDENT: Major information communication technology-related incident (defined in Article 3(10))
NOTIFICATION TO: Competent authorities or CSIRTs under the NIS2 Directive, if required by a member state (Article 19(1))
TIMELINE: Initial notification four hours from the moment of classification of the incident as major, but no later than 24 hours from becoming aware of the incident; Intermediate report within 72 hours from the submission of the initial notification; Updated notifications every time a relevant status update is available or upon a request from the competent authority; Final report when the root cause analysis is complete, or within one month from the submission of the latest updated intermediate report (per draft Regulatory Technical Standard, subject to change)
TRIGGER: Not specified in the law
INCIDENT: Major information communication technology-related incident (defined in Article 3(10))
NOTIFICATION TO: Clients (Article 19(3))
TIMELINE: Without undue delay upon becoming aware of the incident (Article 19(3))
TRIGGER: When the incident has an impact on the financial interests of clients (Article 19(3))
INCIDENT: Significant cyber threat (defined in Article 3(13))
NOTIFICATION TO: Relevant competent authority (defined in Article 46) (Article 19(2))
TIMELINE: Not specified in the law
TRIGGER: If the financial entity deems the threat to be of relevance to the financial system, service users or clients (Article 19(2))
INCIDENT: Significant cyber threat (defined in Article 3(13))
NOTIFICATION TO: CSIRTs under the NIS2 Directive, if permitted by a member state (Article 19(2))
TIMELINE: Not specified in the law
TRIGGER: If the financial entity deems the threat to be of relevance to the financial system, service users or clients (Article 19(2))
INCIDENT: Significant cyber threat (defined in Article 3(13))
NOTIFICATION TO: Potentially affected clients (Article 19(3))
TIMELINE: Not specified in the law
TRIGGER: Where applicable (Article 19(3))
INFORMATION TO: Other relevant authorities, based on their respective competences (Article 19(6))
INFORMATION SHARED: Details of the major ICT-related incident (Article 19(6))
TIMELINE: In a timely manner (Article 19(6))
TRIGGER: Upon receipt of the initial notification and of each report about the major ICT-related incident (Article 19(6))
INFORMATION TO: Other relevant authorities, defined in Article 19(6) (Article 19(2))
INFORMATION SHARED: Information about significant cyber threats notified by financial entities (Article 19(2))
TIMELINE: Not specified in the law
TRIGGER: Not specified in the law (Article 19(2))
INFORMATION TO: Members of the European System of Central Banks (Article 19(7))
INFORMATION SHARED: On issues relevant to the payment system, in connection to the major ICT-related incident (Article 19(7))
TIMELINE: Not specified in the law
TRIGGER: If there are issues relevant to the payment system in connection to the major ICT-related incident (Article 19(7))
INFORMATION TO: Relevant competent authorities in other member states (Article 19(7))
INFORMATION SHARED: Not specified in the law
TIMELINE: As soon as possible following the assessment that the major ICT-related incident is relevant for competent authorities in other member states (Article 19(7))
TRIGGER: Upon receipt of information in relation to the major ICT-related incident from the competent authority, if it is determined that the major ICT-related incident is relevant for competent authorities in other member states (Article 19(7))
This complements the existing data privacy vocabulary by providing specific details about notification requirements under PSD2.
INCIDENT: Major operational or security incident
NOTIFICATION TO: Competent authority (defined in Article 100) in the home member state (defined in Article 4(1)) of the payment service provider (Article 96(1))
TIMELINE: Without undue delay (Article 96(1))
TRIGGER: Major operational or security incident (Article 96(1))
INCIDENT: Major operational or security incident
NOTIFICATION TO: Payment service users (defined in Article 4(10)) (Article 96(1))
TIMELINE: Without undue delay (Article 96(1))
TRIGGER: If the incident has or may have an impact on the financial interests of its payment service users (Article 96(1))
INFORMATION TO: Other relevant authorities in its member state (Article 96(2))
INFORMATION SHARED: Not specified in the law
TIMELINE: After assessing the relevance of the notified incident to other relevant authorities in its member state (Article 96(2))
TRIGGER: If notified incident is relevant to other relevant authorities in its member state (Article 96(2))
INFORMATION TO: European Banking Authority and European Central Bank (Article 96(2))
INFORMATION SHARED: Relevant details of the notified incident (Article 96(2))
TIMELINE: Without undue delay (Article 96(2))
TRIGGER: Receipt of the notification of the incident from the payment service provider (Article 96(2))
INFORMATION TO: Other relevant EU and national authorities (Article 96(2))
INFORMATION SHARED: Not specified in the law (Article 96(2))
TIMELINE: Not specified in the law
TRIGGER: If notified incident is relevant to other relevant EU and national authorities (Article 96(2))
INFORMATION TO: Members of the European System of Central Banks (Article 96(2))
INFORMATION SHARED: Issues relevant to the payment system (defined in Article 4(7)) in connection to the notified incident (Article 96(2))
TIMELINE: Not specified in the law
TRIGGER: If there are issues relevant to the payment system in connection to the notified incident (Article 96(2))
No changes