The [[[NIS2]]] aims to increase the level of cybersecurity in the EU and regulates 'Digital Service Providers' (DSPs) and 'Operators of Essential Services' (OESs). This extension provides concepts to support the implementation of NIS2 and align its requirements with those of other regulations, such as [[GDPR]], [[DGA]], and [[AIAct]].
NOTE: This is a draft vocabulary, which will be updated as NIS2 authoritative guidance is established on its interpretation. The DPVCG welcomes participation and contributions for this work.
Contributing: The DPVCG welcomes participation to improve the DPV and associated resources, including expansion or refinement of concepts, requesting information and applications, and addressing open issues. See contributing guide for further information.
[[[DPV]]] is the base/core specification for the 'Data Privacy Vocabulary', which is extended for Personal Data [[PD]], Locations [[LOC]], Risk Management [[RISK]], Technology [[TECH]], and [[AI]]. Specific [[LEGAL]] extensions are also provided which model jurisdiction-specific regulations and concepts. To support understanding and applications of [[DPV]], various guides and resources [[GUIDES]] are provided, including a [[PRIMER]]. A Search Index of all concepts from DPV and extensions is available.
[[DPV]] and related resources are published on GitHub. For a general overview of the Data Protection Vocabularies and Controls Community Group [[DPVCG]], its history, deliverables, and activities, refer to the DPVCG Website. For meetings, see the DPVCG calendar.
The peer-reviewed article “Creating A Vocabulary for Data Privacy” presents a historical overview of the DPVCG, and describes the methodology and structure of the DPV along with describing its creation. An open-access version can be accessed here, here, and here. The article Data Privacy Vocabulary (DPV) - Version 2, accepted for presentation at the 23rd International Semantic Web Conference (ISWC 2024), describes the changes made in DPV v2.
The extension supports the implementation of [[NIS2]] by providing concepts based on extending [[DPV]] to represent notifications, technical and organisational measures, reporting and compliance documentation, and other relevant information. It provides the following concepts:
Incident reporting is one of the important requirements for implementing [[NIS2]]. In such reporting, notifications containing relevant information about the incident are shared between entities and authorities at various stages, from when the incident was detected to how the investigation proceeded and concluded. This is similar to data breach reporting requirements under [[GDPR]]. The [[EU-NIS2]] extension supports such reporting notifications by providing concepts that extend the risk:IncidentNotice concept to represent specific notices required in the incident reporting lifecycle.
The concepts in this section reflect the status of processing operations being in compliance with NIS2, by extending the ComplianceStatus from DPV for NIS2. It does not define the requirements for compliance itself. To indicate these, the relation dpv:hasLawfulness can be used.

Term | EarlyWarningReport | Prefix | eu-nis2 |
---|---|---|---|
Label | Early Warning Report | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#EarlyWarningReport | ||
Type | rdfs:Class, skos:Concept, risk:IncidentNotice | ||
Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
Definition | within 24 hours of detection containing cause of the incident and whether it was unlawful or malicious and whether there is cross-border impact | ||
Source | |||
Date Created | 2024-05-19 | ||
Contributors | Harshvardhan J. Pandit, Georg P. Krog | ||
See More: | section NOTICE in EU-NIS2 |

Term | FinalReport | Prefix | eu-nis2 |
---|---|---|---|
Label | Final Report | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#FinalReport | ||
Type | rdfs:Class, skos:Concept, risk:IncidentNotice | ||
Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
Definition | within 1 month of incident handling i.e. completing the incident recovery and containing the applied/ongoing measures, 'detailed description' - not sure what this means, and threat type / root cause - which is covered with threat and vulnerability concepts | ||
Source | |||
Date Created | 2024-05-19 | ||
Contributors | Harshvardhan J. Pandit, Georg P. Krog | ||
See More: | section NOTICE in EU-NIS2 |

Term | IncidentAssessmentReport | Prefix | eu-nis2 |
---|---|---|---|
Label | Incident Assessment Report | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#IncidentAssessmentReport | ||
Type | rdfs:Class, skos:Concept, risk:IncidentNotice | ||
Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
Definition | within 72 hours of detection, which contains updates on the earlier information as well as initial assessment of severity and impact of the incident as well as any 'indicators of compromise' | ||
Source | |||
Date Created | 2024-05-19 | ||
Contributors | Harshvardhan J. Pandit, Georg P. Krog | ||
See More: | section NOTICE in EU-NIS2 |

Term | InitialFeedbackOnIncident | Prefix | eu-nis2 |
---|---|---|---|
Label | Initial Feedback on Incident | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#InitialFeedbackOnIncident | ||
Type | rdfs:Class, skos:Concept, risk:IncidentNotice | ||
Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
Definition | Notification from authority to organisation (upon request, within 24 hours or early warning) containing "initial feedback" and guidelines on measures that can be taken in response to a breach | ||
Source | |||
Date Created | 2024-05-19 | ||
Contributors | Harshvardhan J. Pandit, Georg P. Krog | ||
See More: | section NOTICE in EU-NIS2 |

Term | IntermediateReport | Prefix | eu-nis2 |
---|---|---|---|
Label | Intermediate Report | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#IntermediateReport | ||
Type | rdfs:Class, skos:Concept, risk:IncidentNotice | ||
Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
Definition | upon request - which provides updates, if any, to previous information | ||
Source | |||
Date Created | 2024-05-19 | ||
Contributors | Harshvardhan J. Pandit, Georg P. Krog | ||
See More: | section NOTICE in EU-NIS2 |

Term | NIS2ComplianceUnknown | Prefix | eu-nis2 |
---|---|---|---|
Label | NIS2 Compliance Unknown | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#NIS2ComplianceUnknown | ||
Type | rdfs:Class, skos:Concept, dpv:Lawfulness | ||
Broader/Parent types | eu-nis2:NIS2Lawfulness → dpv:Lawfulness → dpv:ComplianceStatus → dpv:Status → dpv:Context | ||
Object of relation | dpv:hasComplianceStatus, dpv:hasContext, dpv:hasLawfulness, dpv:hasStatus | ||
Definition | State where lawfulness or compliance with NIS2 is unknown | ||
Date Created | 2024-07-21 | ||
Contributors | Harshvardhan J. Pandit, Beatriz Esteves | ||
See More: | section COMPLIANCE in EU-NIS2 |

Term | NIS2Compliant | Prefix | eu-nis2 |
---|---|---|---|
Label | NIS2 Compliant | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#NIS2Compliant | ||
Type | rdfs:Class, skos:Concept, dpv:Lawfulness | ||
Broader/Parent types | eu-nis2:NIS2Lawfulness → dpv:Lawfulness → dpv:ComplianceStatus → dpv:Status → dpv:Context | ||
Object of relation | dpv:hasComplianceStatus, dpv:hasContext, dpv:hasLawfulness, dpv:hasStatus | ||
Definition | State of being lawful or legally compliant for NIS2 | ||
Date Created | 2024-07-21 | ||
Contributors | Harshvardhan J. Pandit, Beatriz Esteves | ||
See More: | section COMPLIANCE in EU-NIS2 |

Term | NIS2Lawfulness | Prefix | eu-nis2 |
---|---|---|---|
Label | NIS2 Lawfulness | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#NIS2Lawfulness | ||
Type | rdfs:Class, skos:Concept, dpv:Lawfulness | ||
Broader/Parent types | dpv:Lawfulness → dpv:ComplianceStatus → dpv:Status → dpv:Context | ||
Object of relation | dpv:hasComplianceStatus, dpv:hasContext, dpv:hasLawfulness, dpv:hasStatus | ||
Definition | Status or state associated with being lawful or legally compliant regarding NIS2 | ||
Date Created | 2024-07-21 | ||
Contributors | Harshvardhan J. Pandit, Beatriz Esteves | ||
See More: | section COMPLIANCE in EU-NIS2 |

Term | NIS2NonCompliant | Prefix | eu-nis2 |
---|---|---|---|
Label | NIS2 Non-compliant | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#NIS2NonCompliant | ||
Type | rdfs:Class, skos:Concept, dpv:Lawfulness | ||
Broader/Parent types | eu-nis2:NIS2Lawfulness → dpv:Lawfulness → dpv:ComplianceStatus → dpv:Status → dpv:Context | ||
Object of relation | dpv:hasComplianceStatus, dpv:hasContext, dpv:hasLawfulness, dpv:hasStatus | ||
Definition | State of being unlawful or legally non-compliant for NIS2 | ||
Date Created | 2024-07-21 | ||
Contributors | Harshvardhan J. Pandit, Beatriz Esteves | ||
See More: | section COMPLIANCE in EU-NIS2 |

Term | ProgressReport | Prefix | eu-nis2 |
---|---|---|---|
Label | Progress Report | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#ProgressReport | ||
Type | rdfs:Class, skos:Concept, risk:IncidentNotice | ||
Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
Definition | within 1 month of detection if the incident handling has not been completed by then, with updates to previous information | ||
Source | |||
Date Created | 2024-05-19 | ||
Contributors | Harshvardhan J. Pandit, Georg P. Krog | ||
See More: | section NOTICE in EU-NIS2 |

Term | RiskMitigationAdvice | Prefix | eu-nis2 |
---|---|---|---|
Label | Risk Mitigation Advice | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#RiskMitigationAdvice | ||
Type | rdfs:Class, skos:Concept, risk:IncidentNotice | ||
Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
Definition | Notification from organisation to stakeholders regarding risk mitigations to be applied and existence of threats | ||
Source | |||
Date Created | 2024-05-19 | ||
Contributors | Harshvardhan J. Pandit, Georg P. Krog | ||
See More: | section NOTICE in EU-NIS2 |

Term | SignificantIncidentNotice | Prefix | eu-nis2 |
---|---|---|---|
Label | Significant Incident Notice | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#SignificantIncidentNotice | ||
Type | rdfs:Class, skos:Concept | ||
Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
Definition | Notice sent for reporting significant incidents | ||
Source | |||
Date Created | 2024-05-19 | ||
Contributors | Harshvardhan J. Pandit, Georg P. Krog | ||
See More: | section NOTICE in EU-NIS2 |

DPV uses the following terms from [[RDF]] and [[RDFS]] with their defined meanings:
The following external concepts are re-used within DPV:
The following people have contributed to this vocabulary. The names are ordered alphabetically. The affiliations are informative and do not represent formal endorsements. Affiliations may be outdated. The list is generated automatically from the contributors listed for defined concepts.
The DPVCG was established as part of the SPECIAL H2020 Project, which received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 731601 from 2017 to 2019.
Harshvardhan J. Pandit was funded to work on DPV from 2020 to 2022 by the Irish Research Council's Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790.
The ADAPT SFI Centre for Digital Media Technology is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106 (2018 to 2020) and Grant#13/RC/2106_P2 (2021 onwards).
The contributions of Harshvardhan J. Pandit have been made with the financial support of Science Foundation Ireland under Grant Agreement No. 13/RC/2106_P2 at the ADAPT SFI Research Centre.