Contributors: (ordered alphabetically) Beatriz Esteves (IDLab, IMEC, Ghent University), Georg P. Krog (Signatu AS), Harshvardhan J. Pandit (ADAPT Centre, Dublin City University). NOTE: The affiliations are informative, do not represent formal endorsements, and may be outdated as this list is generated automatically from existing data.
The [[[NIS2]]] aims to increase the level of cybersecurity in the EU and regulates 'Digital Service Providers' (DSPs) and 'Operators of Essential Services' (OESs). This extension provides concepts to support the implementation of NIS2 and align its requirements with those of other regulations, such as [[GDPR]], [[DGA]], and [[AIAct]].
NOTE: This is a draft vocabulary, which will be updated as NIS2 authoritative guidance is established on its interpretation. The DPVCG welcomes participation and contributions for this work.
DPV v2.1-RC feedback/review period until FEB-16: The DPVCG welcomes feedback and review on the v2.1 Release Candidate containing DPV and related specifications until FEB-16, after which these documents will be published unless unresolved major issues have been identified. Feedback/review can be, e.g., suggestions for improvements, fixes to grammar/typos, additional information and references, and technical changes to files. The DPVCG shall discuss all submitted feedback and will resolve it through the weekly meetings. To see what is included in v2.1 and a changelog, refer to this link.
DPV Specifications: The [[DPV]] is the core specification within the DPV family, with the following extensions: Personal Data [[PD]], Locations [[LOC]], Risk Management [[RISK]], Technology [[TECH]] and [[AI]], [[JUSTIFICATIONS]], [[SECTOR]] specific extensions, and [[LEGAL]] extensions modelling specific jurisdictions and regulations. A [[PRIMER]] introduces the concepts and modelling of DPV specifications, and [[GUIDES]] describe application of DPV for specific applications and use-cases. The Search Index page provides a searchable hierarchy of all concepts. The Data Privacy Vocabularies and Controls Community Group (DPVCG) develops and manages these specifications through GitHub. For meetings, see the DPVCG calendar.
To cite and understand the structure of DPV, the article "Data Privacy Vocabulary (DPV) - Version 2.0" (2024) describes the current state of DPV and extensions from version 2.0 onwards (open access version here). The earlier article "Creating A Vocabulary for Data Privacy" (2019) describes how the DPV was developed (open access versions here, here, and here).
Contributing: The DPVCG welcomes participation to improve the DPV and associated resources, including expansion or refinement of concepts, requesting information and applications, and addressing open issues. See contributing guide for further information.
The extension supports the implementation of [[NIS2]] by providing concepts based on extending [[DPV]] to represent notifications, technical and organisational measures, reporting and compliance documentation, and other relevant information. It provides the following concepts:
Incident reporting is one of the important requirements for implementing [[NIS2]]. In such reporting, notifications containing relevant information about the incident are shared between entities and authorities at various stages, from when the incident was detected to how the investigation proceeded and concluded. This is similar to data breach reporting requirements under [[GDPR]]. The [[EU-NIS2]] extension supports such reporting notifications by providing concepts that extend the risk:IncidentNotice concept to represent specific notices required in the incident reporting lifecycle.
The concepts in this section reflect the status of processing operations being in compliance with NIS2, by extending the ComplianceStatus from DPV for NIS2. It does not define the requirements for compliance itself. To indicate these, the relation dpv:hasLawfulness can be used.
Term | EarlyWarningReport | Prefix | eu-nis2 |
---|---|---|---|
Label | Early Warning Report | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#EarlyWarningReport | ||
Type | rdfs:Class, skos:Concept, risk:IncidentNotice | ||
Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
Definition | within 24 hours of detection containing cause of the incident and whether it was unlawful or malicious and whether there is cross-border impact | ||
Source | |||
Date Created | 2024-05-19 | ||
Contributors | Georg P. Krog, Harshvardhan J. Pandit | ||
See More: | section NOTICE in EU-NIS2 |
Term | FinalReport | Prefix | eu-nis2 |
---|---|---|---|
Label | Final Report | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#FinalReport | ||
Type | rdfs:Class, skos:Concept, risk:IncidentNotice | ||
Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
Definition | within 1 month of incident handling i.e. completing the incident recovery and containing the applied/ongoing measures, 'detailed description' - not sure what this means, and threat type / root cause - which is covered with threat and vulnerability concepts | ||
Source | |||
Date Created | 2024-05-19 | ||
Contributors | Georg P. Krog, Harshvardhan J. Pandit | ||
See More: | section NOTICE in EU-NIS2 |
Term | IncidentAssessmentReport | Prefix | eu-nis2 |
---|---|---|---|
Label | Incident Assessment Report | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#IncidentAssessmentReport | ||
Type | rdfs:Class, skos:Concept, risk:IncidentNotice | ||
Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
Definition | within 72 hours of detection, which contains updates on the earlier information as well as initial assessment of severity and impact of the incident as well as any 'indicators of compromise' | ||
Source | |||
Date Created | 2024-05-19 | ||
Contributors | Georg P. Krog, Harshvardhan J. Pandit | ||
See More: | section NOTICE in EU-NIS2 |
Term | InitialFeedbackOnIncident | Prefix | eu-nis2 |
---|---|---|---|
Label | Initial Feedback on Incident | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#InitialFeedbackOnIncident | ||
Type | rdfs:Class, skos:Concept, risk:IncidentNotice | ||
Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
Definition | Notification from authority to organisation (upon request, within 24 hours or early warning) containing "initial feedback" and guidelines on measures that can be taken in response to a breach | ||
Source | |||
Date Created | 2024-05-19 | ||
Contributors | Georg P. Krog, Harshvardhan J. Pandit | ||
See More: | section NOTICE in EU-NIS2 |
Term | IntermediateReport | Prefix | eu-nis2 |
---|---|---|---|
Label | Intermediate Report | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#IntermediateReport | ||
Type | rdfs:Class, skos:Concept, risk:IncidentNotice | ||
Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
Definition | upon request - which provides updates, if any, to previous information | ||
Source | |||
Date Created | 2024-05-19 | ||
Contributors | Georg P. Krog, Harshvardhan J. Pandit | ||
See More: | section NOTICE in EU-NIS2 |
Term | NIS2ComplianceUnknown | Prefix | eu-nis2 |
---|---|---|---|
Label | NIS2 Compliance Unknown | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#NIS2ComplianceUnknown | ||
Type | rdfs:Class, skos:Concept, dpv:Lawfulness | ||
Broader/Parent types | eu-nis2:NIS2Lawfulness → dpv:Lawfulness → dpv:ComplianceStatus → dpv:Status → dpv:Context | ||
Object of relation | dpv:hasComplianceStatus, dpv:hasContext, dpv:hasLawfulness, dpv:hasStatus | ||
Definition | State where lawfulness or compliance with NIS2 is unknown | ||
Date Created | 2024-07-21 | ||
Contributors | Beatriz Esteves, Harshvardhan J. Pandit | ||
See More: | section COMPLIANCE in EU-NIS2 |
Term | NIS2Compliant | Prefix | eu-nis2 |
---|---|---|---|
Label | NIS2 Compliant | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#NIS2Compliant | ||
Type | rdfs:Class, skos:Concept, dpv:Lawfulness | ||
Broader/Parent types | eu-nis2:NIS2Lawfulness → dpv:Lawfulness → dpv:ComplianceStatus → dpv:Status → dpv:Context | ||
Object of relation | dpv:hasComplianceStatus, dpv:hasContext, dpv:hasLawfulness, dpv:hasStatus | ||
Definition | State of being lawful or legally compliant for NIS2 | ||
Date Created | 2024-07-21 | ||
Contributors | Beatriz Esteves, Harshvardhan J. Pandit | ||
See More: | section COMPLIANCE in EU-NIS2 |
Term | NIS2Lawfulness | Prefix | eu-nis2 |
---|---|---|---|
Label | NIS2 Lawfulness | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#NIS2Lawfulness | ||
Type | rdfs:Class, skos:Concept, dpv:Lawfulness | ||
Broader/Parent types | dpv:Lawfulness → dpv:ComplianceStatus → dpv:Status → dpv:Context | ||
Object of relation | dpv:hasComplianceStatus, dpv:hasContext, dpv:hasLawfulness, dpv:hasStatus | ||
Definition | Status or state associated with being lawful or legally compliant regarding NIS2 | ||
Date Created | 2024-07-21 | ||
Contributors | Beatriz Esteves, Harshvardhan J. Pandit | ||
See More: | section COMPLIANCE in EU-NIS2 |
Term | NIS2NonCompliant | Prefix | eu-nis2 |
---|---|---|---|
Label | NIS2 Non-compliant | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#NIS2NonCompliant | ||
Type | rdfs:Class, skos:Concept, dpv:Lawfulness | ||
Broader/Parent types | eu-nis2:NIS2Lawfulness → dpv:Lawfulness → dpv:ComplianceStatus → dpv:Status → dpv:Context | ||
Object of relation | dpv:hasComplianceStatus, dpv:hasContext, dpv:hasLawfulness, dpv:hasStatus | ||
Definition | State of being unlawful or legally non-compliant for NIS2 | ||
Date Created | 2024-07-21 | ||
Contributors | Beatriz Esteves, Harshvardhan J. Pandit | ||
See More: | section COMPLIANCE in EU-NIS2 |
Term | ProgressReport | Prefix | eu-nis2 |
---|---|---|---|
Label | Progress Report | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#ProgressReport | ||
Type | rdfs:Class, skos:Concept, risk:IncidentNotice | ||
Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
Definition | within 1 month of detection if the incident handling has not been completed by then, with updates to previous information | ||
Source | |||
Date Created | 2024-05-19 | ||
Contributors | Georg P. Krog, Harshvardhan J. Pandit | ||
See More: | section NOTICE in EU-NIS2 |
Term | RiskMitigationAdvice | Prefix | eu-nis2 |
---|---|---|---|
Label | Risk Mitigation Advice | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#RiskMitigationAdvice | ||
Type | rdfs:Class, skos:Concept, risk:IncidentNotice | ||
Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
Definition | Notification from organisation to stakeholders regarding risk mitigations to be applied and existence of threats | ||
Source | |||
Date Created | 2024-05-19 | ||
Contributors | Georg P. Krog, Harshvardhan J. Pandit | ||
See More: | section NOTICE in EU-NIS2 |
Term | SignificantIncidentNotice | Prefix | eu-nis2 |
---|---|---|---|
Label | Significant Incident Notice | ||
IRI | https://w3id.org/dpv/legal/eu/nis2#SignificantIncidentNotice | ||
Type | rdfs:Class, skos:Concept | ||
Broader/Parent types | risk:IncidentNotice → dpv:Notice → dpv:OrganisationalMeasure → dpv:TechnicalOrganisationalMeasure | ||
Object of relation | dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure | ||
Definition | Notice sent for reporting significant incidents | ||
Source | |||
Date Created | 2024-05-19 | ||
Contributors | Georg P. Krog, Harshvardhan J. Pandit | ||
See More: | section NOTICE in EU-NIS2 |
DPV uses the following terms from [[RDF]] and [[RDFS]] with their defined meanings:
The following external concepts are re-used within DPV:
The DPVCG was established as part of the SPECIAL H2020 Project, which received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 731601 from 2017 to 2019.
Harshvardhan J. Pandit was funded to work on DPV from 2020 to 2022 by the Irish Research Council's Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790.
The ADAPT SFI Centre for Digital Media Technology is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106 (2018 to 2020) and Grant#13/RC/2106_P2 (2021 onwards).
The contributions of Harshvardhan J. Pandit have been made with the financial support of Science Foundation Ireland under Grant Agreement No. 13/RC/2106_P2 at the ADAPT SFI Research Centre.