Consider adding legal contextual information in Profile 2: Security Incident Response #793

Open
sonnyvanlingen opened this issue Oct 16, 2024 · 2 comments

Comments

@sonnyvanlingen

I am looking to get some views of the TC on the following matter.

A number of European regulations (will) mandate security incident notification obligations across different sectors. For example:

  1. The Cyber Resilience Act (CRA) requires manufacturers of digital products to report severe security incidents having product impact to the CSIRT designated as coordinator as well as ENISA.
  2. The NIS2 directive requires that so-called essential and important entities notify the authorities of significant incidents, including cyber incidents.

To make clear and explicit that a Profile 2 Security Incident Response CSAF document is written in fulfillment of such an obligation, we may want to consider adding an optional value to indicate this. This could be especially powerful if the sharing_group mechanism is implemented as discussed under issue 705, which can clarify to whom a particular "Profile 2 CSAF document" is addressed.

Implementation could be a simple tag such as NIS2, CRA, etc. (which tags to standardize requires TC discussion) or could be more sophisticated. For example, in the case of a NIS2-related notification, we may want to consider standardizing

  • the specific type of notification (early warning / incident notification / intermediate report etc).
  • cause of the incident
  • impact of the incident
  • impact on services/sectors
  • ..........
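Since the proposal above concerns concrete fields in a CSAF JSON document, here is an added example in Python (written for this page; it is not from the issue author, the CSAF TC, or any CSAF tool). It builds a minimal CSAF 2.0 Profile 2 document (category `csaf_security_incident_response`) and checks two things: the Profile 2 conformance rules (at least one descriptive note under `/document/notes` and at least one `external` reference under `/document/references`, on top of the CSAF Base fields) and a hypothetical `x_regulatory_notification` block modelled on the bullet list above. The property name, the tag values `nis2`/`cra`, the notification-type vocabulary, the keys `cause`, `impact` and `affected_services`, and every publisher, date and URL value are assumptions made for this example only; none of them has been adopted by the TC.

```python
"""Added example: build and sanity-check a CSAF 2.0 Profile 2 document that
carries a HYPOTHETICAL regulatory-notification block as sketched in the issue.

"x_regulatory_notification", its keys and its vocabularies are assumptions for
this example only; they are not defined by CSAF 2.0 and have not been adopted
by the TC.  All publisher, date and URL values are constructed."""

import json

PROFILE2_CATEGORY = "csaf_security_incident_response"
# Note categories that satisfy the Profile 2 requirement on /document/notes.
PROFILE2_NOTE_CATEGORIES = {"description", "details", "general", "summary"}

# Hypothetical vocabularies, lifted from the proposal text (not standardized).
REGULATIONS = {"nis2", "cra"}
NIS2_NOTIFICATION_TYPES = {"early_warning", "incident_notification", "intermediate_report"}
NIS2_REQUIRED_KEYS = ("notification_type", "cause", "impact", "affected_services")


def build_profile2_document(doc_id, title, summary, external_url, regulatory=None):
    """Return a minimal, constructed Profile 2 document as a dict.

    Profile 2 requires the CSAF Base fields plus at least one note of a
    descriptive category and at least one reference of category "external"."""
    date = "2024-10-16T00:00:00Z"  # constructed timestamp
    document = {
        "category": PROFILE2_CATEGORY,
        "csaf_version": "2.0",
        "publisher": {
            "category": "vendor",
            "name": "Example Vendor",                # constructed
            "namespace": "https://vendor.example",   # constructed
        },
        "title": title,
        "tracking": {
            "id": doc_id,
            "status": "final",
            "version": "1",
            "initial_release_date": date,
            "current_release_date": date,
            "revision_history": [{"date": date, "number": "1", "summary": "Initial version"}],
        },
        "notes": [{"category": "summary", "text": summary}],
        "references": [{"category": "external", "summary": "Incident details", "url": external_url}],
    }
    if regulatory is not None:
        # Hypothetical extension property; real adoption would need a schema change.
        document["x_regulatory_notification"] = regulatory
    return {"document": document}


def profile2_errors(doc):
    """Return a list of Profile 2 conformance problems (empty list means OK)."""
    errors = []
    d = doc.get("document", {})
    if d.get("category") != PROFILE2_CATEGORY:
        errors.append(f"document/category must be {PROFILE2_CATEGORY!r}")
    notes = d.get("notes") or []
    if not any(n.get("category") in PROFILE2_NOTE_CATEGORIES for n in notes):
        errors.append("document/notes needs a description/details/general/summary note")
    refs = d.get("references") or []
    if not any(r.get("category") == "external" for r in refs):
        errors.append("document/references needs at least one 'external' reference")
    return errors


def regulatory_errors(block):
    """Check the hypothetical x_regulatory_notification block.

    For nis2 the proposal asks for the notification type, cause, impact and
    affected services; for cra only the tag itself is checked here."""
    errors = []
    regulation = block.get("regulation")
    if regulation not in REGULATIONS:
        errors.append(f"unknown regulation tag {regulation!r}; expected one of {sorted(REGULATIONS)}")
        return errors
    if regulation == "nis2":
        for key in NIS2_REQUIRED_KEYS:
            if not block.get(key):
                errors.append(f"nis2 notification is missing {key!r}")
        ntype = block.get("notification_type")
        if ntype is not None and ntype not in NIS2_NOTIFICATION_TYPES:
            errors.append(f"unknown nis2 notification_type {ntype!r}")
    return errors


def check(doc):
    """All problems with a document: profile rules plus the regulatory block, if any."""
    errors = profile2_errors(doc)
    block = doc.get("document", {}).get("x_regulatory_notification")
    if block is not None:
        errors.extend(regulatory_errors(block))
    return errors


if __name__ == "__main__":
    sample = build_profile2_document(
        doc_id="EXAMPLE-2024-0001",
        title="Service outage caused by compromised build server",
        summary="Constructed incident summary for illustration.",
        external_url="https://vendor.example/incidents/2024-0001",
        regulatory={
            "regulation": "nis2",
            "notification_type": "early_warning",
            "cause": "suspected unauthorised access to CI infrastructure",
            "impact": "partial unavailability of the update service",
            "affected_services": ["software update delivery"],
        },
    )
    print(json.dumps(sample, indent=2))
    print("problems:", check(sample))
```

The split between `profile2_errors` and `regulatory_errors` mirrors the design question raised in the thread: the regulatory checks are deliberately separate from the Profile 2 checks, so they could be attached either to Profile 2 as an optional block or moved into a dedicated profile without touching the Profile 2 rules.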
@tschmidtb51
Contributor

The question is whether we should have specific profiles for those obligations.

@sonnyvanlingen
Author

That's worth discussing :) I can see how that would indeed be more practical, and we won't end up in a situation where we overload Profile 2.
