Guiding cybersecurity compliance: An ontology for the NIS 2 directive

Security compliance constitutes a significant source of concern for many corporate decision-makers due to its complexity and cost. These may be due, first and foremost, to the style of juridical language, which is often challenging to translate into concrete operational procedures. To facilitate such a translation and ultimately optimise the compliance effort, this article presents “NIS2Onto”, an Web Ontology Language (OWL) ontology designed to translate the Network and Information Security Directive version 2 (NIS 2) into an ontological format aimed to favour unambiguous understanding and security operations of cybersecurity professionals, legal experts, and all organisational stakeholders. Through the semantic representation of the NIS 2 entities, relationships, and security measures, NIS2Onto enables automated compliance verification, streamlined risk assessments, and effective policy implementation. Our evaluation employs both metrical and qualitative analysis through a real case study to witness the robustness and practical applicability of NIS2Onto. The ontology not only supports the accurate interpretation of complex legal texts but also aids in systematically enforcing cybersecurity measures. Furthermore, the extensibility of NIS2Onto allows for integration with other regulatory frameworks, thereby fostering a comprehensive and unified approach to cybersecurity governance.