NEXT-01NIS2 Article 23
Incident notification evidence.
Likely field groups: entity identity, incident classification, initial notification, significant impact, mitigation and authority-facing submission state.
Catalogue / Profile registry / Source-bound acts
A public register of machine profiles.
The catalogue shows which regulated acts have machine-readable evidence profiles and what each profile is allowed to claim.
Implemented profiles are separated from planned or experimental workpapers. That distinction should remain visible.
01 / Implemented
Profiles already under the sheath.
These are treated as public evidence objects: not legal advice, not certification, not a proprietary compliance ontology.
| Profile | Regulatory source | Source state | Evidence boundary | Public artefact |
|---|---|---|---|---|
| DORA ICT incident initial notification | Regulation (EU) 2022/2554, Article 19(4) | Official artefacts pinned by SHA-256 | Source-binding and field declaration only | Field browser · Generated view · JSON profile |
| EUDR due diligence statement preparation | Regulation (EU) 2023/1115 | Profile catalogue entry available in repository | Preparation record, not legal clearance | GitHub |
| ActProof software release record | Project governance / release evidence | Implemented as reusable profile | Release evidence, not security certification | GitHub |
| Standards engagement record | Public standards participation evidence | Implemented as reusable profile | Engagement record, not endorsement | GitHub |
02 / Planned
NIS2 Article 23 enters as an incident profile, not as a claim of compliance.
NIS2 Article 23 enters as a source-bound incident reporting profile. It supports evidence preparation and verification boundaries, not regulatory approval, and that distinction stays explicit in the profile itself.
NEXT-02DORA final report
Complexity and maturity workpaper.
Useful for evaluating which reporting fields are worth measuring, how mature they are, and where implementation risk concentrates.
NEXT-03Cross-act portfolio
One architecture, many profiles.
DORA, NIS2, EUDR, CSRD and GDPR can share evidence architecture while preserving source-specific boundaries.
03 / Registry fields
Every catalogue row should be auditable.
The catalogue should not only list names. It should list maturity, source authority, artefact binding, field profile, evidence labels, signature policy and refusal boundary.
01Act typeID
02Sourceauthority
03Fieldsrequired
04Evidencelabels
05Witnessroles
06Refusalboundary