AICP-FIMI
Within the CTI-BALANCED project, Mykolas Romeris University (MRU) carried out independent scientific research focused on the legal-regulatory, privacy, cybersecurity compliance, and knowledge-structuring dimensions of cyber threat intelligence (CTI) sharing. The result is a structured legal-regulatory and ontological framework that connects GDPR and privacy protection, cybersecurity legal compliance, threat classification based on EU regulatory requirements, and a formally validated OWL ontology for CTI governance. These results provide the legal, ethical, and knowledge-structuring foundation for responsible and legally defensible sectoral and national CTI sharing models.
DESCRIPTION
The cyber threat intelligence domain is expanding rapidly, yet it remains poorly served by legal-regulatory clarity. National and sectoral organisations that wish to share threat data face a fragmented landscape: GDPR imposes privacy obligations that are not straightforwardly compatible with open CTI exchange; the NIS2 Directive creates incident reporting and information-sharing structures but leaves important implementation questions unresolved; DORA, CER, the AI Act, the Cyber Resilience Act, and sectoral regulations add further compliance layers. CSIRTs, ISACs, national cybersecurity authorities, and private operators all operate within this complex regulatory environment without a coherent model that reconciles security value, legal compliance, and proportionality.
Within the CTI-BALANCED project, MRU’s role was to produce independent scientific research results that could address this gap: to define the legal-regulatory, privacy, and compliance framework within which CTI sharing should operate, and to encode that framework in a machine-interpretable ontological structure that can be used by system designers, legal analysts, and governance practitioners alike. The work did not focus on producing a commercial product or a technical data-sharing platform — it produced a coherent body of legal-analytical, methodological, and ontological results that support the responsible design of CTI-sharing systems at national and sectoral levels.
MRU’s research covered the full regulatory landscape applicable to CTI sharing, including a systematic analysis of twelve EU regulatory instruments: GDPR, NIS2, DORA, CER, the AI Act, the Cyber Resilience Act, DSA, PSD2, eIDAS2, ePrivacy, ENISA Regulation, and the Cybersecurity Act. This mapping produced a GDPR privacy protection model defining lawful basis scenarios, data minimisation rules, pseudonymisation requirements, DPIA triggers, controller/processor roles, and data subject rights management for CTI processing contexts. A parallel cybersecurity compliance model was built around NIS2 Article 21 security measures, Article 23 incident reporting obligations, and Article 29 voluntary CTI sharing, aligned with relevant ISO/IEC standards, NIST frameworks, FIRST CSIRT Services Framework, and ENISA guidance.
A central deliverable of MRU’s research is the SOC/CTI regulatory ontology (soc_cti_framework.ttl), developed in OWL/Turtle format and validated using SPARQL queries in Stardog Cloud. The ontology formally models 12 EU regulations, 20 regulatory requirements, 10 incident types, and their relationships to reporting attributes, communication standards, accreditation requirements, penalties, and safeguards. Building on this, a unified ontological framework was developed and submitted for publication in IEEE Access, integrating NIS2, GDPR, the AI Act, and CRA requirements with NIST CSF 2.0 controls, IEC 62443-3-3 industrial security requirements, and 94 MITRE ATT&CK ICS techniques across 12 tactics. An additional compliance framework for Mission 2 AI systems under the EU AI Act and harmonised standards was developed as a further research output. MRU also developed a threat classification framework based on cybersecurity legal regulation, a CTI maturity and quality assessment model, and conducted literature review, case analysis, comparative analysis, and content analysis covering privacy, GDPR, cybersecurity, and CTI sharing across EU and national jurisdictions. The full suite of research outputs is available as downloadable documents listed below.
KEY FINDINGS AND RESULTS:
The essence of the CTI-BALANCED results produced by MRU is a structured legal-regulatory and ontological knowledge package for governing cyber threat intelligence sharing responsibly. Rather than delivering a single legal opinion or a narrow compliance checklist, the research produced a reusable analytical model — covering regulatory mapping, privacy protection design, cybersecurity compliance logic, threat classification, ontological formalisation, and practical alignment — that can inform CTI-sharing governance at national, sectoral, and institutional levels.
— Regulatory landscape mapping: completed for 12 EU instruments (GDPR, NIS2, DORA, CER, AI Act, CRA, DSA, PSD2, eIDAS2, ePrivacy, ENISA Regulation, Cybersecurity Act), identifying applicable legal obligations, tensions, and compliance preconditions for CTI sharing.
— GDPR and privacy protection model: developed for CTI data processing contexts, covering lawful basis scenarios (Art. 6(1)(c), (e), (f)), data minimisation, pseudonymisation, anonymisation, DPIA triggers, cross-border sharing constraints, and data subject rights management.
— Cybersecurity compliance model: built around NIS2 Art. 21 risk measures, Art. 23 incident reporting timelines (1h/24h/72h/1 month), and Art. 29 voluntary CTI sharing, aligned with ISO/IEC 27001/27002/27035/27701, NIST CSF 2.0, and FIRST CSIRT Services Framework.
— Threat classification framework: developed based on cybersecurity legal regulation and good practice, mapping incident types, threat categories, CTI sharing levels (strategic/operational/tactical), data sensitivity, and applicable safeguards.
— SOC/CTI regulatory ontology (soc_cti_framework.ttl): formalised in OWL/Turtle and validated with SPARQL in Stardog Cloud, encoding 12 EU regulations, 20 requirements, 10 incident types, and their legal-governance relationships.
— Unified ontological framework (IEEE Access, submitted): integrating NIS2, GDPR, AI Act, and CRA requirements with NIST CSF 2.0, IEC 62443-3-3 (110 security requirements across 7 domains), and 94 MITRE ATT&CK ICS techniques across 12 tactics.
— Compliance framework for Mission 2 AI systems: developed under the EU AI Act and harmonised standards, addressing high-risk AI system requirements in cybersecurity-relevant deployment contexts.
— CTI maturity and quality assessment model: providing evaluators and operators with a structured instrument for assessing CTI-sharing programme readiness, indicator quality, governance maturity, and compliance alignment.
— Literature review, case analysis, comparative analysis, and content analysis: covering privacy, GDPR, cybersecurity legal issues, and CTI sharing across EU Member States and national jurisdictions, forming the empirical and legal basis for all model development.
— Dissemination: including presentations at international conferences (AESIN 2025, Luhmann 2025), academic workshops, MRU Science and Innovation Week, and contribution to national cybersecurity community events.
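To make concrete what the SOC/CTI regulatory ontology described above (the OWL/Turtle model of regulations, requirements, incident types and reporting attributes, validated with SPARQL queries) looks like in practice, here is an added Python example. It is not code from the CTI-BALANCED project or from soc_cti_framework.ttl: the `soc:` namespace, the class and property names (`Regulation`, `RegulatoryRequirement`, `IncidentType`, `definedIn`, `appliesTo`, `reportingDeadline`), the planted `Draft_Requirement_X` entry and the data fragment itself are constructed assumptions. The fragment encodes reporting deadlines the page refers to (GDPR Art. 33, 72h; NIS2 Art. 23, 24h/72h/1 month); a small reader parses that Turtle subset, a competency question is shown as the SPARQL query one would run in a triple store, and the same question plus a modelling-gap validation are evaluated in Python so the example runs offline.

```python
# Added example, not the project's code: a constructed Turtle fragment shaped like the
# ontology above, a reader for that subset, and two checks mirroring SPARQL queries.
import re

# Constructed data; namespace, class and property names are assumptions. Deadlines follow
# GDPR Art. 33 (72h) and NIS2 Art. 23 (24h/72h/1 month); Draft_Requirement_X is a planted gap.
ONTOLOGY_TTL = """
@prefix soc: <http://example.org/soc-cti#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
soc:GDPR a soc:Regulation ; rdfs:label "GDPR" .
soc:NIS2 a soc:Regulation ; rdfs:label "NIS2" .
soc:PersonalDataBreach a soc:IncidentType ; rdfs:label "Personal data breach" .
soc:SignificantIncident a soc:IncidentType ; rdfs:label "Significant incident" .
soc:GDPR_Art33 a soc:RegulatoryRequirement ; soc:definedIn soc:GDPR ;
    soc:appliesTo soc:PersonalDataBreach ; soc:reportingDeadline "72h" .
soc:NIS2_Art23_EarlyWarning a soc:RegulatoryRequirement ; soc:definedIn soc:NIS2 ;
    soc:appliesTo soc:SignificantIncident ; soc:reportingDeadline "24h" .
soc:NIS2_Art23_Notification a soc:RegulatoryRequirement ; soc:definedIn soc:NIS2 ;
    soc:appliesTo soc:SignificantIncident ; soc:reportingDeadline "72h" .
soc:NIS2_Art23_FinalReport a soc:RegulatoryRequirement ; soc:definedIn soc:NIS2 ;
    soc:appliesTo soc:SignificantIncident ; soc:reportingDeadline "1 month" .
soc:NIS2_Art29_VoluntarySharing a soc:RegulatoryRequirement ; soc:definedIn soc:NIS2 .
soc:Draft_Requirement_X a soc:RegulatoryRequirement ; soc:reportingDeadline "TBD" .
"""
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
RDFS_LABEL = "http://www.w3.org/2000/01/rdf-schema#label"
SOC = "http://example.org/soc-cti#"
TOKEN = re.compile(r'"[^"]*"|<[^>]*>|[;,.]|[^\s;,.]+')  # literal | IRI | punct | name

def parse_turtle(text):
    """Read the Turtle subset used above into a set of (s, p, o) triples."""
    prefixes, triples, toks, i = {}, set(), TOKEN.findall(text), 0
    def term(tok):
        if tok == "a":                # Turtle shorthand for rdf:type
            return RDF_TYPE
        if tok[0] in '"<':            # plain literal or full IRI
            return tok[1:-1]
        pfx, local = tok.split(":", 1)
        return prefixes[pfx] + local
    while i < len(toks):
        if toks[i] == "@prefix":      # @prefix name: <iri> .
            prefixes[toks[i + 1][:-1]] = toks[i + 2][1:-1]
            i += 4
            continue
        subject, i = term(toks[i]), i + 1
        while True:                   # predicate-object list, ';' separated
            predicate, i = term(toks[i]), i + 1
            while True:               # object list, ',' separated
                triples.add((subject, predicate, term(toks[i])))
                i += 1
                if toks[i] != ",":
                    break
                i += 1
            if toks[i] != ";":
                break
            i += 1
        i += 1                        # consume the terminating '.'
    return triples

# The same competency question in SPARQL, as it would be run in a triple store
# against the .ttl file; reporting_deadlines() evaluates it in Python below.
DEADLINE_QUERY = """
PREFIX soc: <http://example.org/soc-cti#>  PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#>
SELECT ?incident ?regulation ?req ?deadline WHERE {
  ?req a soc:RegulatoryRequirement ; soc:definedIn ?reg ;
       soc:appliesTo ?inc ; soc:reportingDeadline ?deadline .
  ?inc rdfs:label ?incident . ?reg rdfs:label ?regulation . }
"""
def objects(triples, s, p):
    return [o for (s2, p2, o) in triples if s2 == s and p2 == p]
def local_name(iri):
    return iri.rsplit("#", 1)[-1]
def label(triples, node):
    return (objects(triples, node, RDFS_LABEL) or [local_name(node)])[0]
def requirements(triples):
    return sorted(s for (s, p, o) in triples
                  if p == RDF_TYPE and o == SOC + "RegulatoryRequirement")

def reporting_deadlines(triples):
    """Rows of (incident label, regulation label, requirement, deadline)."""
    rows = []
    for req in requirements(triples):
        for deadline in objects(triples, req, SOC + "reportingDeadline"):
            for reg in objects(triples, req, SOC + "definedIn"):
                for inc in objects(triples, req, SOC + "appliesTo"):
                    rows.append((label(triples, inc), label(triples, reg),
                                 local_name(req), deadline))
    return sorted(rows)

def validate_requirements(triples):
    """Modelling gaps: no source regulation, or a deadline with no incident type."""
    gaps = []
    for req in requirements(triples):
        if not objects(triples, req, SOC + "definedIn"):
            gaps.append((local_name(req), "missing soc:definedIn"))
        if (objects(triples, req, SOC + "reportingDeadline")
                and not objects(triples, req, SOC + "appliesTo")):
            gaps.append((local_name(req), "deadline without soc:appliesTo"))
    return gaps
TRIPLES = parse_turtle(ONTOLOGY_TTL)
```

`reporting_deadlines(TRIPLES)` returns one row per incident type, regulation and deadline, and `validate_requirements(TRIPLES)` reports the two gaps in the planted `Draft_Requirement_X` entry while leaving the deadline-free Art. 29 voluntary-sharing requirement alone. `DEADLINE_QUERY` is standard SPARQL 1.1 and could be run unchanged in Stardog or any other SPARQL endpoint once the real ontology's own class and property names are substituted; the Python evaluation exists only so the example runs without a triple store.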
RESEARCH OUTPUTS AND DOCUMENTS
The following research documents were produced by MRU within the CTI-BALANCED project and are available for download:
1. CTI-Balanced MRU — Threat Classification
Threat classification framework based on cybersecurity legal regulation and good practice.
2. CTI-Balanced MRU — GDPR and Privacy Related Practices
Analysis of GDPR applicability, privacy protection model, and data minimisation rules for CTI sharing contexts.
3. CTI-Balanced MRU — Non-Economic MTEP Activities Dissemination
Record of dissemination activities, conference presentations, workshops, and public engagement.
4. CTI-Balanced MRU — Literature Review: Privacy, Cybersecurity and CTI Sharing
Comprehensive literature review on privacy, GDPR, cybersecurity legal issues, and CTI sharing.
5. CTI-Balanced MRU — Case, Comparative and Content Analysis
Empirical legal analysis across EU Member States; comparative and content analysis of CTI-sharing governance.
6a. CTI-Balanced MRU — Ontology 1 (Core SOC/CTI Regulatory Framework)
OWL/Turtle ontology: soc_cti_framework.ttl — 12 regulations, 20 requirements, 10 incident types, SPARQL-validated.
6b. CTI-Balanced MRU — Ontology 2 (Extended Regulatory Layer)
Extended ontology covering additional regulatory requirements and governance relationships.
6c. CTI-Balanced MRU — Ontology Extended: ICS/MITRE ATT&CK
Ontology extension integrating 94 MITRE ATT&CK ICS techniques and IEC 62443-3-3 requirements.
6d. CTI-Balanced MRU — Ontology Light Version
Simplified ontology version for practitioner-oriented use and implementation guidance.
7. CTI-Balanced MRU — Assessment Model
CTI maturity and quality assessment model for national and sectoral CTI-sharing programmes.
8a. CTI-Balanced MRU — Publication 1: Unified Ontological Framework (IEEE Access, submitted)
Academic paper integrating NIS2, GDPR, AI Act, CRA, NIST CSF 2.0, IEC 62443-3-3, and MITRE ATT&CK ICS.
8b. CTI-Balanced MRU — Publication 2: Journal of Intelligence and Counterintelligence (extra reference)
Additional academic reference supporting CTI governance and intelligence research.
9. Compliance Framework for Mission 2 AI Systems under the EU AI Act and Harmonised Standards (Draft)
Research framework addressing high-risk AI system compliance requirements in cybersecurity contexts.
TAGS:
Cyber Threat Intelligence, CTI Sharing, Collective Cybersecurity, Sectoral Cybersecurity, National Cybersecurity, GDPR, Privacy Protection, Data Protection, NIS2, DORA, CER, AI Act, Cyber Resilience Act, Cybersecurity Compliance, Regulatory Mapping, Threat Classification, Incident Reporting, CSIRT, ISAC, CTI Governance, Ontology, OWL, Knowledge Graph, SPARQL, MITRE ATT&CK, IEC 62443, NIST CSF 2.0, ISO/IEC 27001, Privacy by Design, Data Minimisation, Pseudonymisation, DPIA, Lawful Basis, Legal-Regulatory Analysis, Cybersecurity Law, Responsible CTI, CTI-BALANCED, Mykolas Romeris University, MRU