
feat(rules): add NIS2 and DORA compliance coverage #109

Open

pszymkowiak wants to merge 1 commit into develop from feat/compliance-nis2-dora

Conversation

@pszymkowiak
Contributor

Summary

  • Register NIS2 (Directive (EU) 2022/2555, art. 21(2) cybersecurity risk-management measures — 10 controls) and DORA (Regulation (EU) 2022/2554 — 14 controls across art. 5, 8, 9, 10-13, 17, 19, 24, 28, 30) as supported compliance frameworks in rules/compliance-mapping.toml.
  • Inject 151 inline [[rules.compliance]] blocks across 9 cloud rule files (aws-cis, aws-iam-cis, azure-cis, azure-iam-cis, gcp-cis, gcp-iam-cis, entra-id-cis, o365-cis, google-workspace-cis) so engine findings now surface NIS2 / DORA control references in the same way as CIS / ISO-27001 / SOC-2 / PCI-DSS / HIPAA / NIST-800-53.
  • Process-only controls (governance, incident reporting workflows, third-party contractual provisions, resilience testing programmes) are declared with empty rule_patterns to make their non-automatable scope explicit — they cannot be evidenced by configuration scanning alone.

Coverage at a glance

| Framework | Controls | Automated coverage | Process-only |
|---|---|---|---|
| NIS2 art. 21(2) | 10 | (b)(c)(d)(e)(f)(g)(h)(i)(j) | (a) policies — (f) effectiveness partial |
| DORA | 14 | art. 9.2/9.3/9.4, 10, 12, 13, 17, 28 | art. 5, 8, 11, 19, 24, 30 |

Test plan

  • cargo test -p kxn-rules — 27 tests pass; TOML parser accepts all new framework strings.
  • python3 -c "import tomllib; tomllib.load(open(f,'rb'))" for every modified file — re-parse OK.
  • All 151 rule_patterns cross-checked against actual rule name fields — zero orphans.
  • Sample kxn list-rules --include aws-cis-1.4-no-root-access-keys — rule loads cleanly with new compliance blocks.
  • CI: cargo check --workspace, cargo test --workspace, clippy -D warnings on Linux + macOS.

Notes

  • This PR is data-only (TOML). No Rust source touched; engine handles framework names as free-form strings (crates/kxn-rules/src/parser.rs) so no API change is required.
  • compliance-mapping.toml remains a reference/documentation file (engine skips it explicitly in crates/kxn-cli/src/commands/monitor.rs). The inline blocks are what the engine reads.

🤖 Generated with Claude Code

Add cybersecurity risk-management measures from Directive (EU) 2022/2555
(NIS2 art. 21(2)) and Regulation (EU) 2022/2554 (DORA) to the supported
compliance frameworks. Cloud rules across AWS/Azure/GCP, IAM, Entra ID,
O365 and Google Workspace are now tagged so findings expose NIS2 and DORA
controls alongside existing CIS / ISO-27001 / SOC-2 / PCI-DSS / HIPAA /
NIST-800-53 mappings.

- compliance-mapping.toml: register NIS2 (10 controls, art. 21(2)(a-j))
  and DORA (14 controls across art. 5, 8, 9, 10-13, 17, 19, 24, 28, 30).
- 151 inline [[rules.compliance]] blocks injected across 9 cloud rule files.
- Process-only controls (governance, incident reporting timeframes,
  third-party contracts, resilience testing programmes) are declared with
  empty rule_patterns to make non-automatable scope explicit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@pszymkowiak pszymkowiak force-pushed the feat/compliance-nis2-dora branch from 81228ee to a38467c, May 12, 2026 02:52
@pszymkowiak pszymkowiak changed the base branch from main to develop, May 12, 2026 02:52