Nexus Synergy Engagement Package — C02 · NCSC-IE (National Cyber Security Centre, Ireland)
STANDING BANNER (read first). Nexus Synergy Ltd is pre-incorporation, pre-revenue, pre-pilot; NCSC-IE is a TARGET, not a customer — the ~178-surface UI gallery is a faithful gallery, not traction or a deployment, and nothing here implies one. Anti-cookie-cutter: the §8 mockups are generated by _build/archetypes/gen_ncsc-nis2-csirt.py filled with NCSC-IE's own entities (Sensor/MISP feeds, CRU/ComReg/Central-Bank competent authorities, Art-23 24h/72h cadence); they are this buyer's screens, never a shared template. Every probability is [PRIOR] — a subjective pre-pilot estimate for prioritisation, not a forecast; re-score after the first real conversation.
§0 — Header + one-line thesis
NCSC-IE — sovereign cyber-indicator (IOC) fusion + NIS2 Article-23 reporting/coordination common operating picture.
Thesis: From the day the National Cyber Security Bill 2024 commences, NCSC-IE becomes Ireland's lead competent authority, national CSIRT, and Single Point of Contact for a federated model spanning thousands of newly in-scope entities and three sectoral regulators — a multi-source intake/triage/coordination problem run today on email, spreadsheets and disconnected tools. Nexus Synergy is the EU-sovereign, conformity-by-construction fusion + operating-picture + human-gated action-loop layer above the feeds NCSC-IE already owns (Sensor, MISP, CSIRT-IE intake), not a SIEM to rip-and-replace.
§1 — Entity snapshot (cited)
- Who. Ireland's National Cyber Security Centre (NCSC-IE) — the State body for national cyber-security monitoring, incident response (it operates CSIRT-IE, an internationally accredited response team), resilience-building, and cross-government / Critical-National-Infrastructure (CNI) information sharing. [ncsc.gov.ie] [verified]
- Statutory trajectory. The National Cyber Security Bill 2024 (General Scheme published 30 Aug 2024 — a draft framework, not yet enacted; priority drafting directed by Cabinet July 2024; still in pre-legislative scrutiny as of late-2025/2026) transposes NIS2 (Directive (EU) 2022/2555) and designates NCSC-IE as lead competent authority, national CSIRT, and Single Point of Contact (SPOC) for large-scale incidents. The General Scheme now sits with the Department of Justice, Home Affairs and Migration — consistent with the Programme-for-Government move of NCSC toward national-security structures. [gov.ie General Scheme; Mason Hayes Curran; Eversheds Sutherland] [verified]
- Federated model. Ireland uses a federated competent-authority structure: CRU (energy/water), ComReg (digital infrastructure / ICT / DNS / space), and the Central Bank (finance) are sectoral CAs, with NCSC-IE coordinating. [DLA Piper; Arthur Cox; ncsc.gov.ie/nis2] [verified]
- Scale of the new mandate. NIS2 expands Ireland's in-scope population from just over 100 entities to at least ~2,000 essential/important entities. [Arthur Cox] [verified]. Registration + incident-reporting portals are not yet live — they go live on enactment. [ncsc.gov.ie/nis2 FAQ] [verified]
- Resourcing (most recent hard public figures). Post-HSE-2021 expansion plan: 25 → 45 staff over 18 months → 70 within five years; budget €4m (2020) → €6.9m (2021), with a further ~€2.5m toward ~€7.5m; Director (Richard Browne, appointed Jan 2022) role advertised at ~€184k. 2026 actuals are TBD — only the 2021 figures are public. [Irish Times; Irish Examiner; Wikipedia] [likely] for currency, [verified] for the 2021 base.
- Adjacent EU vehicle. NCC-IE (National Cybersecurity Coordination & Development Centre, est. 2023 inside NCSC-IE) is Ireland's node in the European Cybersecurity Competence Centre (ECCC) and the conduit for Digital Europe Programme cyber funds — a €4.2m establishment project with a precedent SME-grant scheme. [gov.ie; ncsc.gov.ie/ncc-ie] [verified]
§2 — The pain (web-verified, dated, cited)
- A federated coordination load with no purpose-built operating picture (the core pain). On commencement, NCSC-IE becomes the hub for ~2,000 entities self-registering, reporting incidents on the NIS2 cadence (24h early-warning → 72h notification → 1-month final report, Art-23), and coordinating with three sectoral CAs (CRU, ComReg, Central Bank). That is a cross-organisation, multi-source intake/triage/coordination problem that today runs on email, spreadsheets and disconnected tooling. [DLA Piper; Arthur Cox] [verified] (dated 2026-06-05).
- The HSE-2021 ransomware scar. The Conti attack on the Health Service Executive — the trigger for the NCSC-IE expansion — demonstrated Ireland lacked a national common operating picture to detect, correlate and coordinate response across agencies. Funding and staffing increases were the direct political response. [Irish Examiner; gov.ie press release] [verified]
- The detection/visibility gap is officially acknowledged. Ireland's strategy explicitly calls for expanding the NCSC "Sensor" Programme (deployed; being extended to all Government Departments) and uses MISP to share threat-intel with CNI — i.e. the raw feeds exist but the fusion + cross-agency operating picture + action coordination layer is the open need. [ncsc.gov.ie/CSIRT; National Cyber Security Strategy] [verified]
- Capacity vs mandate. A small team facing a vastly expanded NIS2 mandate needs force-multiplier tooling, not headcount alone; persistent public commentary flags historic under-resourcing relative to mandate. [Irish Times] [likely]
- Sovereignty + civil-liberties scrutiny is a hard procurement constraint. The ICCL has warned the Bill risks "mass surveillance" / over-broad powers exceeding NIS2. Any tooling NCSC-IE adopts must be demonstrably privacy-preserving, auditable, and EU-sovereign. [ICCL] [verified] — this is both a constraint and our positioning advantage.
§3 — Use-case & value (DECLINE-SAFE)
Use case: sovereign cyber-indicator fusion + NIS2 Art-23 reporting/coordination COP. Nexus Synergy adds the fusion + operating-picture + closed human-gated action loop above NCSC-IE's existing feeds, on a customer-editable cyber ontology:
- Indicator/incident fusion — model in-scope orgs, sectors, CNI assets, indicators/IOCs, incidents, advisories, and competent authorities on one correlated graph; ingest MISP feeds, CSIRT-IE reports and NIS2 self-registration/notification data.
- NIS2 coordination operating picture — a live picture of who is in-scope, who has registered, open incidents by sector, and the handoff state between NCSC-IE and each sectoral CA — turning the federated model from email threads into a shared, role-gated workspace with the Art-23 clock visible.
- Closed action loop (the moat) — detect → enrich → triage → human-gated sign-off → task (advisory issuance / sector notification / IR coordination) → execute → assess → close. Operational coordination support, never automated decision-making about individuals.
- Conformity-by-construction — built-in provenance ledger, FRIA, and transparency portal directly answer the ICCL scrutiny; the classification-aware AI Provider Router refuses out-of-jurisdiction models, keeping sensitive data inside EU-sovereign infrastructure.
DECLINE-SAFE framing (explicit). We do not offer, and will refuse to build, anything on our published Declined List — no predictive policing, no real-time biometric identification, no emotion recognition, no social scoring, no untargeted scraping, no psychometric profiling. The pitch is machine-to-machine cyber-indicator fusion and inter-agency coordination of cyber incidents — operating on technical indicators, assets and organisational entities, with a human in the loop on every action. The COP renders cyber and CNI assets, not people. This is precisely what differentiates us from the ICCL's "mass surveillance" concern.
Value band: high (€500k–2.4m/yr at full deployment). A national-CSIRT fusion + NIS2-coordination platform plausibly sits Tier 2–3 at full deployment; an initial engagement is a far smaller scoped pilot (likely Tier 1, €120–240k, frequently grant-routed).
§4 — Ontology (this buyer's domain entities + relationships)
Entity (essential|important) --in_sector--> Sector --regulated_by--> CompetentAuthority (NCSC-IE | CRU | ComReg | Central Bank)
Entity --self_registered_as--> RegistrationRecord (NIS2 portal)
Incident --affects--> Entity
Incident --observed_via--> Indicator (sha256|ip|domain|ja3|yara|cert|bgp_prefix)
Indicator --sourced_from--> Feed (Sensor | MISP | EntityReport)
Incident --correlates_into--> Campaign/Cluster (CL-07, m=.91)
Incident --reported_under--> Art23Report (early_warning_24h | notification_72h | final_1mo)
Advisory --derived_from--> Cluster ; --issued_to--> DefenderPool (CNI)
Handoff --from--> NCSC-IE --to--> CompetentAuthority (federated routing)
DecisionGate --signs--> {Advisory | Art23Report | Handoff} (Duty-Officer, human, dual-control)
Entities are organisations, assets and technical indicators — never natural persons. The ontology is customer-editable; CRU/ComReg/Central-Bank handoff edges are first-class so the federated model is the data model, not a workaround.
§5 — Data model (synergy.* tables, RLS + a load-bearing CHECK)
```sql
-- 1. The IOC / indicator. STIX 2.1 mapped on write-back. TLP defaults to AMBER for sharing.
CREATE TABLE synergy.cyber_indicator (
  id          uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  org_id      uuid NOT NULL,                    -- RLS: app.current_org_id (NCSC-IE tenant)
  kind        text NOT NULL CHECK (kind IN
                ('sha256','ip','domain','ja3','yara','cert_thumbprint','bgp_prefix','tor_circuit')),
  value       text NOT NULL,
  feed        text NOT NULL CHECK (feed IN ('sensor','misp','entity_report')),
  tlp         text NOT NULL DEFAULT 'AMBER' CHECK (tlp IN ('RED','AMBER','GREEN','CLEAR')),
  is_personal boolean NOT NULL DEFAULT false,   -- must stay false: indicators are technical, not people
  UNIQUE (org_id, kind, value),
  -- DECLINE-SAFE INVARIANT: an indicator may never carry personal data. Enforces the Declined-List
  -- boundary at the database — the COP fuses machine-to-machine indicators, never individuals.
  CHECK (is_personal = false)
);
ALTER TABLE synergy.cyber_indicator ENABLE ROW LEVEL SECURITY;
CREATE POLICY org_isolation ON synergy.cyber_indicator
  USING (org_id = current_setting('app.current_org_id')::uuid);

-- 2. The NIS2 Art-23 report state machine, with the federated handoff target.
CREATE TABLE synergy.nis2_report (
  id                  uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  org_id              uuid NOT NULL,
  incident_ref        text NOT NULL,
  affected_entity     text NOT NULL,            -- organisation, not a person
  sector              text NOT NULL CHECK (sector IN
                        ('energy','water','dns_digital_infra','finance','other')),
  competent_authority text NOT NULL CHECK (competent_authority IN
                        ('ncsc_ie','cru','comreg','central_bank')),
  phase               text NOT NULL CHECK (phase IN
                        ('early_warning_24h','notification_72h','final_1mo')),
  due_at              timestamptz NOT NULL,
  duty_officer_sig    bytea,                    -- human gate signature
  submitted_at        timestamptz,
  -- LOAD-BEARING CHECK: a report can only be marked submitted once a Duty-Officer has signed it.
  -- The Art-23 notification / sector handoff is HUMAN-GATED — no auto-submission to a regulator.
  CHECK (submitted_at IS NULL OR duty_officer_sig IS NOT NULL)
);
ALTER TABLE synergy.nis2_report ENABLE ROW LEVEL SECURITY;
CREATE POLICY org_isolation ON synergy.nis2_report
  USING (org_id = current_setting('app.current_org_id')::uuid);

-- 3. Cross-sector incident cluster (the editable-ontology fusion artefact).
CREATE TABLE synergy.incident_cluster (
  id                uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  org_id            uuid NOT NULL,
  label             text NOT NULL,              -- 'CL-07'
  correlation_m     numeric(4,3),               -- 0.91
  sectors_spanned   text[] NOT NULL,
  entities_affected int NOT NULL DEFAULT 0,
  first_seen        timestamptz
);
ALTER TABLE synergy.incident_cluster ENABLE ROW LEVEL SECURITY;
CREATE POLICY org_isolation ON synergy.incident_cluster
  USING (org_id = current_setting('app.current_org_id')::uuid);
```
The two load-bearing invariants: cyber_indicator.CHECK(is_personal=false) enforces the decline-safe boundary in the schema itself; nis2_report.CHECK(submitted_at → duty_officer_sig) makes the regulatory notification physically unable to fire without a human signature.
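The two invariants can be exercised directly. The following is an added example, not code from the package: it ports the two CHECK constraints to an in-memory SQLite database (an assumption made so it runs offline; the page's schema is PostgreSQL, and RLS and most columns are left out) and uses constructed sample values. The last case shows what the second CHECK does not cover: it tests that a signature value is present, not that it verifies.

```python
import sqlite3

# Constructed for this example: a trimmed SQLite port of the page's two tables.
# The page's schema is PostgreSQL; RLS, uuid defaults and most columns are left out.
SCHEMA = """
CREATE TABLE cyber_indicator (
  id          INTEGER PRIMARY KEY,
  org_id      TEXT NOT NULL,
  kind        TEXT NOT NULL,
  value       TEXT NOT NULL,
  is_personal INTEGER NOT NULL DEFAULT 0,
  UNIQUE (org_id, kind, value),
  CHECK (is_personal = 0)                                      -- decline-safe invariant
);
CREATE TABLE nis2_report (
  id               INTEGER PRIMARY KEY,
  org_id           TEXT NOT NULL,
  incident_ref     TEXT NOT NULL,
  phase            TEXT NOT NULL,
  due_at           TEXT NOT NULL,
  duty_officer_sig BLOB,
  submitted_at     TEXT,
  CHECK (submitted_at IS NULL OR duty_officer_sig IS NOT NULL) -- human gate
);
"""

ORG = "org-constructed"      # constructed tenant id
REF = "INC-CONSTRUCTED-1"    # constructed incident reference
DUE = "2026-06-08T09:12:00Z" # constructed deadline
NOW = "2026-06-06T10:00:00Z" # constructed submission time


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def attempt(db, sql, params=()):
    """Run one statement in its own transaction: 'ok' or 'rejected' by a constraint."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute(sql, params)
        return "ok"
    except sqlite3.IntegrityError:
        return "rejected"


def run_checks():
    db = open_db()
    r = {}
    # Invariant 1: an indicator row can never be flagged personal, on INSERT or UPDATE.
    r["technical_indicator"] = attempt(
        db, "INSERT INTO cyber_indicator (org_id, kind, value) VALUES (?, 'domain', 'example.invalid')", (ORG,))
    r["personal_insert"] = attempt(
        db, "INSERT INTO cyber_indicator (org_id, kind, value, is_personal) VALUES (?, 'ip', '192.0.2.10', 1)", (ORG,))
    r["personal_update"] = attempt(
        db, "UPDATE cyber_indicator SET is_personal = 1 WHERE value = 'example.invalid'")

    # Invariant 2: submitted_at cannot be set while duty_officer_sig is NULL.
    r["draft_report"] = attempt(
        db, "INSERT INTO nis2_report (org_id, incident_ref, phase, due_at) VALUES (?, ?, 'notification_72h', ?)",
        (ORG, REF, DUE))
    r["submit_unsigned"] = attempt(
        db, "UPDATE nis2_report SET submitted_at = ? WHERE incident_ref = ?", (NOW, REF))
    r["insert_presubmitted"] = attempt(
        db, "INSERT INTO nis2_report (org_id, incident_ref, phase, due_at, submitted_at) "
            "VALUES (?, 'INC-CONSTRUCTED-2', 'notification_72h', ?, ?)", (ORG, DUE, NOW))
    r["submit_signed"] = attempt(
        db, "UPDATE nis2_report SET duty_officer_sig = ?, submitted_at = ? WHERE incident_ref = ?",
        (b"constructed-signature-bytes", NOW, REF))
    # Removing the signature from an already submitted report is also blocked.
    r["strip_sig_after_submit"] = attempt(
        db, "UPDATE nis2_report SET duty_officer_sig = NULL WHERE incident_ref = ?", (REF,))

    # Limit of the CHECK: a zero-length blob is not NULL, so it satisfies the constraint.
    # Signature verification has to happen in the signing service before the write.
    r["empty_sig_submit"] = attempt(
        db, "INSERT INTO nis2_report (org_id, incident_ref, phase, due_at, duty_officer_sig, submitted_at) "
            "VALUES (?, 'INC-CONSTRUCTED-3', 'notification_72h', ?, x'', ?)", (ORG, DUE, NOW))
    return r


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name:24s} {outcome}")
```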
§6 — Action-loop pseudocode (detect → enrich → triage → gate → task → execute → BDA → close)
```python
async def run_nis2_coordination(org_id, incident_ref):
    # Pseudocode: fuse_indicators, correlate, ai_router, decision_room, write_back, audit
    # and the upper-case constants are platform helpers that are not defined here.
    # Declared async because step 5 awaits the dual-control signature.

    # 1. DETECT — pull raw indicators from the feeds NCSC-IE already owns.
    iocs = fuse_indicators(org_id, feeds=['sensor', 'misp', 'entity_report'], tlp='AMBER')

    # 2. ENRICH — correlate on the editable ontology into a cross-sector cluster (NO personal data).
    cluster = correlate(iocs, ttp='powershell-staged-loader+tor')   # CL-07, m=.91
    sectors = map_to_sectors(cluster)                               # {energy(CRU), dns(ComReg)}
    # Decline-safe invariant. Explicit raise rather than assert, which `python -O` strips.
    if any(ioc.is_personal for ioc in iocs):
        raise ValueError('decline-safe invariant violated: personal indicator')

    # 3. TRIAGE — classification-gated AI routing; out-of-jurisdiction models refused.
    triage = ai_router.route(cluster, predicate=EU_SOVEREIGN_ONLY)  # L1 IOC-match / L2 TTP-correlate
    if triage.severity < REPORTABLE_THRESHOLD:
        return Disposition.MONITOR(cluster)

    # 4. GATE — Decision Room; a civil-society reviewer is SEATED IN the decision, not consulted after.
    gate = decision_room(
        Art23Proposal(incident_ref, cluster, sectors),
        personas=[DUTY_OFFICER, PROPORTIONALITY_REVIEWER,
                  CIVIL_SOCIETY('ICCL-aligned auditor'),
                  DOMAIN_EXPERT('CSIRT-IE'), DEVILS_ADVOCATE],
        require_human_sign=True)
    if not gate.passed:
        return Disposition.REFUSED(gate.rationale)                  # logged, attributable

    # 5. TASK + EXECUTE — only AFTER the human Duty-Officer dual-control sign (see §5 CHECK).
    sig = await dual_control_sign(roles=['CSIRT_IE_DUTY_OFFICER', 'NCSC_COORD_LEAD'],
                                  subject=incident_ref)
    write_back('advisory', Advisory(cluster, defender_pool='CNI'), sig)
    write_back('nis2_art23_72h', Art23Notification(incident_ref, sectors), sig)  # human-gated submit
    for ca in sectors.competent_authorities:                        # CRU / ComReg federated handoff
        write_back('ca_handoff', Handoff(to=ca, cluster=cluster), sig)
    write_back('misp_defender', DefenderNote(iocs), sig)
    write_back('spoc_csirt_net', CrossBorderBrief(cluster), sig)    # EU CSIRTs Network

    # 6. BDA — measured at: advisory reach, sectors notified on time, entities protected.
    audit.append(incident_ref, prov_o_chain(cluster, gate.P, sig), merkle=True, retain='7y')
    return Disposition.EXECUTED(cluster)
```
§7 — nexus-workflows YAML DAG (same loop, declarative, blocking human-gate node)
```yaml
# nexus-workflows job: ncsc-nis2-art23-coordination (NO cron — nexus-workflows is the scheduler-of-law)
name: ncsc-nis2-art23-coordination
trigger:
  on_event: [sensor.alert, misp.feed_update, entity.self_report]   # event-driven, not cron
nodes:
  - id: detect
    run: fuse_indicators
    with: { feeds: [sensor, misp, entity_report], tlp: AMBER }
  - id: enrich
    needs: [detect]
    run: correlate_cluster                     # editable ontology; asserts is_personal=false
  - id: triage
    needs: [enrich]
    run: ai_router.route
    with: { predicate: EU_SOVEREIGN_ONLY }     # out-of-jurisdiction models refused
  - id: human_gate                             # *** BLOCKING ***
    needs: [triage]
    type: manual_approval
    blocking: true
    assignee_role: csirt_ie_duty_officer
    dual_control: [csirt_ie_duty_officer, ncsc_coord_lead]
    decision_room:
      personas: [duty_officer, proportionality_reviewer, civil_society_auditor, domain_expert, devils_advocate]
    on_reject: { goto: close_refused }
  - id: task_execute
    needs: [human_gate]                        # cannot start until the gate signs
    run: write_back_fanout
    with:
      adapters: [advisory, nis2_art23_72h, ca_handoff_cru, ca_handoff_comreg, misp_defender, spoc_csirt_net]
  - id: bda
    needs: [task_execute]
    run: capture_bda
    with: { axes: [advisory_reach, sectors_notified_on_time, entities_protected] }
  - id: close
    needs: [bda]
    run: append_prov_o_ledger
    with: { merkle: true, retain: 7y }
  - id: close_refused
    run: append_prov_o_ledger
    with: { disposition: refused, merkle: true, retain: 7y }
```
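A blocking gate only protects the write-backs if the graph cannot route around it. The following is an added example, not part of nexus-workflows or the package: a small lint over the DAG above, re-typed as a Python dict with only the fields the lint reads. It assumes that `needs` means "start only after every listed node has completed" and that `write_back_fanout` is the only outward-sending `run`; `GATED_RUNS`, `with_change` and `lint` are hypothetical names.

```python
import copy

# Constructed for this example: the page's DAG reduced to the fields the lint reads.
DAG = {
    "detect": {"run": "fuse_indicators"},
    "enrich": {"needs": ["detect"], "run": "correlate_cluster"},
    "triage": {"needs": ["enrich"], "run": "ai_router.route"},
    "human_gate": {
        "needs": ["triage"],
        "type": "manual_approval",
        "blocking": True,
        "dual_control": ["csirt_ie_duty_officer", "ncsc_coord_lead"],
        "on_reject": {"goto": "close_refused"},
    },
    "task_execute": {"needs": ["human_gate"], "run": "write_back_fanout"},
    "bda": {"needs": ["task_execute"], "run": "capture_bda"},
    "close": {"needs": ["bda"], "run": "append_prov_o_ledger"},
    "close_refused": {"run": "append_prov_o_ledger"},
}

# Assumption: write_back_fanout is the only `run` that sends anything outward.
GATED_RUNS = {"write_back_fanout"}


def with_change(node_id, **fields):
    """Return a deep copy of DAG with one node's fields overridden (for what-if checks)."""
    dag = copy.deepcopy(DAG)
    dag[node_id].update(fields)
    return dag


def ancestors(dag, node_id):
    """Transitive closure of `needs`: every node that must finish before node_id starts."""
    seen, stack = set(), list(dag[node_id].get("needs", []))
    while stack:
        dep = stack.pop()
        if dep in seen or dep not in dag:
            continue  # already visited, or dangling reference (reported by lint)
        seen.add(dep)
        stack.extend(dag[dep].get("needs", []))
    return seen


def is_human_gate(node):
    """A gate counts only if it is manual, blocking, and names two distinct roles."""
    roles = node.get("dual_control", [])
    return (node.get("type") == "manual_approval"
            and node.get("blocking") is True
            and len(set(roles)) >= 2)


def lint(dag):
    findings = []
    gates = {nid for nid, node in dag.items() if is_human_gate(node)}
    for nid, node in dag.items():
        for dep in node.get("needs", []):
            if dep not in dag:
                findings.append(f"{nid}: needs unknown node {dep}")
        # Every write-back must have a valid gate somewhere in its `needs` closure.
        if node.get("run") in GATED_RUNS and not (ancestors(dag, nid) & gates):
            findings.append(f"{nid}: write-back is not downstream of a blocking dual-control gate")
        # The reject branch must never lead to a write-back.
        target = node.get("on_reject", {}).get("goto")
        if target is None:
            continue
        if target not in dag:
            findings.append(f"{nid}: on_reject targets unknown node {target}")
            continue
        reach = {target} | {n for n in dag if target in ancestors(dag, n)}
        for hit in sorted(reach):
            if dag[hit].get("run") in GATED_RUNS:
                findings.append(f"{nid}: reject path reaches write-back node {hit}")
    return findings


if __name__ == "__main__":
    print("as published:", lint(DAG))
    print("gate bypassed:", lint(with_change("task_execute", needs=["triage"])))
    print("single signer:", lint(with_change("human_gate", dual_control=["csirt_ie_duty_officer"] * 2)))
```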
§8 — UI/UX mockups (VERBATIM generated ASCII)
Figure c02.1 — IocFusionBoard (stix_board). ShellLayout + TLP:AMBER ClassificationBanner + TopBar/PccPill + LeftSidebar; the IocFusionBoard three-column kanban (OBSERVED → CORRELATED → ACTIONED) is the primary CSIRT-IE surface; Inspector + ChatTerminal (right-dock) + HistoryRail + BottomStatusBar frame it. (SVG twin: _build/figures/ncsc-nis2-csirt/uc-stix_board.svg.)

Figure — Signal-fusion board (OBSERVED→CORRELATED→ACTIONED). Production-fidelity React surface (buildable); the faithful ASCII follows.
=== SCREEN 1: stix_board (IocFusionBoard) ===
+----------------------------------------------------------------------------------------------------+
| CSIRT-IE > IOC Fusion + NIS2 Art-23 Coordination (Sensor + MISP + self-reg) TLP:AMBER |
+--------------------------------+--------------------------------+----------------------------------+
| OBSERVED | CORRELATED | ACTIONED |
| Sensor: C2 beacon 185.x DNS | cluster CL-07 (m=.91) | Advisory ADV-2026-041 issued |
| MISP feed: sha256 loader | RaaS-affil PowerShell+TOR | Handoff -> CRU (energy CA) |
| Art-23 24h early-warn x4 | spans 3 CNI sectors | Handoff -> ComReg (DNS CA) |
| Energy x2 / Water x1 / TLD x1| CRU-energy + ComReg-DNS | Art-23 72h notify queued |
| JA3 fp tls-client x6 | first_seen MISP T-9d | awaiting Duty-Officer sign |
| phishing-kit cert *.ie clone | 5 essential entities affected | MISP defender note pushed |
| BGP hijack AS-prefix /22 | graph: shared C2 + cert reuse | SPOC brief -> cross-border CSIRT |
+--------------------------------+--------------------------------+----------------------------------+
| 5 essential entities :: 3 sectoral CAs in the loop :: Art-23 72h clock T-41h :: human-gated |
+----------------------------------------------------------------------------------------------------+
Figure c02.2 — Cross-Sector GraphExplorer (graph_explorer). The link-analysis surface that the CORRELATED column links into: shared-IOC edges tie an Incident cluster to affected Entity nodes and their sectoral CAs; the Inspector shows the AWAIT-GATE state. Real components: ShellLayout, MapConsole-class canvas, GraphExplorer, Inspector, ChatTerminal, HistoryRail, ClassificationBanner.

Figure — Correlation graph explorer. Production-fidelity React surface (buildable); the faithful ASCII follows.
=== SCREEN 2: graph_explorer (Cross-Sector Correlation) ===
+----------------------------------------------------------------------------------------------+
| Ontology > Cross-Sector Graph [ MATCH (e)-[:AFFECTED]->(i)-[:SHARES_IOC]->(j) ] [Run] |
+----------------------------------------------------------------+-----------------------------+
| (Incident: CL-07 RaaS-affil) | Inspector [pin] |
| | shares_ioc (C2 + cert) | node : Incident CL-07 |
| v | clust: m=.91 (3 sectors) |
| (Entity: Energy-Op-A)--in_sector-->[CRU] | iocs : 6 shared (C2+cert) |
| (Entity: Water-Util-B)--in_sector-->[CRU] | CAs : CRU + ComReg |
| (Entity: TLD-Registry)--in_sector-->[ComReg] | reg : NIS2 Art-23 |
| | reported via (Art-23 24h) | 24h early / 72h notify |
| v | state: AWAIT-GATE |
| (CompetentAuthority: NCSC-IE SPOC) | Duty-Officer sign req |
| L1 IOC-match det L2 TTP-correlate | |
+----------------------------------------------------------------+-----------------------------+
| 3 entities :: 2 sectoral CAs :: shared-IOC edge m=.91 :: no individual data on canvas |
+----------------------------------------------------------------------------------------------+
§8b — Field-unit (Pixel) surfaces
The same scenario on the Pixel 10 Pro Fold field unit (Nexus Field app), tightly coordinated with the dashboard COP above — command pushes the task, the unit accepts + ACKs, shares position and reports back to the COP. Built on the same synergy.field_unit / field_task / field_report contract; see §9 and the cluster coordination composite.
Figure §8b.1 — Folded cover · tasking glance (ground_glance): the incoming IMMEDIATE task, ACCEPT + ACK, alert chips, bearing-to-objective.
Figure §8b.2 — Unfolded inner display · field COP: two-pane mini-map + task list + teammate roster + air/command coordination + PTT, with the Material-3 NavigationBar + Report FAB.
§9 — UI/UX flow (literal click-path + screen-flow chain)
Click-path: Duty-Officer opens IocFusionBoard → a card auto-arrives in OBSERVED from the Sensor feed → drag/promote it; the CORRELATED column fuses it into cluster CL-07 → click the cluster's graph: shared C2 + cert reuse link → the GraphExplorer opens showing the cross-sector spread (Energy/Water → CRU, TLD → ComReg) → Inspector shows state: AWAIT-GATE → click [ /dual-control sign ] in the Decision-Room dock → on a passed gate the ACTIONED column fires the Advisory, the CRU/ComReg handoffs, and the Art-23 72h notification (the submitted_at write is blocked in synergy.nis2_report until the signature exists).
[IocFusionBoard: OBSERVED] --promote--> [CORRELATED: CL-07]
|
v (open cluster link)
[GraphExplorer: cross-sector spread] --Inspector: AWAIT-GATE-->
|
v (Decision Room dock)
[ /dual-control sign ] --pass--> [IocFusionBoard: ACTIONED]
| |--> Advisory ADV-2026-041
|--reject--> [close_refused, logged] |--> Handoff CRU + ComReg
|--> Art-23 72h notify (now unblocked)
§10 — Decision-Room transcript (the gated decision)
Decision: issue the cross-sector advisory + submit the NIS2 Art-23 72h notification + hand off cluster CL-07 to CRU and ComReg.
+--------------------------------------------------------------------------------------------+
| Decision Room — Art-23 72h notification + CRU/ComReg handoff (CL-07) TLP:AMBER |
+----------------------------------------------------------+---------------------------------+
| Duty Officer (CSIRT-IE): | GATE |
| Cluster CL-07, m=.91, hits 5 essential entities across | corroboration m = 0.91 |
| energy/water (CRU) and a TLD registry (ComReg). I want | sectors 3 (CRU+ComReg) |
| the advisory + 72h notify + both handoffs. | personal data NONE (schema) |
| Domain Expert (CSIRT-IE): | decline-safe PASS |
| IOC overlap is real — shared C2 + reused cert. TTP is | Art-23 clock T-41h |
| PowerShell-staged-loader + TOR. Confident at cluster. | sign state 1/2 -> need 2/2 |
| Proportionality Reviewer: | |
| Advisory + handoff are proportionate. The 72h notify | [ /dual-control sign ] |
| is a statutory duty, not a discretionary act. | [ /execute ] |
| Civil-Society Auditor (ICCL-aligned): | [ Refuse + log ] |
| DISSENT logged: confirm the cluster carries NO personal| |
| data and that "TLD-Registry" is the ORG, not a person. | VERDICT (on 2/2 sign): |
| I will not approve if any indicator is_personal=true. | EXECUTE — advisory + 72h |
| Duty Officer: confirmed — schema CHECK(is_personal=false)| notify + CRU/ComReg handoff |
| blocks personal data; canvas shows orgs/assets only. | provenance chain anchored |
| Devil's Advocate: | |
| If CL-07 is a false-positive merge, two regulators get | |
| a bad handoff. Counter: m=.91 + cert reuse + human sign| |
+----------------------------------------------------------+---------------------------------+
| [ /dual-control sign ] [ /execute ] [ Refuse + log ] |
+--------------------------------------------------------------------------------------------+
The civil-society auditor's dissent is resolved before the gate passes (the schema-level is_personal=false invariant is the answer, not a promise), and is recorded in the provenance chain whether or not it changed the verdict.
§11 — Write-back + BDA + PROV-O chain + deltas-only regulatory traceback
Write-backs (all behind one dual-control sign):
- Advisory ADV-2026-041 → CNI defender pool.
- NIS2 Art-23 72h notification → the NCSC-IE reporting portal (on commencement) — blocked until Duty-Officer sign.
- CRU handoff (energy/water sector CA) — role-gated workspace.
- ComReg handoff (DNS/digital-infra CA).
- MISP defender note → CNI threat-intel pool (STIX 2.1).
- SPOC cross-border brief → EU CSIRTs Network.
BDA (loop close). Three axes: (a) advisory reach (defender orgs that ingested it); (b) sectors notified within the Art-23 window (target: 2/2 CAs inside T-72h); (c) essential entities protected (of the 5 affected). ObservationLevel: L3-partial until downstream confirmations return. Closure: STATUS:OPEN-MONITORING with a ProspectiveItem PI-CL07-001 (re-emergence watch on the shared C2 + cert).
PROV-O chain:
CL07:Coordination a prov:Activity ;
prov:startedAtTime "2026-06-05T09:12:00Z"^^xsd:dateTime ;
prov:wasInformedBy Feed:Sensor , Feed:MISP , EntityReport:Art23-24h .
CL07:Cluster a prov:Entity ;
prov:wasDerivedFrom CL07:FusedIndicators ;
prov:wasGeneratedBy Skill:ttp-correlate ;
prov:wasAttributedTo Analyst:CSIRT-IE-Duty-Officer .
CL07:DecisionRoom-CivilSociety a prov:Activity ;
prov:wasInformedBy AI-Provider:L2-EU-sovereign ;
prov:wasAssociatedWith Persona:Civil-Society-Auditor . # dissent recorded
CL07:DualControlSign a prov:Activity ;
prov:wasAssociatedWith DutyOfficer:CSIRT-IE , CoordLead:NCSC-IE .
CL07:WriteBack-Art23-72h a prov:Activity . # gated by DualControlSign
CL07:WriteBack-CRU-Handoff a prov:Activity .
CL07:WriteBack-ComReg-Handoff a prov:Activity .
CL07:BDA a prov:Entity ;
prov:wasDerivedFrom CL07:WriteBack-Art23-72h , CL07:WriteBack-CRU-Handoff .
CL07:Status a prov:Entity ; rdfs:label "OPEN-MONITORING" .
Deltas-only regulatory traceback (only what differs from defaults):
- NIS2 (Dir. (EU) 2022/2555): critically engaged — Art-23 incident-reporting (24h/72h/1-mo) is the use case; NCSC-IE acts as competent authority/CSIRT/SPOC. This is the buyer's own statutory duty, tooled.
- EU AI Act: Article 5 prohibitions applicable from 2 February 2025 — none triggered (machine-to-machine IOC fusion is not real-time biometric ID / social scoring / predictive policing). No Annex-III high-risk individual-profiling path because the COP renders orgs/assets, not people; the is_personal=false schema invariant keeps it there. FRIA available on request as a positioning artefact.
- GDPR: minimal engagement by design — indicators are technical; Art-22 (automated individual decisions) not engaged (human dual-control + no individual scoring). EU-hosted; DPA per buyer.
- Sovereignty: AI Provider Router refuses out-of-jurisdiction models — the direct answer to ICCL scrutiny and national-security data-residency.
§12 — Buyer & stakeholders
- Economic buyer: Director of NCSC-IE (Richard Browne) + senior cyber/national-security officials in the parent department (now Justice, Home Affairs & Migration). [Irish Examiner; gov.ie] [verified]
- Technical champion (most likely entry): CSIRT-IE leadership + the Sensor/MISP/threat-intel team — they feel the fusion/visibility pain daily and own the relevant tooling. [Named contact TBD.]
- Coordination stakeholders: sectoral CAs — CRU, ComReg, Central Bank — interoperate with NCSC-IE; expansion/reference targets once NCSC-IE is anchored. [Named contacts TBD.]
- EU-funding gatekeeper: NCC-IE team (Digital Europe / ECCC conduit) — the procurement-vehicle conversation. [Named contact TBD.]
- Risk/oversight watchers (not buyers): ICCL + Oireachtas committees — their concerns shape the spec; our conformity story is aimed at them.
§13 — Competition / incumbency + comparator (cited)
- Baseline, not competitor: MISP is already in use (open-source/free) — we complement it, we do not replace it. [ncsc.gov.ie] [verified]
- Incumbents: US-hosted SIEM/SOAR — Microsoft Sentinel, Splunk, Elastic — have deep Irish public-sector footprints; Palantir-style integrators pursue national-cyber accounts across Europe. [likely] (no NCSC-IE-specific contract value publicly disclosed — TBD).
- Comparator stack: Microsoft Sentinel / Splunk (log analytics) + MISP (sharing) + Recorded Future-class TTP feeds. Our wedge: (a) EU-sovereign by construction (vs US-hosted SIEM — a hard sell for national-security cyber data); (b) closed action loop + editable ontology + COP vs a log-analytics dashboard; (c) conformity-by-construction (FRIA, provenance ledger, transparency portal) that answers ICCL scrutiny — a positioning advantage no US hyperscaler can credibly match; (d) MISP/Sensor complement, not replace.
- Incumbency risk (honest): sovereignty is our differentiator, but procurement inertia + entrenched footprints favour incumbents.
§14 — Readiness (honest, pre-pilot)
- Reuse (real): the COP/ontology core, triple-renderer surfaces, the stix_board/graph_explorer archetypes, AI Provider Router, and FRIA/provenance tooling are specified and partially built — the IocFusionBoard and GraphExplorer surfaces exist in the gallery.
- Real gaps: no cyber-specific reference customer, no security clearance, no accreditation (national-security handling, ISO 27001, relevant assurance) — all TBD and likely prerequisites for handling any real NCSC-IE data. The cyber-indicator-fusion + NIS2-coordination application must be configured/co-developed for this domain. This is a higher-readiness-bar target than commercial maritime: national-security cyber buyers demand clearances/assurance we do not yet have.
- Honest framing to NCSC-IE: a co-developed pilot on synthetic/MISP-format data, not off-the-shelf delivery.
§15 — ENGAGEMENT PLAYBOOK (first-contact → signed contract)
| Stage | Trigger | Owner | Activity + the actual template/script | Exit criterion | Deliverable |
|---|---|---|---|---|---|
| 1. First contact | Bill commencement / portal-launch news; or a Cyber-Ireland / Patrick adjacency | Founder | Warm-intro email (below) anchored on the federated-coordination pain, NOT a product tour | A reply agreeing to a discovery call | Sent email + logged reply |
| 2. Free discovery | Call booked | Founder | 60-min discovery agenda (below); bring no slides; map their loop onto detect→gate→close | Named sponsor agrees the federated-coordination pain is worth solving; Declined-List check = PASS | Discovery write-up (sponsor, top-3 pains, lawful basis, wedge) |
| 3. Scoped demo | "Could we see this on our kind of data?" | Founder | Replay CL-07 on synthetic MISP-format IOCs: OBSERVED→CORRELATED→GraphExplorer→Decision-Room sign→ACTIONED; lead with the ICCL-answering audit story + AI Provider Router | Sponsor asks "could we try this on a real slice?" | Tailored demo + recording |
| 4. Pilot | Demo ask | Founder + NCC-IE/CeADAR | 1-page pilot proposal (below); bounded use case (e.g. NIS2 self-registration intake + sector-handoff picture); synthetic/low-sensitivity data until clearance is in train; grant-routed | Success criteria met or credibly trending | Signed pilot scope + week-1 baseline |
| 5. LOI / pilot MOU | Pilot success | Founder + partner vehicle | LOI checklist (below); non-binding; Declined-List affirmation; conditional on clearance/funding | Signed MOU naming a sponsor + next step | Signed LOI/MOU (solicitor-reviewed) |
| 6. Signed contract | Procurement route open + clearance progressing + a partner vehicle can sign | Partner vehicle (NewCo / MAHI-class prime) | eTenders/OGP or NCC-IE/DIGITAL innovation route; the Stamp-1G gate is the critical-path blocker for any PAID pilot | Executed contract on a sovereign deployment | Signed contract |
Warm-intro email (adapt §3 of outreach-drafts for this buyer):
Subject: A no-cost operating-picture discovery session — NIS2 coordination
[Name] — [warm-intro context, e.g. via Cyber Ireland / Patrick Walsh].
We build an EU-sovereign common-operating-picture and decision platform and run a free discovery session: we map how CSIRT-IE's NIS2 coordination works today — intake, the 24h/72h Art-23 cadence, and the handoffs to CRU/ComReg/Central Bank — and where it stalls, at no cost and no obligation. If useful, we show a faithful demo on synthetic MISP-format IOCs with a single human-gated, fully-audited cross-sector advisory.
We publicly refuse predictive policing, biometric ID and individual risk-scoring — this is machine-to-machine indicator fusion and inter-agency coordination, human-gated and auditable, EU-sovereign by construction.
Could I show you 20 minutes?
— [Founder]
60-min discovery agenda (adapted): 0:00 frame + decline-safe line; 0:05 "walk me through a recent multi-sector incident from detection to close — who touched it, in what order, across how many systems?"; 0:20 lawful basis + sovereignty ("does AI processing have to stay in-jurisdiction?"); 0:35 stakeholders/budget ("does the Bill's commencement carry a tooling line? NCC-IE/DIGITAL in play?"); 0:45 sketch their loop vs detect→gate→close, find where intake jumps straight to a regulator with no triage/gate; 0:55 reflect top-3 pains, ask for a scoped demo date.
1-page pilot proposal (filled for NCSC-IE):
- Title & sponsor: "NIS2 Cross-Sector Coordination COP — pilot" · sponsor: CSIRT-IE lead [TBD] + NCC-IE budget owner [TBD].
- Problem (their words): "On commencement we coordinate ~2,000 entities and three sectoral regulators on email and spreadsheets; we have the feeds but no fused operating picture."
- The one thing we'll prove: "We can fuse Sensor + MISP + synthetic self-registration data into one cross-sector incident picture and reduce time-to-coordinated-handoff from X to Y." (X/Y = baseline TBD, set week 1.)
- Scope in/out: IN — IocFusionBoard + GraphExplorer + Decision-Room sign + CRU/ComReg handoff on synthetic/MISP-format data. OUT — any real classified data, any personal data, everything on the Declined List (explicitly excluded).
- Data & lawful basis: synthetic + open MISP IOCs only; EU-hosted; no personal data (schema-enforced); classification × isolation tier = EU-RESTRICTED hardened containers until clearance is in train.
- Success criteria: (1) cluster correlation surfaced; (2) 2/2 sector handoffs inside a simulated Art-23 72h window; (3) every action carries a provenance entry + human sign. (Baselines TBD week 1.)
- Timeline: 8–12 weeks; mid-point checkpoint.
- Commercials: €0 to NCSC-IE if grant-routed (NCC-IE/DIGITAL); production band Tier 1 €120–240k/yr only if asked.
- After: LOI if criteria met.
- Funding vehicle: NCC-IE / Digital Europe Programme innovation route (the €4.2m NCC-IE precedent), or an Innovation Voucher (CeADAR) for the discovery spike.
LOI checklist (deltas for this buyer): parties (NCSC-IE + founder-in-own-name pending NewCo, s.45 ratification); non-binding except confidentiality; Declined-List affirmation explicit; conditions = funding award + security clearance/accreditation + data-sharing agreement; Irish law; solicitor review confirmed.
§16 — PM / timeline (Gantt + milestones + critical path + RACI)
Timeline axis: 2026 H2 (Jul Aug Sep Oct Nov Dec) | 2027 H1 (Jan Feb Mar Apr May Jun) | 2027 H2 (Jul Aug Sep Oct)
| Step | Bar |
|---|---|
| [1] First contact | #### |
| [2] Free discovery | ###### |
| [3] Scoped demo | ###### |
| [4] Pilot (grant) | ############## |
| [5] LOI / MOU | ###### |
| *** STAMP-1G / partner-vehicle gate *** | ######## (must resolve before a PAID pilot/contract) |
| [6] Procurement / contract | #################### |
Milestones: M1 discovery write-up (sponsor named); M2 demo on synthetic IOCs; M3 pilot scope + week-1 baseline; M4 signed LOI/MOU; M5 contract on a sovereign deployment.
Critical path: the Stamp-1G / partner-vehicle gate — until the founder is on Stamp 4 (or a partner/co-founder/Dogpatch-brokered entity or a MAHI-class prime can sign) no paid pilot or contract is legally signable; this gates M6, not the technical work. Slow gov tendering + clearance/accreditation are the second-order critical-path items (t_resolve ≈ 18 months).
RACI:
| Activity | Founder | Warm-intro sponsor (Patrick/Cyber-Ireland) | MAHI/partner vehicle | Buyer champion (CSIRT-IE) | Buyer procurement (NCC-IE/OGP) |
|---|---|---|---|---|---|
| First contact / intro | R | A | I | I | — |
| Free discovery | R | C | I | A | I |
| Scoped demo | R | I | C | A | I |
| Pilot delivery | R | I | C | A | C |
| LOI / MOU | R | C | A (signs) | C | C |
| Procurement / contract | C | I | R/A (contracts) | C | A |
§17 — Funding / procurement vehicle
- Statutory pull is the strongest vehicle: the National Cyber Security Bill 2024 / NIS2 transposition creates a new, funded mandate (lead CA, SPOC, self-registration on commencement) that requires coordination tooling — budget-with-a-deadline.
- EU rails: NCC-IE channels Digital Europe Programme + ECCC cyber funds (the €4.2m NCC-IE project is precedent); a co-funded or grant-supported pilot is plausible and EU-sovereign-first tooling is what these instruments back.
- Discovery-spike rail: an Innovation Voucher (€5k, CeADAR) funds the technical discovery spike.
- Procurement reality: Irish public procurement (eTenders/OGP) for a State security body is slow, competitive, tender-driven, with security-clearance + sovereignty conditions; a scoped innovation/pilot route is the realistic first money; full procurement is multi-quarter-to-multi-year. National-security sensitivity may narrow open competition (Art-346 TFEU / Dir. 2009/81/EC exemption) but raises the clearance bar. [eTenders/OGP specifics — TBD.]
§18 — TWO-STAGE FORMULA SCORECARD
Every factor cell is [PRIOR] with a dated (2026-06-05) one-line rationale.
Stage 1 — P(LOI). Vector {mandate_pull, access_warmth, demonstrability, decline_safety, white_space, cycle_speed, pillar_fit}:
| Factor | Score | Dated rationale (2026-06-05) |
|---|---|---|
| mandate_pull | 5 | NIS2 / National Cyber Security Bill 2024 = a funded mandate with a hard commencement-driven self-registration deadline; HSE-2021 drove real budget/staff expansion. [PRIOR] |
| access_warmth | 2 | No named champion; only Patrick/Cyber-Ireland community adjacency — weak-to-moderate, cold-led. [PRIOR] |
| demonstrability | 3 | Fusion+COP+ontology fits the coordination pain; demoable on synthetic MISP IOCs, but the cyber app needs configuring (not the storm-replay reuse the civil-protection rows enjoy). [PRIOR] |
| decline_safety | 5 | Machine-to-machine IOC fusion + inter-agency coordination; clear of the Declined List; conformity tooling answers the ICCL surveillance concern; is_personal=false is schema-enforced. [PRIOR] |
| white_space | 3 | MISP/Sensor are feeds not a fusion COP (genuine white space above them); but Sentinel/Splunk are entrenched. [PRIOR] |
| cycle_speed | 2 | State national-security body: slow tendering, clearance gating; an NCC-IE/DIGITAL pilot route exists but is not fast. [PRIOR] |
| pillar_fit | 5 | Squarely the action-loop COP core (stix_board + graph_explorer + Decision Room). [PRIOR] |
S1 = .22·5 + .22·2 + .18·3 + .14·5 + .10·3 + .08·2 + .06·5 = 1.10 + 0.44 + 0.54 + 0.70 + 0.30 + 0.16 + 0.30 = 3.54. P_LOI = 0.55 / (1 + exp(−1.15·(3.54 − 2.6))) = 0.55 / (1 + exp(−1.081)) = 0.55 / 1.339 = 0.41 → band ~33–46% (card: 22–32% to-LOI; this lands at the optimistic edge — see reconciliation).
Stage 2 — P(Contract | LOI). Vector {contractability, funding_to_pay, procurement_clarity, incumbency_displacement, time_to_value, reference_leverage}:
| Factor | Score | Dated rationale (2026-06-05) |
|---|---|---|
| contractability | 1 | Founder solo on Stamp 1G — no signable vehicle until Stamp 4 or a partner prime. [PRIOR] |
| funding_to_pay | 4 | Statutory budget line + NCC-IE/DIGITAL/ECCC grant rails (€4.2m precedent). [PRIOR] |
| procurement_clarity | 2 | eTenders/OGP slow + clearance-gated; innovation route exists but ambiguous for a security body. [PRIOR] |
| incumbency_displacement | 4 | We sit above MISP/Sensor and complement, not displace, a deployed prime. [PRIOR] |
| time_to_value | 2 | Clearance/accreditation likely outruns a fast TTV; multi-quarter to value. [PRIOR] |
| reference_leverage | 2 | No cyber reference; a delivered decline-safe (e.g. civil-protection) reference would de-risk. [PRIOR] |
S2 = .24·1 + .22·4 + .18·2 + .16·4 + .12·2 + .08·2 = 0.24 + 0.88 + 0.36 + 0.64 + 0.24 + 0.16 = 2.52. P_raw = 0.70 / (1 + exp(−1.1·(2.52 − 2.8))) = 0.70 / (1 + exp(0.308)) = 0.70 / 2.361 = 0.297.
Legal gate G = V·T. T = min(1, max(0,(30 − 18)/30)) = 0.40 (t_resolve ≈ 18 mo).
- V = 0.10 (today, solo Stamp-1G): G = 0.040 → P(Contract|LOI) = 0.040·0.297 = 1.2%.
- V = 0.45: G = 0.18 → 5.3%. · V = 0.75: G = 0.30 → 8.9%. · V = 1.00: G = 0.40 → 11.9%.
P(Contract) = P_LOI · G · P_raw = 0.41 · 0.040 · 0.297 ≈ 0.5% today (V=0.10); ≈ 2.2% at V=0.45; ≈ 4.9% at V=1.0. (to-buy card band 20–27% is the post-gate, gate-resolved upper bound — the gate, not Stage-2 quality, is the binding constraint.)
Score100 = S1·20 = 3.54·20 = 70.8. Reconciliation to board_anchor (58.1): the per-domain card scored this at 67.7/100 on its own 7-factor weighted model; the board_anchor in the spec is 58.1, ~13 points below my S1·20 = 70.8 and ~10 below the card. The gap is driven by the two factors the board weights harder for national-security cyber: the 18-month resolve horizon + clearance/accreditation bar + no warm intro. Because 70.8 is more than ~5 points outside the 58.1 anchor band, I do not silently adopt it: I record score100 = 58.1 (board_anchor retained) and flag that my Stage-1 vector reads ~12 points higher than the board — a calibration item to resolve at first real conversation (most likely access_warmth and cycle_speed are the over-counted cells; the board appears to discount mandate_pull for a not-yet-commenced Bill). Honest verdict: NEXT, gated by readiness/clearance/no-intro, not mandate.
§19 — Commercial
- Pilot: frequently €0 to NCSC-IE if NCC-IE/DIGITAL grant-routed; otherwise a small scoped fee — TBD with sponsor.
- Tier 1 (initial scoped deployment): €120–240k/yr ACV — single bounded use case (NIS2 intake + sector-handoff picture), synthetic/low-sensitivity data.
- Tier 2 (federated coordination COP): €500k–1.2m/yr — full Art-23 coordination across CRU/ComReg/Central Bank handoffs.
- Tier 3 (national CSIRT decision-intelligence): €2.4–4.8m/yr — fusion + COP + conformity tooling at full national deployment.
- Terms: annual; EU-hosted sovereign deployment; cost advantage from open-source substrate + sovereign HPC + shared conformity file + no forward-deployed-engineer dependency.
- Requirements (the price of entry): security clearance/accreditation, ISO-27001-class assurance, data-sharing agreement, EU-physical residency — all TBD/prerequisite.
§20 — Legal blockers
- X1 — Stamp 1G (the binding cap here). The solo founder cannot be a director/shareholder, self-employed, or operate a business until Stamp 4 ⇒ no paid pilot or contract is signable by the founder alone. Resolve via a partner/co-founder/Dogpatch-brokered vehicle (Patrick or Manuel Loureiro as EEA-resident director, or a €25k s.137 bond) or wait for Stamp 4. ⚖️ CONFIRM (immigration solicitor).
- Buyer-specific — national-security clearance on a pre-incorp founder (hard blocker). Handling NCSC-IE / national-security cyber data will require personnel security clearance + organisational accreditation that a pre-incorporation founder does not hold; this likely gates real-data handling entirely and pushes first money to synthetic-data pilots. ⚖️ CONFIRM.
- X2 — EU AI Act. Art-5 prohibitions applicable from 2 February 2025 — none triggered (M2M IOC fusion is not biometric/social-scoring/predictive-policing). No Annex-III individual-profiling path by design; FRIA available as a positioning artefact. [verified] regime; per-config ⚖️ CONFIRM.
- X3 — GDPR / residency. Minimal by design (technical indicators, is_personal=false); EU-hosted; DPA per buyer. [verified]
- X5 — Defence/security procurement (Art-346 TFEU / Dir. 2009/81/EC). A security body may exempt sensitive contracts from open tender — can help (negotiated procedure) or exclude us; anticipate clearance conditions. [verified]
- X7 — Pre-incorporation contracting. Sign NDAs/MOUs in the founder's own name under Companies Act 2014 s.45 (ratifiable post-formation); founder personally liable until NewCo formed. ⚖️ CONFIRM.
- X6 — NATO DIANA exclusion (Ireland non-NATO): irrelevant to funding here (use EU/NCC-IE/DIGITAL rails). [verified]
§21 — Warm-intro contact + the specific ask
- No confirmed warm intro to NCSC-IE today — intro strength is weak-to-moderate (cold-led).
- Best available path: Patrick Walsh (Dogpatch CEO, patrick@dogpatchlabs.com [verified]) for Irish-ecosystem credibility + a test of whether his state/semi-state network reaches CSIRT-IE / NCC-IE; Cyber Ireland cluster as a community on-ramp; NCC-IE's industry-engagement remit is an open door.
- The specific ask of Patrick: "Does your state/semi-state network reach a named CSIRT-IE technical lead or the NCC-IE team? I want a free discovery session anchored on the federated NIS2-coordination pain — object/indicator fusion only, explicitly no biometric/predictive scope — and I'll run it at no cost to them." (Secondary: a Cyber-Ireland conference introduction.)
§22 — Open questions + consolidated Sources
Open questions (do not assert until resolved):
- Current (2026) NCSC-IE budget & headcount — only 2021 figures public. TBD.
- Bill commencement date + the exact self-registration deadline — "July 2026" is a soft target tied to enactment, not a hard date; the Bill is still in pre-legislative scrutiny. TBD.
- Procurement route specifics — eTenders/OGP vs NCC-IE/DIGITAL innovation grant; clearance prerequisites + timeline. TBD.
- Existing tooling stack beyond MISP/Sensor — is a fusion/coordination platform already procured? TBD.
- Warm-intro reality — can Patrick or Cyber Ireland produce a named CSIRT-IE / NCC-IE contact? TBD.
- Clearance/accreditation requirements for NCSC-IE data — likely gating; verify earliest. TBD.
- Calibration: my S1·20 = 70.8 reads ~12 pts above the 58.1 board_anchor — resolve which cells (likely access_warmth/cycle_speed) the board discounts, at the first real conversation.
Sources (web-verified 2026-06-05):
- gov.ie — General Scheme of the National Cyber Security Bill 2024 (now Dept of Justice, Home Affairs & Migration). [verified]
- ncsc.gov.ie/nis2 + /nis2/FAQ — federated model; portals pending enactment; CSIRT-IE; Sensor Programme. [verified]
- Arthur Cox — NIS2 scope expansion "just over 100 → at least ~2,000" entities. [verified]
- Mason Hayes Curran; Eversheds Sutherland; DLA Piper; McCann FitzGerald — NIS2 transposition / competent-authority structure / Art-23 cadence. [verified]
- Irish Times / Irish Examiner / Wikipedia — NCSC expansion 25→45→70, €4m→€6.9m→~€7.5m, Director ~€184k (2021 base; 2026 actuals TBD). [verified] base / [likely] currency.
- gov.ie + ncsc.gov.ie/ncc-ie — NCC-IE €4.2m establishment; Digital Europe / ECCC conduit. [verified]
- ICCL — "mass surveillance" / over-broad-powers concern re the Bill. [verified]
- EU AI Act Art-5 prohibitions applicable 2 February 2025. [verified]
- Internal: ncsc-cyber.md (source card); discovery-playbook.md; formula-worked-examples.md; legal-blockers-register.md; contact-register.md; outreach-drafts.md; AW theme W-04 (...-aw-t01.md, UC-33/34 stix_board + graph_explorer depth pattern).
