Thesis Type:
Student: Falk Boehm
Status: Finished
Proposal on: 13/05/2025 1:00 pm
Proposal room: Seminar room I5 6202
Presentation on: 03/03/2026 9:30 am
Presentation room: Seminar room I5 6202
Supervisor(s): Stefan Decker
Advisor(s): Mehdi Akbari G., Lasse Nitz, Avikarsha Mandal
Contact: mehdi.akbari.gurabi@fit.fraunhofer.de, lasse.nitz@fit.fraunhofer.de, avikarsha.mandal@fit.fraunhofer.de
The thesis focuses on the new regulatory requirements that the NIS2 directive imposes on companies. It aims to systematically extract these requirements and align them with established industry standards that provide detailed implementation guidance. The goal is a structured mapping between high-level regulatory obligations and more detailed implementation guidance, so that organizations can understand and operationalize their compliance requirements. The thesis also investigates how large language models (LLMs) can support this alignment, and contributes by analyzing the trade-offs between different document representations and retrieval strategies under realistic constraints.
A central challenge in this context is that the relevant standards documents are typically copyrighted and cannot be distributed as part of a solution. The thesis therefore focuses on approaches that operate on documents supplied by the user, with an emphasis on transferability across different standards and document versions. In this setting, extracting and exploiting the document structure (clause numbers, heading hierarchy) is particularly important: it supports explainability by indicating where a retrieved piece of guidance originates, without requiring fully curated semantic knowledge about the standard to be shared.
Additionally, the research may contribute to generating relevant playbooks for this purpose. The goal is to create generic playbooks that are transferable between organizations while still supporting individual use effectively. This exploration may include ideas such as modularity, textual guidelines, or code-based playbook refinement. The requirements extraction will follow an established methodology, and the resulting playbooks will be evaluated against a pre-defined set of relevant factors and may be verified through expert interviews.
This work is particularly significant because directives such as NIS2 and legislation such as the EU Cybersecurity Act emphasize the need for timely incident reporting and for automation in response processes. The thesis will first analyze these directives and regulations and then implement the components needed to support achieving compliance.
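The following Python example is added here to illustrate the structure-aware, provenance-preserving retrieval sketched in the paragraph above; it is not code from the thesis or from its authors. The standard-like document text and the NIS2-like requirement sentence inside it are constructed for the example and are not quotations from any standard or from the directive. The example parses a user-supplied, clause-numbered document into sections that remember their heading path, then ranks sections against a requirement sentence by TF-IDF cosine similarity and returns, for each hit, the clause number, the heading path and the matched terms, so a reviewer can see exactly where the guidance came from.

```python
"""Structure-aware retrieval over a user-supplied standards document.

Added example, not part of the thesis. The document below is a constructed
stand-in with invented clause numbers and wording, used only to show how
heading structure can be kept as provenance for each retrieval result.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample document (not an excerpt of any real standard).
SAMPLE_STANDARD = """\
5 Incident management
5.1 Incident detection
The organisation shall monitor networks and systems to detect security events.
5.2 Incident reporting
Significant incidents shall be reported to the competent authority within 24 hours of becoming aware of them.
5.2.1 Report content
The early warning shall indicate whether the incident is suspected to be caused by unlawful or malicious acts.
6 Supply chain security
6.1 Supplier assessment
The organisation shall assess the security practices of its direct suppliers and service providers.
"""

# Constructed NIS2-like obligation used as the query (paraphrase, not a quotation).
SAMPLE_REQUIREMENT = ("Entities shall notify the competent authority of any significant "
                      "incident without undue delay and in any event within 24 hours.")

HEADING_RE = re.compile(r"^(\d+(?:\.\d+)*)\s+(.+)$")   # e.g. "5.2.1 Report content"
TOKEN_RE = re.compile(r"[a-z0-9]+")


@dataclass
class Section:
    number: str          # clause number as written in the document
    title: str
    path: list           # heading titles from the top-level clause down to this one
    text: str = ""       # body text belonging directly to this clause


def parse_sections(doc: str) -> list:
    """Split a clause-numbered document into sections, keeping the heading path.

    Nesting depth is taken from the number of dots in the clause number, so the
    parser needs no knowledge of the particular standard's layout conventions.
    """
    sections, stack = [], []   # stack holds (depth, Section) of open ancestors
    for raw in doc.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADING_RE.match(line)
        if m:
            number, title = m.groups()
            depth = number.count(".")
            while stack and stack[-1][0] >= depth:   # close deeper/equal siblings
                stack.pop()
            sec = Section(number, title, [s.title for _, s in stack] + [title])
            stack.append((depth, sec))
            sections.append(sec)
        elif sections:                               # body line of the open clause
            sections[-1].text += line + " "
    return sections


def tokenize(text: str) -> list:
    return TOKEN_RE.findall(text.lower())


def retrieve(sections: list, requirement: str, k: int = 3, include_headings: bool = True) -> list:
    """Rank sections by TF-IDF cosine similarity to a requirement sentence.

    With include_headings=True the heading path is indexed together with the
    body, so the document structure contributes to the match; switching it off
    gives a body-only representation for comparison. Each hit carries the
    clause number, heading path and matched terms as provenance.
    """
    docs = [tokenize((" ".join(s.path) + " " if include_headings else "") + s.text) for s in sections]
    n = len(docs)
    df = Counter(t for d in docs for t in set(d))
    idf = {t: math.log((1 + n) / (1 + c)) + 1 for t, c in df.items()}

    def vec(tokens):
        tf = Counter(tokens)
        return {t: tf[t] * idf.get(t, 0.0) for t in tf}   # unknown query terms weigh 0

    def cosine(a, b):
        dot = sum(w * b.get(t, 0.0) for t, w in a.items())
        na, nb = math.sqrt(sum(w * w for w in a.values())), math.sqrt(sum(w * w for w in b.values()))
        return dot / (na * nb) if na and nb else 0.0

    q = vec(tokenize(requirement))
    hits = []
    for d, s in zip(docs, sections):
        score = cosine(q, vec(d))
        if score > 0:
            hits.append({"score": round(score, 3), "section": s.number,
                         "path": " > ".join(s.path),
                         "matched": sorted(set(q) & set(d))})
    hits.sort(key=lambda h: h["score"], reverse=True)
    return hits[:k]


if __name__ == "__main__":
    for hit in retrieve(parse_sections(SAMPLE_STANDARD), SAMPLE_REQUIREMENT):
        print(hit["score"], hit["section"], hit["path"], hit["matched"])
```

The matching is purely lexical (no stemming, so "incident" and "incidents" are different tokens), which is deliberate: the point of the example is the provenance carried by `parse_sections`, not the ranker. An embedding- or LLM-based retriever can replace `retrieve` while keeping the same `Section` objects, and `include_headings` gives a minimal knob for comparing a structure-aware representation with a body-only one, which is the kind of trade-off the thesis sets out to analyze.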
Some references related to the topic:
- NIS2 Directive Overview: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
- https://www.dataguard.co.uk/blog/a-step-by-step-guide-for-nis2-directive
- The EU Cybersecurity Act: https://eur-lex.europa.eu/EN/legal-content/summary/the-eu-cybersecurity-act.html
- Requirements for Playbook-Assisted Cyber Incident Response, Reporting and Automation: https://dl.acm.org/doi/full/10.1145/3688810
- The EU’s cybersecurity framework: the interplay between the Cyber Resilience Act and the NIS 2 Directive: https://link.springer.com/article/10.1365/s43439-023-00084-z
- Cybersecurity in the EU: How the NIS2-directive stacks up against its predecessor: https://www.sciencedirect.com/science/article/pii/S0267364923001000
Prerequisites: basic knowledge of cyber incident response, systems engineering, semantic technologies and generative AI.