The definitions and concepts regarding cyber risk, cyber threat, categorization, and notation conventions are primarily derived from the European Union's comprehensive legislative framework (including NIS 2, DORA, and CRA) and the specialized framework of the Top Level Cyber Threat Clusters (TLCTC).
a) Cyber Risk
| Framework | Term | Definition |
|---|---|---|
| EU Regulation (General) | Cybersecurity Risk | Defined as "the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident". This definition is common in the Cyber Resilience Act (CRA) and the NIS 2 Directive's definition of 'risk'. |
| EU Regulation (DORA/Financial) | ICT Risk | Functional equivalent to Cyber Risk. Defined broadly in DORA to include any circumstance disrupting operations or providing adverse effects in digital/physical environments. DORA intentionally focuses on this broader concept for operational resilience. |
| TLCTC | Cyber Risk | Describes "the probability of occurrence of a cyber event in which IT systems or human actors are compromised due to one or more of the 10 Top Level Cyber Threat Clusters, leading (via Event-Chains) to consequential damage (impact)". |
The EU legislative framework generally defines risk based on the traditional likelihood and magnitude formula, often employing an "all-hazards approach." The TLCTC framework is structurally precise, positioning Cyber Risk as the ultimate probability tied to the loss of control (system compromise) caused by one or more of the 10 specific threat clusters.
b) Cyber Threat
| Framework | Term | Definition |
|---|---|---|
| EU Regulation (Harmonized) | Cyber Threat | Centralized in Regulation (EU) 2019/881 (Cybersecurity Act). Defined as "any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems". |
| EU Regulation (DORA/NIS 2) | Significant Cyber Threat | A threat is 'significant' if technical characteristics imply severe impact or major ICT-related incidents. |
| TLCTC | Threat (Threat Cluster) | Defined as "a set of tactics, techniques and procedures (TTP) that attackers apply to provoke an event or incident, exploiting vulnerabilities in IT systems or human behaviors". |
The EU regulatory view prioritizes legal standardization and interoperability via the CSA. The TLCTC framework is built on the Axiom that threats must be separated from threat actors and motivation, classified solely by the generic vulnerability they target.
c) Categories of Cyber Threats
| Framework | Grouping Method | Details |
|---|---|---|
| TLCTC | 10 Mutually Exclusive Threat Clusters | Groups threats based on the generic vulnerability. E.g., #1 Abuse of Functions, #9 Social Engineering, #10 Supply Chain Attack. |
| EU Regulation (DORA) | Functional Categories/TTPs | Requires identification of threats like "Social engineering," "Identity theft," "Data destruction." These overlap in function rather than being mutually exclusive causes. |
| EU Regulation (NIS 2/CRA) | Entity/Product Criticality | NIS 2 classifies by entity criticality (Essential vs Important). CRA classifies products (Class I, II, Critical). |
d) Notation Convention
| Framework | Notation Type | Format |
|---|---|---|
| TLCTC | Sequential & Dual-Layer | Strategic: #9 → #3 → #7 (Human-Readable). Operational: TLCTC-XX.YY (Machine-Readable). |
| EU Regulation (TLPT) | TIBER-EU Documentation | Document-heavy planning: Targeted Threat Intelligence Report, Red Team Test Plan, Blue Team Report. Focuses on scenarios and flags. |
The Analogy: The Library and the Translator
The difference between the EU Regulatory definitions and the TLCTC framework is like comparing a country's official library to a new, universal machine-translation app for incident reporting.
TLCTC Synergy with EU Cyber Regulation Framework
The EU regulatory framework would profit significantly from adopting concepts like the TLCTC, primarily by gaining a unified, standardized technical taxonomy that improves internal market functioning, risk communication, and operational testing mandated by the current legislation.
1 Enhancing Regulatory Standardization
- Standardized Lexicon for Threat Sharing: The EU relies on the CSA for a centralized definition of 'cyber threat'. TLCTC Benefit: Offers a unified, mandatory taxonomy of 10 mutually exclusive clusters. This provides consistent, standardized input data for threat intelligence sharing systems like the CSIRTs network.
- Risk Categorization: Manufacturers (CRA) and entities (NIS 2) must manage risk. TLCTC Benefit: Provides a stable language for defining risk appetite and allocating resources effectively at the strategic level.
2 Improving Strategic Communication (DORA & NIS 2)
Both NIS 2 and DORA place high demands on the management body to approve and oversee cybersecurity risk management. The TLCTC’s dual-notation system bridges the gap between technical reality and board oversight.
3 Strengthening Operational Testing (TLPT)
The TLCTC notation can be used to formally tag and track the steps within a TLPT engagement, providing a logical sequence representation for complex attack paths (e.g., #10.1→#7) as required by TIBER-EU.
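The dual-layer notation described in the convention table above and in this TLPT passage can be handled mechanically: a tracker tags each engagement step once and renders it in both layers. The following is an added example written for this page, not tooling published by the TLCTC project or by TIBER-EU. It parses the human-readable chain form (e.g. "#10.1→#7"), validates that every cluster lies in #1..#10, and renders the machine-readable TLCTC-XX.YY form. The zero-padding of XX and YY, the use of YY = 00 when no sub-level is tagged, and the acceptance of an ASCII "->" as an alternative arrow are assumptions made here, since the page only states the XX.YY shape.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The framework defines exactly 10 top-level clusters, numbered #1..#10.
CLUSTER_MIN, CLUSTER_MAX = 1, 10

# Strategic token: "#9" or "#10.1" (cluster, optional sub-level).
_STRATEGIC_RE = re.compile(r"^#(\d{1,2})(?:\.(\d{1,2}))?$")
# Operational code: "TLCTC-XX.YY" (two-digit padding is an assumption of this example).
_OPERATIONAL_RE = re.compile(r"^TLCTC-(\d{2})\.(\d{2})$")


@dataclass(frozen=True)
class Step:
    """One tagged step of an attack path: a cluster number and an optional sub-level."""
    cluster: int
    sub: Optional[int] = None

    def strategic(self) -> str:
        # Human-readable layer, as used at board level: "#9" or "#10.1".
        return f"#{self.cluster}" if self.sub is None else f"#{self.cluster}.{self.sub}"

    def operational(self) -> str:
        # Machine-readable layer. Assumption: YY = 00 encodes "no sub-level tagged".
        return f"TLCTC-{self.cluster:02d}.{(self.sub or 0):02d}"


def _check_cluster(cluster: int) -> int:
    if not CLUSTER_MIN <= cluster <= CLUSTER_MAX:
        raise ValueError(f"cluster #{cluster} is outside #{CLUSTER_MIN}..#{CLUSTER_MAX}")
    return cluster


def parse_strategic(chain: str) -> List[Step]:
    """Parse a strategic chain such as '#9 → #3 → #7' or '#10.1->#7' into Steps."""
    steps: List[Step] = []
    for token in chain.replace("->", "→").split("→"):
        token = token.strip()
        m = _STRATEGIC_RE.match(token)
        if not m:
            raise ValueError(f"malformed step token {token!r}")
        cluster = _check_cluster(int(m.group(1)))
        sub = int(m.group(2)) if m.group(2) is not None else None
        steps.append(Step(cluster, sub))
    if not steps:
        raise ValueError("empty chain")
    return steps


def parse_operational(codes: List[str]) -> List[Step]:
    """Parse a list of operational codes such as ['TLCTC-10.01', 'TLCTC-07.00']."""
    steps: List[Step] = []
    for code in codes:
        m = _OPERATIONAL_RE.match(code.strip())
        if not m:
            raise ValueError(f"malformed operational code {code!r}")
        cluster = _check_cluster(int(m.group(1)))
        sub = int(m.group(2)) or None  # "00" means no sub-level (assumed convention)
        steps.append(Step(cluster, sub))
    return steps


def to_operational(steps: List[Step]) -> List[str]:
    return [s.operational() for s in steps]


def to_strategic(steps: List[Step]) -> str:
    return " → ".join(s.strategic() for s in steps)


def tag_engagement(chain: str) -> List[dict]:
    """Tag each step of a TLPT attack path with its index and both notation layers,
    so a test plan and the resulting report refer to the same identifiers."""
    return [
        {"step": i, "strategic": s.strategic(), "operational": s.operational()}
        for i, s in enumerate(parse_strategic(chain), start=1)
    ]


if __name__ == "__main__":
    # Constructed sample path taken from the page's own notation examples.
    for row in tag_engagement("#10.1→#7"):
        print(row)
```

The two parsers are inverses under the stated assumptions, so a chain written in a Red Team Test Plan can be round-tripped through the operational codes used by a tracking tool and back to the strategic form shown to the management body without information loss; an out-of-range cluster such as #11 is rejected at parse time rather than silently tagged.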
In summary, while the EU establishes what must be protected, TLCTC offers the axiomatic language for defining the causes.