The middle layer must be visible.
Without a mapper, a machine-readable regulatory profile is just somebody’s private interpretation.
The Mapper records the conversion from official source text to operational profile JSON, including the parts that can be mechanically checked and the parts that remain human judgement.
Source text becomes JSON in public.
The workpaper does not hide the translation. It breaks it into reviewable states.
run_all.py
profile: eu.dora.ict_incident.major.initial.v1
stages: 8
source_bundle: pinned
mapper_report: generated
traceability: present
result: PASS WITH REVIEW NOTESCompact output first. Full detail below.
The terminal is evidence, not decoration. It should support the workpaper, not dominate the page.
Where judgement entered, it is named.
Machine profiles should not pretend all interpretation is mechanical. The ledger makes review-required decisions visible.
| Decision | Why needed | Source basis | Confidence | Review |
|---|---|---|---|---|
| Incident classification fields | Operational schema needs discrete profile fields | DORA incident reporting source fragments | Medium | Legal review required |
| Time semantics | Reporting process needs timestamps normalized | Notification timing obligations | Medium | Implementation review |
| Disclosure controls | Some fields may be sensitive in public tooling | Security and confidentiality considerations | Low to medium | Policy review required |
The mapper creates an adoption surface.
Compare private schemas against a public source-bound profile.
This is the bridge from commons infrastructure to practical use: missing fields, unsupported fields, source-supported fields, interpretation-required fields and overclaim risks.
SCHEMA GAP REPORT reference: eu.dora.major_ict_incident.v1 compared: vendor_dora_incident_v3.json matched fields: 37 missing source-bound fields: 06 vendor-only fields: 11 interpretation-required: 04 disclosure-sensitive: 03 unsupported legal claims: 02
Useful without becoming closed infrastructure.
A gap report is a concrete output for vendors and compliance teams, while the reference profile remains open and challengeable.
The wide table stays local-scroll.
Mapper review data is too wide to crush into narrow mobile columns. It should scroll horizontally inside its own container while the page itself remains stable.
| Mapper answer | Profile field | Source fragment | Evidence label | Review status | Notes |
|---|---|---|---|---|---|
| Major ICT-related incident notification | incident_type | Regulatory source fragment concerning major ICT-related incidents | source-supported | reviewed | Field exists to preserve reporting category |
| Initial report timing | notification_stage | Reporting process source fragment | interpretation-required | needs legal check | Operational staging must not imply legal sufficiency |
| Affected services and impact | impact_scope | Incident impact source fragment | source-supported | reviewed | May require sub-field refinement in implementation |
The mapper refuses legal magic.
The mapper can show how a profile was assembled. It cannot certify that the profile is legally complete or accepted by a supervisor.
- official source artefacts named and hashed
- field provenance, mapper notes and reproducibility
- schema divergence against a public reference profile
- where interpretation entered the machine profile
- legal approval or supervisory acceptance
- that a filing, firm or vendor is compliant
- that a mapping is legally complete without review
- that pinned sources are automatically the latest legal state