A structured inventory of candidate mechanisms for MIM6 v9.0, organised along the security pipeline: from identity and authentication to policy enforcement and secure transfer.
Establish trusted identities for people, organisations, and machines, and verify them before granting access to data or services.
De facto standard for delegated authorisation (OAuth 2.0) and federated authentication (OpenID Connect). Enables single sign-on across city services. Supports scopes for fine-grained permissions. Client Credentials flow for machine-to-machine communication.
Cryptographically signed, tamper-proof digital credentials. An issuer (e.g. city hall) issues a credential to a holder (citizen or organisation), who presents it to a verifier without contacting the issuer. Supports selective disclosure — share only what's needed.
Self-sovereign identifiers that are cryptographically verifiable and not dependent on a central registry. Resolve to DID Documents containing public keys and service endpoints. Foundation for decentralised trust in data spaces.
European framework for trusted electronic identification and authentication. eIDAS 2.0 introduces the EU Digital Identity Wallet (EUDIW) based on Verifiable Credentials. By 2026, EU member states must offer digital wallets. Directly relevant for cross-border city service access.
Certificate-based authentication where both client and server present certificates. Standard for machine-to-machine authentication in data spaces and IoT networks. Higher security than API keys or bearer tokens.
Define and enforce policies that determine which authenticated entities can access which data, under which conditions.
XACML is the formal OASIS standard for attribute-based access control policies (ABAC). OPA (with Rego language) is the modern, developer-friendly alternative widely adopted in cloud-native environments. Both enable fine-grained, context-aware access decisions: "allow access to air quality data if requester is a registered city AND purpose is public health".
Machine-readable language for expressing usage policies, permissions, prohibitions, and duties attached to data. Used by International Data Spaces (IDS) and Eclipse Dataspace Components (EDC) to define data usage contracts. Example: "this dataset may be used for research only, must be deleted after 12 months".
Extension of OAuth 2.0 where the resource owner (citizen) defines access policies for their data, and an authorisation server enforces them — even when the owner is offline. Enables citizen-controlled data sharing across city services.
Ensure data confidentiality, integrity, and authenticity during transfer between systems, including sovereign data exchange across organisational boundaries.
Reference implementation for European data spaces. Handles the full negotiation lifecycle: catalogue browsing, contract negotiation, policy verification, and secure data transfer. Implements IDS protocols. Used by Catena-X (automotive), Gaia-X, and emerging city data spaces.
FIWARE's implementation of the data space connector pattern. Integrates with NGSI-LD context brokers. Adds trust (Verifiable Credentials), policy (ODRL), and secure transfer on top of existing FIWARE deployments. Lower barrier for cities already using FIWARE.
Transport Layer Security 1.3 for encrypting data in transit. Mandatory baseline for all MIM-conformant data exchanges. For sensitive data, end-to-end encryption (beyond TLS) ensures that intermediary platforms cannot read the payload.
Protocol specification for sovereign data exchange. Defines connector-to-connector communication: self-description, catalogue, contract negotiation, and transfer. Implemented by EDC and FIWARE DSC. Being adopted as the European data space standard via DSSC and SIMPL.
Continuously evaluate cyber risks, implement security measures, and ensure compliance with regulatory requirements (NIS2, GDPR, Cyber Resilience Act).
EU directive on security of network and information systems. Mandatory for essential and important entities (including public administration and digital infrastructure). Requires risk assessments, incident reporting (24h/72h), supply chain security, and management accountability. In force since October 2024.
ISO 27001 is the international standard for information security management systems (ISMS). ISO 27701 extends it with privacy information management (GDPR alignment). Provides a structured framework for risk assessment, controls, and continuous improvement. Widely recognised as baseline certification for data-handling organisations.
New EU regulation requiring cybersecurity-by-design for products with digital elements. Relevant for smart city hardware and software (IoT devices, platform components). Mandates vulnerability handling, security updates, and conformity assessment. Applies from 2027.
European trust and federation framework for data spaces. Defines trust anchors, credential schemas, compliance rules, and self-descriptions for data space participants. Cities participating in European data spaces will need Gaia-X conformant self-descriptions.
Standardised logging of all data access events (who accessed what, when, under which policy). Immutable audit trails (potentially blockchain-anchored) for compliance demonstration. Essential for NIS2 incident reporting and GDPR accountability. Currently a gap in the MIM6 specification.