Notes
Definitions
Here we list terms that need to be defined, often for all MIMs and not just for MIM6.
Data
Definition: Raw, unprocessed facts and figures without context. Data can be numbers, text, images, or other forms of input.
Example: A list of temperatures recorded every hour throughout the day.
Information
Definition: Data that has been processed, organized, or structured in a way that adds context and meaning, making it useful for decision-making. When information is transferred it is data.
Example: A report analysing the temperature data to determine the hottest and coldest times of the day.
Data processors
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal* data on behalf of the controller; Reference: GDPR Article 4(8)
*We expand the definition to also encompass all kinds of data, not only personal data.
Processing
‘processing’ means any operation or set of operations which is performed on personal* data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; Reference: GDPR Article 4(2)
*We expand the definition to also encompass all kinds of data, not only personal data.
Identity
A set of attributes that uniquely describe a subject within a given context. Reference: NIST Definition (SP 800-63-3 – Digital Identity)
Meeting Notes
Working Group Meeting #18 (25 February 2026)
Update on the 1st MIM Steering Committee meeting and upcoming joint foundational MIMs Working Group (comprising MIMs 0, 1, 2, and 6)
Discussion on the differences between the global MIM6 <> MIM6 Plus
Need for identifying the interoperable aspects of NIS2
As an overarching layer, Harm recommended looking into the EUCC Certification Scheme and noted that there are interoperability-related security considerations/profiles to look into and guide our work on MIM6 going forward
Further mentioned: CAMMS and the (iLabs) FIDES Open ITB Testbed Suites
Alain to give a presentation on the Common Criteria during the next meeting
Work on FIWARE data space connector ongoing. Following further feedback, an early version for the mechanisms may be ready for the next meeting
Working Group Meetings #16-17 (26 November 2025 & 21 January 2026)
Limited participation; discussion on the next steps (especially mechanisms) as well as the OASC Conference in late January 2026; further thoughts on pre-requisites for MIM6; discussing the option of a joint working group for the foundational MIMs
Working Group Meeting #15 (22 October 2025)
Alain and Elliott from Kereval presented their work on a conformance testing suite for MIMs 1, 2 and 7 (version 6; i.e. the "old" MIM1). This gave us some idea of how future MIM6 testing may be done. See the video recording for more information
We discussed possible mechanisms for our Requirements (only R1 so far). You can find these in this sheet. Please add your thoughts (in column C or on its right-hand side). We will continue discussing these during the next meetings
Working Group Meeting #14 (24 September 2025)
First meeting after the summer break, kicking off the 2025/26 Securing Data MIM development cycle
Discussions on the narrow scope of the objective and the wider scope of the Capabilities (especially C1).
Open question: do we need to align these? How? To be discussed in line with the broader cross-MIM work taking place this year
Roadmap 25/26
Mechanism-level developed and initial tests/procedure (Citcom.ai FIWARE connector)
LDT toolbox testing - tool 5 (Kereval)
Specifications - draft
Interoperability guidance - draft
Use cases - based on Södertälje use case
Pre- and post-requisites - responsibilities assigned and text developed
Whitepaper on MIM6, test procedures, initial test results?
Working Group Meeting #13 (25 June 2025)
Post-publication MIMs v8/2025 and pre-summer meeting, recap of work done
Working Group Meeting #12 (22 May 2025)
Our regular Working Group meeting slot will change starting June (meetings not taking place in July and August 2025). They will take place on the fourth Wednesday from 13:30-15:00 CET each month
Sharing use cases with other MIMs, in particular MIM3, will be discussed further after the release of MIMs 2025/MIMs Plus v8
The role of additional MIM6 Plus regulations, such as the role of GDPR for our scope and ISO 18031, will be discussed in the future. This also relates to the ongoing discussion of pre- and post-requisites (see the existing sub-page for the identified ISO 27001 ones).
Standards input as suggested by MM to be scheduled for September if possible - either as part of a normal WG meeting or separately (OASC Knowledge Exchange event?)
There is the idea of running a MIM-wide testing workshop to gain a better understanding of how to test for interoperable security within the scope of MIM6 and the MIMs in general. Possible presenters include Alain/Kereval, RISE/CitCom MVP, Liviu, and possibly Vincent
Working Group Meetings #9-11 (February-April 2025)
Please see the recordings/slides in the Google Workspace folder
Working Group Meeting #8 (12 December 2024)
Capabilities
We have agreed on the following three initial Capabilities to be included in MIMs (Plus) v7.5:
C1: Data is only accessible to users that should have access to it
C2: Data accessed by users has not been altered
C3: Data accessed by users has not been altered and originates from a verified source
The fourth capability discussed previously ("Data is accessible to the extent intended by the publisher (SLA)") is not included for now; it may be covered by MIM3/is out of scope of this MIM due to it being a pre-requisite. To be revisited in 2025.
Specifications
An initial mapping of the above Capabilities against ISO 27001 by our Swedish colleagues showed its relevance for this MIM. Additional comments also highlighted a role for NIS2 - with high relevance to European cities - and IEC 62443. All three will be mentioned in the MIM6 Specifications, and their relevance, from high-level Capabilities to implementation guidance, will be further explored.
Previous Specifications from an earlier version of the MIM have been moved here; their relevance will be assessed at a later stage
Standard / Aspect / References
ISO27005
International Standard ISO/IEC 27005:2018 Information technology – Security techniques – Information security risk management
NIST SP800-53r5
NIST Special Publication SP800-53, Security and Privacy Controls for Information Systems and Organizations
GDPR
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Suggestion to contact the Swedish Standards bodies to learn more about their activities relevant to this MIM
The next Working Group meeting is going to take place in February 2025. The January meeting has been cancelled and attending participants at the OASC Conference in Tampere on 22/23 January 2025 will be discussing the roadmap towards MIMs 2025/MIMs Plus version 8.
Working Group Meeting #7 (28 November 2024)
The December Working Group meeting is going to take place on 12 December 2024 from 13-14 CET.
Further discussion on the initial Capabilities
Suggested Capabilities worked on and finalised in the next meeting
"Data is only accessible to users that should have access to it"
"Data accessed by users has not been altered"
"Data accessed by users has not been altered and originates from a verified source"
"Data is accessible to the extent intended by the publisher" (SLA) -> might be covered by MIM3 (Data Exchange)
Scope of this MIM - further considerations
Are data classifications and user classifications/mapping (who should have the right to access what data and for what purpose?) covered by other MIMs, in particular MIM3?
Resulting from the above, how are we going to treat security-related pre-requisites, such as users having correct access rights?
We are considering having expert input from standards and city practitioners on interoperable security in March/April 2025. To be discussed further in early 2025.
The January Working Group meeting is cancelled. Informal chats will take place at the OASC Conference in Tampere on 22/23 January 2025.
Working Group Meeting #6 (24 October 2024)
Discussed the initial scope of Capabilities
Mentioned resources to check for secure data transfer capabilities (with an interoperability scope):
Data Space Support Centre - Data Spaces Blueprint
Next steps
Focus on Capabilities until the OASC Conference in January 2025
Working Group Meeting #5 (26 September 2024)
The (interim; awaiting formal approval) Champion of MIM6 is Södertälje Municipality. Welcome!
Working Group meetings will now be taking place on every fourth Thursday each month, lasting 90 minutes from 13:00-14:30 CE(S)T
A suggested new MIMs framework was presented. Discussions on it are ongoing. For MIM6, nothing will initially change
The immediate focus for the Working Group is to outline and establish Capabilities before outlining Requirements
Additional volunteers are welcome to start working on the MIM's Interoperability Guidance (which can cover a broad range of topics, e.g. infrastructure, implementation, procurement, required skills)
Working Group Meeting #4 (15 May 2024)
Agreement on the MIM6 objective for MIMs 2024/MIMs Plus v7
Agreement that "risk assessment is a tool, not an objective" (and thus is not part of this version of the objectives)
Work started on discussing Capabilities. The following are early suggestions inspired by MIM1. The comments aim to reflect the thoughts of the audience during the meeting.
C1: Applications are able to securely access data from different sources (such as cities, communities and vertical solutions).
C2: Applications are able to use both current and historical data, use geospatial querying and be automatically updated when the source data changes. (Comment: Not relevant?)
C3: Applications can discover and retrieve data relevant to their context from a variety of sources. (Comment: Covered by C1?)
C4: Applications can retrieve a subset of data from a larger data set. (Comment: Too detailed for MIM6?)
Working Group Meeting #3 (11 April 2024)
Ongoing work on defining the objective
Working Group Meeting #2 (15 March 2024)
Are the following aspects in scope?
Things and southbound APIs
Physical device security
The sending to and from data sources (databases, data platforms, devices)
Provisioning a data source: control plane interoperability (identity management and authorisation)
IoT/Data platform
Communication between modules
Sending of data to northbound APIs
Northbound APIs and marketplace enablers
Sharing of data
Connection to data spaces
Identification, authorisation, and monetisation of services
Focus on the data platform itself or also on central/external security systems?
Working Group Meeting #1 (15 February 2024)
Establishment of the MIM6 Working Group
Meetings to be held on a monthly basis where possible
Immediate goal: define an objective by early June 2024 for MIMs 2024/MIMs Plus v7
Prior suggestion for objectives:
To develop a methodology to help identify security-related risks and choose the right measures to protect systems and data.
To provide cities with a framework for governance, risk management and control in the area of cybersecurity, along with a baseline of cybersecurity measures addressing the identified risks and providing a methodology for conducting regular maturity assessments.