{
  "tool_id": "art-146-nis2-governance-readiness-checker",
  "note": "golden_hash empty until first `node golden-parity.test.mjs --update`.",
  "vectors": [
    {
      "name": "all-controls-met-fresh-review-grade-a",
      "policy_parameters": {
        "board_approved_art21_measures": true,
        "board_receives_quarterly_status_updates": true,
        "ciso_or_equivalent_designated": true,
        "board_cybersecurity_training_completed": true,
        "training_covers_threat_landscape": true,
        "training_covers_incident_response": true,
        "board_review_age_days": 90
      },
      "output_payload": {
        "governance_grade": "A",
        "controls_met": 6,
        "total_controls": 6,
        "gaps": [],
        "board_action_items": [],
        "personal_liability_risk": false,
        "board_review_age_days": 90
      },
      "golden_hash": "accac1c1bac59e5a8fae4f95ec8382cf01ddad12a548691b4f23ec733e282a51"
    },
    {
      "name": "stale-review-no-controls-personal-liability",
      "policy_parameters": {
        "board_review_age_days": 400
      },
      "output_payload": {
        "governance_grade": "D",
        "controls_met": 0,
        "total_controls": 6,
        "gaps": [
          "board_approved_art21_measures",
          "board_receives_quarterly_status_updates",
          "ciso_or_equivalent_designated",
          "board_cybersecurity_training_completed",
          "training_covers_threat_landscape",
          "training_covers_incident_response",
          "board_review_stale"
        ],
        "board_action_items": [
          "Board must formally approve all Art. 21 cybersecurity risk-management measures (Directive Art. 20(1))",
          "Establish quarterly board-level cybersecurity status reporting cadence",
          "Designate a CISO or equivalent cybersecurity officer with board-level accountability",
          "Schedule and complete NIS2-mandated cybersecurity training for all management-body members",
          "Confirm training curriculum includes sector-specific threat landscape and risk context",
          "Confirm training curriculum covers Art. 23 incident-reporting clocks (24h/72h/30d)",
          "Schedule overdue board cybersecurity review — last review is more than 12 months ago"
        ],
        "personal_liability_risk": true,
        "board_review_age_days": 400
      },
      "golden_hash": "0f3377e54651f681785f49e999bbb26af6c16def8abd6267b58e91873000e666"
    }
  ]
}
