Pyxis Methodology — Multi-Framework Assessment

Frameworks in scope (8)

Pyxis scores eight EU frameworks in a single run, mapped to a unified catalogue of 129 controls. The selection follows the regulatory backbone and the ISO standards that European compliance practice cites most often in digital contexts.

Three-score model: FCI / WMI / ECI

Framework readiness is expressed by three complementary indices. All operate on STRM composite weights (`type_factor × strength / 10`, MAX-resolved across the eight frameworks) and follow the canonical formulas of the MFA workbook. The hand-derivation reproduction of the Annex C 8-control DORA fixture makes the three numbers verifiable from an independent source.

FCI — Framework Coverage Index

FCI expresses structural coverage: what proportion of mapped controls for the framework reach full STRM strength. The canonical definition is `SUMPRODUCT(W) / COUNTIF(W, ">0") × 100` (MFA workbook `Framework Readiness!D5`); the denominator is the size of `maxWeightByControl` after applicability filtering, not the framework total requirements. On the Annex C 8-control DORA fixture, FCI = 68.75%.

WMI — Weighted Maturity Index

WMI expresses weighted maturity: `SUMPRODUCT(W × M/5) / SUMPRODUCT(W × (W>0)) × 5` (MFA workbook `Framework Readiness!E5`). An unanswered control contributes 0 to the numerator but full weight to the denominator (treat-as-zero) — this preserves the invariant "the denominator is fixed at scope-determination time, the numerator grows as evidence accrues." On the Annex C DORA fixture: WMI = 2.87 / 5.0; on the extended 9-control fixture with one unanswered control: WMI = 2.70 / 5.0.

ECI — Effective Coverage Index

ECI expresses effective coverage normalised against the framework total requirements: `SUMPRODUCT(W × M/5) / total_requirements × 100`. The total requirement counts are anchored to the canonical MFA workbook values (DORA 313, NIS2 39, EU AI Act 89, ISO 42001 65, ISO 27001 118, ISO 22301 46, ISO 27701 92), not to aggregate estimates. On the Annex C DORA fixture, ECI = 10.19% (numerator 3.160 / denominator 31 in the didactic fixture; in production the denominator is 313).

Sector profiling and lex specialis

Readiness is not a property of the framework in the abstract, but of the framework applied to a concrete organisation. Pyxis resolves applicability before any scoring, in two stages: sector profile (Mandatory / Voluntary / Superseded / N/A applicability matrix) and article-level lex specialis rules.

Sector profiles (18 total)

18 profiles: 12 industry verticals + 3 AI roles (`ai-provider`, `ai-deployer`, `ai-importer`) + 3 CRA actors (`cra-manufacturer` 65 controls, `cra-importer` 49, `cra-distributor` 47). Each profile carries a set of `mfa_controls_applicable` and a framework applicability matrix — not all eight frameworks always apply.

Article-level lex specialis (LEX-01..04)

Four lex specialis rules govern cases where a special regulation displaces a general one. Lex specialis is applied at the applicability layer (resolver `site/src/lib/mfa/resolve-applicable.ts`), not inside the scoring loop — cleanly separating "is the framework in scope?" from "what score does the framework get?".

Example: LEX-01 — DORA → NIS2 for financial entities

For a financial entity defined by DORA Art. 2(1)(a)–(u), DORA displaces NIS2 on cyber risk management dossiers (NIS2 Art. 21–23 and Chapter VII), but NIS2 Art. 7 (national CSIRTs), Art. 13 (supervision), and Art. 14 (peer reviews) remain applicable. The granularity is article-level, not framework-level: Pyxis does not drop NIS2 in its entirety — it drops the individual controls mapped to the displaced articles and retains those mapped to the retained articles.

CRA + NIS2 are concurrent, not lex specialis. No LEX-CRA-* rule was introduced; an audit-fixture regression guard (`CRA does NOT lex-specialis NIS2`) explicitly blocks the accidental reintroduction of an incorrect relationship.

STRM-weighted cross-framework mapping

The STRM model (Subset / Tangent / Related / Match) describes the semantic relationship between a control in the unified catalogue and a requirement in a regulatory framework. It is the backbone that allows Pyxis to score eight frameworks from a single set of evidence.

Five relationship types

`equal_to` (semantically identical requirements), `subset_of` (the control fulfils a subset of the requirement), `superset_of` (the control exceeds the requirement), `intersects_with` (partial overlap), `not_related` (no semantic relationship). The canonical token is `equal_to` across all methodology layers (Excel `Scoring Methodology!A8`, Reference DOCX §4.2, v4 ToolRef DOCX §4.4). The form `equal` was never used and requires no migration.

Composite weight formula

Each edge carries a `type_factor` (derived from the relationship type) and a `strength` (1-10, calibrated at the edge level). The composite weight is `type_factor × strength / 10` and is MAX-resolved across the eight frameworks — when the same control is mapped to multiple frameworks, the composite weight retained is the maximum across the edges. This guarantees that scores are not inflated by redundancy mappings.

456 STRM edges

388 edges across the seven cross-framework standards + 68 unique CRA→MFA edges (197 upstream JRC/ENISA-anchored edges deduplicate via MAX-resolve into 68 canonical edges in target). The complete dataset lives in `site/src/data/mfa/mappings.ts`; per-category consolidation is in `site/src/data/mfa/categories.ts` (9 categories tagged `cra`: governance, risk-assessment, incident-reporting, asset-management, privacy, supply-chain, business-continuity, documentation, transparency).

CRA integration — 197 JRC/ENISA-anchored edges

CRA is the eighth framework via a de novo extraction from CRA Annex I plus the JRC/ENISA mapping. The 197 upstream edges are 100% cited to the JRC/ENISA mapping (JRC137340, DOI 10.2760/905934), 0 with `relationship_type: "equal"`, 186 `intersects_with` + 11 `subset_of`, 69 high-confidence direct anchors + 128 medium-confidence transitive via existing standards mappings. MFA per-actor coverage: manufacturer 65, importer 49, distributor 47, authorised representative 46, OSS steward 43.

Gap severity model

The severity-ranked cross-framework gap register is the primary deliverable for the non-quant reader. The severity of a gap depends on the combination of control maturity and the regulatory class of the framework that invokes it.

Mandatory vs Voluntary

Mandatory frameworks (legally binding for organisations in scope) are: NIS2, DORA, ISO 22301 BCMS when the profile invokes it, CRA. Voluntary frameworks (best practice) are ISO 27001, ISO 42001, ISO 27701, ISO 27017/27018 when referenced. The distinction is encoded as a framework-level constant `MANDATORY_FRAMEWORKS` in `site/src/lib/scoring/mfa-scoring.ts`. A per-(control, framework) granularity is a direction of evolution; the framework-level fallback is the current minimum-fix.

Critical / High / Standard tiers

Critical: maturity ≤ 1 AND at least one Mandatory edge. High: maturity ≤ 3 AND at least one Mandatory edge. Standard: everything else. Voluntary-only gaps (gaps where every edge belongs to a Voluntary framework) roll into Standard regardless of maturity level — this keeps the "legal exposure" signal undiluted by best-practice gaps. The logic lives in `mfa-scoring.ts` (severity assignment function); the regression fixture in `site/tests/audit/mfa-scoring-fixture.test.ts` blocks regression.

Methodology fidelity

Six P0 methodology decisions anchor fidelity to primary source (MFA workbook + DOCX + Annex C hand-derivation). They are the foundation of the "methodology-backed PDF, 8 frameworks" promise.

The six P0 decisions

Directions of evolution

Three directions are under evaluation as UX/data-model expansions: three theme scores per theme instead of one (Mandatory / Voluntary / Combined), Dashboard headline cross-framework cards (Mandatory Readiness Score + Overall Maturity Score), per-(control, framework) regulatory class as a data-layer field instead of the framework-level fallback. These are not scoring-correctness gaps.

References

All references are public URLs. Repository anchors are accessible via GitHub — direct links to master HEAD follow.

Normative sources

• EUR-Lex — Directive (EU) 2022/2555 (NIS2)
• EUR-Lex — Regulation (EU) 2022/2554 (DORA)
• EUR-Lex — Regulation (EU) 2024/1689 (EU AI Act)
• EUR-Lex — Regulation (EU) 2024/2847 (CRA)
• JRC / ENISA — CRA Mapping (JRC137340, DOI 10.2760/905934)

Code anchors

• mfa-scoring.ts — FCI/WMI/ECI/severity engine
• resolve-applicable.ts — applicability resolver + lex specialis
• mappings.ts — 456 STRM edges + framework requirement counts
• mfa-scoring-fixture.test.ts — Annex C regression guard