Currently free during beta - premium features coming soon. Subscribe now to lock in early access.

arXiv: From Legacy Documentation to OSCAL: An MCP-Based Agent Pipeline for Threat-Informed Continuous Compliance in Critical Infrastructure

CER Critical Entities Resilience Directive · · arxiv_cscr

AI Analysis

This paper, published on arXiv, presents a technical pipeline that automates the translation of legacy compliance documentation into the Open Security Controls Assessment Language (OSCAL) format, using a Model Context Protocol (MCP) based agent system. It is designed to support threat-informed continuous compliance under the EU’s Critical Entities Resilience (CER) Directive. The proposal aims to bridge the gap between static, human-readable documents and machine-readable, automated compliance monitoring for critical infrastructure.

The primary audience is compliance and cybersecurity teams within sectors covered by the CER Directive, including energy, transport, banking, health, and digital infrastructure. Organizations that currently rely on manual, document-based compliance processes will be most affected, as this pipeline offers a path toward real-time, automated threat assessment and control validation.

Compliance teams should evaluate their current documentation formats and assess readiness for adopting OSCAL-based automation. They should begin mapping existing security controls to the CER Directive’s requirements and consider piloting MCP-based tools to streamline continuous compliance reporting. Engaging with technical teams to understand integration points with existing security orchestration platforms is also recommended.

Get notified about CER changes

Subscribe to our free weekly digest covering 24 compliance frameworks.