@ansvar/eu-regulations-mcp 0.1.0 → 0.2.0

package/data/seed/mappings/iso27001-data-act.json

@@ -0,0 +1,66 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "DATA_ACT",
+    "articles": ["5", "8"],
+    "coverage": "partial",
+    "notes": "Art 5 data sharing policies, Art 8 technical protection measures for trade secrets"
+  },
+  {
+    "control_id": "A.5.10",
+    "control_name": "Acceptable use of information and other associated assets",
+    "regulation": "DATA_ACT",
+    "articles": ["4", "5", "6"],
+    "coverage": "full",
+    "notes": "Art 4-6 define acceptable use conditions for product data access and sharing"
+  },
+  {
+    "control_id": "A.5.12",
+    "control_name": "Classification of information",
+    "regulation": "DATA_ACT",
+    "articles": ["8"],
+    "coverage": "partial",
+    "notes": "Art 8 requires identification and protection of trade secrets in data sharing"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "DATA_ACT",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Art 1-3 define scope and obligations for data holders and recipients"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "DATA_ACT",
+    "articles": ["4", "31"],
+    "coverage": "partial",
+    "notes": "Art 4 product data retention, Art 31 international data access safeguards"
+  },
+  {
+    "control_id": "A.8.3",
+    "control_name": "Information access restriction",
+    "regulation": "DATA_ACT",
+    "articles": ["4", "5", "6"],
+    "coverage": "full",
+    "notes": "Art 4-6 define access rights and restrictions for product data"
+  },
+  {
+    "control_id": "A.8.10",
+    "control_name": "Information deletion",
+    "regulation": "DATA_ACT",
+    "articles": ["23"],
+    "coverage": "full",
+    "notes": "Art 23 requires data retrieval and deletion capabilities for cloud switching"
+  },
+  {
+    "control_id": "A.8.24",
+    "control_name": "Use of cryptography",
+    "regulation": "DATA_ACT",
+    "articles": ["8"],
+    "coverage": "partial",
+    "notes": "Art 8 technical measures to protect trade secrets may include encryption"
+  }
+]

package/data/seed/mappings/iso27001-dga.json

@@ -0,0 +1,50 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "DGA",
+    "articles": ["5", "12"],
+    "coverage": "full",
+    "notes": "Security policies for data intermediation services"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "DGA",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "Framework for data sharing and governance"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "DGA",
+    "articles": ["5", "11"],
+    "coverage": "full",
+    "notes": "Data governance and cataloguing requirements"
+  },
+  {
+    "control_id": "A.5.34",
+    "control_name": "Privacy and protection of PII",
+    "regulation": "DGA",
+    "articles": ["5", "12"],
+    "coverage": "full",
+    "notes": "Personal data protection in data sharing"
+  },
+  {
+    "control_id": "A.8.3",
+    "control_name": "Information access restriction",
+    "regulation": "DGA",
+    "articles": ["5", "6"],
+    "coverage": "full",
+    "notes": "Access controls for protected data re-use"
+  },
+  {
+    "control_id": "A.8.11",
+    "control_name": "Data masking",
+    "regulation": "DGA",
+    "articles": ["5"],
+    "coverage": "full",
+    "notes": "Anonymization and pseudonymization for data sharing"
+  }
+]

package/data/seed/mappings/iso27001-dma.json

@@ -0,0 +1,50 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "DMA",
+    "articles": ["5", "6"],
+    "coverage": "partial",
+    "notes": "Art 5-6 gatekeeper obligations include data handling policies"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "DMA",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Art 1-3 define scope, gatekeeper designation, and core platform services"
+  },
+  {
+    "control_id": "A.5.35",
+    "control_name": "Independent review of information security",
+    "regulation": "DMA",
+    "articles": ["15"],
+    "coverage": "partial",
+    "notes": "Art 15 requires audited compliance reports for gatekeepers"
+  },
+  {
+    "control_id": "A.8.3",
+    "control_name": "Information access restriction",
+    "regulation": "DMA",
+    "articles": ["5", "6"],
+    "coverage": "full",
+    "notes": "Art 5-6 restrict gatekeepers from combining user data across services without consent"
+  },
+  {
+    "control_id": "A.8.10",
+    "control_name": "Information deletion",
+    "regulation": "DMA",
+    "articles": ["6"],
+    "coverage": "partial",
+    "notes": "Art 6 requires data portability enabling user data deletion"
+  },
+  {
+    "control_id": "A.8.11",
+    "control_name": "Data masking",
+    "regulation": "DMA",
+    "articles": ["6"],
+    "coverage": "partial",
+    "notes": "Art 6 requires anonymization of search ranking data shared with competitors"
+  }
+]

package/data/seed/mappings/iso27001-dsa.json

@@ -0,0 +1,58 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "DSA",
+    "articles": ["14", "34"],
+    "coverage": "partial",
+    "notes": "Art 14 T&C policies, Art 34 VLOP risk management policies"
+  },
+  {
+    "control_id": "A.5.2",
+    "control_name": "Information security roles and responsibilities",
+    "regulation": "DSA",
+    "articles": ["11", "41"],
+    "coverage": "full",
+    "notes": "Art 11 points of contact, Art 41 compliance officers for VLOPs"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "DSA",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Art 1-3 define scope, liability exemptions, and territorial application"
+  },
+  {
+    "control_id": "A.5.35",
+    "control_name": "Independent review of information security",
+    "regulation": "DSA",
+    "articles": ["37"],
+    "coverage": "full",
+    "notes": "Art 37 requires independent audits for VLOPs at least annually"
+  },
+  {
+    "control_id": "A.6.8",
+    "control_name": "Information security event reporting",
+    "regulation": "DSA",
+    "articles": ["16", "18"],
+    "coverage": "full",
+    "notes": "Art 16 notice-and-action mechanism, Art 18 criminal offense reporting"
+  },
+  {
+    "control_id": "A.8.8",
+    "control_name": "Management of technical vulnerabilities",
+    "regulation": "DSA",
+    "articles": ["34", "35"],
+    "coverage": "partial",
+    "notes": "Art 34-35 VLOP risk assessment and mitigation including systemic risks"
+  },
+  {
+    "control_id": "A.8.16",
+    "control_name": "Monitoring activities",
+    "regulation": "DSA",
+    "articles": ["16", "34"],
+    "coverage": "full",
+    "notes": "Art 16 content monitoring for notices, Art 34 systemic risk monitoring"
+  }
+]

package/data/seed/mappings/iso27001-eecc.json

@@ -0,0 +1,74 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "EECC",
+    "articles": ["40", "41"],
+    "coverage": "full",
+    "notes": "Security policies required for electronic communications networks"
+  },
+  {
+    "control_id": "A.5.5",
+    "control_name": "Contact with authorities",
+    "regulation": "EECC",
+    "articles": ["5", "6", "40"],
+    "coverage": "full",
+    "notes": "Coordination with national regulatory authorities"
+  },
+  {
+    "control_id": "A.5.7",
+    "control_name": "Threat intelligence",
+    "regulation": "EECC",
+    "articles": ["40"],
+    "coverage": "partial",
+    "notes": "Security threat awareness for network operators"
+  },
+  {
+    "control_id": "A.5.24",
+    "control_name": "Information security incident management planning and preparation",
+    "regulation": "EECC",
+    "articles": ["40"],
+    "coverage": "full",
+    "notes": "Incident preparedness for network operators"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "EECC",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "Comprehensive framework for electronic communications"
+  },
+  {
+    "control_id": "A.5.34",
+    "control_name": "Privacy and protection of PII",
+    "regulation": "EECC",
+    "articles": ["102", "103"],
+    "coverage": "full",
+    "notes": "Privacy protections for communications"
+  },
+  {
+    "control_id": "A.6.8",
+    "control_name": "Information security event reporting",
+    "regulation": "EECC",
+    "articles": ["40"],
+    "coverage": "full",
+    "notes": "Security incident reporting to authorities"
+  },
+  {
+    "control_id": "A.7.4",
+    "control_name": "Physical security monitoring",
+    "regulation": "EECC",
+    "articles": ["40"],
+    "coverage": "partial",
+    "notes": "Physical security of network infrastructure"
+  },
+  {
+    "control_id": "A.8.22",
+    "control_name": "Segregation of networks",
+    "regulation": "EECC",
+    "articles": ["40"],
+    "coverage": "partial",
+    "notes": "Network architecture security requirements"
+  }
+]

package/data/seed/mappings/iso27001-ehds.json

@@ -0,0 +1,90 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "EHDS",
+    "articles": ["57", "66", "73"],
+    "coverage": "full",
+    "notes": "Health data access bodies must establish security policies for data processing"
+  },
+  {
+    "control_id": "A.5.2",
+    "control_name": "Information security roles and responsibilities",
+    "regulation": "EHDS",
+    "articles": ["55", "57", "60", "61"],
+    "coverage": "full",
+    "notes": "Health data access bodies, data holders, and data users have defined responsibilities"
+  },
+  {
+    "control_id": "A.5.10",
+    "control_name": "Acceptable use of information and other associated assets",
+    "regulation": "EHDS",
+    "articles": ["53", "66"],
+    "coverage": "full",
+    "notes": "Strict rules on purposes for which health data can be processed for secondary use"
+  },
+  {
+    "control_id": "A.5.12",
+    "control_name": "Classification of information",
+    "regulation": "EHDS",
+    "articles": ["14", "51", "78"],
+    "coverage": "full",
+    "notes": "Health data categories defined with priority classifications and quality labels"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "EHDS",
+    "articles": ["1", "2", "50"],
+    "coverage": "full",
+    "notes": "EHDS establishes comprehensive legal framework for health data"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "EHDS",
+    "articles": ["7", "14", "77", "79"],
+    "coverage": "full",
+    "notes": "Dataset catalogues and EHR systems must maintain records"
+  },
+  {
+    "control_id": "A.5.34",
+    "control_name": "Privacy and protection of PII",
+    "regulation": "EHDS",
+    "articles": ["3", "4", "7", "8", "66", "71"],
+    "coverage": "full",
+    "notes": "Comprehensive rights including access, portability, restriction, and opt-out"
+  },
+  {
+    "control_id": "A.8.3",
+    "control_name": "Information access restriction",
+    "regulation": "EHDS",
+    "articles": ["67", "68", "73"],
+    "coverage": "full",
+    "notes": "Data permits and secure processing environments required"
+  },
+  {
+    "control_id": "A.8.10",
+    "control_name": "Information deletion",
+    "regulation": "EHDS",
+    "articles": ["8", "71"],
+    "coverage": "partial",
+    "notes": "Right to restrict access and opt-out from secondary use"
+  },
+  {
+    "control_id": "A.8.11",
+    "control_name": "Data masking",
+    "regulation": "EHDS",
+    "articles": ["66", "73"],
+    "coverage": "full",
+    "notes": "Data minimisation and secure processing with anonymization"
+  },
+  {
+    "control_id": "A.8.24",
+    "control_name": "Use of cryptography",
+    "regulation": "EHDS",
+    "articles": ["73"],
+    "coverage": "full",
+    "notes": "Secure processing environment requires encryption"
+  }
+]

package/data/seed/mappings/iso27001-eidas2.json

@@ -0,0 +1,106 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "EIDAS2",
+    "articles": ["19", "24"],
+    "coverage": "full",
+    "notes": "Art 19 security requirements for trust services, Art 24 qualified trust service provider requirements"
+  },
+  {
+    "control_id": "A.5.2",
+    "control_name": "Information security roles and responsibilities",
+    "regulation": "EIDAS2",
+    "articles": ["17", "20"],
+    "coverage": "full",
+    "notes": "Art 17 supervisory body responsibilities, Art 20 trust service provider obligations"
+  },
+  {
+    "control_id": "A.5.15",
+    "control_name": "Access control",
+    "regulation": "EIDAS2",
+    "articles": ["6a", "6b"],
+    "coverage": "full",
+    "notes": "Art 6a-6b EUDI Wallet authentication and access control requirements"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "EIDAS2",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Art 1-3 define scope, definitions, and legal framework for electronic identification and trust services"
+  },
+  {
+    "control_id": "A.5.34",
+    "control_name": "Privacy and protection of PII",
+    "regulation": "EIDAS2",
+    "articles": ["6a", "6c", "11a"],
+    "coverage": "full",
+    "notes": "Art 6a wallet privacy requirements, Art 6c user control over data, Art 11a unique identifier protection"
+  },
+  {
+    "control_id": "A.5.35",
+    "control_name": "Independent review of information security",
+    "regulation": "EIDAS2",
+    "articles": ["17", "20", "21"],
+    "coverage": "full",
+    "notes": "Art 17 supervisory audits, Art 20-21 conformity assessment for trust service providers"
+  },
+  {
+    "control_id": "A.6.8",
+    "control_name": "Information security event reporting",
+    "regulation": "EIDAS2",
+    "articles": ["19"],
+    "coverage": "full",
+    "notes": "Art 19(2) requires notification of security breaches within 24 hours to supervisory body"
+  },
+  {
+    "control_id": "A.8.2",
+    "control_name": "Privileged access rights",
+    "regulation": "EIDAS2",
+    "articles": ["24"],
+    "coverage": "partial",
+    "notes": "Art 24 qualified trust service provider must implement access controls"
+  },
+  {
+    "control_id": "A.8.5",
+    "control_name": "Secure authentication",
+    "regulation": "EIDAS2",
+    "articles": ["6a", "8", "29"],
+    "coverage": "full",
+    "notes": "Art 6a wallet authentication, Art 8 assurance levels, Art 29 qualified electronic signature requirements"
+  },
+  {
+    "control_id": "A.8.7",
+    "control_name": "Protection against malware",
+    "regulation": "EIDAS2",
+    "articles": ["6a", "19"],
+    "coverage": "partial",
+    "notes": "Art 6a wallet security requirements, Art 19 security measures for trust services"
+  },
+  {
+    "control_id": "A.8.24",
+    "control_name": "Use of cryptography",
+    "regulation": "EIDAS2",
+    "articles": ["26", "29", "32", "38"],
+    "coverage": "full",
+    "notes": "Art 26 advanced electronic signatures, Art 29 qualified signatures, Art 32 qualified seals, Art 38 qualified timestamps"
+  },
+  {
+    "control_id": "A.8.25",
+    "control_name": "Secure development life cycle",
+    "regulation": "EIDAS2",
+    "articles": ["6a", "24"],
+    "coverage": "partial",
+    "notes": "Art 6a wallet certification requirements, Art 24 trust service provider security measures"
+  },
+  {
+    "control_id": "A.8.29",
+    "control_name": "Security testing in development and acceptance",
+    "regulation": "EIDAS2",
+    "articles": ["6a", "20", "21"],
+    "coverage": "full",
+    "notes": "Art 6a wallet certification, Art 20-21 conformity assessment for trust services"
+  }
+]

package/data/seed/mappings/iso27001-eprivacy.json

@@ -0,0 +1,66 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "EPRIVACY",
+    "articles": ["4", "14"],
+    "coverage": "full",
+    "notes": "Policies required for security of electronic communications"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "EPRIVACY",
+    "articles": ["1", "3"],
+    "coverage": "full",
+    "notes": "Establishes privacy requirements for electronic communications"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "EPRIVACY",
+    "articles": ["6", "9"],
+    "coverage": "full",
+    "notes": "Traffic data and location data retention rules"
+  },
+  {
+    "control_id": "A.5.34",
+    "control_name": "Privacy and protection of PII",
+    "regulation": "EPRIVACY",
+    "articles": ["5", "6", "9", "13"],
+    "coverage": "full",
+    "notes": "Core privacy protections for electronic communications"
+  },
+  {
+    "control_id": "A.6.8",
+    "control_name": "Information security event reporting",
+    "regulation": "EPRIVACY",
+    "articles": ["4"],
+    "coverage": "full",
+    "notes": "Breach notification requirements for communications providers"
+  },
+  {
+    "control_id": "A.8.3",
+    "control_name": "Information access restriction",
+    "regulation": "EPRIVACY",
+    "articles": ["5"],
+    "coverage": "full",
+    "notes": "Confidentiality of communications and prohibition of interception"
+  },
+  {
+    "control_id": "A.8.10",
+    "control_name": "Information deletion",
+    "regulation": "EPRIVACY",
+    "articles": ["6"],
+    "coverage": "full",
+    "notes": "Traffic data erasure requirements"
+  },
+  {
+    "control_id": "A.8.24",
+    "control_name": "Use of cryptography",
+    "regulation": "EPRIVACY",
+    "articles": ["4"],
+    "coverage": "partial",
+    "notes": "Security measures including encryption for communications"
+  }
+]

package/data/seed/mappings/iso27001-eu_taxonomy.json

@@ -0,0 +1,34 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "EU_TAXONOMY",
+    "articles": ["1", "8"],
+    "coverage": "partial",
+    "notes": "Framework requires policies for sustainability reporting"
+  },
+  {
+    "control_id": "A.5.12",
+    "control_name": "Classification of information",
+    "regulation": "EU_TAXONOMY",
+    "articles": ["3", "10", "11", "12", "13", "14", "15"],
+    "coverage": "full",
+    "notes": "Classification criteria for environmentally sustainable activities"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "EU_TAXONOMY",
+    "articles": ["1", "2", "8"],
+    "coverage": "full",
+    "notes": "Establishes legal framework for sustainable finance classification"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "EU_TAXONOMY",
+    "articles": ["8"],
+    "coverage": "full",
+    "notes": "Disclosure requirements for Taxonomy-aligned activities"
+  }
+]

package/data/seed/mappings/iso27001-eucc.json

@@ -0,0 +1,66 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "EUCC",
+    "articles": ["1", "3"],
+    "coverage": "full",
+    "notes": "EUCC establishes cybersecurity certification policies"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "EUCC",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "EU-wide certification scheme requirements"
+  },
+  {
+    "control_id": "A.5.36",
+    "control_name": "Conformance with policies, rules and standards for information security",
+    "regulation": "EUCC",
+    "articles": ["4", "5", "6", "7"],
+    "coverage": "full",
+    "notes": "Common Criteria evaluation and assurance levels"
+  },
+  {
+    "control_id": "A.8.9",
+    "control_name": "Configuration management",
+    "regulation": "EUCC",
+    "articles": ["8", "9"],
+    "coverage": "full",
+    "notes": "Configuration management in evaluation process"
+  },
+  {
+    "control_id": "A.8.24",
+    "control_name": "Use of cryptography",
+    "regulation": "EUCC",
+    "articles": ["6"],
+    "coverage": "full",
+    "notes": "Cryptographic controls evaluated under Common Criteria"
+  },
+  {
+    "control_id": "A.8.25",
+    "control_name": "Secure development life cycle",
+    "regulation": "EUCC",
+    "articles": ["6", "8"],
+    "coverage": "full",
+    "notes": "Development security evaluated in certification"
+  },
+  {
+    "control_id": "A.8.28",
+    "control_name": "Secure coding",
+    "regulation": "EUCC",
+    "articles": ["6"],
+    "coverage": "full",
+    "notes": "Code security evaluated under Common Criteria"
+  },
+  {
+    "control_id": "A.8.29",
+    "control_name": "Security testing in development and acceptance",
+    "regulation": "EUCC",
+    "articles": ["4", "5", "6"],
+    "coverage": "full",
+    "notes": "Comprehensive security testing in evaluation"
+  }
+]