@ansvar/eu-regulations-mcp 0.1.0 → 0.2.0

package/data/seed/mappings/nist-csf-cra.json

@@ -0,0 +1,130 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "CRA",
+    "articles": ["1", "2", "3", "4"],
+    "coverage": "full",
+    "notes": "CRA Art 1-4 define scope for products with digital elements"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "CRA",
+    "articles": ["10", "Annex I"],
+    "coverage": "full",
+    "notes": "Art 10 manufacturer obligations, Annex I requires documented risk assessment"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "CRA",
+    "articles": ["10", "18", "19", "20"],
+    "coverage": "full",
+    "notes": "Art 10 manufacturer, Art 18 importer, Art 19 distributor, Art 20 EU representative obligations"
+  },
+  {
+    "control_id": "GV.PO-01",
+    "control_name": "Cybersecurity policy",
+    "regulation": "CRA",
+    "articles": ["10", "11"],
+    "coverage": "full",
+    "notes": "Art 10 secure development policies, Art 11 vulnerability handling policies"
+  },
+  {
+    "control_id": "GV.SC-01",
+    "control_name": "Supply chain risk management program",
+    "regulation": "CRA",
+    "articles": ["13", "18", "19"],
+    "coverage": "full",
+    "notes": "Art 13 SBOM requirements, Art 18-19 supply chain verification"
+  },
+  {
+    "control_id": "ID.AM-02",
+    "control_name": "Software platforms and applications inventories",
+    "regulation": "CRA",
+    "articles": ["13"],
+    "coverage": "full",
+    "notes": "Art 13 requires SBOM (Software Bill of Materials)"
+  },
+  {
+    "control_id": "ID.RA-01",
+    "control_name": "Vulnerabilities in assets are identified",
+    "regulation": "CRA",
+    "articles": ["10", "11", "Annex I"],
+    "coverage": "full",
+    "notes": "Art 10-11 vulnerability handling, Annex I Part II vulnerability requirements"
+  },
+  {
+    "control_id": "ID.RA-03",
+    "control_name": "Internal and external threats are identified",
+    "regulation": "CRA",
+    "articles": ["Annex I"],
+    "coverage": "full",
+    "notes": "Annex I requires threat modeling in product design"
+  },
+  {
+    "control_id": "ID.RA-05",
+    "control_name": "Risk responses are identified",
+    "regulation": "CRA",
+    "articles": ["10", "Annex I"],
+    "coverage": "full",
+    "notes": "Art 10 and Annex I require documented risk mitigation"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "CRA",
+    "articles": ["Annex I"],
+    "coverage": "full",
+    "notes": "Annex I Part I requires data confidentiality protection"
+  },
+  {
+    "control_id": "PR.DS-02",
+    "control_name": "Data-in-transit is protected",
+    "regulation": "CRA",
+    "articles": ["Annex I"],
+    "coverage": "full",
+    "notes": "Annex I Part I requires secure communication mechanisms"
+  },
+  {
+    "control_id": "PR.PS-01",
+    "control_name": "Configuration management practices established",
+    "regulation": "CRA",
+    "articles": ["10", "Annex I"],
+    "coverage": "full",
+    "notes": "Annex I Part I requires secure default configuration"
+  },
+  {
+    "control_id": "PR.PS-02",
+    "control_name": "Software is maintained and updated",
+    "regulation": "CRA",
+    "articles": ["10", "11"],
+    "coverage": "full",
+    "notes": "Art 10-11 require 5-year security update support"
+  },
+  {
+    "control_id": "DE.AE-02",
+    "control_name": "Potentially adverse events are analyzed",
+    "regulation": "CRA",
+    "articles": ["10", "11"],
+    "coverage": "full",
+    "notes": "Art 10-11 require vulnerability assessment and analysis"
+  },
+  {
+    "control_id": "RS.MA-01",
+    "control_name": "Incident response plan is executed",
+    "regulation": "CRA",
+    "articles": ["14"],
+    "coverage": "full",
+    "notes": "Art 14 requires notification of exploited vulnerabilities within 24h"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "CRA",
+    "articles": ["14"],
+    "coverage": "full",
+    "notes": "Art 14 requires notification to ENISA and national CSIRTs"
+  }
+]

package/data/seed/mappings/nist-csf-csddd.json

@@ -0,0 +1,50 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "CSDDD",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Corporate due diligence regulatory context"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "CSDDD",
+    "articles": ["7", "8"],
+    "coverage": "full",
+    "notes": "Due diligence risk management"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "CSDDD",
+    "articles": ["5", "6"],
+    "coverage": "full",
+    "notes": "Due diligence responsibilities"
+  },
+  {
+    "control_id": "GV.SC-01",
+    "control_name": "Supply chain risk management program",
+    "regulation": "CSDDD",
+    "articles": ["6", "7", "8"],
+    "coverage": "full",
+    "notes": "Value chain due diligence requirements"
+  },
+  {
+    "control_id": "ID.AM-01",
+    "control_name": "Inventories of assets",
+    "regulation": "CSDDD",
+    "articles": ["6", "11"],
+    "coverage": "partial",
+    "notes": "Supply chain mapping and documentation"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "CSDDD",
+    "articles": ["14", "15"],
+    "coverage": "full",
+    "notes": "Grievance mechanism and reporting"
+  }
+]

package/data/seed/mappings/nist-csf-csrd.json

@@ -0,0 +1,34 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "CSRD",
+    "articles": ["1"],
+    "coverage": "full",
+    "notes": "Corporate sustainability reporting context"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "CSRD",
+    "articles": ["1"],
+    "coverage": "full",
+    "notes": "Management responsibility for sustainability reporting"
+  },
+  {
+    "control_id": "ID.AM-01",
+    "control_name": "Inventories of assets",
+    "regulation": "CSRD",
+    "articles": ["1"],
+    "coverage": "partial",
+    "notes": "Sustainability data collection and management"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "CSRD",
+    "articles": ["1"],
+    "coverage": "partial",
+    "notes": "Sustainability data integrity"
+  }
+]

package/data/seed/mappings/nist-csf-cyber_solidarity.json

@@ -0,0 +1,90 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "CYBER_SOLIDARITY",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "Cyber solidarity framework and SOC infrastructure context"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "CYBER_SOLIDARITY",
+    "articles": ["3", "4"],
+    "coverage": "full",
+    "notes": "European Cybersecurity Shield risk management"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "CYBER_SOLIDARITY",
+    "articles": ["5", "6"],
+    "coverage": "full",
+    "notes": "National and cross-border SOC responsibilities"
+  },
+  {
+    "control_id": "GV.SC-01",
+    "control_name": "Supply chain risk management program",
+    "regulation": "CYBER_SOLIDARITY",
+    "articles": ["15", "16"],
+    "coverage": "full",
+    "notes": "Managed security services and supply chain"
+  },
+  {
+    "control_id": "ID.RA-01",
+    "control_name": "Vulnerabilities in assets are identified",
+    "regulation": "CYBER_SOLIDARITY",
+    "articles": ["12"],
+    "coverage": "full",
+    "notes": "Coordinated vulnerability testing"
+  },
+  {
+    "control_id": "ID.RA-03",
+    "control_name": "Internal and external threats are identified",
+    "regulation": "CYBER_SOLIDARITY",
+    "articles": ["4", "7"],
+    "coverage": "full",
+    "notes": "Threat detection and analysis capabilities"
+  },
+  {
+    "control_id": "DE.CM-01",
+    "control_name": "Networks and network services are monitored",
+    "regulation": "CYBER_SOLIDARITY",
+    "articles": ["4", "5", "6"],
+    "coverage": "full",
+    "notes": "SOC monitoring infrastructure"
+  },
+  {
+    "control_id": "DE.AE-02",
+    "control_name": "Potentially adverse events are analyzed",
+    "regulation": "CYBER_SOLIDARITY",
+    "articles": ["7", "8"],
+    "coverage": "full",
+    "notes": "Cyber threat analysis and correlation"
+  },
+  {
+    "control_id": "RS.MA-01",
+    "control_name": "Incident response plan is executed",
+    "regulation": "CYBER_SOLIDARITY",
+    "articles": ["10", "11"],
+    "coverage": "full",
+    "notes": "Cyber emergency mechanism response"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "CYBER_SOLIDARITY",
+    "articles": ["7", "8", "9"],
+    "coverage": "full",
+    "notes": "Cross-border information sharing"
+  },
+  {
+    "control_id": "RC.RP-01",
+    "control_name": "Recovery plan is executed",
+    "regulation": "CYBER_SOLIDARITY",
+    "articles": ["13", "14"],
+    "coverage": "full",
+    "notes": "Mutual assistance and recovery support"
+  }
+]

package/data/seed/mappings/nist-csf-cybersecurity-act.json

@@ -0,0 +1,90 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "CYBERSECURITY_ACT",
+    "articles": ["1", "2", "46"],
+    "coverage": "full",
+    "notes": "Art 1-2 scope, Art 46 EU cybersecurity certification framework"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "CYBERSECURITY_ACT",
+    "articles": ["51", "52"],
+    "coverage": "full",
+    "notes": "Art 51 security objectives, Art 52 assurance levels (basic/substantial/high)"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "CYBERSECURITY_ACT",
+    "articles": ["4", "5", "6", "7"],
+    "coverage": "full",
+    "notes": "ENISA objectives and tasks define EU cybersecurity coordination"
+  },
+  {
+    "control_id": "GV.PO-01",
+    "control_name": "Cybersecurity policy",
+    "regulation": "CYBERSECURITY_ACT",
+    "articles": ["46", "47", "51"],
+    "coverage": "full",
+    "notes": "Art 46-47 certification requirements, Art 51 security objectives"
+  },
+  {
+    "control_id": "ID.RA-01",
+    "control_name": "Vulnerabilities in assets are identified",
+    "regulation": "CYBERSECURITY_ACT",
+    "articles": ["51", "54"],
+    "coverage": "full",
+    "notes": "Art 51(f) minimizing vulnerabilities, Art 54 vulnerability management"
+  },
+  {
+    "control_id": "ID.RA-05",
+    "control_name": "Risk responses are identified",
+    "regulation": "CYBERSECURITY_ACT",
+    "articles": ["51", "52"],
+    "coverage": "full",
+    "notes": "Art 51-52 security objectives and assurance requirements"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "CYBERSECURITY_ACT",
+    "articles": ["51"],
+    "coverage": "partial",
+    "notes": "Art 51(c-d) data confidentiality and integrity"
+  },
+  {
+    "control_id": "PR.DS-02",
+    "control_name": "Data-in-transit is protected",
+    "regulation": "CYBERSECURITY_ACT",
+    "articles": ["51"],
+    "coverage": "partial",
+    "notes": "Art 51(c-d) data confidentiality and integrity in transit"
+  },
+  {
+    "control_id": "PR.AT-01",
+    "control_name": "Awareness and training provided",
+    "regulation": "CYBERSECURITY_ACT",
+    "articles": ["10", "12"],
+    "coverage": "partial",
+    "notes": "Art 10 capacity building, Art 12 knowledge development"
+  },
+  {
+    "control_id": "DE.AE-02",
+    "control_name": "Potentially adverse events are analyzed",
+    "regulation": "CYBERSECURITY_ACT",
+    "articles": ["8", "22"],
+    "coverage": "partial",
+    "notes": "Art 8 operational cooperation, Art 22 coordination"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "CYBERSECURITY_ACT",
+    "articles": ["8", "22"],
+    "coverage": "partial",
+    "notes": "Art 8 operational cooperation framework"
+  }
+]

package/data/seed/mappings/nist-csf-data-act.json

@@ -0,0 +1,50 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "DATA_ACT",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Art 1-3 define scope for data holders, users, and data sharing services"
+  },
+  {
+    "control_id": "GV.PO-01",
+    "control_name": "Cybersecurity policy",
+    "regulation": "DATA_ACT",
+    "articles": ["5", "8"],
+    "coverage": "partial",
+    "notes": "Art 5 data sharing conditions, Art 8 trade secret protection policies"
+  },
+  {
+    "control_id": "ID.AM-01",
+    "control_name": "Inventories of assets",
+    "regulation": "DATA_ACT",
+    "articles": ["3", "4"],
+    "coverage": "partial",
+    "notes": "Art 3-4 require knowledge of data generated by connected products"
+  },
+  {
+    "control_id": "PR.AA-05",
+    "control_name": "Access permissions and authorizations are managed",
+    "regulation": "DATA_ACT",
+    "articles": ["4", "5", "6"],
+    "coverage": "full",
+    "notes": "Art 4-6 define access rights to product data for users and third parties"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "DATA_ACT",
+    "articles": ["8"],
+    "coverage": "partial",
+    "notes": "Art 8 technical measures to protect trade secrets"
+  },
+  {
+    "control_id": "PR.DS-10",
+    "control_name": "Data is disposed of properly",
+    "regulation": "DATA_ACT",
+    "articles": ["23"],
+    "coverage": "full",
+    "notes": "Art 23 cloud switching requires proper data retrieval and deletion"
+  }
+]

package/data/seed/mappings/nist-csf-dga.json

@@ -0,0 +1,58 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "DGA",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "Data governance regulatory context"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "DGA",
+    "articles": ["10", "11", "12"],
+    "coverage": "full",
+    "notes": "Data intermediation services responsibilities"
+  },
+  {
+    "control_id": "GV.PO-01",
+    "control_name": "Cybersecurity policy",
+    "regulation": "DGA",
+    "articles": ["5", "12"],
+    "coverage": "full",
+    "notes": "Security policies for data intermediation services"
+  },
+  {
+    "control_id": "PR.AA-01",
+    "control_name": "Identities and credentials for authorized users",
+    "regulation": "DGA",
+    "articles": ["5", "6"],
+    "coverage": "full",
+    "notes": "Access controls for protected data re-use"
+  },
+  {
+    "control_id": "PR.AA-05",
+    "control_name": "Access permissions and authorizations are managed",
+    "regulation": "DGA",
+    "articles": ["5", "6"],
+    "coverage": "full",
+    "notes": "Data access authorization controls"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "DGA",
+    "articles": ["5", "11"],
+    "coverage": "full",
+    "notes": "Data governance and cataloguing requirements"
+  },
+  {
+    "control_id": "PR.DS-02",
+    "control_name": "Data-in-transit is protected",
+    "regulation": "DGA",
+    "articles": ["5", "12"],
+    "coverage": "full",
+    "notes": "Secure data transmission for sharing"
+  }
+]

package/data/seed/mappings/nist-csf-dma.json

@@ -0,0 +1,42 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "DMA",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Art 1-3 define scope for gatekeepers and core platform services"
+  },
+  {
+    "control_id": "GV.PO-01",
+    "control_name": "Cybersecurity policy",
+    "regulation": "DMA",
+    "articles": ["5", "6"],
+    "coverage": "partial",
+    "notes": "Art 5-6 gatekeeper obligations include data handling requirements"
+  },
+  {
+    "control_id": "ID.AM-01",
+    "control_name": "Inventories of assets",
+    "regulation": "DMA",
+    "articles": ["15"],
+    "coverage": "partial",
+    "notes": "Art 15 compliance reports require documentation of services"
+  },
+  {
+    "control_id": "PR.AA-05",
+    "control_name": "Access permissions and authorizations are managed",
+    "regulation": "DMA",
+    "articles": ["5", "6"],
+    "coverage": "full",
+    "notes": "Art 5-6 restrict data combination and mandate user consent"
+  },
+  {
+    "control_id": "PR.DS-10",
+    "control_name": "Data is disposed of properly",
+    "regulation": "DMA",
+    "articles": ["6"],
+    "coverage": "partial",
+    "notes": "Art 6 data portability supports user-controlled deletion"
+  }
+]