@ansvar/eu-regulations-mcp 0.1.0 → 0.2.0

package/data/seed/mappings/nist-csf-dora.json

@@ -0,0 +1,210 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "DORA",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "DORA Art 1-2 define scope for financial entities and ICT third-party providers"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "DORA",
+    "articles": ["5", "6", "9"],
+    "coverage": "full",
+    "notes": "Art 5-6 governance, Art 9 ICT risk management framework requirements"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "DORA",
+    "articles": ["5", "6"],
+    "coverage": "full",
+    "notes": "Art 5 governance and organisation, Art 6 management body responsibilities"
+  },
+  {
+    "control_id": "GV.PO-01",
+    "control_name": "Cybersecurity policy",
+    "regulation": "DORA",
+    "articles": ["9", "10"],
+    "coverage": "full",
+    "notes": "Art 9-10 require documented ICT risk management policies"
+  },
+  {
+    "control_id": "GV.OV-01",
+    "control_name": "Cybersecurity risk management oversight",
+    "regulation": "DORA",
+    "articles": ["5", "6"],
+    "coverage": "full",
+    "notes": "Art 5-6 require management body oversight of ICT risk"
+  },
+  {
+    "control_id": "GV.SC-01",
+    "control_name": "Supply chain risk management program",
+    "regulation": "DORA",
+    "articles": ["28", "29", "30", "31"],
+    "coverage": "full",
+    "notes": "Chapter V comprehensive ICT third-party risk management"
+  },
+  {
+    "control_id": "ID.AM-01",
+    "control_name": "Inventories of assets",
+    "regulation": "DORA",
+    "articles": ["8"],
+    "coverage": "full",
+    "notes": "Art 8 requires identification and documentation of ICT assets"
+  },
+  {
+    "control_id": "ID.AM-02",
+    "control_name": "Software platforms and applications inventories",
+    "regulation": "DORA",
+    "articles": ["8"],
+    "coverage": "full",
+    "notes": "Art 8 requires inventory of all ICT systems and applications"
+  },
+  {
+    "control_id": "ID.RA-01",
+    "control_name": "Vulnerabilities in assets are identified",
+    "regulation": "DORA",
+    "articles": ["9", "24", "25"],
+    "coverage": "full",
+    "notes": "Art 9 vulnerability management, Art 24-25 digital resilience testing"
+  },
+  {
+    "control_id": "ID.RA-03",
+    "control_name": "Internal and external threats are identified",
+    "regulation": "DORA",
+    "articles": ["9", "10"],
+    "coverage": "full",
+    "notes": "Art 9-10 require threat identification in risk management"
+  },
+  {
+    "control_id": "ID.RA-05",
+    "control_name": "Risk responses are identified",
+    "regulation": "DORA",
+    "articles": ["9", "10"],
+    "coverage": "full",
+    "notes": "Art 9-10 require risk mitigation strategies"
+  },
+  {
+    "control_id": "PR.AA-01",
+    "control_name": "Identities and credentials for authorized users",
+    "regulation": "DORA",
+    "articles": ["9"],
+    "coverage": "full",
+    "notes": "Art 9(4)(c) requires access rights management"
+  },
+  {
+    "control_id": "PR.AA-03",
+    "control_name": "Users and services are authenticated",
+    "regulation": "DORA",
+    "articles": ["9"],
+    "coverage": "full",
+    "notes": "Art 9(4)(c) covers authentication mechanisms"
+  },
+  {
+    "control_id": "PR.AA-05",
+    "control_name": "Access permissions and authorizations are managed",
+    "regulation": "DORA",
+    "articles": ["9"],
+    "coverage": "full",
+    "notes": "Art 9(4)(c) requires access rights management"
+  },
+  {
+    "control_id": "PR.AT-01",
+    "control_name": "Awareness and training provided",
+    "regulation": "DORA",
+    "articles": ["13"],
+    "coverage": "full",
+    "notes": "Art 13(6) requires ICT security awareness programmes"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "DORA",
+    "articles": ["9"],
+    "coverage": "full",
+    "notes": "Art 9(4)(d) covers data protection including encryption"
+  },
+  {
+    "control_id": "PR.DS-02",
+    "control_name": "Data-in-transit is protected",
+    "regulation": "DORA",
+    "articles": ["9"],
+    "coverage": "full",
+    "notes": "Art 9(4)(d) covers network security and data transmission"
+  },
+  {
+    "control_id": "PR.PS-01",
+    "control_name": "Configuration management practices established",
+    "regulation": "DORA",
+    "articles": ["9", "10"],
+    "coverage": "full",
+    "notes": "Art 9-10 require secure configuration of ICT systems"
+  },
+  {
+    "control_id": "PR.IR-01",
+    "control_name": "Incident response plan exists",
+    "regulation": "DORA",
+    "articles": ["17"],
+    "coverage": "full",
+    "notes": "Art 17 requires comprehensive ICT-related incident management process"
+  },
+  {
+    "control_id": "DE.CM-01",
+    "control_name": "Networks and network services are monitored",
+    "regulation": "DORA",
+    "articles": ["9", "10"],
+    "coverage": "full",
+    "notes": "Art 9-10 require continuous monitoring of ICT systems"
+  },
+  {
+    "control_id": "DE.AE-02",
+    "control_name": "Potentially adverse events are analyzed",
+    "regulation": "DORA",
+    "articles": ["17", "18"],
+    "coverage": "full",
+    "notes": "Art 17 incident detection, Art 18 incident classification"
+  },
+  {
+    "control_id": "RS.MA-01",
+    "control_name": "Incident response plan is executed",
+    "regulation": "DORA",
+    "articles": ["17", "18", "19"],
+    "coverage": "full",
+    "notes": "Art 17 incident management, Art 18-19 classification and reporting"
+  },
+  {
+    "control_id": "RS.CO-02",
+    "control_name": "Incidents are reported internally",
+    "regulation": "DORA",
+    "articles": ["17"],
+    "coverage": "full",
+    "notes": "Art 17 requires internal incident communication procedures"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "DORA",
+    "articles": ["19", "20"],
+    "coverage": "full",
+    "notes": "Art 19 major incident reporting (4h, 72h, 1 month), Art 20 information sharing"
+  },
+  {
+    "control_id": "RC.RP-01",
+    "control_name": "Recovery plan is executed",
+    "regulation": "DORA",
+    "articles": ["11", "12"],
+    "coverage": "full",
+    "notes": "Art 11 response and recovery, Art 12 backup policies and restoration"
+  },
+  {
+    "control_id": "RC.CO-03",
+    "control_name": "Recovery activities are communicated",
+    "regulation": "DORA",
+    "articles": ["13", "19"],
+    "coverage": "full",
+    "notes": "Art 13 communication policies, Art 19 final incident report"
+  }
+]

package/data/seed/mappings/nist-csf-dsa.json

@@ -0,0 +1,82 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "DSA",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Art 1-3 define scope for intermediary services in the EU"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "DSA",
+    "articles": ["34", "35"],
+    "coverage": "full",
+    "notes": "Art 34-35 require VLOPs to identify, analyze, and mitigate systemic risks"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "DSA",
+    "articles": ["11", "41"],
+    "coverage": "full",
+    "notes": "Art 11 points of contact, Art 41 compliance officers for VLOPs"
+  },
+  {
+    "control_id": "GV.PO-01",
+    "control_name": "Cybersecurity policy",
+    "regulation": "DSA",
+    "articles": ["14", "34"],
+    "coverage": "full",
+    "notes": "Art 14 terms and conditions, Art 34 VLOP risk policies"
+  },
+  {
+    "control_id": "ID.RA-03",
+    "control_name": "Internal and external threats are identified",
+    "regulation": "DSA",
+    "articles": ["34"],
+    "coverage": "full",
+    "notes": "Art 34 requires VLOPs to identify systemic risks including manipulation"
+  },
+  {
+    "control_id": "ID.RA-05",
+    "control_name": "Risk responses are identified",
+    "regulation": "DSA",
+    "articles": ["35"],
+    "coverage": "full",
+    "notes": "Art 35 requires reasonable, proportionate mitigation measures"
+  },
+  {
+    "control_id": "DE.CM-01",
+    "control_name": "Networks and network services are monitored",
+    "regulation": "DSA",
+    "articles": ["16", "34"],
+    "coverage": "full",
+    "notes": "Art 16 notice mechanism monitoring, Art 34 systemic risk monitoring"
+  },
+  {
+    "control_id": "DE.AE-02",
+    "control_name": "Potentially adverse events are analyzed",
+    "regulation": "DSA",
+    "articles": ["16", "20"],
+    "coverage": "full",
+    "notes": "Art 16 notice assessment, Art 20 illegal content analysis"
+  },
+  {
+    "control_id": "RS.MA-01",
+    "control_name": "Incident response plan is executed",
+    "regulation": "DSA",
+    "articles": ["16", "17"],
+    "coverage": "full",
+    "notes": "Art 16-17 notice-and-action and statement of reasons procedures"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "DSA",
+    "articles": ["18", "42"],
+    "coverage": "full",
+    "notes": "Art 18 criminal offense reporting, Art 42 data access for researchers"
+  }
+]

package/data/seed/mappings/nist-csf-eecc.json

@@ -0,0 +1,90 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "EECC",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Electronic communications regulatory framework"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "EECC",
+    "articles": ["40", "41"],
+    "coverage": "full",
+    "notes": "Security risk management for networks"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "EECC",
+    "articles": ["5", "6", "7"],
+    "coverage": "full",
+    "notes": "NRA and operator responsibilities"
+  },
+  {
+    "control_id": "GV.PO-01",
+    "control_name": "Cybersecurity policy",
+    "regulation": "EECC",
+    "articles": ["40"],
+    "coverage": "full",
+    "notes": "Security measures and policies"
+  },
+  {
+    "control_id": "ID.RA-01",
+    "control_name": "Vulnerabilities in assets are identified",
+    "regulation": "EECC",
+    "articles": ["40"],
+    "coverage": "full",
+    "notes": "Security risk assessment requirements"
+  },
+  {
+    "control_id": "PR.AA-01",
+    "control_name": "Identities and credentials for authorized users",
+    "regulation": "EECC",
+    "articles": ["40"],
+    "coverage": "full",
+    "notes": "Access control for network systems"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "EECC",
+    "articles": ["40", "126"],
+    "coverage": "full",
+    "notes": "Communications data protection"
+  },
+  {
+    "control_id": "PR.DS-02",
+    "control_name": "Data-in-transit is protected",
+    "regulation": "EECC",
+    "articles": ["40", "126"],
+    "coverage": "full",
+    "notes": "Network communications security"
+  },
+  {
+    "control_id": "DE.CM-01",
+    "control_name": "Networks and network services are monitored",
+    "regulation": "EECC",
+    "articles": ["40"],
+    "coverage": "full",
+    "notes": "Network monitoring requirements"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "EECC",
+    "articles": ["40"],
+    "coverage": "full",
+    "notes": "Security incident notification to NRAs"
+  },
+  {
+    "control_id": "RC.RP-01",
+    "control_name": "Recovery plan is executed",
+    "regulation": "EECC",
+    "articles": ["40"],
+    "coverage": "full",
+    "notes": "Business continuity for communications"
+  }
+]

package/data/seed/mappings/nist-csf-ehds.json

@@ -0,0 +1,98 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "EHDS",
+    "articles": ["1", "2", "50"],
+    "coverage": "full",
+    "notes": "EHDS defines scope, context, and applicability to health data holders"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "EHDS",
+    "articles": ["55", "57"],
+    "coverage": "full",
+    "notes": "Health data access bodies responsible for risk management"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "EHDS",
+    "articles": ["55", "57", "60", "61"],
+    "coverage": "full",
+    "notes": "Health data access bodies, data holders, and data users responsibilities"
+  },
+  {
+    "control_id": "GV.PO-01",
+    "control_name": "Cybersecurity policy",
+    "regulation": "EHDS",
+    "articles": ["66", "73"],
+    "coverage": "full",
+    "notes": "Data minimisation and secure processing environment policies"
+  },
+  {
+    "control_id": "ID.AM-01",
+    "control_name": "Inventories of assets",
+    "regulation": "EHDS",
+    "articles": ["77", "78", "79"],
+    "coverage": "full",
+    "notes": "Dataset description, quality label, and EU dataset catalogue"
+  },
+  {
+    "control_id": "ID.RA-01",
+    "control_name": "Vulnerabilities in assets are identified",
+    "regulation": "EHDS",
+    "articles": ["73"],
+    "coverage": "partial",
+    "notes": "Secure processing environment security requirements"
+  },
+  {
+    "control_id": "PR.AA-01",
+    "control_name": "Identities and credentials for authorized users",
+    "regulation": "EHDS",
+    "articles": ["67", "68"],
+    "coverage": "full",
+    "notes": "Health data access applications and data permits"
+  },
+  {
+    "control_id": "PR.AA-05",
+    "control_name": "Access permissions and authorizations are managed",
+    "regulation": "EHDS",
+    "articles": ["67", "68", "72"],
+    "coverage": "full",
+    "notes": "Data permits and simplified access procedures"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "EHDS",
+    "articles": ["73", "86"],
+    "coverage": "full",
+    "notes": "Secure processing environment and storage requirements"
+  },
+  {
+    "control_id": "PR.DS-02",
+    "control_name": "Data-in-transit is protected",
+    "regulation": "EHDS",
+    "articles": ["73", "75"],
+    "coverage": "full",
+    "notes": "Secure processing and HealthData@EU cross-border infrastructure"
+  },
+  {
+    "control_id": "DE.CM-01",
+    "control_name": "Networks and network services are monitored",
+    "regulation": "EHDS",
+    "articles": ["73"],
+    "coverage": "partial",
+    "notes": "Secure processing environment monitoring"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "EHDS",
+    "articles": ["59", "63"],
+    "coverage": "full",
+    "notes": "Reporting by health data access bodies and enforcement"
+  }
+]

package/data/seed/mappings/nist-csf-eidas2.json

@@ -0,0 +1,114 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "EIDAS2",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Art 1-3 scope for electronic identification and trust services"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "EIDAS2",
+    "articles": ["19", "24"],
+    "coverage": "full",
+    "notes": "Art 19 security requirements, Art 24 qualified trust service requirements"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "EIDAS2",
+    "articles": ["17", "20"],
+    "coverage": "full",
+    "notes": "Art 17 supervisory body, Art 20 trust service provider obligations"
+  },
+  {
+    "control_id": "GV.PO-01",
+    "control_name": "Cybersecurity policy",
+    "regulation": "EIDAS2",
+    "articles": ["19", "24"],
+    "coverage": "full",
+    "notes": "Art 19 security policies, Art 24 qualified provider requirements"
+  },
+  {
+    "control_id": "ID.AM-01",
+    "control_name": "Inventories of assets",
+    "regulation": "EIDAS2",
+    "articles": ["22"],
+    "coverage": "partial",
+    "notes": "Art 22 trusted lists of qualified providers"
+  },
+  {
+    "control_id": "ID.RA-05",
+    "control_name": "Risk responses are identified",
+    "regulation": "EIDAS2",
+    "articles": ["19", "24"],
+    "coverage": "full",
+    "notes": "Art 19-24 security measures and risk management"
+  },
+  {
+    "control_id": "PR.AA-01",
+    "control_name": "Identities and credentials for authorized users",
+    "regulation": "EIDAS2",
+    "articles": ["6a", "6b", "8"],
+    "coverage": "full",
+    "notes": "Art 6a-6b EUDI Wallet, Art 8 assurance levels"
+  },
+  {
+    "control_id": "PR.AA-03",
+    "control_name": "Users and services are authenticated",
+    "regulation": "EIDAS2",
+    "articles": ["6a", "8", "29"],
+    "coverage": "full",
+    "notes": "Art 6a wallet authentication, Art 8 assurance, Art 29 qualified signatures"
+  },
+  {
+    "control_id": "PR.AA-05",
+    "control_name": "Access permissions and authorizations are managed",
+    "regulation": "EIDAS2",
+    "articles": ["6a", "6c"],
+    "coverage": "full",
+    "notes": "Art 6a-6c user control over identity and data sharing"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "EIDAS2",
+    "articles": ["19", "24"],
+    "coverage": "full",
+    "notes": "Art 19 security measures, Art 24 qualified provider security"
+  },
+  {
+    "control_id": "PR.DS-02",
+    "control_name": "Data-in-transit is protected",
+    "regulation": "EIDAS2",
+    "articles": ["19", "26", "29"],
+    "coverage": "full",
+    "notes": "Art 19 security, Art 26 advanced signatures, Art 29 qualified signatures"
+  },
+  {
+    "control_id": "DE.AE-02",
+    "control_name": "Potentially adverse events are analyzed",
+    "regulation": "EIDAS2",
+    "articles": ["19"],
+    "coverage": "full",
+    "notes": "Art 19(2) security breach assessment"
+  },
+  {
+    "control_id": "RS.MA-01",
+    "control_name": "Incident response plan is executed",
+    "regulation": "EIDAS2",
+    "articles": ["19"],
+    "coverage": "full",
+    "notes": "Art 19(2) breach notification within 24 hours"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "EIDAS2",
+    "articles": ["19"],
+    "coverage": "full",
+    "notes": "Art 19(2) notification to supervisory body"
+  }
+]

package/data/seed/mappings/nist-csf-eprivacy.json

@@ -0,0 +1,58 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "EPRIVACY",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Privacy in electronic communications context"
+  },
+  {
+    "control_id": "GV.PO-01",
+    "control_name": "Cybersecurity policy",
+    "regulation": "EPRIVACY",
+    "articles": ["4", "5"],
+    "coverage": "full",
+    "notes": "Security policies for communications services"
+  },
+  {
+    "control_id": "PR.AA-01",
+    "control_name": "Identities and credentials for authorized users",
+    "regulation": "EPRIVACY",
+    "articles": ["5"],
+    "coverage": "full",
+    "notes": "Confidentiality of communications access controls"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "EPRIVACY",
+    "articles": ["4", "5"],
+    "coverage": "full",
+    "notes": "Protection of stored communications data"
+  },
+  {
+    "control_id": "PR.DS-02",
+    "control_name": "Data-in-transit is protected",
+    "regulation": "EPRIVACY",
+    "articles": ["5"],
+    "coverage": "full",
+    "notes": "Confidentiality of communications in transit"
+  },
+  {
+    "control_id": "DE.CM-01",
+    "control_name": "Networks and network services are monitored",
+    "regulation": "EPRIVACY",
+    "articles": ["4"],
+    "coverage": "full",
+    "notes": "Security monitoring requirements"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "EPRIVACY",
+    "articles": ["4"],
+    "coverage": "full",
+    "notes": "Security breach notification requirements"
+  }
+]