@ansvar/eu-regulations-mcp 0.1.0 → 0.2.0

package/data/seed/mappings/nist-csf-mica.json

@@ -0,0 +1,98 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "MICA",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Markets in crypto-assets regulatory context"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "MICA",
+    "articles": ["64", "65"],
+    "coverage": "full",
+    "notes": "Risk management for crypto-asset service providers"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "MICA",
+    "articles": ["59", "60"],
+    "coverage": "full",
+    "notes": "CASP governance and responsibilities"
+  },
+  {
+    "control_id": "GV.PO-01",
+    "control_name": "Cybersecurity policy",
+    "regulation": "MICA",
+    "articles": ["64", "65"],
+    "coverage": "full",
+    "notes": "ICT security policies for CASPs"
+  },
+  {
+    "control_id": "GV.SC-01",
+    "control_name": "Supply chain risk management program",
+    "regulation": "MICA",
+    "articles": ["64"],
+    "coverage": "full",
+    "notes": "Third-party service provider management"
+  },
+  {
+    "control_id": "ID.RA-01",
+    "control_name": "Vulnerabilities in assets are identified",
+    "regulation": "MICA",
+    "articles": ["64"],
+    "coverage": "full",
+    "notes": "ICT system vulnerability assessment"
+  },
+  {
+    "control_id": "PR.AA-01",
+    "control_name": "Identities and credentials for authorized users",
+    "regulation": "MICA",
+    "articles": ["64", "70"],
+    "coverage": "full",
+    "notes": "Access controls for crypto-asset custody"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "MICA",
+    "articles": ["64", "70"],
+    "coverage": "full",
+    "notes": "Crypto-asset safeguarding"
+  },
+  {
+    "control_id": "PR.DS-02",
+    "control_name": "Data-in-transit is protected",
+    "regulation": "MICA",
+    "articles": ["64"],
+    "coverage": "full",
+    "notes": "Secure transmission protocols"
+  },
+  {
+    "control_id": "DE.CM-01",
+    "control_name": "Networks and network services are monitored",
+    "regulation": "MICA",
+    "articles": ["64"],
+    "coverage": "full",
+    "notes": "ICT system monitoring requirements"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "MICA",
+    "articles": ["64"],
+    "coverage": "full",
+    "notes": "ICT incident reporting"
+  },
+  {
+    "control_id": "RC.RP-01",
+    "control_name": "Recovery plan is executed",
+    "regulation": "MICA",
+    "articles": ["64"],
+    "coverage": "full",
+    "notes": "Business continuity and disaster recovery"
+  }
+]

package/data/seed/mappings/nist-csf-mifid2.json

@@ -0,0 +1,74 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "MIFID2",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Investment services regulatory context"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "MIFID2",
+    "articles": ["16", "17"],
+    "coverage": "full",
+    "notes": "Organizational and risk management requirements"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "MIFID2",
+    "articles": ["9", "16"],
+    "coverage": "full",
+    "notes": "Management body and compliance responsibilities"
+  },
+  {
+    "control_id": "GV.PO-01",
+    "control_name": "Cybersecurity policy",
+    "regulation": "MIFID2",
+    "articles": ["16", "17"],
+    "coverage": "full",
+    "notes": "IT systems and security policies"
+  },
+  {
+    "control_id": "GV.SC-01",
+    "control_name": "Supply chain risk management program",
+    "regulation": "MIFID2",
+    "articles": ["16"],
+    "coverage": "full",
+    "notes": "Outsourcing arrangements requirements"
+  },
+  {
+    "control_id": "ID.AM-01",
+    "control_name": "Inventories of assets",
+    "regulation": "MIFID2",
+    "articles": ["16", "25"],
+    "coverage": "partial",
+    "notes": "Client asset safeguarding requirements"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "MIFID2",
+    "articles": ["16", "66"],
+    "coverage": "full",
+    "notes": "Transaction record protection"
+  },
+  {
+    "control_id": "PR.IR-01",
+    "control_name": "Incident response plan exists",
+    "regulation": "MIFID2",
+    "articles": ["16", "17"],
+    "coverage": "full",
+    "notes": "Business continuity arrangements"
+  },
+  {
+    "control_id": "RC.RP-01",
+    "control_name": "Recovery plan is executed",
+    "regulation": "MIFID2",
+    "articles": ["16", "17"],
+    "coverage": "full",
+    "notes": "Business continuity and disaster recovery"
+  }
+]

package/data/seed/mappings/nist-csf-mifir.json

@@ -0,0 +1,50 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "MIFIR",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "Markets in financial instruments context"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "MIFIR",
+    "articles": ["22", "23", "24"],
+    "coverage": "full",
+    "notes": "Trading venue and competent authority responsibilities"
+  },
+  {
+    "control_id": "ID.AM-01",
+    "control_name": "Inventories of assets",
+    "regulation": "MIFIR",
+    "articles": ["25", "26", "27"],
+    "coverage": "full",
+    "notes": "Transaction reporting and record keeping"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "MIFIR",
+    "articles": ["25", "26"],
+    "coverage": "full",
+    "notes": "Transaction data protection requirements"
+  },
+  {
+    "control_id": "PR.DS-02",
+    "control_name": "Data-in-transit is protected",
+    "regulation": "MIFIR",
+    "articles": ["26"],
+    "coverage": "full",
+    "notes": "Secure transaction reporting transmission"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "MIFIR",
+    "articles": ["26", "27"],
+    "coverage": "full",
+    "notes": "Reporting to competent authorities"
+  }
+]

package/data/seed/mappings/nist-csf-nis2.json

@@ -0,0 +1,194 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "NIS2",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "NIS2 Art 1-3 define scope and essential/important entity context"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "NIS2",
+    "articles": ["20", "21"],
+    "coverage": "full",
+    "notes": "Art 20 governance, Art 21 risk-based cybersecurity measures"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "NIS2",
+    "articles": ["20"],
+    "coverage": "full",
+    "notes": "Art 20 requires management body approval and accountability"
+  },
+  {
+    "control_id": "GV.PO-01",
+    "control_name": "Cybersecurity policy",
+    "regulation": "NIS2",
+    "articles": ["21"],
+    "coverage": "full",
+    "notes": "Art 21(2)(a) explicitly requires policies on risks and information security"
+  },
+  {
+    "control_id": "GV.SC-01",
+    "control_name": "Supply chain risk management program",
+    "regulation": "NIS2",
+    "articles": ["21"],
+    "coverage": "full",
+    "notes": "Art 21(2)(d) explicitly requires supply chain security measures"
+  },
+  {
+    "control_id": "ID.AM-01",
+    "control_name": "Inventories of assets",
+    "regulation": "NIS2",
+    "articles": ["21"],
+    "coverage": "partial",
+    "notes": "Art 21 risk management implies asset inventory"
+  },
+  {
+    "control_id": "ID.RA-01",
+    "control_name": "Vulnerabilities in assets are identified",
+    "regulation": "NIS2",
+    "articles": ["21"],
+    "coverage": "full",
+    "notes": "Art 21(2)(e) explicitly requires vulnerability handling and disclosure"
+  },
+  {
+    "control_id": "ID.RA-03",
+    "control_name": "Internal and external threats are identified",
+    "regulation": "NIS2",
+    "articles": ["21"],
+    "coverage": "full",
+    "notes": "Art 21(2)(a) requires policies on risk analysis and information security"
+  },
+  {
+    "control_id": "ID.RA-05",
+    "control_name": "Risk responses are identified",
+    "regulation": "NIS2",
+    "articles": ["21"],
+    "coverage": "full",
+    "notes": "Art 21(2) enumerates specific risk management measures"
+  },
+  {
+    "control_id": "PR.AA-01",
+    "control_name": "Identities and credentials for authorized users",
+    "regulation": "NIS2",
+    "articles": ["21"],
+    "coverage": "full",
+    "notes": "Art 21(2)(i) requires access control policies"
+  },
+  {
+    "control_id": "PR.AA-03",
+    "control_name": "Users and services are authenticated",
+    "regulation": "NIS2",
+    "articles": ["21"],
+    "coverage": "full",
+    "notes": "Art 21(2)(j) explicitly requires multi-factor or continuous authentication"
+  },
+  {
+    "control_id": "PR.AA-05",
+    "control_name": "Access permissions and authorizations are managed",
+    "regulation": "NIS2",
+    "articles": ["21"],
+    "coverage": "full",
+    "notes": "Art 21(2)(i) requires access control policies"
+  },
+  {
+    "control_id": "PR.AT-01",
+    "control_name": "Awareness and training provided",
+    "regulation": "NIS2",
+    "articles": ["20", "21"],
+    "coverage": "full",
+    "notes": "Art 20(2) requires management body training, Art 21(2)(g) basic cyber hygiene practices"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "NIS2",
+    "articles": ["21"],
+    "coverage": "full",
+    "notes": "Art 21(2)(h) explicitly requires encryption"
+  },
+  {
+    "control_id": "PR.DS-02",
+    "control_name": "Data-in-transit is protected",
+    "regulation": "NIS2",
+    "articles": ["21"],
+    "coverage": "full",
+    "notes": "Art 21(2)(h) requires cryptography and encryption policies"
+  },
+  {
+    "control_id": "PR.PS-01",
+    "control_name": "Configuration management practices established",
+    "regulation": "NIS2",
+    "articles": ["21"],
+    "coverage": "partial",
+    "notes": "Art 21(2) implies secure configuration as part of risk measures"
+  },
+  {
+    "control_id": "PR.IR-01",
+    "control_name": "Incident response plan exists",
+    "regulation": "NIS2",
+    "articles": ["21"],
+    "coverage": "full",
+    "notes": "Art 21(2)(b) explicitly requires incident handling"
+  },
+  {
+    "control_id": "DE.CM-01",
+    "control_name": "Networks and network services are monitored",
+    "regulation": "NIS2",
+    "articles": ["21"],
+    "coverage": "full",
+    "notes": "Art 21(2) requires security monitoring capabilities"
+  },
+  {
+    "control_id": "DE.AE-02",
+    "control_name": "Potentially adverse events are analyzed",
+    "regulation": "NIS2",
+    "articles": ["21", "23"],
+    "coverage": "full",
+    "notes": "Art 21(2)(b) incident handling, Art 23 incident analysis for notification"
+  },
+  {
+    "control_id": "RS.MA-01",
+    "control_name": "Incident response plan is executed",
+    "regulation": "NIS2",
+    "articles": ["21", "23"],
+    "coverage": "full",
+    "notes": "Art 21(2)(b) incident handling, Art 23 incident notification process"
+  },
+  {
+    "control_id": "RS.CO-02",
+    "control_name": "Incidents are reported internally",
+    "regulation": "NIS2",
+    "articles": ["23"],
+    "coverage": "full",
+    "notes": "Art 23 requires internal awareness for 24h early warning"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "NIS2",
+    "articles": ["23", "24"],
+    "coverage": "full",
+    "notes": "Art 23 notification to CSIRTs, Art 24 voluntary information sharing"
+  },
+  {
+    "control_id": "RC.RP-01",
+    "control_name": "Recovery plan is executed",
+    "regulation": "NIS2",
+    "articles": ["21"],
+    "coverage": "full",
+    "notes": "Art 21(2)(c) business continuity, backup management, disaster recovery"
+  },
+  {
+    "control_id": "RC.CO-03",
+    "control_name": "Recovery activities are communicated",
+    "regulation": "NIS2",
+    "articles": ["21", "23"],
+    "coverage": "full",
+    "notes": "Art 21(2)(c) crisis management, Art 23 final report on incident resolution"
+  }
+]

package/data/seed/mappings/nist-csf-pld.json

@@ -0,0 +1,34 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "PLD",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Product liability regulatory context"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "PLD",
+    "articles": ["7", "8", "9"],
+    "coverage": "full",
+    "notes": "Manufacturer and importer liability"
+  },
+  {
+    "control_id": "ID.AM-01",
+    "control_name": "Inventories of assets",
+    "regulation": "PLD",
+    "articles": ["4", "6"],
+    "coverage": "partial",
+    "notes": "Product documentation for liability purposes"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "PLD",
+    "articles": ["8", "9"],
+    "coverage": "partial",
+    "notes": "Defect disclosure and information sharing"
+  }
+]

package/data/seed/mappings/nist-csf-psd2.json

@@ -0,0 +1,98 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "PSD2",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Payment services regulatory context"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "PSD2",
+    "articles": ["95", "97"],
+    "coverage": "full",
+    "notes": "Operational and security risk management"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "PSD2",
+    "articles": ["5", "11"],
+    "coverage": "full",
+    "notes": "Payment institution governance requirements"
+  },
+  {
+    "control_id": "GV.PO-01",
+    "control_name": "Cybersecurity policy",
+    "regulation": "PSD2",
+    "articles": ["95"],
+    "coverage": "full",
+    "notes": "Security policies for payment services"
+  },
+  {
+    "control_id": "GV.SC-01",
+    "control_name": "Supply chain risk management program",
+    "regulation": "PSD2",
+    "articles": ["19"],
+    "coverage": "full",
+    "notes": "Outsourcing of operational functions"
+  },
+  {
+    "control_id": "PR.AA-01",
+    "control_name": "Identities and credentials for authorized users",
+    "regulation": "PSD2",
+    "articles": ["97"],
+    "coverage": "full",
+    "notes": "Strong customer authentication requirements"
+  },
+  {
+    "control_id": "PR.AA-03",
+    "control_name": "Users and services are authenticated",
+    "regulation": "PSD2",
+    "articles": ["97", "98"],
+    "coverage": "full",
+    "notes": "Multi-factor authentication for payments"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "PSD2",
+    "articles": ["95", "97"],
+    "coverage": "full",
+    "notes": "Payment data protection requirements"
+  },
+  {
+    "control_id": "PR.DS-02",
+    "control_name": "Data-in-transit is protected",
+    "regulation": "PSD2",
+    "articles": ["95", "97", "98"],
+    "coverage": "full",
+    "notes": "Secure communication channels"
+  },
+  {
+    "control_id": "DE.CM-01",
+    "control_name": "Networks and network services are monitored",
+    "regulation": "PSD2",
+    "articles": ["95"],
+    "coverage": "full",
+    "notes": "Transaction monitoring requirements"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "PSD2",
+    "articles": ["96"],
+    "coverage": "full",
+    "notes": "Major incident reporting to competent authorities"
+  },
+  {
+    "control_id": "RC.RP-01",
+    "control_name": "Recovery plan is executed",
+    "regulation": "PSD2",
+    "articles": ["95"],
+    "coverage": "full",
+    "notes": "Business continuity for payment services"
+  }
+]

package/data/seed/mappings/nist-csf-red.json

@@ -0,0 +1,58 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "RED",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Radio equipment regulatory context"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "RED",
+    "articles": ["3"],
+    "coverage": "full",
+    "notes": "Essential requirements for radio equipment"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "RED",
+    "articles": ["10", "11", "12", "13"],
+    "coverage": "full",
+    "notes": "Economic operator obligations"
+  },
+  {
+    "control_id": "GV.SC-01",
+    "control_name": "Supply chain risk management program",
+    "regulation": "RED",
+    "articles": ["10", "11", "12"],
+    "coverage": "full",
+    "notes": "Supply chain requirements for radio equipment"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "RED",
+    "articles": ["3"],
+    "coverage": "partial",
+    "notes": "Privacy safeguards in radio equipment"
+  },
+  {
+    "control_id": "PR.DS-02",
+    "control_name": "Data-in-transit is protected",
+    "regulation": "RED",
+    "articles": ["3"],
+    "coverage": "partial",
+    "notes": "Network protection for radio communications"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "RED",
+    "articles": ["40", "41"],
+    "coverage": "full",
+    "notes": "Non-compliance reporting to authorities"
+  }
+]

package/data/seed/mappings/nist-csf-sfdr.json

@@ -0,0 +1,42 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "SFDR",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "Sustainability disclosure requirements context"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "SFDR",
+    "articles": ["3", "4"],
+    "coverage": "full",
+    "notes": "Financial market participant responsibilities"
+  },
+  {
+    "control_id": "GV.PO-01",
+    "control_name": "Cybersecurity policy",
+    "regulation": "SFDR",
+    "articles": ["4", "5"],
+    "coverage": "partial",
+    "notes": "Policies integrating sustainability risks"
+  },
+  {
+    "control_id": "ID.AM-01",
+    "control_name": "Inventories of assets",
+    "regulation": "SFDR",
+    "articles": ["7", "8", "9"],
+    "coverage": "partial",
+    "notes": "Financial product sustainability data inventories"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "SFDR",
+    "articles": ["12", "13"],
+    "coverage": "partial",
+    "notes": "Protection of sustainability disclosure data"
+  }
+]