@ansvar/eu-regulations-mcp 0.1.0 → 0.2.1

package/data/seed/mappings/iso27001-ai-act.json

@@ -0,0 +1,114 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "AI_ACT",
+    "articles": ["9", "17"],
+    "coverage": "full",
+    "notes": "Art 9 risk management system, Art 17 quality management system for high-risk AI"
+  },
+  {
+    "control_id": "A.5.2",
+    "control_name": "Information security roles and responsibilities",
+    "regulation": "AI_ACT",
+    "articles": ["16", "26", "27"],
+    "coverage": "full",
+    "notes": "Art 16 provider obligations, Art 26 deployer obligations, Art 27 fundamental rights impact assessment"
+  },
+  {
+    "control_id": "A.5.8",
+    "control_name": "Information security in project management",
+    "regulation": "AI_ACT",
+    "articles": ["9", "10", "17"],
+    "coverage": "full",
+    "notes": "Art 9-10 risk management and data governance, Art 17 quality management throughout AI lifecycle"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "AI_ACT",
+    "articles": ["1", "2", "5", "6"],
+    "coverage": "full",
+    "notes": "Art 1-2 scope, Art 5 prohibited practices, Art 6 high-risk AI classification"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "AI_ACT",
+    "articles": ["12", "18", "19"],
+    "coverage": "full",
+    "notes": "Art 12 automatic logging, Art 18 technical documentation, Art 19 record keeping requirements"
+  },
+  {
+    "control_id": "A.5.34",
+    "control_name": "Privacy and protection of PII",
+    "regulation": "AI_ACT",
+    "articles": ["10", "15"],
+    "coverage": "full",
+    "notes": "Art 10 data governance including privacy requirements, Art 15 data minimisation for biometric AI"
+  },
+  {
+    "control_id": "A.6.3",
+    "control_name": "Information security awareness, education and training",
+    "regulation": "AI_ACT",
+    "articles": ["4", "14"],
+    "coverage": "full",
+    "notes": "Art 4 AI literacy requirements, Art 14 human oversight requires trained personnel"
+  },
+  {
+    "control_id": "A.6.8",
+    "control_name": "Information security event reporting",
+    "regulation": "AI_ACT",
+    "articles": ["73"],
+    "coverage": "full",
+    "notes": "Art 73 requires reporting of serious incidents and malfunctioning of high-risk AI systems"
+  },
+  {
+    "control_id": "A.8.2",
+    "control_name": "Privileged access rights",
+    "regulation": "AI_ACT",
+    "articles": ["14", "15"],
+    "coverage": "partial",
+    "notes": "Art 14-15 human oversight and access controls for AI system operation"
+  },
+  {
+    "control_id": "A.8.8",
+    "control_name": "Management of technical vulnerabilities",
+    "regulation": "AI_ACT",
+    "articles": ["9", "15"],
+    "coverage": "partial",
+    "notes": "Art 9 risk management includes security vulnerabilities, Art 15 robustness requirements"
+  },
+  {
+    "control_id": "A.8.10",
+    "control_name": "Information deletion",
+    "regulation": "AI_ACT",
+    "articles": ["10"],
+    "coverage": "partial",
+    "notes": "Art 10 data governance includes data retention and deletion policies"
+  },
+  {
+    "control_id": "A.8.16",
+    "control_name": "Monitoring activities",
+    "regulation": "AI_ACT",
+    "articles": ["12", "72"],
+    "coverage": "full",
+    "notes": "Art 12 automatic logging and monitoring, Art 72 post-market monitoring obligations"
+  },
+  {
+    "control_id": "A.8.25",
+    "control_name": "Secure development life cycle",
+    "regulation": "AI_ACT",
+    "articles": ["9", "10", "17"],
+    "coverage": "full",
+    "notes": "Art 9 risk management, Art 10 data governance, Art 17 quality management throughout lifecycle"
+  },
+  {
+    "control_id": "A.8.29",
+    "control_name": "Security testing in development and acceptance",
+    "regulation": "AI_ACT",
+    "articles": ["9", "15", "43"],
+    "coverage": "full",
+    "notes": "Art 9 testing under risk management, Art 15 accuracy and robustness testing, Art 43 conformity assessment"
+  }
+]

package/data/seed/mappings/iso27001-aifmd.json

@@ -0,0 +1,50 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "AIFMD",
+    "articles": ["12", "18"],
+    "coverage": "full",
+    "notes": "General operating conditions and risk management policies"
+  },
+  {
+    "control_id": "A.5.2",
+    "control_name": "Information security roles and responsibilities",
+    "regulation": "AIFMD",
+    "articles": ["8", "12"],
+    "coverage": "full",
+    "notes": "Management responsibilities and organizational requirements"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "AIFMD",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Authorization and operating requirements for AIFMs"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "AIFMD",
+    "articles": ["22", "23"],
+    "coverage": "full",
+    "notes": "Transparency and disclosure requirements"
+  },
+  {
+    "control_id": "A.5.34",
+    "control_name": "Privacy and protection of PII",
+    "regulation": "AIFMD",
+    "articles": ["12"],
+    "coverage": "partial",
+    "notes": "Investor information protection"
+  },
+  {
+    "control_id": "A.8.3",
+    "control_name": "Information access restriction",
+    "regulation": "AIFMD",
+    "articles": ["12", "21"],
+    "coverage": "partial",
+    "notes": "Access controls for fund assets and information"
+  }
+]

package/data/seed/mappings/iso27001-cbam.json

@@ -0,0 +1,26 @@
+[
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "CBAM",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "Carbon border adjustment mechanism requirements"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "CBAM",
+    "articles": ["7", "8", "9"],
+    "coverage": "full",
+    "notes": "CBAM reporting and documentation requirements"
+  },
+  {
+    "control_id": "A.8.12",
+    "control_name": "Data leakage prevention",
+    "regulation": "CBAM",
+    "articles": ["10", "11"],
+    "coverage": "partial",
+    "notes": "Protection of emissions data and declarations"
+  }
+]

package/data/seed/mappings/iso27001-cer.json

@@ -0,0 +1,74 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "CER",
+    "articles": ["13", "14"],
+    "coverage": "full",
+    "notes": "Resilience policies for critical entities"
+  },
+  {
+    "control_id": "A.5.2",
+    "control_name": "Information security roles and responsibilities",
+    "regulation": "CER",
+    "articles": ["13"],
+    "coverage": "full",
+    "notes": "Critical entity resilience responsibilities"
+  },
+  {
+    "control_id": "A.5.5",
+    "control_name": "Contact with authorities",
+    "regulation": "CER",
+    "articles": ["9", "15"],
+    "coverage": "full",
+    "notes": "Cooperation with competent authorities"
+  },
+  {
+    "control_id": "A.5.24",
+    "control_name": "Information security incident management planning and preparation",
+    "regulation": "CER",
+    "articles": ["13", "14"],
+    "coverage": "full",
+    "notes": "Incident response and resilience measures"
+  },
+  {
+    "control_id": "A.5.29",
+    "control_name": "Information security during disruption",
+    "regulation": "CER",
+    "articles": ["13"],
+    "coverage": "full",
+    "notes": "Business continuity for critical services"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "CER",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "Critical entity resilience requirements"
+  },
+  {
+    "control_id": "A.6.8",
+    "control_name": "Information security event reporting",
+    "regulation": "CER",
+    "articles": ["15"],
+    "coverage": "full",
+    "notes": "Incident notification to competent authorities"
+  },
+  {
+    "control_id": "A.7.1",
+    "control_name": "Physical security perimeters",
+    "regulation": "CER",
+    "articles": ["13"],
+    "coverage": "full",
+    "notes": "Physical resilience measures for critical infrastructure"
+  },
+  {
+    "control_id": "A.7.5",
+    "control_name": "Protecting against physical and environmental threats",
+    "regulation": "CER",
+    "articles": ["13"],
+    "coverage": "full",
+    "notes": "Protection against natural and man-made threats"
+  }
+]

package/data/seed/mappings/iso27001-cra.json

@@ -0,0 +1,130 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "CRA",
+    "articles": ["10", "11"],
+    "coverage": "full",
+    "notes": "Art 10-11 require manufacturers to have policies for secure development and vulnerability handling"
+  },
+  {
+    "control_id": "A.5.8",
+    "control_name": "Information security in project management",
+    "regulation": "CRA",
+    "articles": ["10", "13"],
+    "coverage": "full",
+    "notes": "Art 10 security throughout product lifecycle, Art 13 product documentation requirements"
+  },
+  {
+    "control_id": "A.5.19",
+    "control_name": "Information security in supplier relationships",
+    "regulation": "CRA",
+    "articles": ["13", "18", "19"],
+    "coverage": "full",
+    "notes": "Art 13 SBOM requirements, Art 18-19 importer and distributor obligations for supply chain security"
+  },
+  {
+    "control_id": "A.5.20",
+    "control_name": "Addressing information security within supplier agreements",
+    "regulation": "CRA",
+    "articles": ["13", "18"],
+    "coverage": "full",
+    "notes": "Art 13 technical documentation including component information, Art 18 importer verification duties"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "CRA",
+    "articles": ["1", "2", "3", "4"],
+    "coverage": "full",
+    "notes": "Art 1-4 define scope, applicability, and CE marking requirements for digital products"
+  },
+  {
+    "control_id": "A.6.3",
+    "control_name": "Information security awareness, education and training",
+    "regulation": "CRA",
+    "articles": ["10"],
+    "coverage": "partial",
+    "notes": "Art 10(6) requires manufacturers to have competent personnel for cybersecurity"
+  },
+  {
+    "control_id": "A.6.8",
+    "control_name": "Information security event reporting",
+    "regulation": "CRA",
+    "articles": ["14"],
+    "coverage": "full",
+    "notes": "Art 14 requires notification of exploited vulnerabilities within 24 hours to ENISA and national CSIRTs"
+  },
+  {
+    "control_id": "A.8.8",
+    "control_name": "Management of technical vulnerabilities",
+    "regulation": "CRA",
+    "articles": ["10", "11", "Annex I"],
+    "coverage": "full",
+    "notes": "Art 10 vulnerability handling, Art 11 coordinated disclosure, Annex I Part II vulnerability requirements"
+  },
+  {
+    "control_id": "A.8.9",
+    "control_name": "Configuration management",
+    "regulation": "CRA",
+    "articles": ["10", "Annex I"],
+    "coverage": "full",
+    "notes": "Annex I Part I requires secure default configuration with no known vulnerabilities"
+  },
+  {
+    "control_id": "A.8.24",
+    "control_name": "Use of cryptography",
+    "regulation": "CRA",
+    "articles": ["Annex I"],
+    "coverage": "full",
+    "notes": "Annex I Part I requires protection of confidentiality, integrity with state-of-the-art cryptography"
+  },
+  {
+    "control_id": "A.8.25",
+    "control_name": "Secure development life cycle",
+    "regulation": "CRA",
+    "articles": ["10", "Annex I"],
+    "coverage": "full",
+    "notes": "Art 10 requires security throughout product lifecycle, Annex I mandates secure by design"
+  },
+  {
+    "control_id": "A.8.26",
+    "control_name": "Application security requirements",
+    "regulation": "CRA",
+    "articles": ["Annex I"],
+    "coverage": "full",
+    "notes": "Annex I Part I essential cybersecurity requirements: confidentiality, integrity, availability, authentication"
+  },
+  {
+    "control_id": "A.8.28",
+    "control_name": "Secure coding",
+    "regulation": "CRA",
+    "articles": ["10", "Annex I"],
+    "coverage": "full",
+    "notes": "Art 10 secure development, Annex I requires products delivered without known exploitable vulnerabilities"
+  },
+  {
+    "control_id": "A.8.29",
+    "control_name": "Security testing in development and acceptance",
+    "regulation": "CRA",
+    "articles": ["10", "24", "Annex I"],
+    "coverage": "full",
+    "notes": "Art 10 requires testing, Art 24 conformity assessment, Annex I requires documented risk assessment"
+  },
+  {
+    "control_id": "A.8.31",
+    "control_name": "Separation of development, test and production environments",
+    "regulation": "CRA",
+    "articles": ["10"],
+    "coverage": "partial",
+    "notes": "Art 10 implies separation through secure development process requirements"
+  },
+  {
+    "control_id": "A.8.32",
+    "control_name": "Change management",
+    "regulation": "CRA",
+    "articles": ["10", "11"],
+    "coverage": "full",
+    "notes": "Art 10 security updates, Art 11 requires 5-year support period for security patches"
+  }
+]

package/data/seed/mappings/iso27001-csddd.json

@@ -0,0 +1,50 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "CSDDD",
+    "articles": ["5", "7"],
+    "coverage": "partial",
+    "notes": "Due diligence policies including data handling"
+  },
+  {
+    "control_id": "A.5.19",
+    "control_name": "Information security in supplier relationships",
+    "regulation": "CSDDD",
+    "articles": ["6", "7", "8"],
+    "coverage": "full",
+    "notes": "Supply chain due diligence requirements"
+  },
+  {
+    "control_id": "A.5.21",
+    "control_name": "Managing information security in the ICT supply chain",
+    "regulation": "CSDDD",
+    "articles": ["6", "7"],
+    "coverage": "partial",
+    "notes": "Value chain risk assessment"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "CSDDD",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "Corporate due diligence obligations"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "CSDDD",
+    "articles": ["11"],
+    "coverage": "full",
+    "notes": "Due diligence documentation requirements"
+  },
+  {
+    "control_id": "A.6.8",
+    "control_name": "Information security event reporting",
+    "regulation": "CSDDD",
+    "articles": ["14", "15"],
+    "coverage": "partial",
+    "notes": "Grievance mechanism and reporting"
+  }
+]

package/data/seed/mappings/iso27001-csrd.json

@@ -0,0 +1,26 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "CSRD",
+    "articles": ["1"],
+    "coverage": "partial",
+    "notes": "Governance policies for sustainability reporting"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "CSRD",
+    "articles": ["1"],
+    "coverage": "full",
+    "notes": "Sustainability reporting legal requirements"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "CSRD",
+    "articles": ["1"],
+    "coverage": "full",
+    "notes": "Sustainability data record keeping"
+  }
+]

package/data/seed/mappings/iso27001-cyber_solidarity.json

@@ -0,0 +1,82 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "CYBER_SOLIDARITY",
+    "articles": ["1", "3"],
+    "coverage": "full",
+    "notes": "Establishes EU-wide cybersecurity policy framework"
+  },
+  {
+    "control_id": "A.5.2",
+    "control_name": "Information security roles and responsibilities",
+    "regulation": "CYBER_SOLIDARITY",
+    "articles": ["3", "4", "5"],
+    "coverage": "full",
+    "notes": "National and Cross-Border Cyber Hubs have defined responsibilities"
+  },
+  {
+    "control_id": "A.5.5",
+    "control_name": "Contact with authorities",
+    "regulation": "CYBER_SOLIDARITY",
+    "articles": ["3", "12"],
+    "coverage": "full",
+    "notes": "Framework for coordination with national authorities"
+  },
+  {
+    "control_id": "A.5.6",
+    "control_name": "Contact with special interest groups",
+    "regulation": "CYBER_SOLIDARITY",
+    "articles": ["12", "14"],
+    "coverage": "full",
+    "notes": "EU Cybersecurity Reserve includes private sector providers"
+  },
+  {
+    "control_id": "A.5.7",
+    "control_name": "Threat intelligence",
+    "regulation": "CYBER_SOLIDARITY",
+    "articles": ["3", "4", "5", "6"],
+    "coverage": "full",
+    "notes": "European Cybersecurity Alert System for threat detection"
+  },
+  {
+    "control_id": "A.5.24",
+    "control_name": "Information security incident management planning and preparation",
+    "regulation": "CYBER_SOLIDARITY",
+    "articles": ["9", "10", "11"],
+    "coverage": "full",
+    "notes": "Cybersecurity Emergency Mechanism for incident preparedness"
+  },
+  {
+    "control_id": "A.5.25",
+    "control_name": "Assessment and decision on information security events",
+    "regulation": "CYBER_SOLIDARITY",
+    "articles": ["6", "7", "8"],
+    "coverage": "full",
+    "notes": "Alert system for assessing cyber threats across EU"
+  },
+  {
+    "control_id": "A.5.26",
+    "control_name": "Response to information security incidents",
+    "regulation": "CYBER_SOLIDARITY",
+    "articles": ["12", "13", "14"],
+    "coverage": "full",
+    "notes": "EU Cybersecurity Reserve provides rapid incident response"
+  },
+  {
+    "control_id": "A.5.29",
+    "control_name": "Information security during disruption",
+    "regulation": "CYBER_SOLIDARITY",
+    "articles": ["9", "10"],
+    "coverage": "full",
+    "notes": "Cybersecurity Emergency Mechanism for significant incidents"
+  },
+  {
+    "control_id": "A.6.8",
+    "control_name": "Information security event reporting",
+    "regulation": "CYBER_SOLIDARITY",
+    "articles": ["6", "7"],
+    "coverage": "full",
+    "notes": "Cross-border information sharing through Cyber Hubs"
+  }
+]

package/data/seed/mappings/iso27001-cybersecurity-act.json

@@ -0,0 +1,90 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "CYBERSECURITY_ACT",
+    "articles": ["46", "47", "51"],
+    "coverage": "full",
+    "notes": "Art 46-47 certification requirements, Art 51 security objectives for certification schemes"
+  },
+  {
+    "control_id": "A.5.2",
+    "control_name": "Information security roles and responsibilities",
+    "regulation": "CYBERSECURITY_ACT",
+    "articles": ["4", "5", "6", "7"],
+    "coverage": "full",
+    "notes": "ENISA objectives and tasks (Art 4-7) define EU cybersecurity coordination roles"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "CYBERSECURITY_ACT",
+    "articles": ["1", "2", "46"],
+    "coverage": "full",
+    "notes": "Art 1-2 scope, Art 46 EU cybersecurity certification framework"
+  },
+  {
+    "control_id": "A.5.35",
+    "control_name": "Independent review of information security",
+    "regulation": "CYBERSECURITY_ACT",
+    "articles": ["56", "58", "60"],
+    "coverage": "full",
+    "notes": "Art 56-60 conformity assessment bodies and third-party certification requirements"
+  },
+  {
+    "control_id": "A.5.36",
+    "control_name": "Compliance with policies, rules and standards for information security",
+    "regulation": "CYBERSECURITY_ACT",
+    "articles": ["51", "52", "54"],
+    "coverage": "full",
+    "notes": "Art 51 security objectives, Art 52 assurance levels (basic/substantial/high), Art 54 certification criteria"
+  },
+  {
+    "control_id": "A.6.3",
+    "control_name": "Information security awareness, education and training",
+    "regulation": "CYBERSECURITY_ACT",
+    "articles": ["10", "12"],
+    "coverage": "partial",
+    "notes": "Art 10 capacity building, Art 12 knowledge development and information"
+  },
+  {
+    "control_id": "A.6.8",
+    "control_name": "Information security event reporting",
+    "regulation": "CYBERSECURITY_ACT",
+    "articles": ["8", "22"],
+    "coverage": "partial",
+    "notes": "Art 8 operational cooperation, Art 22 EU Cybersecurity Certification Group coordinates incident response"
+  },
+  {
+    "control_id": "A.8.8",
+    "control_name": "Management of technical vulnerabilities",
+    "regulation": "CYBERSECURITY_ACT",
+    "articles": ["51", "54"],
+    "coverage": "full",
+    "notes": "Art 51(f) requires minimising known vulnerabilities, Art 54 specifies vulnerability management requirements"
+  },
+  {
+    "control_id": "A.8.24",
+    "control_name": "Use of cryptography",
+    "regulation": "CYBERSECURITY_ACT",
+    "articles": ["51"],
+    "coverage": "partial",
+    "notes": "Art 51(c-d) requires protection of data confidentiality and integrity through appropriate measures"
+  },
+  {
+    "control_id": "A.8.25",
+    "control_name": "Secure development life cycle",
+    "regulation": "CYBERSECURITY_ACT",
+    "articles": ["51", "52"],
+    "coverage": "partial",
+    "notes": "Art 51(a) security by design, Art 52 assurance levels define development rigor requirements"
+  },
+  {
+    "control_id": "A.8.29",
+    "control_name": "Security testing in development and acceptance",
+    "regulation": "CYBERSECURITY_ACT",
+    "articles": ["52", "56", "58"],
+    "coverage": "full",
+    "notes": "Art 52 assurance levels require testing, Art 56-58 conformity assessment procedures"
+  }
+]