@ansvar/eu-regulations-mcp 0.1.0 → 0.2.1

package/data/seed/mappings/iso27001-eudr.json

@@ -0,0 +1,34 @@
+[
+  {
+    "control_id": "A.5.19",
+    "control_name": "Information security in supplier relationships",
+    "regulation": "EUDR",
+    "articles": ["8", "9", "10"],
+    "coverage": "full",
+    "notes": "Supply chain due diligence for deforestation-free products"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "EUDR",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "Deforestation-free supply chain requirements"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "EUDR",
+    "articles": ["9", "12"],
+    "coverage": "full",
+    "notes": "Due diligence statements and traceability records"
+  },
+  {
+    "control_id": "A.8.12",
+    "control_name": "Data leakage prevention",
+    "regulation": "EUDR",
+    "articles": ["9"],
+    "coverage": "partial",
+    "notes": "Protection of supply chain traceability data"
+  }
+]

package/data/seed/mappings/iso27001-gpsr.json

@@ -0,0 +1,42 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "GPSR",
+    "articles": ["9", "10"],
+    "coverage": "partial",
+    "notes": "Product safety management policies"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "GPSR",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "General product safety requirements"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "GPSR",
+    "articles": ["9", "10", "11", "12"],
+    "coverage": "full",
+    "notes": "Technical documentation and traceability"
+  },
+  {
+    "control_id": "A.6.8",
+    "control_name": "Information security event reporting",
+    "regulation": "GPSR",
+    "articles": ["20", "21"],
+    "coverage": "full",
+    "notes": "Product safety incident notification"
+  },
+  {
+    "control_id": "A.8.28",
+    "control_name": "Secure coding",
+    "regulation": "GPSR",
+    "articles": ["6", "7"],
+    "coverage": "partial",
+    "notes": "Safety requirements for connected products"
+  }
+]

package/data/seed/mappings/iso27001-ivdr.json

@@ -0,0 +1,66 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "IVDR",
+    "articles": ["10", "23"],
+    "coverage": "full",
+    "notes": "Quality management system and cybersecurity requirements"
+  },
+  {
+    "control_id": "A.5.8",
+    "control_name": "Information security in project management",
+    "regulation": "IVDR",
+    "articles": ["10", "56"],
+    "coverage": "full",
+    "notes": "Security in IVD device design and development"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "IVDR",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "Regulatory framework for in vitro diagnostic devices"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "IVDR",
+    "articles": ["10", "24"],
+    "coverage": "full",
+    "notes": "Technical documentation and UDI-DI requirements"
+  },
+  {
+    "control_id": "A.6.8",
+    "control_name": "Information security event reporting",
+    "regulation": "IVDR",
+    "articles": ["82", "83", "84"],
+    "coverage": "full",
+    "notes": "Vigilance reporting for serious incidents"
+  },
+  {
+    "control_id": "A.8.9",
+    "control_name": "Configuration management",
+    "regulation": "IVDR",
+    "articles": ["10"],
+    "coverage": "full",
+    "notes": "Device configuration and software version control"
+  },
+  {
+    "control_id": "A.8.24",
+    "control_name": "Use of cryptography",
+    "regulation": "IVDR",
+    "articles": ["10"],
+    "coverage": "partial",
+    "notes": "Security measures for connected IVD devices"
+  },
+  {
+    "control_id": "A.8.28",
+    "control_name": "Secure coding",
+    "regulation": "IVDR",
+    "articles": ["10"],
+    "coverage": "full",
+    "notes": "Software requirements in general safety and performance"
+  }
+]

package/data/seed/mappings/iso27001-led.json

@@ -0,0 +1,74 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "LED",
+    "articles": ["19", "29"],
+    "coverage": "full",
+    "notes": "Security policies required for law enforcement data processing"
+  },
+  {
+    "control_id": "A.5.2",
+    "control_name": "Information security roles and responsibilities",
+    "regulation": "LED",
+    "articles": ["32", "33", "34"],
+    "coverage": "full",
+    "notes": "Data protection officer designation and controller responsibilities"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "LED",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Legal framework for law enforcement data processing"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "LED",
+    "articles": ["24", "25"],
+    "coverage": "full",
+    "notes": "Logging and record-keeping requirements"
+  },
+  {
+    "control_id": "A.5.34",
+    "control_name": "Privacy and protection of PII",
+    "regulation": "LED",
+    "articles": ["4", "8", "9", "13", "14", "15", "16"],
+    "coverage": "full",
+    "notes": "Data subject rights and data protection principles"
+  },
+  {
+    "control_id": "A.6.8",
+    "control_name": "Information security event reporting",
+    "regulation": "LED",
+    "articles": ["30", "31"],
+    "coverage": "full",
+    "notes": "Personal data breach notification to supervisory authority"
+  },
+  {
+    "control_id": "A.8.3",
+    "control_name": "Information access restriction",
+    "regulation": "LED",
+    "articles": ["19", "29"],
+    "coverage": "full",
+    "notes": "Access controls for law enforcement data"
+  },
+  {
+    "control_id": "A.8.10",
+    "control_name": "Information deletion",
+    "regulation": "LED",
+    "articles": ["5", "16"],
+    "coverage": "full",
+    "notes": "Data minimization and right to erasure"
+  },
+  {
+    "control_id": "A.8.11",
+    "control_name": "Data masking",
+    "regulation": "LED",
+    "articles": ["4", "19"],
+    "coverage": "partial",
+    "notes": "Distinction between data subjects and pseudonymization"
+  }
+]

package/data/seed/mappings/iso27001-machinery.json

@@ -0,0 +1,50 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "MACHINERY",
+    "articles": ["10", "18"],
+    "coverage": "partial",
+    "notes": "Security policies for machinery with digital components"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "MACHINERY",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "Health and safety requirements for machinery"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "MACHINERY",
+    "articles": ["10", "11", "12"],
+    "coverage": "full",
+    "notes": "Technical documentation requirements"
+  },
+  {
+    "control_id": "A.8.9",
+    "control_name": "Configuration management",
+    "regulation": "MACHINERY",
+    "articles": ["18"],
+    "coverage": "partial",
+    "notes": "Software configuration for safety functions"
+  },
+  {
+    "control_id": "A.8.24",
+    "control_name": "Use of cryptography",
+    "regulation": "MACHINERY",
+    "articles": ["18"],
+    "coverage": "partial",
+    "notes": "Security for connected machinery"
+  },
+  {
+    "control_id": "A.8.28",
+    "control_name": "Secure coding",
+    "regulation": "MACHINERY",
+    "articles": ["18"],
+    "coverage": "full",
+    "notes": "Software safety requirements including cybersecurity"
+  }
+]

package/data/seed/mappings/iso27001-mdr.json

@@ -0,0 +1,82 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "MDR",
+    "articles": ["10", "23"],
+    "coverage": "full",
+    "notes": "Quality management system and cybersecurity requirements"
+  },
+  {
+    "control_id": "A.5.8",
+    "control_name": "Information security in project management",
+    "regulation": "MDR",
+    "articles": ["10", "61"],
+    "coverage": "full",
+    "notes": "Security considerations in device design and development"
+  },
+  {
+    "control_id": "A.5.23",
+    "control_name": "Information security for use of cloud services",
+    "regulation": "MDR",
+    "articles": ["10"],
+    "coverage": "partial",
+    "notes": "Connected device security requirements"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "MDR",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Comprehensive regulatory framework for medical devices"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "MDR",
+    "articles": ["10", "87"],
+    "coverage": "full",
+    "notes": "Technical documentation and UDI requirements"
+  },
+  {
+    "control_id": "A.6.8",
+    "control_name": "Information security event reporting",
+    "regulation": "MDR",
+    "articles": ["87", "88", "89"],
+    "coverage": "full",
+    "notes": "Vigilance reporting for serious incidents"
+  },
+  {
+    "control_id": "A.8.9",
+    "control_name": "Configuration management",
+    "regulation": "MDR",
+    "articles": ["10"],
+    "coverage": "full",
+    "notes": "Device configuration and version control requirements"
+  },
+  {
+    "control_id": "A.8.24",
+    "control_name": "Use of cryptography",
+    "regulation": "MDR",
+    "articles": ["10"],
+    "coverage": "partial",
+    "notes": "Security measures for connected medical devices"
+  },
+  {
+    "control_id": "A.8.28",
+    "control_name": "Secure coding",
+    "regulation": "MDR",
+    "articles": ["10"],
+    "coverage": "full",
+    "notes": "Software safety and security requirements in Annex I"
+  },
+  {
+    "control_id": "A.8.31",
+    "control_name": "Separation of development, test and production environments",
+    "regulation": "MDR",
+    "articles": ["10"],
+    "coverage": "partial",
+    "notes": "Quality management includes development environment controls"
+  }
+]

package/data/seed/mappings/iso27001-mica.json

@@ -0,0 +1,66 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "MICA",
+    "articles": ["68", "75"],
+    "coverage": "full",
+    "notes": "ICT security policies for crypto-asset service providers"
+  },
+  {
+    "control_id": "A.5.2",
+    "control_name": "Information security roles and responsibilities",
+    "regulation": "MICA",
+    "articles": ["68", "75"],
+    "coverage": "full",
+    "notes": "Governance arrangements for CASPs"
+  },
+  {
+    "control_id": "A.5.7",
+    "control_name": "Threat intelligence",
+    "regulation": "MICA",
+    "articles": ["68"],
+    "coverage": "partial",
+    "notes": "Security monitoring requirements"
+  },
+  {
+    "control_id": "A.5.24",
+    "control_name": "Information security incident management planning and preparation",
+    "regulation": "MICA",
+    "articles": ["68"],
+    "coverage": "full",
+    "notes": "Business continuity and incident response"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "MICA",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Comprehensive framework for crypto-asset markets"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "MICA",
+    "articles": ["68", "75"],
+    "coverage": "full",
+    "notes": "Record keeping for crypto transactions"
+  },
+  {
+    "control_id": "A.8.3",
+    "control_name": "Information access restriction",
+    "regulation": "MICA",
+    "articles": ["68", "75"],
+    "coverage": "full",
+    "notes": "Access controls for crypto-asset custody"
+  },
+  {
+    "control_id": "A.8.24",
+    "control_name": "Use of cryptography",
+    "regulation": "MICA",
+    "articles": ["68"],
+    "coverage": "full",
+    "notes": "Cryptographic controls for digital assets"
+  }
+]

package/data/seed/mappings/iso27001-mifid2.json

@@ -0,0 +1,66 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "MIFID2",
+    "articles": ["16", "17"],
+    "coverage": "full",
+    "notes": "Organizational requirements and algorithmic trading controls"
+  },
+  {
+    "control_id": "A.5.2",
+    "control_name": "Information security roles and responsibilities",
+    "regulation": "MIFID2",
+    "articles": ["9", "16"],
+    "coverage": "full",
+    "notes": "Management body responsibilities and compliance function"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "MIFID2",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "Comprehensive framework for investment services"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "MIFID2",
+    "articles": ["16", "25"],
+    "coverage": "full",
+    "notes": "Record keeping and client information requirements"
+  },
+  {
+    "control_id": "A.5.34",
+    "control_name": "Privacy and protection of PII",
+    "regulation": "MIFID2",
+    "articles": ["16"],
+    "coverage": "partial",
+    "notes": "Client data protection requirements"
+  },
+  {
+    "control_id": "A.8.1",
+    "control_name": "User endpoint devices",
+    "regulation": "MIFID2",
+    "articles": ["17"],
+    "coverage": "partial",
+    "notes": "Controls for algorithmic trading systems"
+  },
+  {
+    "control_id": "A.8.4",
+    "control_name": "Access to source code",
+    "regulation": "MIFID2",
+    "articles": ["17"],
+    "coverage": "partial",
+    "notes": "Algorithm source code access controls"
+  },
+  {
+    "control_id": "A.8.6",
+    "control_name": "Capacity management",
+    "regulation": "MIFID2",
+    "articles": ["17", "48"],
+    "coverage": "full",
+    "notes": "System capacity and resilience requirements"
+  }
+]

package/data/seed/mappings/iso27001-mifir.json

@@ -0,0 +1,42 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "MIFIR",
+    "articles": ["1", "2"],
+    "coverage": "partial",
+    "notes": "Framework for trading transparency and reporting"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "MIFIR",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "Uniform requirements for trading venues"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "MIFIR",
+    "articles": ["25", "26"],
+    "coverage": "full",
+    "notes": "Transaction reporting and record keeping"
+  },
+  {
+    "control_id": "A.8.12",
+    "control_name": "Data leakage prevention",
+    "regulation": "MIFIR",
+    "articles": ["1", "25"],
+    "coverage": "partial",
+    "notes": "Controls for trade data protection"
+  },
+  {
+    "control_id": "A.8.16",
+    "control_name": "Monitoring activities",
+    "regulation": "MIFIR",
+    "articles": ["25", "26"],
+    "coverage": "full",
+    "notes": "Transaction monitoring and reporting"
+  }
+]

package/data/seed/mappings/iso27001-pld.json

@@ -0,0 +1,26 @@
+[
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "PLD",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Liability framework for defective products"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "PLD",
+    "articles": ["9", "10"],
+    "coverage": "full",
+    "notes": "Evidence preservation for liability claims"
+  },
+  {
+    "control_id": "A.8.28",
+    "control_name": "Secure coding",
+    "regulation": "PLD",
+    "articles": ["2", "6"],
+    "coverage": "full",
+    "notes": "Software defects can establish product liability"
+  }
+]

package/data/seed/mappings/iso27001-psd2.json

@@ -0,0 +1,82 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "PSD2",
+    "articles": ["5", "95"],
+    "coverage": "full",
+    "notes": "Security policies for payment service providers"
+  },
+  {
+    "control_id": "A.5.2",
+    "control_name": "Information security roles and responsibilities",
+    "regulation": "PSD2",
+    "articles": ["5", "11"],
+    "coverage": "full",
+    "notes": "Governance and internal control requirements"
+  },
+  {
+    "control_id": "A.5.24",
+    "control_name": "Information security incident management planning and preparation",
+    "regulation": "PSD2",
+    "articles": ["96"],
+    "coverage": "full",
+    "notes": "Incident reporting framework for PSPs"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "PSD2",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "Authorization and operating requirements for PSPs"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "PSD2",
+    "articles": ["5", "40"],
+    "coverage": "full",
+    "notes": "Record keeping and transparency requirements"
+  },
+  {
+    "control_id": "A.5.34",
+    "control_name": "Privacy and protection of PII",
+    "regulation": "PSD2",
+    "articles": ["94"],
+    "coverage": "full",
+    "notes": "Data protection requirements for payment data"
+  },
+  {
+    "control_id": "A.6.8",
+    "control_name": "Information security event reporting",
+    "regulation": "PSD2",
+    "articles": ["96"],
+    "coverage": "full",
+    "notes": "Major incident notification requirements"
+  },
+  {
+    "control_id": "A.8.3",
+    "control_name": "Information access restriction",
+    "regulation": "PSD2",
+    "articles": ["66", "67", "97"],
+    "coverage": "full",
+    "notes": "Strong customer authentication requirements"
+  },
+  {
+    "control_id": "A.8.5",
+    "control_name": "Secure authentication",
+    "regulation": "PSD2",
+    "articles": ["97", "98"],
+    "coverage": "full",
+    "notes": "SCA and secure communication requirements"
+  },
+  {
+    "control_id": "A.8.24",
+    "control_name": "Use of cryptography",
+    "regulation": "PSD2",
+    "articles": ["95", "97"],
+    "coverage": "full",
+    "notes": "Encryption requirements for payment transactions"
+  }
+]