@ansvar/eu-regulations-mcp 0.1.0 → 0.2.1

package/data/seed/mappings/iso27001-red.json

@@ -0,0 +1,42 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "RED",
+    "articles": ["3", "10"],
+    "coverage": "partial",
+    "notes": "Security requirements for radio equipment"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "RED",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "Framework for radio equipment market access"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "RED",
+    "articles": ["10", "11", "12"],
+    "coverage": "full",
+    "notes": "Technical documentation and conformity records"
+  },
+  {
+    "control_id": "A.8.24",
+    "control_name": "Use of cryptography",
+    "regulation": "RED",
+    "articles": ["3"],
+    "coverage": "partial",
+    "notes": "Security requirements including encryption for connected devices"
+  },
+  {
+    "control_id": "A.8.28",
+    "control_name": "Secure coding",
+    "regulation": "RED",
+    "articles": ["3"],
+    "coverage": "partial",
+    "notes": "Software security for radio equipment"
+  }
+]

package/data/seed/mappings/iso27001-sfdr.json

@@ -0,0 +1,50 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "SFDR",
+    "articles": ["3", "4"],
+    "coverage": "partial",
+    "notes": "Policies on integration of sustainability risks in investment decisions"
+  },
+  {
+    "control_id": "A.5.10",
+    "control_name": "Acceptable use of information and other associated assets",
+    "regulation": "SFDR",
+    "articles": ["4", "7"],
+    "coverage": "partial",
+    "notes": "Rules on use of sustainability information for disclosure"
+  },
+  {
+    "control_id": "A.5.12",
+    "control_name": "Classification of information",
+    "regulation": "SFDR",
+    "articles": ["8", "9"],
+    "coverage": "full",
+    "notes": "Financial products classified by sustainability characteristics"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "SFDR",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "Establishes disclosure requirements for financial services sector"
+  },
+  {
+    "control_id": "A.5.33",
+    "control_name": "Protection of records",
+    "regulation": "SFDR",
+    "articles": ["10", "11"],
+    "coverage": "partial",
+    "notes": "Website disclosures and periodic reporting requirements"
+  },
+  {
+    "control_id": "A.5.34",
+    "control_name": "Privacy and protection of PII",
+    "regulation": "SFDR",
+    "articles": ["1"],
+    "coverage": "partial",
+    "notes": "SFDR complements GDPR requirements"
+  }
+]

package/data/seed/mappings/iso27001-un-r155.json

@@ -0,0 +1,130 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "UN_R155",
+    "articles": ["7"],
+    "coverage": "full",
+    "notes": "Section 7 requires Cyber Security Management System (CSMS) with documented policies"
+  },
+  {
+    "control_id": "A.5.2",
+    "control_name": "Information security roles and responsibilities",
+    "regulation": "UN_R155",
+    "articles": ["7"],
+    "coverage": "full",
+    "notes": "Section 7.2.2.2 requires defined organizational roles for cybersecurity"
+  },
+  {
+    "control_id": "A.5.8",
+    "control_name": "Information security in project management",
+    "regulation": "UN_R155",
+    "articles": ["7", "Annex 5"],
+    "coverage": "full",
+    "notes": "Section 7 CSMS covers vehicle development lifecycle, Annex 5 lists threats to mitigate"
+  },
+  {
+    "control_id": "A.5.19",
+    "control_name": "Information security in supplier relationships",
+    "regulation": "UN_R155",
+    "articles": ["7"],
+    "coverage": "full",
+    "notes": "Section 7.2.2.3 requires managing cybersecurity risks from suppliers and service providers"
+  },
+  {
+    "control_id": "A.5.20",
+    "control_name": "Addressing information security within supplier agreements",
+    "regulation": "UN_R155",
+    "articles": ["7"],
+    "coverage": "full",
+    "notes": "Section 7.2.2.3 requires supplier contracts to address cybersecurity requirements"
+  },
+  {
+    "control_id": "A.5.29",
+    "control_name": "Information security during disruption",
+    "regulation": "UN_R155",
+    "articles": ["7", "Annex 5"],
+    "coverage": "partial",
+    "notes": "Annex 5 includes availability threats; CSMS must address operational continuity"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "UN_R155",
+    "articles": ["1", "5"],
+    "coverage": "full",
+    "notes": "Section 1 scope, Section 5 type approval requirements for vehicle cybersecurity"
+  },
+  {
+    "control_id": "A.6.3",
+    "control_name": "Information security awareness, education and training",
+    "regulation": "UN_R155",
+    "articles": ["7"],
+    "coverage": "partial",
+    "notes": "Section 7.2.2.2 implies competent personnel for CSMS implementation"
+  },
+  {
+    "control_id": "A.6.8",
+    "control_name": "Information security event reporting",
+    "regulation": "UN_R155",
+    "articles": ["7"],
+    "coverage": "full",
+    "notes": "Section 7.2.2.4 requires monitoring, detecting and responding to cyber attacks"
+  },
+  {
+    "control_id": "A.8.8",
+    "control_name": "Management of technical vulnerabilities",
+    "regulation": "UN_R155",
+    "articles": ["7", "Annex 5"],
+    "coverage": "full",
+    "notes": "Section 7.2.2.5 requires identification and remediation of vulnerabilities"
+  },
+  {
+    "control_id": "A.8.9",
+    "control_name": "Configuration management",
+    "regulation": "UN_R155",
+    "articles": ["7"],
+    "coverage": "partial",
+    "notes": "Section 7 CSMS includes secure configuration management for vehicle systems"
+  },
+  {
+    "control_id": "A.8.16",
+    "control_name": "Monitoring activities",
+    "regulation": "UN_R155",
+    "articles": ["7"],
+    "coverage": "full",
+    "notes": "Section 7.2.2.4 requires monitoring and detection of cyber threats"
+  },
+  {
+    "control_id": "A.8.24",
+    "control_name": "Use of cryptography",
+    "regulation": "UN_R155",
+    "articles": ["7", "Annex 5"],
+    "coverage": "full",
+    "notes": "Annex 5 Part A.3.1 lists cryptographic controls as mitigations for threats"
+  },
+  {
+    "control_id": "A.8.25",
+    "control_name": "Secure development life cycle",
+    "regulation": "UN_R155",
+    "articles": ["7"],
+    "coverage": "full",
+    "notes": "Section 7.2.2.2 requires cybersecurity in vehicle type development process"
+  },
+  {
+    "control_id": "A.8.26",
+    "control_name": "Application security requirements",
+    "regulation": "UN_R155",
+    "articles": ["7", "Annex 5"],
+    "coverage": "full",
+    "notes": "Annex 5 defines security requirements for vehicle software and communications"
+  },
+  {
+    "control_id": "A.8.29",
+    "control_name": "Security testing in development and acceptance",
+    "regulation": "UN_R155",
+    "articles": ["7"],
+    "coverage": "full",
+    "notes": "Section 7.2.2.2 requires testing and validation of cybersecurity measures"
+  }
+]

package/data/seed/mappings/iso27001-un-r156.json

@@ -0,0 +1,106 @@
+[
+  {
+    "control_id": "A.5.1",
+    "control_name": "Policies for information security",
+    "regulation": "UN_R156",
+    "articles": ["7"],
+    "coverage": "full",
+    "notes": "Section 7 requires Software Update Management System (SUMS) with documented policies"
+  },
+  {
+    "control_id": "A.5.2",
+    "control_name": "Information security roles and responsibilities",
+    "regulation": "UN_R156",
+    "articles": ["7"],
+    "coverage": "full",
+    "notes": "Section 7.1.2 requires defined organizational processes for software update management"
+  },
+  {
+    "control_id": "A.5.8",
+    "control_name": "Information security in project management",
+    "regulation": "UN_R156",
+    "articles": ["7"],
+    "coverage": "full",
+    "notes": "Section 7 SUMS covers software update lifecycle including OTA updates"
+  },
+  {
+    "control_id": "A.5.19",
+    "control_name": "Information security in supplier relationships",
+    "regulation": "UN_R156",
+    "articles": ["7"],
+    "coverage": "partial",
+    "notes": "Section 7 implies supplier management for software components affecting vehicle type"
+  },
+  {
+    "control_id": "A.5.31",
+    "control_name": "Legal, statutory, regulatory and contractual requirements",
+    "regulation": "UN_R156",
+    "articles": ["1", "5"],
+    "coverage": "full",
+    "notes": "Section 1 scope, Section 5 type approval requirements for software updates"
+  },
+  {
+    "control_id": "A.6.8",
+    "control_name": "Information security event reporting",
+    "regulation": "UN_R156",
+    "articles": ["7"],
+    "coverage": "partial",
+    "notes": "Section 7.1.3 requires documentation of software update processes including failures"
+  },
+  {
+    "control_id": "A.8.8",
+    "control_name": "Management of technical vulnerabilities",
+    "regulation": "UN_R156",
+    "articles": ["7"],
+    "coverage": "full",
+    "notes": "Section 7 SUMS addresses security-relevant software updates and patches"
+  },
+  {
+    "control_id": "A.8.9",
+    "control_name": "Configuration management",
+    "regulation": "UN_R156",
+    "articles": ["7"],
+    "coverage": "full",
+    "notes": "Section 7.1.2 requires RXSWIN (Rx Software Identification Number) for version tracking"
+  },
+  {
+    "control_id": "A.8.15",
+    "control_name": "Logging",
+    "regulation": "UN_R156",
+    "articles": ["7"],
+    "coverage": "partial",
+    "notes": "Section 7 requires documentation and traceability of software updates"
+  },
+  {
+    "control_id": "A.8.24",
+    "control_name": "Use of cryptography",
+    "regulation": "UN_R156",
+    "articles": ["7"],
+    "coverage": "full",
+    "notes": "Section 7.2 requires integrity verification of software updates using cryptographic mechanisms"
+  },
+  {
+    "control_id": "A.8.25",
+    "control_name": "Secure development life cycle",
+    "regulation": "UN_R156",
+    "articles": ["7"],
+    "coverage": "full",
+    "notes": "Section 7 integrates SUMS into vehicle development and maintenance lifecycle"
+  },
+  {
+    "control_id": "A.8.29",
+    "control_name": "Security testing in development and acceptance",
+    "regulation": "UN_R156",
+    "articles": ["7"],
+    "coverage": "full",
+    "notes": "Section 7.2 requires testing and validation before software updates are released"
+  },
+  {
+    "control_id": "A.8.32",
+    "control_name": "Change management",
+    "regulation": "UN_R156",
+    "articles": ["7", "8"],
+    "coverage": "full",
+    "notes": "Section 7 SUMS manages software changes, Section 8 covers vehicle type modifications"
+  }
+]

package/data/seed/mappings/nist-csf-ai-act.json

@@ -0,0 +1,138 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "AI_ACT",
+    "articles": ["1", "2", "5", "6"],
+    "coverage": "full",
+    "notes": "Art 1-2 scope, Art 5 prohibited practices, Art 6 high-risk classification"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "AI_ACT",
+    "articles": ["9"],
+    "coverage": "full",
+    "notes": "Art 9 comprehensive risk management system for high-risk AI"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "AI_ACT",
+    "articles": ["16", "26", "27"],
+    "coverage": "full",
+    "notes": "Art 16 provider, Art 26 deployer, Art 27 fundamental rights obligations"
+  },
+  {
+    "control_id": "GV.PO-01",
+    "control_name": "Cybersecurity policy",
+    "regulation": "AI_ACT",
+    "articles": ["9", "15", "17"],
+    "coverage": "full",
+    "notes": "Art 9 risk management, Art 15 robustness, Art 17 quality management"
+  },
+  {
+    "control_id": "GV.OV-01",
+    "control_name": "Cybersecurity risk management oversight",
+    "regulation": "AI_ACT",
+    "articles": ["72"],
+    "coverage": "full",
+    "notes": "Art 72 post-market monitoring obligations"
+  },
+  {
+    "control_id": "ID.AM-01",
+    "control_name": "Inventories of assets",
+    "regulation": "AI_ACT",
+    "articles": ["18", "71"],
+    "coverage": "full",
+    "notes": "Art 18 technical documentation, Art 71 EU AI database registration"
+  },
+  {
+    "control_id": "ID.RA-01",
+    "control_name": "Vulnerabilities in assets are identified",
+    "regulation": "AI_ACT",
+    "articles": ["9", "15"],
+    "coverage": "full",
+    "notes": "Art 9 risk identification, Art 15 robustness requirements"
+  },
+  {
+    "control_id": "ID.RA-03",
+    "control_name": "Internal and external threats are identified",
+    "regulation": "AI_ACT",
+    "articles": ["9", "15"],
+    "coverage": "full",
+    "notes": "Art 9 threat assessment in risk management, Art 15 adversarial robustness"
+  },
+  {
+    "control_id": "ID.RA-05",
+    "control_name": "Risk responses are identified",
+    "regulation": "AI_ACT",
+    "articles": ["9"],
+    "coverage": "full",
+    "notes": "Art 9 requires risk mitigation measures throughout lifecycle"
+  },
+  {
+    "control_id": "PR.AA-05",
+    "control_name": "Access permissions and authorizations are managed",
+    "regulation": "AI_ACT",
+    "articles": ["14"],
+    "coverage": "full",
+    "notes": "Art 14 human oversight includes access controls"
+  },
+  {
+    "control_id": "PR.AT-01",
+    "control_name": "Awareness and training provided",
+    "regulation": "AI_ACT",
+    "articles": ["4", "14"],
+    "coverage": "full",
+    "notes": "Art 4 AI literacy requirements, Art 14 trained human oversight"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "AI_ACT",
+    "articles": ["10"],
+    "coverage": "partial",
+    "notes": "Art 10 data governance includes data protection measures"
+  },
+  {
+    "control_id": "PR.DS-10",
+    "control_name": "Data is disposed of properly",
+    "regulation": "AI_ACT",
+    "articles": ["10"],
+    "coverage": "partial",
+    "notes": "Art 10 data governance includes retention policies"
+  },
+  {
+    "control_id": "DE.CM-01",
+    "control_name": "Networks and network services are monitored",
+    "regulation": "AI_ACT",
+    "articles": ["12", "72"],
+    "coverage": "full",
+    "notes": "Art 12 automatic logging, Art 72 post-market monitoring"
+  },
+  {
+    "control_id": "DE.AE-02",
+    "control_name": "Potentially adverse events are analyzed",
+    "regulation": "AI_ACT",
+    "articles": ["12", "72"],
+    "coverage": "full",
+    "notes": "Art 12 logging for analysis, Art 72 incident analysis"
+  },
+  {
+    "control_id": "RS.MA-01",
+    "control_name": "Incident response plan is executed",
+    "regulation": "AI_ACT",
+    "articles": ["73"],
+    "coverage": "full",
+    "notes": "Art 73 serious incident reporting requirements"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "AI_ACT",
+    "articles": ["73"],
+    "coverage": "full",
+    "notes": "Art 73 requires reporting to market surveillance authorities"
+  }
+]

package/data/seed/mappings/nist-csf-aifmd.json

@@ -0,0 +1,58 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "AIFMD",
+    "articles": ["1", "2", "3", "4"],
+    "coverage": "full",
+    "notes": "Alternative investment fund management context"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "AIFMD",
+    "articles": ["15", "16"],
+    "coverage": "full",
+    "notes": "Risk management requirements for AIFMs"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "AIFMD",
+    "articles": ["18", "19", "20"],
+    "coverage": "full",
+    "notes": "AIFM organizational requirements"
+  },
+  {
+    "control_id": "GV.SC-01",
+    "control_name": "Supply chain risk management program",
+    "regulation": "AIFMD",
+    "articles": ["20"],
+    "coverage": "full",
+    "notes": "Delegation arrangements and oversight"
+  },
+  {
+    "control_id": "ID.AM-01",
+    "control_name": "Inventories of assets",
+    "regulation": "AIFMD",
+    "articles": ["21"],
+    "coverage": "full",
+    "notes": "Depositary asset safekeeping"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "AIFMD",
+    "articles": ["22", "24"],
+    "coverage": "partial",
+    "notes": "Record keeping and reporting data protection"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "AIFMD",
+    "articles": ["24", "25"],
+    "coverage": "full",
+    "notes": "Reporting to competent authorities"
+  }
+]

package/data/seed/mappings/nist-csf-cbam.json

@@ -0,0 +1,42 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "CBAM",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "Carbon border adjustment mechanism context"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "CBAM",
+    "articles": ["5", "6", "7"],
+    "coverage": "full",
+    "notes": "Authorized CBAM declarant responsibilities"
+  },
+  {
+    "control_id": "ID.AM-01",
+    "control_name": "Inventories of assets",
+    "regulation": "CBAM",
+    "articles": ["7", "8", "9"],
+    "coverage": "full",
+    "notes": "CBAM declarations and embedded emissions data"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "CBAM",
+    "articles": ["10", "11"],
+    "coverage": "partial",
+    "notes": "Protection of emissions data and declarations"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "CBAM",
+    "articles": ["33", "34"],
+    "coverage": "full",
+    "notes": "Reporting to competent authorities"
+  }
+]

package/data/seed/mappings/nist-csf-cer.json

@@ -0,0 +1,90 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "CER",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "Critical entities resilience regulatory context"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "CER",
+    "articles": ["12", "13"],
+    "coverage": "full",
+    "notes": "Risk assessment for critical entities"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "CER",
+    "articles": ["9", "13"],
+    "coverage": "full",
+    "notes": "Critical entity resilience responsibilities"
+  },
+  {
+    "control_id": "GV.PO-01",
+    "control_name": "Cybersecurity policy",
+    "regulation": "CER",
+    "articles": ["13", "14"],
+    "coverage": "full",
+    "notes": "Resilience policies for critical entities"
+  },
+  {
+    "control_id": "ID.RA-01",
+    "control_name": "Vulnerabilities in assets are identified",
+    "regulation": "CER",
+    "articles": ["12"],
+    "coverage": "full",
+    "notes": "National risk assessment requirements"
+  },
+  {
+    "control_id": "ID.RA-03",
+    "control_name": "Internal and external threats are identified",
+    "regulation": "CER",
+    "articles": ["12", "13"],
+    "coverage": "full",
+    "notes": "Threat identification for critical infrastructure"
+  },
+  {
+    "control_id": "PR.IR-01",
+    "control_name": "Incident response plan exists",
+    "regulation": "CER",
+    "articles": ["13", "14"],
+    "coverage": "full",
+    "notes": "Incident response and resilience measures"
+  },
+  {
+    "control_id": "DE.CM-01",
+    "control_name": "Networks and network services are monitored",
+    "regulation": "CER",
+    "articles": ["13"],
+    "coverage": "partial",
+    "notes": "Physical and technical monitoring measures"
+  },
+  {
+    "control_id": "RS.CO-02",
+    "control_name": "Incidents are reported internally",
+    "regulation": "CER",
+    "articles": ["15"],
+    "coverage": "full",
+    "notes": "Internal incident notification processes"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "CER",
+    "articles": ["9", "15"],
+    "coverage": "full",
+    "notes": "Incident notification to competent authorities"
+  },
+  {
+    "control_id": "RC.RP-01",
+    "control_name": "Recovery plan is executed",
+    "regulation": "CER",
+    "articles": ["13"],
+    "coverage": "full",
+    "notes": "Business continuity for critical services"
+  }
+]