@ansvar/eu-regulations-mcp 0.1.0 → 0.2.1

package/data/seed/mappings/nist-csf-eu_taxonomy.json

@@ -0,0 +1,34 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "EU_TAXONOMY",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Taxonomy framework for sustainable activities"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "EU_TAXONOMY",
+    "articles": ["8", "18"],
+    "coverage": "full",
+    "notes": "Disclosure obligations and responsibilities"
+  },
+  {
+    "control_id": "ID.AM-01",
+    "control_name": "Inventories of assets",
+    "regulation": "EU_TAXONOMY",
+    "articles": ["8", "10"],
+    "coverage": "partial",
+    "notes": "Inventory of taxonomy-aligned activities"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "EU_TAXONOMY",
+    "articles": ["8"],
+    "coverage": "partial",
+    "notes": "Protection of taxonomy disclosure data"
+  }
+]

package/data/seed/mappings/nist-csf-eucc.json

@@ -0,0 +1,66 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "EUCC",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "Common Criteria cybersecurity certification context"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "EUCC",
+    "articles": ["3", "4"],
+    "coverage": "full",
+    "notes": "Security evaluation and assurance levels"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "EUCC",
+    "articles": ["18", "19", "20"],
+    "coverage": "full",
+    "notes": "NCCAs, CABs, and certification body roles"
+  },
+  {
+    "control_id": "ID.RA-01",
+    "control_name": "Vulnerabilities in assets are identified",
+    "regulation": "EUCC",
+    "articles": ["7", "8", "9"],
+    "coverage": "full",
+    "notes": "Vulnerability analysis during certification"
+  },
+  {
+    "control_id": "ID.RA-05",
+    "control_name": "Risk responses are identified",
+    "regulation": "EUCC",
+    "articles": ["10", "11"],
+    "coverage": "full",
+    "notes": "Security targets and protection profiles"
+  },
+  {
+    "control_id": "PR.PS-01",
+    "control_name": "Configuration management practices established",
+    "regulation": "EUCC",
+    "articles": ["35", "36"],
+    "coverage": "full",
+    "notes": "ICT product configuration management"
+  },
+  {
+    "control_id": "DE.CM-01",
+    "control_name": "Networks and network services are monitored",
+    "regulation": "EUCC",
+    "articles": ["28", "29"],
+    "coverage": "partial",
+    "notes": "Ongoing surveillance requirements"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "EUCC",
+    "articles": ["28", "30"],
+    "coverage": "full",
+    "notes": "Vulnerability disclosure and reporting"
+  }
+]

package/data/seed/mappings/nist-csf-eudr.json

@@ -0,0 +1,58 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "EUDR",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "Deforestation-free products regulatory context"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "EUDR",
+    "articles": ["8", "10"],
+    "coverage": "full",
+    "notes": "Due diligence risk assessment"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "EUDR",
+    "articles": ["3", "4", "5"],
+    "coverage": "full",
+    "notes": "Operator and trader responsibilities"
+  },
+  {
+    "control_id": "GV.SC-01",
+    "control_name": "Supply chain risk management program",
+    "regulation": "EUDR",
+    "articles": ["8", "9", "10"],
+    "coverage": "full",
+    "notes": "Supply chain due diligence for deforestation-free products"
+  },
+  {
+    "control_id": "ID.AM-01",
+    "control_name": "Inventories of assets",
+    "regulation": "EUDR",
+    "articles": ["9", "12"],
+    "coverage": "full",
+    "notes": "Geolocation data and traceability records"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "EUDR",
+    "articles": ["9"],
+    "coverage": "partial",
+    "notes": "Protection of supply chain traceability data"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "EUDR",
+    "articles": ["31", "32"],
+    "coverage": "full",
+    "notes": "Due diligence statements and reporting"
+  }
+]

package/data/seed/mappings/nist-csf-gdpr.json

@@ -0,0 +1,178 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "GDPR",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "GDPR Art 1-3 define organizational context for data protection compliance"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "GDPR",
+    "articles": ["24", "32"],
+    "coverage": "full",
+    "notes": "Art 24 controller responsibility, Art 32 security of processing based on risk"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "GDPR",
+    "articles": ["24", "26", "37", "38", "39"],
+    "coverage": "full",
+    "notes": "Controller/processor responsibilities (Art 24, 26), DPO designation and tasks (Art 37-39)"
+  },
+  {
+    "control_id": "GV.PO-01",
+    "control_name": "Cybersecurity policy",
+    "regulation": "GDPR",
+    "articles": ["24", "32"],
+    "coverage": "partial",
+    "notes": "Art 24 requires appropriate policies, Art 32 security measures"
+  },
+  {
+    "control_id": "ID.AM-01",
+    "control_name": "Inventories of assets",
+    "regulation": "GDPR",
+    "articles": ["30"],
+    "coverage": "partial",
+    "notes": "Art 30 requires records of processing activities including data categories"
+  },
+  {
+    "control_id": "ID.AM-02",
+    "control_name": "Software platforms and applications inventories",
+    "regulation": "GDPR",
+    "articles": ["30", "32"],
+    "coverage": "partial",
+    "notes": "Art 30 records of processing, Art 32 implies knowledge of systems processing data"
+  },
+  {
+    "control_id": "ID.RA-01",
+    "control_name": "Vulnerabilities in assets are identified",
+    "regulation": "GDPR",
+    "articles": ["32", "35"],
+    "coverage": "partial",
+    "notes": "Art 32 risk assessment for security, Art 35 DPIA for high-risk processing"
+  },
+  {
+    "control_id": "ID.RA-03",
+    "control_name": "Internal and external threats are identified",
+    "regulation": "GDPR",
+    "articles": ["32", "35"],
+    "coverage": "partial",
+    "notes": "Art 32 requires protection against threats, Art 35 threat identification in DPIA"
+  },
+  {
+    "control_id": "ID.RA-05",
+    "control_name": "Risk responses are identified",
+    "regulation": "GDPR",
+    "articles": ["32", "35"],
+    "coverage": "full",
+    "notes": "Art 32 appropriate security measures, Art 35 measures to address risks"
+  },
+  {
+    "control_id": "PR.AA-01",
+    "control_name": "Identities and credentials for authorized users",
+    "regulation": "GDPR",
+    "articles": ["25", "32"],
+    "coverage": "partial",
+    "notes": "Art 25 data protection by design, Art 32 access control as security measure"
+  },
+  {
+    "control_id": "PR.AA-03",
+    "control_name": "Users and services are authenticated",
+    "regulation": "GDPR",
+    "articles": ["32"],
+    "coverage": "partial",
+    "notes": "Art 32 requires appropriate technical measures including authentication"
+  },
+  {
+    "control_id": "PR.AA-05",
+    "control_name": "Access permissions and authorizations are managed",
+    "regulation": "GDPR",
+    "articles": ["25", "32"],
+    "coverage": "full",
+    "notes": "Art 25 data minimization by default, Art 32 access control measures"
+  },
+  {
+    "control_id": "PR.AT-01",
+    "control_name": "Awareness and training provided",
+    "regulation": "GDPR",
+    "articles": ["39", "47"],
+    "coverage": "partial",
+    "notes": "Art 39 DPO tasks include awareness, Art 47 BCR training requirements"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "GDPR",
+    "articles": ["32"],
+    "coverage": "full",
+    "notes": "Art 32 explicitly mentions encryption and pseudonymisation"
+  },
+  {
+    "control_id": "PR.DS-02",
+    "control_name": "Data-in-transit is protected",
+    "regulation": "GDPR",
+    "articles": ["32"],
+    "coverage": "full",
+    "notes": "Art 32 requires appropriate security for data transmission"
+  },
+  {
+    "control_id": "PR.DS-10",
+    "control_name": "Data is disposed of properly",
+    "regulation": "GDPR",
+    "articles": ["5", "17"],
+    "coverage": "full",
+    "notes": "Art 5 storage limitation, Art 17 right to erasure"
+  },
+  {
+    "control_id": "DE.CM-01",
+    "control_name": "Networks and network services are monitored",
+    "regulation": "GDPR",
+    "articles": ["32"],
+    "coverage": "partial",
+    "notes": "Art 32 implies monitoring as part of security measures"
+  },
+  {
+    "control_id": "DE.AE-02",
+    "control_name": "Potentially adverse events are analyzed",
+    "regulation": "GDPR",
+    "articles": ["33"],
+    "coverage": "full",
+    "notes": "Art 33 requires assessing breach impact for notification"
+  },
+  {
+    "control_id": "RS.MA-01",
+    "control_name": "Incident response plan is executed",
+    "regulation": "GDPR",
+    "articles": ["33", "34"],
+    "coverage": "full",
+    "notes": "Art 33 breach notification to authority, Art 34 notification to data subjects"
+  },
+  {
+    "control_id": "RS.CO-02",
+    "control_name": "Incidents are reported internally",
+    "regulation": "GDPR",
+    "articles": ["33"],
+    "coverage": "full",
+    "notes": "Art 33 requires internal awareness to notify within 72 hours"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "GDPR",
+    "articles": ["33", "34"],
+    "coverage": "full",
+    "notes": "Art 33 notification to supervisory authority, Art 34 to data subjects"
+  },
+  {
+    "control_id": "RC.RP-01",
+    "control_name": "Recovery plan is executed",
+    "regulation": "GDPR",
+    "articles": ["32"],
+    "coverage": "partial",
+    "notes": "Art 32(1)(c) ability to restore availability and access to data"
+  }
+]

package/data/seed/mappings/nist-csf-gpsr.json

@@ -0,0 +1,58 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "GPSR",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "General product safety regulatory context"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "GPSR",
+    "articles": ["6", "9"],
+    "coverage": "full",
+    "notes": "Product safety risk assessment"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "GPSR",
+    "articles": ["9", "10", "11"],
+    "coverage": "full",
+    "notes": "Economic operator responsibilities"
+  },
+  {
+    "control_id": "GV.SC-01",
+    "control_name": "Supply chain risk management program",
+    "regulation": "GPSR",
+    "articles": ["9", "10", "11", "12"],
+    "coverage": "full",
+    "notes": "Supply chain traceability requirements"
+  },
+  {
+    "control_id": "ID.AM-01",
+    "control_name": "Inventories of assets",
+    "regulation": "GPSR",
+    "articles": ["9", "18"],
+    "coverage": "full",
+    "notes": "Product traceability and documentation"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "GPSR",
+    "articles": ["19", "20", "21"],
+    "coverage": "full",
+    "notes": "Product safety notifications via Safety Gate"
+  },
+  {
+    "control_id": "RS.MA-01",
+    "control_name": "Incident response plan is executed",
+    "regulation": "GPSR",
+    "articles": ["19", "20"],
+    "coverage": "full",
+    "notes": "Dangerous product response procedures"
+  }
+]

package/data/seed/mappings/nist-csf-ivdr.json

@@ -0,0 +1,66 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "IVDR",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "In vitro diagnostic device regulatory context"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "IVDR",
+    "articles": ["10", "14"],
+    "coverage": "full",
+    "notes": "Risk management for IVD devices"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "IVDR",
+    "articles": ["10", "11", "15"],
+    "coverage": "full",
+    "notes": "Manufacturer and authorized representative duties"
+  },
+  {
+    "control_id": "GV.SC-01",
+    "control_name": "Supply chain risk management program",
+    "regulation": "IVDR",
+    "articles": ["10", "22"],
+    "coverage": "full",
+    "notes": "Supply chain controls for IVD devices"
+  },
+  {
+    "control_id": "ID.AM-01",
+    "control_name": "Inventories of assets",
+    "regulation": "IVDR",
+    "articles": ["24", "25", "26"],
+    "coverage": "full",
+    "notes": "UDI system and device identification"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "IVDR",
+    "articles": ["100", "101"],
+    "coverage": "partial",
+    "notes": "EUDAMED database security"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "IVDR",
+    "articles": ["82", "83", "84"],
+    "coverage": "full",
+    "notes": "Vigilance reporting and incident notification"
+  },
+  {
+    "control_id": "RS.MA-01",
+    "control_name": "Incident response plan is executed",
+    "regulation": "IVDR",
+    "articles": ["82", "83"],
+    "coverage": "full",
+    "notes": "Serious incident reporting procedures"
+  }
+]

package/data/seed/mappings/nist-csf-led.json

@@ -0,0 +1,74 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "LED",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Law enforcement data processing context"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "LED",
+    "articles": ["19", "20", "21"],
+    "coverage": "full",
+    "notes": "Controller and processor responsibilities"
+  },
+  {
+    "control_id": "GV.PO-01",
+    "control_name": "Cybersecurity policy",
+    "regulation": "LED",
+    "articles": ["29", "30"],
+    "coverage": "full",
+    "notes": "Security of processing policies"
+  },
+  {
+    "control_id": "PR.AA-01",
+    "control_name": "Identities and credentials for authorized users",
+    "regulation": "LED",
+    "articles": ["29"],
+    "coverage": "full",
+    "notes": "Access controls for law enforcement data"
+  },
+  {
+    "control_id": "PR.AA-05",
+    "control_name": "Access permissions and authorizations are managed",
+    "regulation": "LED",
+    "articles": ["12", "29"],
+    "coverage": "full",
+    "notes": "Differentiation between categories of personal data"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "LED",
+    "articles": ["29"],
+    "coverage": "full",
+    "notes": "Security of stored law enforcement data"
+  },
+  {
+    "control_id": "PR.DS-02",
+    "control_name": "Data-in-transit is protected",
+    "regulation": "LED",
+    "articles": ["29", "35"],
+    "coverage": "full",
+    "notes": "Security of data transfers"
+  },
+  {
+    "control_id": "DE.CM-01",
+    "control_name": "Networks and network services are monitored",
+    "regulation": "LED",
+    "articles": ["29"],
+    "coverage": "full",
+    "notes": "Logging and monitoring requirements"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "LED",
+    "articles": ["30", "31"],
+    "coverage": "full",
+    "notes": "Personal data breach notification"
+  }
+]

package/data/seed/mappings/nist-csf-machinery.json

@@ -0,0 +1,58 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "MACHINERY",
+    "articles": ["1", "2", "3"],
+    "coverage": "full",
+    "notes": "Machinery and related products regulatory context"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "MACHINERY",
+    "articles": ["5", "10"],
+    "coverage": "full",
+    "notes": "Risk assessment and risk reduction for machinery"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "MACHINERY",
+    "articles": ["10", "11", "12", "13"],
+    "coverage": "full",
+    "notes": "Manufacturer and economic operator obligations"
+  },
+  {
+    "control_id": "GV.SC-01",
+    "control_name": "Supply chain risk management program",
+    "regulation": "MACHINERY",
+    "articles": ["10", "11", "12"],
+    "coverage": "full",
+    "notes": "Supply chain obligations for machinery"
+  },
+  {
+    "control_id": "ID.AM-01",
+    "control_name": "Inventories of assets",
+    "regulation": "MACHINERY",
+    "articles": ["10"],
+    "coverage": "partial",
+    "notes": "Technical documentation requirements"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "MACHINERY",
+    "articles": ["5"],
+    "coverage": "partial",
+    "notes": "Digital components data protection"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "MACHINERY",
+    "articles": ["43", "44"],
+    "coverage": "full",
+    "notes": "Non-compliance reporting to authorities"
+  }
+]

package/data/seed/mappings/nist-csf-mdr.json

@@ -0,0 +1,66 @@
+[
+  {
+    "control_id": "GV.OC-01",
+    "control_name": "Organizational context",
+    "regulation": "MDR",
+    "articles": ["1", "2"],
+    "coverage": "full",
+    "notes": "Medical device regulatory context"
+  },
+  {
+    "control_id": "GV.RM-01",
+    "control_name": "Risk management objectives",
+    "regulation": "MDR",
+    "articles": ["10", "14"],
+    "coverage": "full",
+    "notes": "Risk management for medical devices"
+  },
+  {
+    "control_id": "GV.RR-01",
+    "control_name": "Organizational roles and responsibilities",
+    "regulation": "MDR",
+    "articles": ["10", "11", "15"],
+    "coverage": "full",
+    "notes": "Manufacturer and authorized representative duties"
+  },
+  {
+    "control_id": "GV.SC-01",
+    "control_name": "Supply chain risk management program",
+    "regulation": "MDR",
+    "articles": ["10", "25"],
+    "coverage": "full",
+    "notes": "Supply chain controls for medical devices"
+  },
+  {
+    "control_id": "ID.AM-01",
+    "control_name": "Inventories of assets",
+    "regulation": "MDR",
+    "articles": ["27", "28", "29"],
+    "coverage": "full",
+    "notes": "UDI system and device identification"
+  },
+  {
+    "control_id": "PR.DS-01",
+    "control_name": "Data-at-rest is protected",
+    "regulation": "MDR",
+    "articles": ["110", "111"],
+    "coverage": "partial",
+    "notes": "EUDAMED database security"
+  },
+  {
+    "control_id": "RS.CO-03",
+    "control_name": "Information is shared with designated external parties",
+    "regulation": "MDR",
+    "articles": ["87", "88", "89"],
+    "coverage": "full",
+    "notes": "Vigilance reporting and incident notification"
+  },
+  {
+    "control_id": "RS.MA-01",
+    "control_name": "Incident response plan is executed",
+    "regulation": "MDR",
+    "articles": ["87", "88"],
+    "coverage": "full",
+    "notes": "Serious incident reporting procedures"
+  }
+]