@ansvar/eu-regulations-mcp 0.1.0

Files changed (58)
  1. package/LICENSE +21 -0
  2. package/README.md +242 -0
  3. package/data/seed/ai-act.json +1026 -0
  4. package/data/seed/applicability/dora.json +92 -0
  5. package/data/seed/applicability/gdpr.json +74 -0
  6. package/data/seed/applicability/nis2.json +83 -0
  7. package/data/seed/cra.json +690 -0
  8. package/data/seed/cybersecurity-act.json +534 -0
  9. package/data/seed/dora.json +719 -0
  10. package/data/seed/gdpr.json +732 -0
  11. package/data/seed/mappings/iso27001-dora.json +106 -0
  12. package/data/seed/mappings/iso27001-gdpr.json +114 -0
  13. package/data/seed/mappings/iso27001-nis2.json +98 -0
  14. package/data/seed/nis2.json +492 -0
  15. package/dist/index.d.ts +3 -0
  16. package/dist/index.d.ts.map +1 -0
  17. package/dist/index.js +271 -0
  18. package/dist/index.js.map +1 -0
  19. package/dist/tools/applicability.d.ts +20 -0
  20. package/dist/tools/applicability.d.ts.map +1 -0
  21. package/dist/tools/applicability.js +42 -0
  22. package/dist/tools/applicability.js.map +1 -0
  23. package/dist/tools/article.d.ts +17 -0
  24. package/dist/tools/article.d.ts.map +1 -0
  25. package/dist/tools/article.js +29 -0
  26. package/dist/tools/article.js.map +1 -0
  27. package/dist/tools/compare.d.ts +18 -0
  28. package/dist/tools/compare.d.ts.map +1 -0
  29. package/dist/tools/compare.js +60 -0
  30. package/dist/tools/compare.js.map +1 -0
  31. package/dist/tools/definitions.d.ts +14 -0
  32. package/dist/tools/definitions.d.ts.map +1 -0
  33. package/dist/tools/definitions.js +26 -0
  34. package/dist/tools/definitions.js.map +1 -0
  35. package/dist/tools/list.d.ts +22 -0
  36. package/dist/tools/list.d.ts.map +1 -0
  37. package/dist/tools/list.js +67 -0
  38. package/dist/tools/list.js.map +1 -0
  39. package/dist/tools/map.d.ts +19 -0
  40. package/dist/tools/map.d.ts.map +1 -0
  41. package/dist/tools/map.js +44 -0
  42. package/dist/tools/map.js.map +1 -0
  43. package/dist/tools/search.d.ts +15 -0
  44. package/dist/tools/search.d.ts.map +1 -0
  45. package/dist/tools/search.js +62 -0
  46. package/dist/tools/search.js.map +1 -0
  47. package/package.json +70 -0
  48. package/scripts/build-db.ts +292 -0
  49. package/scripts/check-updates.ts +192 -0
  50. package/scripts/ingest-eurlex.ts +219 -0
  51. package/src/index.ts +294 -0
  52. package/src/tools/applicability.ts +84 -0
  53. package/src/tools/article.ts +61 -0
  54. package/src/tools/compare.ts +94 -0
  55. package/src/tools/definitions.ts +54 -0
  56. package/src/tools/list.ts +116 -0
  57. package/src/tools/map.ts +84 -0
  58. package/src/tools/search.ts +95 -0
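--- a/package/data/seed/mappings/iso27001-dora.json
+++ b/package/data/seed/mappings/iso27001-dora.json
@@ -0,0 +1,106 @@
+[
+{
+"control_id": "A.5.1",
+"control_name": "Policies for information security",
+"regulation": "DORA",
+"articles": ["5", "6", "9", "10"],
+"coverage": "full",
+"notes": "Art 5-6 governance requirements, Art 9-10 ICT risk management policies"
+},
+{
+"control_id": "A.5.2",
+"control_name": "Information security roles and responsibilities",
+"regulation": "DORA",
+"articles": ["5", "6"],
+"coverage": "full",
+"notes": "Art 5 governance and organisation, Art 6 management body responsibilities"
+},
+{
+"control_id": "A.5.23",
+"control_name": "Information security for use of cloud services",
+"regulation": "DORA",
+"articles": ["28", "29", "30", "31"],
+"coverage": "full",
+"notes": "Chapter V covers ICT third-party risk management including cloud services"
+},
+{
+"control_id": "A.5.29",
+"control_name": "Information security during disruption",
+"regulation": "DORA",
+"articles": ["11", "12"],
+"coverage": "full",
+"notes": "Art 11 response and recovery, Art 12 backup policies and restoration"
+},
+{
+"control_id": "A.5.30",
+"control_name": "ICT readiness for business continuity",
+"regulation": "DORA",
+"articles": ["11", "12", "13"],
+"coverage": "full",
+"notes": "Art 11-13 cover business continuity, backup, restoration, and communication"
+},
+{
+"control_id": "A.6.8",
+"control_name": "Information security event reporting",
+"regulation": "DORA",
+"articles": ["17", "18", "19", "20"],
+"coverage": "full",
+"notes": "Art 17 incident management, Art 19 major incident reporting (4h initial, 72h intermediate, 1 month final)"
+},
+{
+"control_id": "A.8.2",
+"control_name": "Privileged access rights",
+"regulation": "DORA",
+"articles": ["9"],
+"coverage": "partial",
+"notes": "Art 9(4)(c) requires access rights management"
+},
+{
+"control_id": "A.8.5",
+"control_name": "Secure authentication",
+"regulation": "DORA",
+"articles": ["9"],
+"coverage": "partial",
+"notes": "Art 9(4)(c) covers authentication mechanisms"
+},
+{
+"control_id": "A.8.8",
+"control_name": "Management of technical vulnerabilities",
+"regulation": "DORA",
+"articles": ["9", "24", "25", "26", "27"],
+"coverage": "full",
+"notes": "Art 9 vulnerability management, Chapter IV digital operational resilience testing"
+},
+{
+"control_id": "A.8.16",
+"control_name": "Monitoring activities",
+"regulation": "DORA",
+"articles": ["9", "10"],
+"coverage": "full",
+"notes": "Art 9-10 require continuous monitoring of ICT systems"
+},
+{
+"control_id": "A.8.24",
+"control_name": "Use of cryptography",
+"regulation": "DORA",
+"articles": ["9"],
+"coverage": "partial",
+"notes": "Art 9(4)(d) covers data protection including cryptographic measures"
+},
+{
+"control_id": "A.8.25",
+"control_name": "Secure development life cycle",
+"regulation": "DORA",
+"articles": ["8"],
+"coverage": "full",
+"notes": "Art 8 covers identification of ICT assets including custom-developed systems"
+},
+{
+"control_id": "A.8.29",
+"control_name": "Security testing in development and acceptance",
+"regulation": "DORA",
+"articles": ["24", "25", "26", "27"],
+"coverage": "full",
+"notes": "Chapter IV requires comprehensive digital operational resilience testing including TLPT"
+}
+]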
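Review bot: The A.8.25 record (Secure development life cycle) claims `"coverage": "full"` against Art 8 alone, yet its own note describes asset identification rather than any development-lifecycle requirement; DORA's secure-development obligations sit largely in the Art 15-mandated technical standards on the ICT risk management framework, so `"coverage": "partial"` reads as the honest value here. Two article citations in the notes also look off and are worth checking against the regulation text: the A.5.30 note attributes communication to Art 11-13 while communication policies are Art 14, and the A.8.5 note credits Art 9(4)(c) for authentication where, as far as I recall, strong authentication and cryptographic-key protection are in Art 9(4)(d) with access limitation in 9(4)(c). Because `articles` is the field a consumer would join on while the paragraph-level references live only in free text, adding `"14"` to the A.5.30 `articles` list would make that mapping queryable instead of note-only.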
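--- a/package/data/seed/mappings/iso27001-gdpr.json
+++ b/package/data/seed/mappings/iso27001-gdpr.json
@@ -0,0 +1,114 @@
+[
+{
+"control_id": "A.5.1",
+"control_name": "Policies for information security",
+"regulation": "GDPR",
+"articles": ["24", "32"],
+"coverage": "partial",
+"notes": "GDPR requires appropriate technical and organisational measures (Art 32) and controller responsibility (Art 24)"
+},
+{
+"control_id": "A.5.2",
+"control_name": "Information security roles and responsibilities",
+"regulation": "GDPR",
+"articles": ["24", "37", "38", "39"],
+"coverage": "partial",
+"notes": "Controller accountability (Art 24), DPO designation and tasks (Art 37-39)"
+},
+{
+"control_id": "A.5.10",
+"control_name": "Acceptable use of information and other associated assets",
+"regulation": "GDPR",
+"articles": ["5", "6"],
+"coverage": "full",
+"notes": "Purpose limitation and lawfulness principles (Art 5, 6)"
+},
+{
+"control_id": "A.5.31",
+"control_name": "Legal, statutory, regulatory and contractual requirements",
+"regulation": "GDPR",
+"articles": ["1", "2", "3"],
+"coverage": "full",
+"notes": "GDPR scope and applicability (Art 1-3)"
+},
+{
+"control_id": "A.5.33",
+"control_name": "Protection of records",
+"regulation": "GDPR",
+"articles": ["5", "30"],
+"coverage": "full",
+"notes": "Storage limitation principle (Art 5) and records of processing (Art 30)"
+},
+{
+"control_id": "A.5.34",
+"control_name": "Privacy and protection of PII",
+"regulation": "GDPR",
+"articles": ["1", "5", "6", "7", "9", "12", "13", "14", "15", "16", "17", "18", "19", "20", "21", "22"],
+"coverage": "full",
+"notes": "Core GDPR requirements for personal data protection"
+},
+{
+"control_id": "A.6.8",
+"control_name": "Information security event reporting",
+"regulation": "GDPR",
+"articles": ["33", "34"],
+"coverage": "full",
+"notes": "Personal data breach notification within 72 hours (Art 33) and communication to data subjects (Art 34)"
+},
+{
+"control_id": "A.7.10",
+"control_name": "Storage media",
+"regulation": "GDPR",
+"articles": ["5", "32"],
+"coverage": "partial",
+"notes": "Storage limitation (Art 5) and security measures (Art 32)"
+},
+{
+"control_id": "A.8.3",
+"control_name": "Information access restriction",
+"regulation": "GDPR",
+"articles": ["25", "32"],
+"coverage": "partial",
+"notes": "Data protection by design and by default (Art 25), security measures (Art 32)"
+},
+{
+"control_id": "A.8.10",
+"control_name": "Information deletion",
+"regulation": "GDPR",
+"articles": ["17"],
+"coverage": "full",
+"notes": "Right to erasure ('right to be forgotten') - Art 17"
+},
+{
+"control_id": "A.8.11",
+"control_name": "Data masking",
+"regulation": "GDPR",
+"articles": ["4", "25", "32"],
+"coverage": "full",
+"notes": "Pseudonymisation defined (Art 4) and required as security measure (Art 25, 32)"
+},
+{
+"control_id": "A.8.12",
+"control_name": "Data leakage prevention",
+"regulation": "GDPR",
+"articles": ["32", "33"],
+"coverage": "partial",
+"notes": "Security of processing (Art 32) and breach notification requirements (Art 33)"
+},
+{
+"control_id": "A.8.24",
+"control_name": "Use of cryptography",
+"regulation": "GDPR",
+"articles": ["32", "34"],
+"coverage": "partial",
+"notes": "Encryption mentioned as appropriate measure (Art 32), affects breach notification requirements (Art 34)"
+},
+{
+"control_id": "A.8.28",
+"control_name": "Secure coding",
+"regulation": "GDPR",
+"articles": ["25"],
+"coverage": "partial",
+"notes": "Data protection by design and by default (Art 25)"
+}
+]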
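Review bot: None of the records state the ISO 27001 edition or the GDPR text version they were mapped against, even though the control numbering (A.5.34, A.7.10, A.8.10) only exists in the 2022 Annex A; a consumer of this file has no way to detect a stale mapping, and the same gap exists in `iso27001-dora.json` and `iso27001-nis2.json`. A per-record field such as `"framework_version": "ISO/IEC 27001:2022"` would close it, or a file-level one if the top-level array were replaced by an object envelope, which a bare array cannot carry. Separately, A.8.10 (Information deletion) is marked `"coverage": "full"` on Art 17 alone, whereas the general obligation to delete data once it is no longer needed is the storage-limitation principle in Art 5, which the A.5.33 and A.7.10 notes already cite, so adding `"5"` to that record's `articles` would make the three entries consistent.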
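--- a/package/data/seed/mappings/iso27001-nis2.json
+++ b/package/data/seed/mappings/iso27001-nis2.json
@@ -0,0 +1,98 @@
+[
+{
+"control_id": "A.5.1",
+"control_name": "Policies for information security",
+"regulation": "NIS2",
+"articles": ["21"],
+"coverage": "full",
+"notes": "Art 21(2)(a) explicitly requires policies on risks and information system security"
+},
+{
+"control_id": "A.5.2",
+"control_name": "Information security roles and responsibilities",
+"regulation": "NIS2",
+"articles": ["20", "21"],
+"coverage": "full",
+"notes": "Art 20 requires management body accountability, Art 21 requires governance framework"
+},
+{
+"control_id": "A.5.23",
+"control_name": "Information security for use of cloud services",
+"regulation": "NIS2",
+"articles": ["21"],
+"coverage": "partial",
+"notes": "Art 21(2)(d) covers supply chain security including cloud services"
+},
+{
+"control_id": "A.5.29",
+"control_name": "Information security during disruption",
+"regulation": "NIS2",
+"articles": ["21"],
+"coverage": "full",
+"notes": "Art 21(2)(c) requires business continuity and crisis management"
+},
+{
+"control_id": "A.5.30",
+"control_name": "ICT readiness for business continuity",
+"regulation": "NIS2",
+"articles": ["21"],
+"coverage": "full",
+"notes": "Art 21(2)(c) explicitly covers backup management, disaster recovery, crisis management"
+},
+{
+"control_id": "A.6.8",
+"control_name": "Information security event reporting",
+"regulation": "NIS2",
+"articles": ["23", "24"],
+"coverage": "full",
+"notes": "Art 23 requires incident notification: early warning (24h), notification (72h), final report (1 month)"
+},
+{
+"control_id": "A.8.2",
+"control_name": "Privileged access rights",
+"regulation": "NIS2",
+"articles": ["21"],
+"coverage": "partial",
+"notes": "Art 21(2)(i) requires access control policies"
+},
+{
+"control_id": "A.8.5",
+"control_name": "Secure authentication",
+"regulation": "NIS2",
+"articles": ["21"],
+"coverage": "full",
+"notes": "Art 21(2)(j) explicitly requires multi-factor or continuous authentication"
+},
+{
+"control_id": "A.8.8",
+"control_name": "Management of technical vulnerabilities",
+"regulation": "NIS2",
+"articles": ["21"],
+"coverage": "full",
+"notes": "Art 21(2)(e) requires vulnerability handling and disclosure"
+},
+{
+"control_id": "A.8.16",
+"control_name": "Monitoring activities",
+"regulation": "NIS2",
+"articles": ["21"],
+"coverage": "partial",
+"notes": "Art 21(2) covers security monitoring as part of risk management measures"
+},
+{
+"control_id": "A.8.24",
+"control_name": "Use of cryptography",
+"regulation": "NIS2",
+"articles": ["21"],
+"coverage": "full",
+"notes": "Art 21(2)(h) explicitly requires cryptography and encryption policies"
+},
+{
+"control_id": "A.8.25",
+"control_name": "Secure development life cycle",
+"regulation": "NIS2",
+"articles": ["21"],
+"coverage": "partial",
+"notes": "Art 21(2)(e) covers security in acquisition and development"
+}
+]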
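Review bot: Ten of the twelve records map to `"articles": ["21"]`, so the point-level provision that actually justifies each mapping (21(2)(a), 21(2)(h), 21(2)(j) and so on) exists only inside the free-text `notes` and is not queryable; to anything that joins on `articles`, A.8.2 (partial) and A.8.5 (full) are the same mapping. A structured field alongside the existing key, e.g. `"provisions": ["21(2)(j)"]`, would expose that granularity without touching the join key; I assume `articles` is matched against the article table in `nis2.json`, so changing its format in place is the riskier option. The A.8.16 note cites Art 21(2) generically where every other record names a point; if no point covers monitoring specifically, stating that in the note would explain why this record is `"partial"`.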