diff --git a/backend-compliance/compliance/services/control_generator.py b/backend-compliance/compliance/services/control_generator.py
index e7ea3b9..8058e29 100644
--- a/backend-compliance/compliance/services/control_generator.py
+++ b/backend-compliance/compliance/services/control_generator.py
@@ -66,19 +66,101 @@ ALL_COLLECTIONS = [
 REGULATION_LICENSE_MAP: dict[str, dict] = {
 # RULE 1: FREE USE — Laws, Public Domain
+ # EU Regulations
 "eu_2016_679": {"license": "EU_LAW", "rule": 1, "name": "DSGVO"},
- "eu_2024_1689": {"license": "EU_LAW", "rule": 1, "name": "AI Act"},
+ "eu_2024_1689": {"license": "EU_LAW", "rule": 1, "name": "AI Act (KI-Verordnung)"},
 "eu_2022_2555": {"license": "EU_LAW", "rule": 1, "name": "NIS2"},
- "eu_2024_2847": {"license": "EU_LAW", "rule": 1, "name": "CRA"},
+ "eu_2024_2847": {"license": "EU_LAW", "rule": 1, "name": "Cyber Resilience Act (CRA)"},
 "eu_2023_1230": {"license": "EU_LAW", "rule": 1, "name": "Maschinenverordnung"},
+ "eu_2022_2065": {"license": "EU_LAW", "rule": 1, "name": "Digital Services Act (DSA)"},
+ "eu_2022_1925": {"license": "EU_LAW", "rule": 1, "name": "Digital Markets Act (DMA)"},
+ "eu_2022_868": {"license": "EU_LAW", "rule": 1, "name": "Data Governance Act (DGA)"},
+ "eu_2019_770": {"license": "EU_LAW", "rule": 1, "name": "Digitale-Inhalte-Richtlinie"},
+ "eu_2021_914": {"license": "EU_LAW", "rule": 1, "name": "Standardvertragsklauseln (SCC)"},
+ "eu_2002_58": {"license": "EU_LAW", "rule": 1, "name": "ePrivacy-Richtlinie"},
+ "eu_2000_31": {"license": "EU_LAW", "rule": 1, "name": "E-Commerce-Richtlinie"},
+ "eu_2023_1803": {"license": "EU_LAW", "rule": 1, "name": "IFRS-Uebernahmeverordnung"},
+ "eucsa": {"license": "EU_LAW", "rule": 1, "name": "EU Cybersecurity Act"},
+ "dataact": {"license": "EU_LAW", "rule": 1, "name": "Data Act"},
+ "dora": {"license": "EU_LAW", "rule": 1, "name": "Digital Operational Resilience Act"},
+ "ehds": {"license": "EU_LAW", "rule": 1, "name": "European Health Data Space"},
+ "gpsr": {"license": "EU_LAW", "rule": 1, "name": "Allgemeine Produktsicherheitsverordnung"},
+ "mica": {"license": "EU_LAW", "rule": 1, "name": "Markets in Crypto-Assets"},
+ "psd2": {"license": "EU_LAW", "rule": 1, "name": "Zahlungsdiensterichtlinie 2"},
+ "dpf": {"license": "EU_LAW", "rule": 1, "name": "EU-US Data Privacy Framework"},
+ "dsm": {"license": "EU_LAW", "rule": 1, "name": "DSM-Urheberrechtsrichtlinie"},
+ "amlr": {"license": "EU_LAW", "rule": 1, "name": "AML-Verordnung"},
+ "eu_blue_guide_2022": {"license": "EU_PUBLIC", "rule": 1, "name": "Blue Guide 2022"},
+ # NIST (Public Domain — all variants)
 "nist_sp_800_53": {"license": "NIST_PUBLIC_DOMAIN", "rule": 1, "name": "NIST SP 800-53"},
+ "nist_sp800_53r5": {"license": "NIST_PUBLIC_DOMAIN", "rule": 1, "name": "NIST SP 800-53 Rev.5"},
 "nist_sp_800_63b": {"license": "NIST_PUBLIC_DOMAIN", "rule": 1, "name": "NIST SP 800-63B"},
+ "nist_sp800_63_3": {"license": "NIST_PUBLIC_DOMAIN", "rule": 1, "name": "NIST SP 800-63-3"},
 "nist_csf_2_0": {"license": "NIST_PUBLIC_DOMAIN", "rule": 1, "name": "NIST CSF 2.0"},
 "nist_sp_800_218": {"license": "NIST_PUBLIC_DOMAIN", "rule": 1, "name": "NIST SSDF"},
+ "nist_sp800_207": {"license": "NIST_PUBLIC_DOMAIN", "rule": 1, "name": "NIST SP 800-207 Zero Trust"},
+ "nist_ai_rmf": {"license": "NIST_PUBLIC_DOMAIN", "rule": 1, "name": "NIST AI Risk Management Framework"},
+ "nistir_8259a": {"license": "NIST_PUBLIC_DOMAIN", "rule": 1, "name": "NISTIR 8259A IoT Security"},
 "cisa_secure_by_design": {"license": "US_GOV_PUBLIC", "rule": 1, "name": "CISA Secure by Design"},
+ # German Laws
 "bdsg": {"license": "DE_LAW", "rule": 1, "name": "BDSG"},
+ "bdsg_2018_komplett": {"license": "DE_LAW", "rule": 1, "name": "BDSG 2018"},
 "ttdsg": {"license": "DE_LAW", "rule": 1, "name": "TTDSG"},
+ "tdddg_25": {"license": "DE_LAW", "rule": 1, "name": "TDDDG"},
 "tkg": {"license": "DE_LAW", "rule": 1, "name": "TKG"},
+ "de_tkg": {"license": "DE_LAW", "rule": 1, "name": "TKG"},
+ "bgb_komplett": {"license": "DE_LAW", "rule": 1, "name": "BGB"},
+ "hgb": {"license": "DE_LAW", "rule": 1, "name": "HGB"},
+ "hgb_komplett": {"license": "DE_LAW", "rule": 1, "name": "HGB"},
+ "urhg_komplett": {"license": "DE_LAW", "rule": 1, "name": "UrhG"},
+ "uwg": {"license": "DE_LAW", "rule": 1, "name": "UWG"},
+ "tmg_komplett": {"license": "DE_LAW", "rule": 1, "name": "TMG"},
+ "gewo": {"license": "DE_LAW", "rule": 1, "name": "GewO"},
+ "ao": {"license": "DE_LAW", "rule": 1, "name": "Abgabenordnung"},
+ "ao_komplett": {"license": "DE_LAW", "rule": 1, "name": "Abgabenordnung"},
+ "battdg": {"license": "DE_LAW", "rule": 1, "name": "Batteriegesetz"},
+ # Austrian Laws
+ "at_dsg": {"license": "AT_LAW", "rule": 1, "name": "AT DSG"},
+ "at_abgb": {"license": "AT_LAW", "rule": 1, "name": "AT ABGB"},
+ "at_abgb_agb": {"license": "AT_LAW", "rule": 1, "name": "AT ABGB AGB-Recht"},
+ "at_bao": {"license": "AT_LAW", "rule": 1, "name": "AT BAO"},
+ "at_bao_ret": {"license": "AT_LAW", "rule": 1, "name": "AT BAO Retention"},
+ "at_ecg": {"license": "AT_LAW", "rule": 1, "name": "AT E-Commerce-Gesetz"},
+ "at_kschg": {"license": "AT_LAW", "rule": 1, "name": "AT Konsumentenschutzgesetz"},
+ "at_medieng": {"license": "AT_LAW", "rule": 1, "name": "AT Mediengesetz"},
+ "at_tkg": {"license": "AT_LAW", "rule": 1, "name": "AT TKG"},
+ "at_ugb": {"license": "AT_LAW", "rule": 1, "name": "AT UGB"},
+ "at_ugb_ret": {"license": "AT_LAW", "rule": 1, "name": "AT UGB Retention"},
+ "at_uwg": {"license": "AT_LAW", "rule": 1, "name": "AT UWG"},
+ # Other EU Member State Laws
+ "fr_loi_informatique": {"license": "FR_LAW", "rule": 1, "name": "FR Loi Informatique"},
+ "es_lopdgdd": {"license": "ES_LAW", "rule": 1, "name": "ES LOPDGDD"},
+ "nl_uavg": {"license": "NL_LAW", "rule": 1, "name": "NL UAVG"},
+ "it_codice_privacy": {"license": "IT_LAW", "rule": 1, "name": "IT Codice Privacy"},
+ "hu_info_tv": {"license": "HU_LAW", "rule": 1, "name": "HU Információs törvény"},
+ # EDPB Guidelines (EU Public Authority)
+ "edpb_01_2020": {"license": "EU_PUBLIC", "rule": 1, "name": "EDPB 01/2020 Ergaenzende Massnahmen"},
+ "edpb_02_2023": {"license": "EU_PUBLIC", "rule": 1, "name": "EDPB 02/2023 Technischer Anwendungsbereich"},
+ "edpb_05_2020": {"license": "EU_PUBLIC", "rule": 1, "name": "EDPB 05/2020 Einwilligung"},
+ "edpb_09_2022": {"license": "EU_PUBLIC", "rule": 1, "name": "EDPB 09/2022 Datenschutzverletzungen"},
+ "edpb_bcr_01_2022": {"license": "EU_PUBLIC", "rule": 1, "name": "EDPB BCR Leitlinien"},
+ "edpb_breach_09_2022": {"license": "EU_PUBLIC", "rule": 1, "name": "EDPB Breach Notification"},
+ "edpb_connected_vehicles_01_2020": {"license": "EU_PUBLIC", "rule": 1, "name": "EDPB Connected Vehicles"},
+ "edpb_dpbd_04_2019": {"license": "EU_PUBLIC", "rule": 1, "name": "EDPB Data Protection by Design"},
+ "edpb_eprivacy_02_2023": {"license": "EU_PUBLIC", "rule": 1, "name": "EDPB ePrivacy"},
+ "edpb_facial_recognition_05_2022": {"license": "EU_PUBLIC", "rule": 1, "name": "EDPB Facial Recognition"},
+ "edpb_fines_04_2022": {"license": "EU_PUBLIC", "rule": 1, "name": "EDPB Fines Calculation"},
+ "edpb_legitimate_interest": {"license": "EU_PUBLIC", "rule": 1, "name": "EDPB Legitimate Interest"},
+ "edpb_legitimate_interest_01_2024": {"license": "EU_PUBLIC","rule": 1, "name": "EDPB Legitimate Interest 2024"},
+ "edpb_social_media_08_2020": {"license": "EU_PUBLIC", "rule": 1, "name": "EDPB Social Media"},
+ "edpb_transfers_01_2020":{"license": "EU_PUBLIC", "rule": 1, "name": "EDPB Transfers 01/2020"},
+ "edpb_transfers_07_2020":{"license": "EU_PUBLIC", "rule": 1, "name": "EDPB Transfers 07/2020"},
+ "edpb_video_03_2019": {"license": "EU_PUBLIC", "rule": 1, "name": "EDPB Video Surveillance"},
+ "edps_dpia_list": {"license": "EU_PUBLIC", "rule": 1, "name": "EDPS DPIA Liste"},
+ # WP29 (pre-EDPB) Guidelines
+ "wp244_profiling": {"license": "EU_PUBLIC", "rule": 1, "name": "WP29 Profiling"},
+ "wp251_profiling": {"license": "EU_PUBLIC", "rule": 1, "name": "WP29 Data Portability"},
+ "wp260_transparency": {"license": "EU_PUBLIC", "rule": 1, "name": "WP29 Transparency"},
 # RULE 2: CITATION REQUIRED — CC-BY, CC-BY-SA
 "owasp_asvs": {"license": "CC-BY-SA-4.0", "rule": 2, "name": "OWASP ASVS",
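Review bot: The new `wp251_profiling` entry contradicts itself — its key says profiling while its display name is `"WP29 Data Portability"` — so whichever of the two matches the actual collection id, the other is wrong (as far as I recall WP251 is the automated decision-making/profiling guideline and data portability is a different WP29 paper, which would make the name the wrong half and also put `wp244_profiling` in doubt). Because this map is what decides whether a collection's text may be reproduced without attribution (rule 1) or must carry a citation (rule 2), a key that does not exactly match an entry in ALL_COLLECTIONS silently falls through to whatever default the lookup applies, and nothing in this hunk ties the two structures together; the mixed spellings added here (`nist_sp_800_53` next to `nist_sp800_53r5`, `tkg` next to `de_tkg`, `hgb` next to `hgb_komplett`) make such a mismatch easy to introduce. If ALL_COLLECTIONS holds the ids as strings, a one-line guard after the literal, `assert not set(ALL_COLLECTIONS) - REGULATION_LICENSE_MAP.keys(), "collection without license rule"`, would turn that silent fall-through into a startup failure. The REGULATION_LICENSE_MAP literal continues past this hunk into the next one.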
@@ -87,6 +169,12 @@ REGULATION_LICENSE_MAP: dict[str, dict] = {
 "attribution": "OWASP Foundation, CC BY-SA 4.0"},
 "owasp_top10": {"license": "CC-BY-SA-4.0", "rule": 2, "name": "OWASP Top 10",
 "attribution": "OWASP Foundation, CC BY-SA 4.0"},
+ "owasp_top10_2021": {"license": "CC-BY-SA-4.0", "rule": 2, "name": "OWASP Top 10 2021",
+ "attribution": "OWASP Foundation, CC BY-SA 4.0"},
+ "owasp_api_top10_2023": {"license": "CC-BY-SA-4.0", "rule": 2, "name": "OWASP API Top 10 2023",
+ "attribution": "OWASP Foundation, CC BY-SA 4.0"},
+ "owasp_samm": {"license": "CC-BY-SA-4.0", "rule": 2, "name": "OWASP SAMM",
+ "attribution": "OWASP Foundation, CC BY-SA 4.0"},
 "oecd_ai_principles": {"license": "OECD_PUBLIC", "rule": 2, "name": "OECD AI Principles",
 "attribution": "OECD"},