{ "schema_version": "obligation_join_keys_v1", "contract": "obligation_id ist der stabile Join-Key. Legal Knowledge Graph haengt citation_spans an obligation_id; Compliance Execution Graph mappt control_mapping.source_norm -> obligation_id. Interim-Bruecke = citation_units. obligation_id NIE neu vergeben (re-link).", "count": 66, "obligation_ids": [ { "obligation_id": "sbom_creation", "regulation": "CRA", "family": "sbom", "tier": "LEGAL_MINIMUM", "citation_units": [ "Annex I Part II (1)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "sbom_dependency_coverage", "regulation": "CRA", "family": "sbom", "tier": "LEGAL_MINIMUM", "citation_units": [ "Art. 3(36) i.V.m. Annex I Part II (1)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "sbom_format_standard", "regulation": "CRA", "family": "sbom", "tier": "LEGAL_MINIMUM", "citation_units": [ "Annex I Part II (1)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "sbom_maintenance_update", "regulation": "CRA", "family": "sbom", "tier": "LEGAL_MINIMUM", "citation_units": [ "Annex I Part II (1)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "sbom_completeness_verification", "regulation": "CRA", "family": "sbom", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "sbom_tooling_automation", "regulation": "CRA", "family": "sbom", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "IMPLEMENTATION" }, { "obligation_id": "sbom_access_provision", "regulation": "CRA", "family": "sbom", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "sbom_authority_provision", "regulation": "CRA", "family": "sbom", "tier": "LEGAL_MINIMUM", "citation_units": [ "Art. 31 / Annex I Part II (1)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "sbom_confidentiality", "regulation": "CRA", "family": "sbom", "tier": "LEGAL_MINIMUM", "citation_units": [ "Art. 31(4)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "sbom_supply_chain_contracts", "regulation": "CRA", "family": "sbom", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "sbom_technical_documentation", "regulation": "CRA", "family": "sbom", "tier": "LEGAL_MINIMUM", "citation_units": [ "Art. 31 i.V.m. Annex VII" ], "source_role": "EVIDENCE" }, { "obligation_id": "vuln_identification_inventory", "regulation": "CRA", "family": "vuln", "tier": "LEGAL_MINIMUM", "citation_units": [ "Annex I Part II (1)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "vuln_assessment_prioritization", "regulation": "CRA", "family": "vuln", "tier": "LEGAL_MINIMUM", "citation_units": [ "Annex I Part II (1)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "vuln_remediation_patching", "regulation": "CRA", "family": "vuln", "tier": "LEGAL_MINIMUM", "citation_units": [ "Annex I Part II (2) & (8)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "vuln_handling_process", "regulation": "CRA", "family": "vuln", "tier": "LEGAL_MINIMUM", "citation_units": [ "Article 13(8) & Annex VII" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "coordinated_vulnerability_disclosure", "regulation": "CRA", "family": "vuln", "tier": "LEGAL_MINIMUM", "citation_units": [ "Annex I Part II (5)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "exploited_vuln_reporting_authorities", "regulation": "CRA", "family": "vuln", "tier": "LEGAL_MINIMUM", "citation_units": [ "Article 14 & Article 16" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "vuln_info_dissemination_users", "regulation": "CRA", "family": "vuln", "tier": "LEGAL_MINIMUM", "citation_units": [ "Annex I Part II (4) & (6)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "user_authentication_required", "regulation": "CRA", "family": "authentication", "tier": "LEGAL_MINIMUM", "citation_units": [ "Annex I (2)(d)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "authentication_policy_documented", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "auth_exceptions_documented", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "mfa_required", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "step_up_authentication", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "privileged_op_reauth", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "strong_crypto_authentication", "regulation": "CRA", "family": "authentication", "tier": "LEGAL_MINIMUM", "citation_units": [ "Annex I (2)(e)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "credential_lifecycle_management", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "credential_confidentiality_protection", "regulation": "CRA", "family": "authentication", "tier": "LEGAL_MINIMUM", "citation_units": [ "Annex I (2)(e)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "password_policy", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "no_default_credentials", "regulation": "CRA", "family": "authentication", "tier": "LEGAL_MINIMUM", "citation_units": [ "Annex I (2)(a)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "account_lockout_failed_attempts", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "server_side_validation", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "session_binding_management", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "reauth_after_inactivity", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "token_validation_lifecycle", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "mutual_authentication", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "revocation_check", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "encrypted_auth_channel", "regulation": "CRA", "family": "authentication", "tier": "LEGAL_MINIMUM", "citation_units": [ "Annex I (2)(e)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "tls_certificate_auth", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "service_to_service_auth", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "auth_key_management", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "biometric_authentication", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "federated_auth_assertions", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "separate_authn_authz", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "remote_access_authentication", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "supplier_access_auth", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "personal_admin_accounts", "regulation": "CRA", "family": "authentication", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "firmware_software_authentication", "regulation": "CRA", "family": "authentication", "tier": "LEGAL_MINIMUM", "citation_units": [ "Annex I (2)(c)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "event_logging_security_events", "regulation": "CRA", "family": "logging", "tier": "LEGAL_MINIMUM", "citation_units": [ "Annex I Part I (2)(k)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "access_control_event_logging", "regulation": "CRA", "family": "logging", "tier": "LEGAL_MINIMUM", "citation_units": [ "Annex I Part I (2)(k)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "audit_trail_admin_actions", "regulation": "CRA", "family": "logging", "tier": "LEGAL_MINIMUM", "citation_units": [ "Annex I Part I (2)(k)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "log_integrity_immutability", "regulation": "CRA", "family": "logging", "tier": "LEGAL_MINIMUM", "citation_units": [ "Annex I Part I (2)(k)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "log_access_control_protection", "regulation": "CRA", "family": "logging", "tier": "LEGAL_MINIMUM", "citation_units": [ "Annex I Part I (2)(k)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "log_retention_archival", "regulation": "CRA", "family": "logging", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "centralized_log_management", "regulation": "CRA", "family": "logging", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "log_monitoring_alerting", "regulation": "CRA", "family": "logging", "tier": "LEGAL_MINIMUM", "citation_units": [ "Annex I Part I (2)(k)" ], "source_role": "LEGAL_BASIS" }, { "obligation_id": "log_data_minimization_privacy", "regulation": "CRA", "family": "logging", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "log_format_standardization", "regulation": "CRA", "family": "logging", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "log_timestamp_synchronization", "regulation": "CRA", "family": "logging", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "logging_availability_resilience", "regulation": "CRA", "family": "logging", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "logging_thread_safety_correctness", "regulation": "CRA", "family": "logging", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "IMPLEMENTATION" }, { "obligation_id": "logging_library_supply_chain", "regulation": "CRA", "family": "logging", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "logging_config_management", "regulation": "CRA", "family": "logging", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "logging_governance_roles", "regulation": "CRA", "family": "logging", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "incident_response_logging", "regulation": "CRA", "family": "logging", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "log_transmission_security", "regulation": "CRA", "family": "logging", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" }, { "obligation_id": "network_traffic_logging", "regulation": "CRA", "family": "logging", "tier": "BEST_PRACTICE", "citation_units": [], "source_role": "GUIDANCE" } ] }