[
{
"regulation": "DORA",
"article": "6",
"requirement_summary": "ICT risk management framework",
"evidence_type": "document",
"artifact_name": "ICT Risk Management Framework",
"artifact_example": "ICT_Risk_Management_Framework.pdf",
"description": "Documented, comprehensive framework for managing ICT risks, approved by management body",
"retention_period": "Duration of operations + 5 years",
"auditor_questions": [
"Show me your documented ICT risk management framework with management board approval",
"How do you define and measure ICT risk tolerance?",
"What is your ICT reference architecture and how does it support business objectives?",
"Show me evidence of annual framework reviews"
],
"maturity_levels": {
"basic": "Documented ICT risk policy exists",
"intermediate": "Framework integrated with overall risk management, regular reviews performed",
"advanced": "Continuous improvement based on testing/monitoring, executive KPIs tracked"
},
"cross_references": ["NIS2:21", "GDPR:32"]
},
{
"regulation": "DORA",
"article": "6",
"requirement_summary": "Digital operational resilience strategy",
"evidence_type": "document",
"artifact_name": "Digital Operational Resilience Strategy",
"artifact_example": "Digital_Resilience_Strategy_2025.pdf",
"description": "Strategic document linking ICT risk management to business objectives with KPIs and metrics",
"retention_period": "Duration of operations + 5 years",
"auditor_questions": [
"Show me your digital operational resilience strategy",
"What are your key performance indicators for ICT security?",
"How does your strategy address prevention, detection, and protection against ICT-related incidents?",
"What is your current digital operational resilience status based on incident metrics?"
],
"maturity_levels": {
"basic": "Strategy document exists with basic KPIs",
"intermediate": "KPIs actively tracked, strategy reviewed annually and updated based on incidents",
"advanced": "Real-time KPI dashboards, predictive risk analytics, board-level reporting"
},
"cross_references": []
},
{
"regulation": "DORA",
"article": "11",
"requirement_summary": "ICT business continuity policy and testing",
"evidence_type": "test_result",
"artifact_name": "BCP Test Report",
"artifact_example": "BCP_Test_Report_2025-01-15.pdf",
"description": "Annual testing results for ICT business continuity plans including identified gaps and remediation",
"retention_period": "5 years",
"auditor_questions": [
"When was your last BCP test? Show me the results",
"What scenarios did you test (cyber-attack, infrastructure failure, switchover to redundant ICT capacity)?",
"What gaps or weaknesses were identified?",
"Show me evidence that identified gaps were remediated",
"How do you test switchovers between primary and redundant infrastructure?"
],
"maturity_levels": {
"basic": "Annual BCP tests conducted, basic documentation",
"intermediate": "Tests include cyber-attack scenarios, switchover tests, detailed gap analysis",
"advanced": "Continuous testing, automated switchover validation, lessons learned fed back to framework"
},
"cross_references": ["NIS2:21c"]
},
{
"regulation": "DORA",
"article": "17",
"requirement_summary": "ICT incident management process",
"evidence_type": "log",
"artifact_name": "ICT Incident Log",
"artifact_example": "ICT_Incident_Log_2025.csv",
"description": "Complete log of all ICT-related incidents with classification, root cause analysis, and resolution",
"retention_period": "7 years",
"auditor_questions": [
"Show me your ICT incident log for the past 12 months",
"How do you classify incidents by severity and priority?",
"For this major incident, show me the root cause analysis",
"How do you ensure incidents don't recur? Show me corrective measures implemented"
],
"maturity_levels": {
"basic": "Incidents logged with basic classification",
"intermediate": "Root cause analysis performed, corrective measures tracked, senior management informed of major incidents",
"advanced": "Predictive analytics to identify incident patterns, automated early warning indicators, continuous process improvement"
},
"cross_references": ["NIS2:23", "GDPR:33"]
},
{
"regulation": "DORA",
"article": "19",
"requirement_summary": "Major ICT incident reporting to authorities",
"evidence_type": "document",
"artifact_name": "Authority Incident Notification",
"artifact_example": "Authority_Notification_INC-2025-001.pdf",
"description": "Initial notification, intermediate reports, and final report submitted to competent authority within required timelines",
"retention_period": "7 years",
"auditor_questions": [
"Show me all major incident reports submitted to authorities in the past year",
"For this incident, when did you become aware vs when did you submit the initial notification?",
"Did you meet the required reporting timelines?",
"Show me evidence that clients were informed of incidents affecting their financial interests"
],
"maturity_levels": {
"basic": "Major incidents reported to authorities within required timelines",
"intermediate": "Standardized reporting process, automated timeline tracking, client communication protocols",
"advanced": "Voluntary notification of significant cyber threats and near misses, cross-border impact assessment, automated authority notification integration"
},
"cross_references": ["NIS2:23"]
},
{
"regulation": "DORA",
"article": "24",
"requirement_summary": "Digital operational resilience testing programme",
"evidence_type": "test_result",
"artifact_name": "Digital Resilience Test Results",
"artifact_example": "Resilience_Test_Q1_2025.pdf",
"description": "Annual testing results for all ICT systems supporting critical/important functions with remediation tracking",
"retention_period": "5 years",
"auditor_questions": [
"Show me your digital operational resilience testing programme",
"What methodology do you use for testing (vulnerability assessments, penetration tests, scenario tests)?",
"How do you prioritize and remediate findings?",
"Show me evidence that all ICT systems and applications supporting critical or important functions were tested in the past year",
"How do you ensure independence of testers, and where internal testers are used, how are conflicts of interest avoided?"
],
"maturity_levels": {
"basic": "Annual testing performed on critical systems",
"intermediate": "Risk-based testing programme, independent testers, remediation validation",
"advanced": "Continuous testing, threat-led penetration testing (TLPT), automated remediation tracking"
},
"cross_references": []
},
{
"regulation": "DORA",
"article": "28",
"requirement_summary": "ICT third-party service provider register",
"evidence_type": "document",
"artifact_name": "Third-Party ICT Services Register",
"artifact_example": "Third_Party_Register_2025.xlsx",
"description": "Complete register of all ICT third-party arrangements distinguishing critical/important functions",
"retention_period": "Duration of contract + 7 years",
"auditor_questions": [
"Show me your complete ICT third-party register",
"Which services support critical or important functions?",
"For this critical provider, show me the due diligence performed before contracting",
"Show me your exit strategy for this critical provider",
"When did you last audit this provider? Show me the audit report"
],
"maturity_levels": {
"basic": "Register exists with critical/important function designation",
"intermediate": "Due diligence documented, audit schedules defined, exit strategies in place",
"advanced": "Continuous monitoring of provider risk, concentration risk analysis, automated contract compliance tracking"
},
"cross_references": []
},
{
"regulation": "DORA",
"article": "28",
"requirement_summary": "ICT third-party exit strategies",
"evidence_type": "document",
"artifact_name": "Provider Exit Strategy",
"artifact_example": "Exit_Strategy_AWS_CloudServices.pdf",
"description": "Documented exit plan for critical/important ICT services including transition procedures and testing results",
"retention_period": "Duration of contract + 5 years",
"auditor_questions": [
"Show me the exit strategy for this critical provider",
"Have you tested the exit strategy? Show me test results",
"How would you transition data and services to an alternative provider, or bring them back in-house?",
"What is your contingency plan if the provider fails unexpectedly?"
],
"maturity_levels": {
"basic": "Exit strategy documented for critical providers",
"intermediate": "Exit strategies tested periodically, alternative providers identified",
"advanced": "Automated data portability, multi-cloud architecture enabling rapid switchover"
},
"cross_references": []
},
{
"regulation": "GDPR",
"article": "32",
"requirement_summary": "Security of processing - technical and organizational measures",
"evidence_type": "document",
"artifact_name": "Security Measures Documentation",
"artifact_example": "GDPR_Security_Measures_2025.pdf",
"description": "Documentation of all technical and organizational measures to ensure security appropriate to the risk",
"retention_period": "Duration of processing + 3 years",
"auditor_questions": [
"Show me your documented security measures for processing personal data",
"How did you assess the appropriate level of security for this processing activity?",
"Show me evidence of pseudonymization and encryption where used",
"How do you regularly test and evaluate the effectiveness of these measures?"
],
"maturity_levels": {
"basic": "Basic security measures documented (encryption, access controls)",
"intermediate": "Risk-based security measures, regular effectiveness testing",
"advanced": "Continuous security monitoring, automated threat detection, security certifications (ISO 27001)"
},
"cross_references": ["DORA:6", "DORA:9", "NIS2:21"]
},
{
"regulation": "GDPR",
"article": "32",
"requirement_summary": "Security testing and evaluation",
"evidence_type": "test_result",
"artifact_name": "Security Testing Results",
"artifact_example": "Penetration_Test_Report_2025-01.pdf",
"description": "Regular testing results evaluating effectiveness of technical and organizational security measures",
"retention_period": "3 years",
"auditor_questions": [
"Show me your most recent security testing results",
"What testing methodologies do you use (penetration testing, vulnerability scanning)?",
"How frequently do you test security measures?",
"Show me evidence that identified vulnerabilities were remediated"
],
"maturity_levels": {
"basic": "Annual security testing performed",
"intermediate": "Quarterly testing, automated vulnerability scanning, remediation tracking",
"advanced": "Continuous security testing, bug bounty programs, red team exercises"
},
"cross_references": ["DORA:24"]
},
{
"regulation": "GDPR",
"article": "15",
"requirement_summary": "Data subject access requests - technical implementation",
"evidence_type": "log",
"artifact_name": "DSAR Processing Log",
"artifact_example": "DSAR_Log_2025.csv",
"description": "Log of all data subject access requests with processing timelines and outcomes",
"retention_period": "3 years",
"auditor_questions": [
"Show me your log of data subject access requests for the past year",
"What is your average response time? How many requests exceeded the one-month deadline (or the extended deadline, where an extension was notified to the data subject)?",
"For this request, show me the data extraction process used",
"How do you verify the identity of requesters before disclosing data, and how do you avoid collecting more data than is needed for that verification?"
],
"maturity_levels": {
"basic": "Manual DSAR processing, basic logging",
"intermediate": "Semi-automated data extraction, identity verification process, timeline tracking",
"advanced": "Fully automated DSAR portal with strong requester authentication, real-time data extraction, integration with all data systems"
},
"cross_references": []
},
{
"regulation": "GDPR",
"article": "33",
"requirement_summary": "Personal data breach notification to supervisory authority",
"evidence_type": "document",
"artifact_name": "Breach Notification to Authority",
"artifact_example": "DPA_Breach_Notification_2025-001.pdf",
"description": "Breach notification submitted to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, with all required information (and reasons for any delay)",
"retention_period": "7 years",
"auditor_questions": [
"Show me all personal data breach notifications in the past year",
"For this breach, when did you become aware vs when did you notify the DPA?",
"Did you meet the 72-hour deadline? If not, what were the reasons for delay?",
"Show me your documented breach assessment for why notification was/wasn't required"
],
"maturity_levels": {
"basic": "Breach notification process in place, timeline tracking",
"intermediate": "Automated breach detection, risk assessment templates, authority notification templates",
"advanced": "Real-time breach detection, automated risk scoring, integrated notification workflows"
},
"cross_references": ["DORA:19", "NIS2:23"]
},
{
"regulation": "GDPR",
"article": "25",
"requirement_summary": "Data protection by design and by default",
"evidence_type": "document",
"artifact_name": "Privacy by Design Assessment",
"artifact_example": "Privacy_Impact_Assessment_CustomerPortal.pdf",
"description": "Evidence of privacy-by-design principles applied to systems and processes, including default privacy settings",
"retention_period": "Duration of system operation",
"auditor_questions": [
"Show me how you implemented data protection by design in this new system",
"What privacy-enhancing technologies did you consider (pseudonymization, encryption)?",
"How do you ensure data minimization in your processing?",
"Show me evidence that privacy settings are set to most protective by default"
],
"maturity_levels": {
"basic": "Privacy considerations documented in system design",
"intermediate": "Privacy impact assessments mandatory for new systems, default privacy settings enforced",
"advanced": "Privacy engineering embedded in SDLC, automated privacy controls, privacy certifications"
},
"cross_references": []
},
{
"regulation": "NIS2",
"article": "21",
"requirement_summary": "Cybersecurity risk management measures",
"evidence_type": "document",
"artifact_name": "Cybersecurity Measures Documentation",
"artifact_example": "NIS2_Cybersecurity_Measures_2025.pdf",
"description": "Documentation of all 10 minimum cybersecurity measures listed in Article 21(2)(a)-(j), including policies, procedures, and controls",
"retention_period": "Duration of operations + 5 years",
"auditor_questions": [
"Show me your documented cybersecurity risk management measures",
"How do you implement multi-factor authentication across your systems?",
"Show me your supply chain security assessment process",
"How do you ensure basic cyber hygiene and conduct cybersecurity training?"
],
"maturity_levels": {
"basic": "All 10 mandatory measures documented",
"intermediate": "Measures regularly reviewed and updated, effectiveness assessed",
"advanced": "Continuous improvement based on threat intelligence, automated control monitoring"
},
"cross_references": ["DORA:6", "GDPR:32"]
},
{
"regulation": "NIS2",
"article": "23",
"requirement_summary": "Significant incident early warning (24 hours)",
"evidence_type": "document",
"artifact_name": "CSIRT Early Warning Notification",
"artifact_example": "CSIRT_Early_Warning_INC-2025-001.pdf",
"description": "Early warning submitted to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, followed by the 72-hour incident notification and the final report",
"retention_period": "7 years",
"auditor_questions": [
"Show me all early warnings submitted to CSIRT in the past year",
"For this incident, when did you become aware vs when did you submit the early warning?",
"Did you meet the 24-hour deadline?",
"How do you determine if an incident is 'significant' requiring notification?"
],
"maturity_levels": {
"basic": "Early warning process in place, timeline tracking",
"intermediate": "Automated incident significance assessment, CSIRT notification templates",
"advanced": "Real-time incident detection with automated CSIRT notifications, integrated workflows"
},
"cross_references": ["DORA:19"]
}
]