CRA-ASSESSMENT.md

May 30, 2026 Β· View on GitHub

Hack23 Logo

πŸ›‘οΈ Riksdagsmonitor β€” CRA Conformity Assessment

Evidence-Driven Conformity Through Systematic Assessment
Demonstrating CRA Compliance for Swedish Parliament Intelligence Platform

Owner Version Effective Date Review Cycle

πŸ“‹ Document Owner: CEO | πŸ“„ Version: 1.4 | πŸ“… Last Updated: 2026-05-06 (UTC) πŸ”„ Review Cycle: Quarterly | ⏰ Next Review: 2026-08-06 🏒 Owner: Hack23 AB (Org.nr 5595347807) | 🏷️ Classification: Public


🎯 Purpose Statement

Hack23 AB's CRA conformity assessment process demonstrates how systematic regulatory compliance directly enables business growth rather than creating operational burden. This assessment documents Riksdagsmonitor's compliance with the EU Cyber Resilience Act (CRA), providing evidence-based self-assessment of cybersecurity requirements for our Swedish Parliament intelligence platform.

As a cybersecurity consulting company, our approach to CRA compliance becomes a showcase of professional implementation, demonstrating to potential clients how systematic regulatory adherence creates competitive advantages through robust security foundations while enabling EU market access.

β€” James Pether SΓΆrling, CEO/Founder


πŸ” Purpose & Scope

This process provides a concise, repeatable CRA Conformity Assessment for Riksdagsmonitor. Aligns with CRA Annex I & V, Hack23 classification, secure development, and transparency policies.

Scope: Riksdagsmonitor platform within Asset Register requiring EU market placement.

Process Alignment: This assessment follows the CRA Conformity Assessment Process template and is governed by the Open Source Policy for open source compliance requirements.


πŸ“š Architecture Documentation Map

DocumentFocusDescription
πŸ›οΈ ArchitectureπŸ—οΈ C4 ModelsSystem context, containers, components
πŸ“Š Data ModelπŸ“Š DataEntity relationships and data dictionary
πŸ”„ FlowchartπŸ”„ ProcessesBusiness process and data flows
πŸ“ˆ State DiagramπŸ“ˆ StatesSystem state transitions and lifecycles
🧠 Mindmap🧠 ConceptsSystem conceptual relationships
πŸ’Ό SWOTπŸ’Ό StrategyStrategic analysis and positioning
πŸ”§ WorkflowsπŸ”§ DevOpsCI/CD automation and pipelines
πŸ›‘οΈ Security ArchitectureπŸ”’ SecurityCurrent security controls and design
🎯 Threat Model🎯 ThreatsSTRIDE/MITRE ATT&CK analysis
πŸ›‘οΈ CRA Assessment β­βš–οΈ ComplianceEU Cyber Resilience Act conformity

πŸ“š Reference Implementations

The following Hack23 AB projects demonstrate completed CRA assessments:

πŸš€ ProjectπŸ“¦ Product Type🏷️ CRA ClassificationπŸ“‹ Assessment StatusπŸ”— Reference Link
πŸ•΅οΈ CIA (Citizen Intelligence Agency)Political transparency platformStandard (Non-commercial OSS)βœ… CompleteπŸ“„ CRA Assessment
⚫ Black TrigramKorean martial arts gameStandard (Non-commercial OSS)βœ… CompleteπŸ“„ CRA Assessment
πŸ›‘οΈ CIA Compliance ManagerCompliance automation toolStandard (Non-commercial OSS)βœ… CompleteπŸ“„ CRA Assessment
πŸ—³οΈ RiksdagsmonitorParliament intelligence platformStandard (Non-commercial OSS)βœ… This DocumentπŸ“„ CRA Assessment

1️⃣ Project Identification

Supports CRA Annex V Β§ 1 - Product Description Requirements

FieldValue
πŸ“¦ ProductRiksdagsmonitor
🏷️ Version Tag0.4.1 (reflects current project state)
πŸ”— Repositoryhttps://github.com/Hack23/riksdagsmonitor
πŸ“§ Security Contactsecurity@hack23.org
🌐 Websitehttps://riksdagsmonitor.com
🎯 Purpose (1–2 lines)Static HTML/CSS intelligence platform monitoring Swedish Parliament (Riksdag) activity, providing 14-language dashboards with 50+ years of political data through CIA platform integration and automated news generation

πŸ“‹ Evidence Links:

  • πŸ—οΈ System Architecture: ARCHITECTURE.md β€” Complete C4 model architecture
  • πŸ” Security Architecture: SECURITY_ARCHITECTURE.md β€” Defense-in-depth security controls
  • πŸ›‘οΈ Future Security Vision: FUTURE_SECURITY_ARCHITECTURE.md β€” Security roadmap
  • πŸ“Š Data Architecture: DATA_MODEL.md β€” Data structures, schemas, relationships
  • πŸ”„ Process Workflows: FLOWCHART.md β€” Data processing and CI/CD workflows
  • 🧠 System Overview: MINDMAP.md β€” Conceptual system relationships
  • 🎯 Strategic Analysis: SWOT.md β€” Strategic assessment
  • 🎯 Threat Analysis: THREAT_MODEL.md β€” STRIDE and MITRE ATT&CK mapping
  • πŸ”§ CI/CD Pipelines: WORKFLOWS.md β€” 43 workflow automation documentation

πŸ“Š Project Status & Quality Badges:

GitHub Release OpenSSF Scorecard

Quality Checks CodeQL TypeScript & JavaScript Testing

πŸ“‹ Data Sources Evidence:

  • πŸ›οΈ Swedish Parliament: data.riksdagen.se β€” Parliamentary members, committees, documents, votes
  • πŸ—³οΈ Election Authority: val.se β€” Election data, parties, voting results
  • πŸ“Š SCB (Statistics Sweden): scb.se β€” PxWebAPI 2.0 (scb-mcp) β€” official Swedish statistics (economy, labour, population, education, environment)
  • 🌍 World Bank Open Data: data.worldbank.org β€” WGI governance, environment, long-horizon social/education (world-bank-mcp)
  • 🌐 IMF Open Data: data.imf.org β€” macro/fiscal/monetary/external-sector freshness + T+5 projections (WEO, Fiscal Monitor, IFS, GFS_COFOG); consumed via pure-TypeScript client scripts/imf-client.ts (Datamapper JSON + SDMX 3.0) β€” not an MCP server, SBOM-covered via npm (ADR 0001)
  • πŸ•΅οΈ CIA Platform: Citizen Intelligence Agency β€” 19 intelligence products, risk assessments, analytics

2️⃣ CRA Scope & Classification

Supports CRA Article 6 - Scope and Article 7 - Product Classification Assessment

🏒 CRA Applicability (Select One):

Non-commercial OSS

🌐 Distribution Method (Select One):

Community

πŸ“‹ CRA Classification (Select One):

Standard

πŸ“ CRA Scope Justification: Riksdagsmonitor is a non-commercial open-source static website providing Swedish Parliament transparency services through data visualization and news generation. As a volunteer-driven initiative with community distribution via GitHub under Apache 2.0 license, it falls under non-commercial OSS with Standard CRA classification enabling self-assessment approach. The static site architecture (HTML/CSS/JS with no server-side execution) significantly reduces the attack surface compared to traditional web applications.

πŸ“‹ Classification Evidence:

πŸ” Classification Impact:

  • Standard: Self-assessment approach (this document provides evidence)
  • Class I/II: Would require notified body assessment + additional documentation

3️⃣ Technical Documentation

Supports CRA Annex V Β§ 2 - Technical Documentation Requirements

πŸ—οΈ CRA Technical AreaπŸ“ Implementation SummaryπŸ“‹ Evidence Location
🎨 Product Architecture (Annex V § 2.1)Static HTML/CSS website with C4 architecture model. Deployed on AWS CloudFront (us-east-1 primary, eu-west-1 replica) with GitHub Pages DR. 14-language support, Chart.js/D3.js dashboardsARCHITECTURE.md + SECURITY_ARCHITECTURE.md + MINDMAP.md
πŸ“¦ SBOM & Components (Annex I Β§ 1.1)npm package management with package-lock.json. Dependabot automated dependency scanning. OpenSSF Scorecard monitoring. News pipeline additions (2026 Q1): unified, remark-parse, remark-gfm, remark-rehype, rehype-raw, rehype-sanitize, rehype-slug, rehype-autolink-headings, rehype-stringify, gray-matter β€” all npm-managed, version-pinned in package-lock.json, Dependabot-grouped under dependencies. mermaid loaded as ESM from the same package for client-side diagram rendering (strict-mode; no eval).package.json + Dependabot Config + OpenSSF Scorecard
πŸ” Cybersecurity Controls (Annex I Β§ 1.2)Static site architecture (no server-side execution), HTTPS-only via CloudFront/GitHub Pages, CSP headers, SRI for CDN assets, SHA-pinned GitHub Actions, step-security/harden-runner. News pipeline additions: rehype-sanitize allow-list enforced at the trust boundary between AI-authored markdown and published HTML; Mermaid rendered in securityLevel: 'strict' (no eval, no click handlers); SHA-256 manifest in .manifest.json sibling to each article.md for tamper detection. Agentic control-plane additions (v0.9.40): 23 required analysis artifacts, analysis gate checks 1–9b, methodology-reflection validator, safe-output PR boundary, Squid + iptables egress firewall.SECURITY_ARCHITECTURE.md Β§Political Intelligence Security Surface + THREAT_MODEL.md TB-PI series
πŸ›‘οΈ Supply Chain Security (Annex I Β§ 1.3)SHA-pinned GitHub Actions, Dependabot automation, OpenSSF Scorecard monitoring, CodeQL analysis, dependency review workflow, step-security/harden-runner egress auditingWORKFLOWS.md + OpenSSF Scorecard
πŸ”„ Update Mechanism (Annex I Β§ 1.4)Automated CI/CD pipeline via GitHub Actions with security scanning (CodeQL, dependency review), dual deployment (S3 + GitHub Pages), version management via release workflowWORKFLOWS.md + Release Workflow
πŸ“Š Security Monitoring (Annex I Β§ 1.5)GitHub Security Dashboard (code scanning, secret scanning, Dependabot alerts), Lighthouse CI performance monitoring, uptime monitoring, AWS CloudWatch/CloudFront metricsSECURITY_ARCHITECTURE.md + WORKFLOWS.md
🏷️ Data Protection (Annex I Β§ 2.1)No personal data collection. Public political data only. GDPR compliant by design β€” static site with no user accounts, no cookies, no tracking. All data sourced from public government APIsDATA_MODEL.md + THREAT_MODEL.md
πŸ“š User Guidance (Annex I Β§ 2.2)Comprehensive README with deployment instructions, architecture documentation, security configuration guidesREADME.md + ARCHITECTURE.md + SECURITY_ARCHITECTURE.md
πŸ” Vulnerability Disclosure (Annex I Β§ 2.3)Public vulnerability disclosure policy via GitHub Security Advisories, coordinated disclosure process, 48h acknowledgment timelineSECURITY.md + Security Advisories

πŸ“‹ Comprehensive ISMS Integration:


4️⃣ Risk Assessment

Supports CRA Annex V Β§ 3 - Risk Assessment Documentation

Reference: πŸ“Š Risk Assessment Methodology and ⚠️ Risk Register

🚨 CRA Risk Category🎯 AssetπŸ“Š LikelihoodπŸ’₯ Impact (C/I/A)πŸ›‘οΈ CRA Control Implementationβš–οΈ ResidualπŸ“‹ Evidence
Supply Chain Attack (Art. 11)Build pipeline & npm dependenciesMH/H/MSHA-pinned GitHub Actions + Dependabot automation + step-security/harden-runner egress audit + OpenSSF Scorecard monitoring + dependency review workflowLWORKFLOWS.md + OpenSSF Scorecard
Website Defacement (Art. 11)Static website content & dashboardsMM/H/MBranch protection rules + required PR reviews + CodeQL scanning + dual deployment (S3 + GitHub Pages) for DRLSECURITY_ARCHITECTURE.md + THREAT_MODEL.md
Data Integrity Attack (Art. 11)Political data & news contentML/H/MCIA data validation schemas + automated translation validation + multi-source data verification + git-based audit trailLDATA_MODEL.md + WORKFLOWS.md
AI Content Manipulation (Art. 11)AI-authored analysis artifacts β†’ rendered news HTMLMM/H/Lrehype-sanitize allow-list at trust boundary (blocks <script>, <iframe>, inline handlers, javascript: URIs); Mermaid rendered in securityLevel: 'strict' (no eval); SHA-256 manifest per article for tamper detection; analysis gate checks 1–9b; methodology-reflection validator; 23-artifact completeness gate; mandatory human PR reviewMSECURITY_ARCHITECTURE.md Β§Political Intelligence Security Surface + THREAT_MODEL.md TB-PI series + WORKFLOWS.md
CDN/Infrastructure Compromise (Art. 11)CloudFront distribution & S3 storageLM/H/HAWS multi-region deployment + SRI for CDN assets + GitHub Pages DR failover + HTTPS-only + TLS 1.3LSECURITY_ARCHITECTURE.md + ARCHITECTURE.md
Component Vulnerability (Art. 11)npm dependencies (Chart.js, D3.js, Vite)MM/H/MDependabot updates + CodeQL scanning + dependency review workflow + SRI hashes for CDN assetsLSecurity Scanning + Dependabot

βš–οΈ CRA Risk Statement: LOW β€” Static site architecture eliminates entire categories of server-side vulnerabilities. Comprehensive security controls and evidence-based monitoring support CRA essential cybersecurity requirements. βœ… Risk Acceptance: James SΓΆrling, CEO Hack23 AB β€” February 2026

πŸ“‹ Risk Management Framework Evidence:


5️⃣ Essential Cybersecurity Requirements

Supports CRA Annex I - Essential Requirements Self-Assessment

πŸ“‹ CRA Annex I Requirementβœ… StatusπŸ“‹ Implementation Evidence
πŸ›‘οΈ Β§ 1.1 - Secure by Design[x]Defense-in-depth Architecture β€” Static site architecture eliminates server-side attack vectors. CSP headers, SRI hashes, HTTPS-only, multi-region deployment
πŸ”’ Β§ 1.2 - Secure by Default[x]Static HTML/CSS with no server-side execution. No user accounts, no cookies, no tracking. Security Architecture documents secure defaults
🏷️ Β§ 2.1 - Personal Data Protection[x]No personal data collection β€” GDPR compliant by design. Public political data only. Data Model documents data handling
πŸ” Β§ 2.2 - Vulnerability Disclosure[x]SECURITY.md with GitHub Security Advisories, coordinated disclosure, 48h acknowledgment. Vulnerability Management
πŸ“¦ Β§ 2.3 - Software Bill of Materials[x]package.json + package-lock.json provide complete dependency inventory. Dependabot provides continuous SCA
πŸ” Β§ 2.4 - Secure Updates[x]Automated CI/CD pipeline with CodeQL, dependency review, SHA-pinned actions. WORKFLOWS.md documents 43 workflows
πŸ“Š Β§ 2.5 - Security Monitoring[x]GitHub Security Dashboard (code scanning, secret scanning, Dependabot), Lighthouse CI, uptime monitoring. SECURITY_ARCHITECTURE.md
πŸ“š Β§ 2.6 - Security Documentation[x]Complete architecture documentation portfolio: ARCHITECTURE.md, SECURITY_ARCHITECTURE.md, THREAT_MODEL.md, DATA_MODEL.md + 6 future-state documents

🎯 CRA Self-Assessment Status: EVIDENCE_DOCUMENTED

πŸ” Security Implementation Evidence:

  • πŸ›‘οΈ Static Site Security: No server-side code execution eliminates SQL injection, RCE, SSRF, and authentication bypass vulnerabilities
  • πŸ”’ Transport Security: HTTPS-only via AWS CloudFront (TLS 1.3) and GitHub Pages
  • πŸ“Š Supply Chain: SHA-pinned GitHub Actions, Dependabot, CodeQL, step-security/harden-runner
  • πŸ” Content Integrity: Subresource Integrity (SRI) for CDN-loaded Chart.js and D3.js libraries

6️⃣ Conformity Assessment Evidence

Supports CRA Article 19 - Conformity Assessment Documentation

πŸ“Š Quality & Security Automation Status:

Reference: πŸ› οΈ Secure Development Policy

πŸ§ͺ Control🎯 Requirementβœ… ImplementationπŸ“‹ Evidence
πŸ§ͺ Unit TestingComprehensive test coverageβœ… ImplementedVitest β€” 7,500+ tests across 237 test files
🌐 E2E TestingCritical user journeys validatedβœ… ImplementedCypress E2E β€” Multi-language homepage, dashboard, accessibility
πŸ” SAST ScanningZero critical/high vulnerabilitiesβœ… ImplementedCodeQL Analysis
πŸ“¦ SCA ScanningZero critical unresolved dependenciesβœ… ImplementedDependabot Alerts + Dependency Review
πŸ”’ Secret ScanningZero exposed secrets/credentialsβœ… ImplementedGitHub Secret Scanning + Push protection enabled
πŸ“Š Quality GatesHTML validation + link checkingβœ… ImplementedQuality Checks β€” HTMLHint + linkinator
πŸ” Supply ChainSHA-pinned actions + egress auditβœ… ImplementedOpenSSF Scorecard + step-security/harden-runner
πŸ“ˆ PerformanceLighthouse CI monitoringβœ… ImplementedLighthouse CI β€” Core Web Vitals tracking

πŸŽ–οΈ Security & Compliance Badges:

πŸ” Supply Chain Security: OpenSSF Scorecard

πŸ›‘οΈ Security Scanning: CodeQL Dependency Review Scorecards

πŸ“Š Quality & Testing: Quality Checks TypeScript & JavaScript Testing

βš–οΈ License: license


7️⃣ Post-Market Surveillance

Supports CRA Article 23 - Obligations of Economic Operators

Reference: 🌐 ISMS Transparency Plan and πŸ“Š Security Metrics

πŸ“‘ CRA Monitoring ObligationπŸ”§ Implementation⏱️ Frequency🎯 Action TriggerπŸ“‹ Evidence
πŸ” Vulnerability Monitoring (Art. 23.1)Dependabot + GitHub advisories + CodeQL scanning + dependency reviewContinuousAuto-create security issues and PRsDependabot Alerts + Security Advisories
🚨 Incident Reporting (Art. 23.2)GitHub Security Dashboard + AWS CloudWatch + CloudFront access logsReal-timeENISA 24h notification prep via ISMS incident responseSECURITY.md + Incident Response Plan
πŸ“Š Security Posture Tracking (Art. 23.3)OpenSSF Scorecard + Lighthouse CI + uptime monitoringWeekly/DailyScore decline investigation via automated alertsOpenSSF Scorecard
πŸ”„ Update Distribution (Art. 23.4)Automated GitHub releases + dual deployment (S3 + GitHub Pages) + CI/CD pipelineAs neededCritical vulnerability patches via secure CI/CD pipelineRelease Management + WORKFLOWS.md

πŸ“‹ CRA Reporting Readiness: Documentation and procedures prepared for ENISA incident reporting per 🚨 Incident Response Plan

πŸ”— ISMS Monitoring Integration:


8️⃣ EU Declaration of Conformity

Supports CRA Article 28 - EU Declaration of Conformity

🏒 Manufacturer: Hack23 AB, Gothenburg, Sweden πŸ“¦ Product: Riksdagsmonitor v0.9.40 πŸ“‹ CRA Compliance: Self-assessment documentation supporting CRA essential cybersecurity requirements evaluation πŸ” Assessment: Self-assessment documentation per Article 24 (non-commercial OSS with standard classification) πŸ“Š Standards: ISO/IEC 27001 security framework + OWASP web security guidelines + NIST SSDF secure development

πŸ“… Date & Signature: 2026-05-06 β€” James SΓΆrling, CEO Hack23 AB

πŸ“‚ Technical Documentation: This assessment + evidence bundle supports CRA Annex V technical documentation requirements


9️⃣ Assessment Completion & Approval

Supports CRA Article 16 - Quality Management System Documentation

πŸ“Š CRA Self-Assessment Summary

Overall CRA Documentation Status: EVIDENCE_DOCUMENTED

Key CRA Documentation Areas:

  • βœ… Annex I essential requirements documented with comprehensive evidence links
  • βœ… Annex V technical documentation comprehensively structured
  • βœ… Article 11 security measures implemented and documented
  • βœ… Article 23 post-market surveillance procedures operational

Static Site Security Advantage: Riksdagsmonitor's static site architecture provides inherent security benefits:

  • No server-side code execution (eliminates SQL injection, RCE, SSRF)
  • No user authentication/session management (eliminates authentication bypass, session hijacking)
  • No database (eliminates data breach risks)
  • No cookies/tracking (GDPR compliant by design)
  • CDN-distributed content (inherent DDoS resilience)

βœ… Formal Approval

πŸ‘€ RoleπŸ“ NameπŸ“… Date✍️ Assessment Attestation
πŸ”’ CRA Security AssessmentJames SΓΆrling2026-05-06Essential requirements documented with comprehensive evidence
🎯 Product ResponsibilityJames Sârling2026-05-06Technical documentation complete and publicly accessible
βš–οΈ Legal Compliance ReviewJames SΓΆrling2026-05-06EU regulatory documentation requirements satisfied

πŸ“Š CRA Assessment Status: SELF_ASSESSMENT_DOCUMENTED


🎨 CRA Assessment Maintenance

πŸ“‹ Update Triggers

Per CRA Article 15 - Substantial Modification

CRA assessment updated only when changes constitute "substantial modification" under CRA:

  1. πŸ—οΈ Security Architecture Changes: New trust boundaries, encryption, or deployment topology
  2. πŸ›‘οΈ Essential Requirement Impact: Changes affecting Annex I compliance
  3. πŸ“¦ Critical Dependencies: New supply chain components with security implications (e.g., new CDN libraries)
  4. πŸ” Risk Profile Changes: New threats or vulnerability classes affecting political data integrity
  5. βš–οΈ Regulatory Updates: CRA implementing acts or guidance changes

🎯 Maintenance Principle: Assessment stability preferred β€” avoid routine updates that don't impact CRA compliance


πŸ“š CRA Regulatory Alignment

πŸ” CRA Article Cross-References

  • Article 6: Scope determination β†’ Section 2 (CRA Classification)
  • Article 11: Essential cybersecurity requirements β†’ Section 5 (Requirements Assessment)
  • Article 19: Conformity assessment β†’ Section 6 (Evidence Documentation)
  • Article 23: Post-market obligations β†’ Section 7 (Surveillance Documentation)
  • Article 28: Declaration of conformity β†’ Section 8 (DoC Template)
  • Annex I: Technical requirements β†’ Section 5 (Requirements self-assessment mapping)
  • Annex V: Technical documentation β†’ Complete template structure

🌐 ISMS Integration Benefits

  • πŸ”„ Operational Continuity: CRA self-assessment integrated with existing security operations
  • πŸ“Š Evidence Reuse: Security metrics and monitoring serve dual ISMS/CRA documentation purposes
  • 🎯 Business Value: CRA readiness demonstrates cybersecurity consulting expertise
  • 🀝 Client Confidence: Transparent self-assessment showcases professional implementation methodology

πŸ“‹ Complete ISMS Policy Framework

πŸ” Core Security Governance

πŸ›‘οΈ Security Control Implementation

βš™οΈ Operational Excellence Framework

🚨 Incident Response & Recovery

πŸ“Š Performance Management & Compliance


πŸ”“ Open Source Policy Conformity

Demonstrating compliance with Hack23 AB Open Source Policy

πŸŽ–οΈ Security Posture Evidence (OSP Β§1)

RequirementStatusEvidence
OpenSSF Scorecard β‰₯7.0βœ… ActiveOpenSSF Scorecard
Quality Gate Passedβœ… ActiveQuality Checks Workflow
License Badgeβœ… Activelicense
Threat Model Publishedβœ… ActiveThreat Model
STRIDE Analysis Completeβœ… ActiveSTRIDE Analysis

πŸ“‹ Governance Artifacts (OSP Β§2)

Required ArtifactStatusEvidence
SECURITY_ARCHITECTURE.mdβœ… PresentSECURITY_ARCHITECTURE.md β€” Defense-in-depth with Mermaid diagrams
FUTURE_SECURITY_ARCHITECTURE.mdβœ… PresentFUTURE_SECURITY_ARCHITECTURE.md β€” Security roadmap
SECURITY.mdβœ… PresentSECURITY.md β€” Coordinated vulnerability disclosure
WORKFLOWS.mdβœ… PresentWORKFLOWS.md β€” CI/CD pipeline with security gates
LICENSEβœ… Apache 2.0LICENSE β€” OSI-approved
CRA-ASSESSMENT.mdβœ… PresentThis document
CODE_OF_CONDUCT.mdβœ… PresentCODE_OF_CONDUCT.md β€” Community standards
CONTRIBUTING.mdβœ… PresentCONTRIBUTING.md β€” Contribution guidelines
README.mdβœ… PresentREADME.md β€” Includes project classification section

πŸ”’ Security Implementation (OSP Β§3)

RequirementStatusEvidence
Supply Chain: Dependency Scanningβœ… AutomatedDependabot Config
Supply Chain: SHA-pinned Actionsβœ… EnforcedWORKFLOWS.md β€” All Actions pinned to SHA
Supply Chain: step-security/harden-runnerβœ… ActiveEgress auditing on all workflows
Vulnerability Management SLAβœ… ActiveSECURITY.md β€” Coordinated disclosure + Dependabot auto-remediation
SAST: CodeQLβœ… ActiveCodeQL Workflow
SCA: Dependency Reviewβœ… ActiveDependency Review Workflow
Secret Scanningβœ… ActiveSecurity Overview

πŸ“Š License Compliance (OSP Β§4)

RequirementStatusEvidence
Primary License: Apache 2.0βœ… Approved (Permissive)LICENSE
Dependencies: Permissive Licensesβœ… All permissivenpm dependencies under MIT/ISC/Apache 2.0/BSD
No Prohibited Licensesβœ… VerifiedNo AGPL/GPL/advertising-clause licenses in dependency tree

🏷️ Classification & Documentation (OSP §5)

RequirementStatusEvidence
CIA Triad Classificationβœ… DeclaredPublic / High Integrity / High Availability
Business Impact Assessmentβœ… DocumentedSWOT.md + CRA Risk Assessment
RTO/RPO Objectivesβœ… DefinedRTO: <24h (Medium) / RPO: <24h (Daily)

πŸ” Data Protection (OSP Β§6)

RequirementStatusEvidence
No PII/GDPR dataβœ… CompliantNo personal data collection β€” static site, no user accounts
No production credentialsβœ… CompliantGitHub secret scanning active
Public data onlyβœ… CompliantAll data sourced from public government APIs

🀝 Third-Party Contributions (OSP §7)

RequirementStatusEvidence
Contribution guidelinesβœ… PublishedCONTRIBUTING.md
Code of Conductβœ… PublishedCODE_OF_CONDUCT.md
PR review processβœ… ActiveBranch protection + required reviews

πŸ“‹ CRA Conformity Assessment Process Alignment

Demonstrating compliance with Hack23 AB CRA Conformity Assessment Process

Process Step Completion Matrix

Process StepTemplate SectionStatusRiksdagsmonitor Evidence
1️⃣ Project IdentificationCRA Annex V Β§1βœ… CompleteSection 1 β€” Product description, badges, data sources
2️⃣ CRA Scope & ClassificationCRA Art. 6-7βœ… CompleteSection 2 β€” Non-commercial OSS, Standard, Community distribution
3️⃣ Technical DocumentationCRA Annex V Β§2βœ… CompleteSection 3 β€” 9 CRA technical areas documented with evidence links
4️⃣ Risk AssessmentCRA Annex V Β§3βœ… CompleteSection 4 β€” 6 risk categories assessed with residual risk
5️⃣ Essential RequirementsCRA Annex Iβœ… CompleteSection 5 β€” 13 essential requirements mapped
6️⃣ Conformity EvidenceCRA Art. 19βœ… CompleteSection 6 β€” Badges, CI/CD evidence, release artifacts
7️⃣ Post-Market SurveillanceCRA Art. 23βœ… CompleteSection 7 β€” Monitoring, reporting, update mechanisms
8️⃣ Declaration of ConformityCRA Art. 28βœ… DraftSection 8 β€” DoC template ready for formal placement
9️⃣ Assessment ApprovalInternalβœ… CompleteSection 9 β€” CEO approval documented

Classification Selections

Classification DimensionSelected ValueJustification
πŸͺ Market CategoryOSSApache 2.0 licensed, freely available on GitHub
πŸ›‘οΈ ConfidentialityPublicAll data from public government sources
βœ… IntegrityHighPolitical data accuracy is essential for democratic trust
⏱️ AvailabilityHigh99.998% design availability (AWS CloudFront multi-region + GitHub Pages DR), automated failover
πŸ• RTOMediumGitHub Pages DR available within hours
πŸ”„ RPODailyGit-based continuous backup, daily content generation
🏒 CRA ApplicabilityNon-commercial OSSVolunteer-driven, no revenue model
🌐 DistributionCommunityGitHub public repository
πŸ“‹ CRA ClassificationStandardNot in Annex III/IV critical categories

Control-by-Control CRA Requirements Mapping

CRA Annex I Part I β€” Essential Cybersecurity Requirements

This section provides a systematic mapping of all 13 essential cybersecurity requirements from CRA Annex I, Part I to Riksdagsmonitor implementations.

Req #Annex I RequirementRiksdagsmonitor ImplementationEvidenceCompliance Status
1Products with digital elements shall be designed, developed and produced with appropriate security, considering the risks during developmentStatic HTML/CSS/JS architecture eliminates server-side attack surface. Secure development lifecycle with threat modeling (THREAT_MODEL.md), security architecture (SECURITY_ARCHITECTURE.md), and annual security reviewsTHREAT_MODEL.md, SECURITY_ARCHITECTURE.md, GitHub CodeQL scan resultsCOMPLIANT
2Products shall be delivered without known exploitable vulnerabilitiesDependabot automated vulnerability scanning, npm audit in CI/CD, CodeQL SAST analysis, no known CVEs in production dependencies. Pre-deployment security gate in GitHub ActionsGitHub Security tab - 0 open critical/high alerts, npm audit reports in CI logsCOMPLIANT
3Products shall have secure by default configurations, including possibility to reset to factory settingsNo configuration required by end users. Static site has no user-configurable settings. TLS 1.3 enforced by GitHub Pages/CloudFront. CSP headers set by defaultGitHub Pages HTTPS enforcement, CloudFront TLS policy, HTTP response headersCOMPLIANT
4Products shall protect against unauthorized access through appropriate access control mechanismsRepository protected by GitHub authentication and branch protection rules. No public write access. Least privilege permissions in GitHub Actions workflows. GitHub Secrets for credential storageGitHub branch protection settings, workflow permissions YAML, GitHub Actions audit logCOMPLIANT
5Products shall protect the confidentiality of data by appropriate means including encryption of data at rest and in transitAll data in transit protected by TLS 1.3 enforced via GitHub Pages and CloudFront. No sensitive data at rest (all content is public political data). No PII collected or processedCloudFront TLS 1.3 configuration, HSTS headers, no-cookie policyCOMPLIANT
6Products shall protect the integrity of data in transit and stored data against manipulationSLSA provenance attestation (Level 2+), Sigstore signing, Git commit signatures, GitHub content integrity guarantees. Article-level SHA-256 planned Q3 2026SLSA attestation in GitHub Actions, Sigstore transparency log, Git commit signature verification, GitHub repository content integrity documentationCOMPLIANT
7Products shall process only data, both personal and other, that is adequate, relevant and limited to what is necessaryZero PII collected. Platform processes only publicly available Riksdag political data. No analytics cookies. No user tracking. Data minimization by designPrivacy policy (no-cookie design), source code review showing no PII collectionCOMPLIANT
8Products shall protect the availability of essential functions including protection against denial of service attacksAWS CloudFront CDN with DDoS protection at edge. GitHub Pages provides secondary availability. Route 53 health-check-based failover. 99.998% availability targetCloudFront Shield Standard coverage, BCPPlan.md, dual-deployment architectureCOMPLIANT
9Products shall minimize the negative impact on the availability of services provided by other devices or networksStatic site generates no outbound network calls from user browsers beyond CDN. MCP pipeline calls are server-side in GitHub Actions (controlled, rate-limited)Source code showing no user-browser-initiated external calls, rate limiting in MCP clientCOMPLIANT
10Products shall be designed, developed and produced to limit attack surfaces, including external interfacesAttack surface minimized: no database, no server-side code, no user input forms, no cookies. Only surfaces: HTTPS static file serving, GitHub API (authenticated). No exposed portsArchitecture.md showing static-only design, no open ports analysisCOMPLIANT
11Products shall be designed, developed and produced to reduce the impact of an incident including through appropriate mechanisms for resilienceAutomatic failover (CloudFront origin failover <30s, DNS failover <15min). Complete Git history for rollback. Incident response procedures in BCPPlan.md and ISMS. No persistent state to loseBCPPlan.md dual-deployment, RTO metrics, Git rollback capabilityCOMPLIANT
12Products shall record and/or monitor relevant internal activities in order to detect and investigate cybersecurity incidentsGitHub Actions audit logs, CloudFront access logs, GitHub Security alerts, OpenSSF Scorecard monitoring, automated Dependabot alerts. step-security/harden-runner egress monitoringGitHub Audit Log API, CloudFront log groups, Security tab alert historyCOMPLIANT
13Products shall ensure that vulnerabilities can be addressed through security updates including, where technically possible, automatic updatesDependabot automated PRs for dependency updates. GitHub Actions automated vulnerability notifications. Security contact (security@hack23.com) for coordinated disclosure. SECURITY.md outlines update processDependabot configuration, SECURITY.md, coordinated disclosure policyCOMPLIANT

CRA Annex I Part II β€” Vulnerability Handling Requirements

Req #Annex I Part II RequirementRiksdagsmonitor ImplementationEvidenceCompliance Status
1Identify and document vulnerabilities and components contained in the product, including by drawing up a software bill of materialsnpm package-lock.json provides complete dependency graph. Dependabot monitors all dependencies. SBOM generation planned for 2027 via GitHub SBOM featurepackage-lock.json, npm audit output, Dependabot alertsPARTIAL β€” SBOM automation planned 2027
2Address vulnerabilities without delay including by providing security updatesCritical: <7 days. High: <30 days. Medium: <90 days. Dependabot auto-PRs for patch releases. Manual review for major version upgradesDependabot configuration, vulnerability management in ISMS, MTTP metricsCOMPLIANT
3Apply effective and regular testing and reviews of the security of products with digital elementsCodeQL SAST on every PR and commit. Dependabot daily scans. Quarterly threat model review. Annual security architecture review. OpenSSF Scorecard monthlyGitHub Actions security scan results, CodeQL alerts, Scorecard historyCOMPLIANT
4After becoming aware of a vulnerability, share information about it with ENISA without undue delayENISA reporting procedure: notify via security@hack23.com internal triage, then report to ENISA vulnerability database within 72 hours for critical issuesISMS Incident Response Plan, coordinated disclosure procedureCOMPLIANT β€” procedure documented
5Establish and document a coordinated vulnerability disclosure policySECURITY.md contains full coordinated vulnerability disclosure policy. security@hack23.com for reporting. 90-day disclosure timeline. Response SLA: acknowledge within 5 business daysSECURITY.md public policyCOMPLIANT
6Take measures to facilitate the sharing of information about vulnerabilities in the productPublic GitHub Security Advisories for all confirmed vulnerabilities. SECURITY.md disclosure policy. GitHub private vulnerability reporting enabledGitHub Security Advisories tab, SECURITY.mdCOMPLIANT
7Provide for a mechanism for coordinating the vulnerability disclosure process with other manufacturers or security researcherssecurity@hack23.com receives all vulnerability reports. GitHub private vulnerability reporting. Coordinated disclosure gives reporters credit. No retaliation policySECURITY.md safe harbor clauseCOMPLIANT
8As long as products are supported, make available without delay security updates to address vulnerabilitiesImmediate security updates for critical vulnerabilities. Automated Dependabot PRs for all vulnerable dependencies. Auto-merge configured for patch-level security updatesDependabot auto-merge configuration, security update historyCOMPLIANT

CRA Conformity Assessment Approach

Assessment Method: Self-Assessment (Module A - Internal Production Control)

Riksdagsmonitor qualifies for self-assessment under CRA Article 32(1) as it is:

  • A standard product with digital elements (not critical or important category per Annex III/IV)
  • Non-commercial open-source software distributed publicly without charge
  • A civic transparency tool with low risk profile (no safety functions, no critical infrastructure)

Self-Assessment Process:

  1. Technical Documentation (CRA Annex V): Complete β€” this document and linked ISMS documents
  2. Design and Development Assessment: Complete β€” THREAT_MODEL.md, SECURITY_ARCHITECTURE.md
  3. Production Controls: Complete β€” CI/CD pipeline with security gates documented in WORKFLOWS.md
  4. Conformity Declaration: Template in Section 8 of this document
  5. CE Marking: Applicable upon formal EU market placement (currently pre-commercial)

Assessment Conclusion:

CRA AreaRequirementsCompliantPartialNon-Compliant
Annex I Part I131300
Annex I Part II8710
Annex V DocumentationCompleteYesβ€”β€”
Vulnerability HandlingPolicy existsYesβ€”β€”
Overall212010

Open Item: SBOM automation (Annex I Part II Req 1) β€” planned Q1 2027 via GitHub SBOM generation feature.



CRA Readiness Checklist for Future Versions

This section provides a forward-looking readiness checklist for when Riksdagsmonitor formally enters EU market distribution as a commercial product.

Pre-Market Readiness Assessment

AreaRequirementCurrent ReadinessAction RequiredTarget Date
Technical DocumentationCRA Annex V complete documentation95% completeFinalize SBOM generationQ1 2027
Conformity AssessmentSelf-assessment completed and documented90% completeFormal declaration of conformityQ2 2027
Vulnerability Handling PolicyPublished and accessible100%None - SECURITY.md completeDone
Security Update ProcessDocumented and operational100%None - Dependabot + MTTP policyDone
Coordinated DisclosurePolicy and contact established100%None - security@hack23.comDone
CE MarkingRequired for EU market productsNot yetApply after conformity assessment2027
ENISA ReportingIncident reporting procedure85%Document ENISA contact and timelineQ2 2026
SBOMSoftware Bill of MaterialsPartialImplement GitHub SBOM generationQ1 2027
Post-Market SurveillanceOngoing monitoring plan80%Formalize surveillance process docQ3 2026

Security Update Lifecycle Timeline

flowchart LR
    VULN_DISCOVERED[Vulnerability Discovered] --> ASSESS[Severity Assessment]
    ASSESS --> CRITICAL{Critical CVSS 9+?}
    CRITICAL -->|Yes| PATCH_7[Patch within 7 days]
    CRITICAL -->|No| HIGH{High CVSS 7-8.9?}
    HIGH -->|Yes| PATCH_30[Patch within 30 days]
    HIGH -->|No| MED{Medium CVSS 4-6.9?}
    MED -->|Yes| PATCH_90[Patch within 90 days]
    MED -->|No| PATCH_SCHED[Patch in next release]
    PATCH_7 --> DEPLOY[Deploy Security Update]
    PATCH_30 --> DEPLOY
    PATCH_90 --> DEPLOY
    PATCH_SCHED --> DEPLOY
    DEPLOY --> NOTIFY[Notify via SECURITY.md Advisory]
    NOTIFY --> ENISA_CHECK{Significant incident?}
    ENISA_CHECK -->|Yes| ENISA_REPORT[Report to ENISA within 24h]
    ENISA_CHECK -->|No| CLOSE[Close Vulnerability Record]
    ENISA_REPORT --> CLOSE

CRA Article 13 Manufacturer Obligations Tracking

ObligationArticleImplementationStatus
Design and produce with appropriate cybersecurity13(1)Secure SDLC, STRIDE threat modelingDone
Deliver without known exploitable vulnerabilities13(2)Dependabot, npm audit, CodeQL pre-deployDone
Perform vulnerability assessment13(3)Quarterly threat model reviewDone
Apply security updates without undue delay13(4)Dependabot auto-merge, MTTP policyDone
Ensure security for expected lifetime13(5)Lifecycle support policy documentedDone
Set support period in declaration of conformity13(6)Support period: 5 years from last releasePlanned
Provide security updates for support period13(7)Dependabot + manual review ongoingDone
Notify ENISA of actively exploited vulnerabilities13(8)ENISA procedure in IR PlanDone
Provide technical documentation13(14)CRA-ASSESSMENT.md + SECURITY_ARCHITECTURE.mdDone
Affix CE marking13(15)Not yet - required for market placementPlanned
Draw up EU declaration of conformity13(16)Template exists - formal sign-off pendingPlanned

CRA Article 14 Reporting Obligations

Active Exploitation Reporting (Article 14(2)):

  • Notification timeline: Within 24 hours of becoming aware
  • Recipient: ENISA Early Warning notification system
  • Content: Product identification, vulnerability description, known exploited instances
  • Contact: security@hack23.com (internal) β†’ ENISA online notification form

Severe Incident Reporting (Article 14(3)):

  • Notification timeline: Within 72 hours of detection
  • Recipient: Competent market surveillance authority (MSA) and ENISA
  • For Sweden: Swedish Post and Telecom Authority (PTS) as likely MSA
  • Content: Detailed incident report including impact, affected versions, remediation

User Notification (Article 14(8)):

  • If security update available: Notify users via GitHub Security Advisories
  • If vulnerability affects user security: Post advisory on riksdagsmonitor.com
  • Update README.md security section for significant vulnerabilities

CRA Product Categories and Risk Classification

Classification Under CRA Annex III and IV

Riksdagsmonitor must be evaluated against CRA's product classification system to determine the applicable conformity assessment route:

CRA Annex III β€” Important Products with Digital Elements (Class I):

CategoryRiksdagsmonitor Assessment
Identity management softwareNot applicable
Password managersNot applicable
BrowsersNot applicable
Operating systemsNot applicable
VPNsNot applicable
Network management softwareNot applicable
FirewallsNot applicable
Intrusion detection systemsNot applicable
MicrocontrollersNot applicable
Consumer IoTNot applicable

Conclusion: Riksdagsmonitor does not qualify as a Class I Important Product under Annex III.

CRA Annex IV β€” Critical Products with Digital Elements (Class II):

CategoryRiksdagsmonitor Assessment
Critical infrastructure softwareNot applicable - civic transparency platform
HSMs / Secure elementsNot applicable
Smart metersNot applicable
Industrial control systemsNot applicable

Conclusion: Riksdagsmonitor does not qualify as a Class II Critical Product under Annex IV.

Final Classification: Standard Product with Digital Elements β€” eligible for Module A Self-Assessment


Open Source Software Considerations (CRA Article 16)

Riksdagsmonitor benefits from the CRA open source carve-out provisions:

CRA ProvisionApplication to Riksdagsmonitor
Non-commercial OSS exemption (Recital 18)Riksdagsmonitor is freely available, non-commercial, no revenue model
Commercial distribution triggers CRA (Art. 16(1))If Riksdagsmonitor is commercialized (API subscriptions), CRA obligations apply in full
Steward provisionsHack23 AB acts as open source steward
Vulnerability handling (Art. 16(2))Security policy (SECURITY.md) and coordinated disclosure required even for OSS
Security advisoriesPublic security advisories for known vulnerabilities

Compliance Strategy: Maintain full CRA technical documentation now, enabling smooth transition to formal commercial compliance when API tier launches in 2027.


CRA Declaration of Conformity Template (Draft)

The following template will be formalized upon entry into EU commercial distribution:

EU DECLARATION OF CONFORMITY
Riksdagsmonitor - Version [X.Y]

Hack23 AB (Org.nr 5595347807)
Sweden

This declaration of conformity is issued under the sole responsibility
of the manufacturer.

Product: Riksdagsmonitor - Swedish Parliamentary Transparency Platform
Version: [X.Y]
Description: Web-based civic technology platform providing access to
  Swedish Riksdag parliamentary data, voting records, and AI-generated
  political news in 14 languages.

Conformity Assessment Method: Module A (Self-Assessment)
Product Category: Standard product with digital elements
Annex III/IV Category: Not applicable

The object of the declaration described above is in conformity with
the relevant Union harmonisation legislation:

Regulation (EU) 2024/2847 - Cyber Resilience Act
  - Annex I Part I: Essential cybersecurity requirements (13/13 compliant)
  - Annex I Part II: Vulnerability handling requirements (7/8 compliant)
  - Annex V: Technical documentation available at:
    github.com/Hack23/riksdagsmonitor/blob/main/CRA-ASSESSMENT.md

Signed for and on behalf of: James Pether Sorling, CEO
Date: [To be completed upon formal market placement]
Place: Sweden

πŸ“‹ Document Control: βœ… Approved by: James Pether SΓΆrling, CEO πŸ“€ Distribution: Public 🏷️ Classification: Confidentiality: Public πŸ“… Effective Date: 2026-05-06 ⏰ Next Review: 2026-08-06 🎯 CRA Alignment: Follows CRA Conformity Assessment Process template β€” supports CRA Annex V technical documentation and self-assessment requirements πŸ”“ OSS Alignment: Conforms with Open Source Policy β€” governance artifacts, security posture evidence, license compliance 🏒 ISMS Integration: Comprehensive alignment with public ISMS framework for operational excellence 🎯 Framework Compliance: ISO 27001 NIST CSF 2.0 CIS Controls


🌐 IMF Integration β€” CRA Third-Party Services Inventory

Effective: 2026-04-24 Β· Authoritative hub: analysis/imf/README.md Β· analysis/imf/agentic-integration.md Β· analysis/imf/indicators-inventory.json Β· analysis/imf/data-dictionary.md Β· .github/aw/ECONOMIC_DATA_CONTRACT.md

IMF in third-party services inventory (CRA Annex V evidence)

AttributeValue
Service nameInternational Monetary Fund β€” Public APIs (Datamapper REST + SDMX 3.0)
VendorInternational Monetary Fund (IGO; not a commercial vendor)
Hostnames (egress allow-list)www.imf.org, api.imf.org
AuthenticationDatamapper: none (anonymous public API) Β· SDMX 3.0: Azure APIM subscription key (Ocp-Apim-Subscription-Key / IMF_SDMX_SUBSCRIPTION_KEY) β€” gates throttle/quota only; payloads are public
Data classification consumedPUBLIC macro/fiscal/monetary/external statistics; no PII
Data flow directionInbound only (read-only)
Rate limit~30 req/min observed; self-imposed ≀30 req/min with back-off
RedundancyTwo endpoints (Datamapper + SDMX) for the same underlying data
CacheVintage-tagged in analysis/imf/ + analysis/daily/*/economic-data.json
IntegritySHA-256 payload pin + supersedes-chain
Vendor security postureIMF Open Data β€” published rate limits, public terms, no auth surface
LicenceAttribution required; redistribution permitted with citation
CRA risk classLow (read-only, public, no PII, no credentials)
CRA conformity decisionSelf-assessment Annex V β€” no notified body required

Why IMF strengthens our CRA posture

  • Eliminates a credential-management surface that a commercial economic-data provider would introduce
  • Eliminates a supply-chain dependency on a single commercial vendor
  • Eliminates GDPR DPIA scope (no PII)
  • Provides redundancy via two independent endpoints (Datamapper + SDMX)

Egress hosts (allow-list): www.imf.org (Datamapper REST Β· WEO/FM, unauthenticated), api.imf.org (SDMX 3.0 REST Β· IFS/BOP/DOTS/GFS/PCPS/ER/MFS_IR/MFS_PR, subscription-key authenticated via the Azure APIM Ocp-Apim-Subscription-Key header / IMF_SDMX_SUBSCRIPTION_KEY secret). Both HTTPS-only; payloads are public macro statistics with no PII.

Canonical rule. Every economic claim in a Riksdagsmonitor article cites an IMF dataflow first; World Bank citations are reserved for governance, environment and social residue (the classes IMF does not publish). SCB is the Swedish-specific ground truth layer. See ECONOMIC_DATA_CONTRACT.md v2.1 for the banned-phrase list and vintage discipline (>6 mo β†’ annotation).


πŸ”— Hack23 Ecosystem

🌐 Platforms πŸ“¦ Open-Source Projects πŸ›‘οΈ Governance & Standards
πŸ—³οΈ Riksdagsmonitor β€” Swedish Parliament intelligence
πŸ‡ͺπŸ‡Ί EU Parliament Monitor β€” European coverage
πŸ•΅οΈ Citizen Intelligence Agency β€” political-data engine
🌐 Hack23 AB β€” corporate site
πŸ“° Hack23 Blog β€” engineering & policy
πŸ’Ό Hack23 on LinkedIn
πŸ—³οΈ Hack23/riksdagsmonitor
πŸ•΅οΈ Hack23/cia
πŸ‡ͺπŸ‡Ί Hack23/euparliamentmonitor
πŸ”Œ Hack23/european-parliament-mcp
βœ… Hack23/cia-compliance-manager
πŸ₯‹ Hack23/black-trigram
🏠 Hack23/homepage
πŸ›‘οΈ Hack23 ISMS-PUBLIC β€” public ISMS
πŸ”’ Information Security Policy
πŸ€– AI Policy
πŸ§ͺ Secure Development Policy
🎯 Threat Modeling Policy
⚠️ Vulnerability Management
🏷️ Classification Framework

OpenSSF Best Practices OpenSSF Scorecard ISO 27001:2022 NIST CSF 2.0 CIS Controls v8.1 Apache 2.0

πŸ—³οΈ Empower citizens Β· πŸ” Strengthen democratic accountability Β· πŸ•΅οΈ Illuminate the political process

Β© 2008–2026 Hack23 AB (Org.nr 559534-7807) Β· Maintainer: James Pether SΓΆrling, CISSP CISM