Abstract
This paper explores the concept of complying with relevant legal requirements when developing software systems. Specifically, it focuses on data protection law, cybersecurity regulation, and Artificial Intelligence (AI) regulation requirements in the software system development process. The paper analyses the impact of three key regulatory frameworks in the European Union: the General Data Protection Regulation (GDPR), the Network and Information Security (NIS) 2 Directive, and the proposed Artificial Intelligence Act (AIA). The article examines the interplay and potential conflicts between the requirements of these rule sets. Towards the end of the paper, some suggestions are made for achieving alignment with these regulations in software systems, enabling concurrent compliance with the GDPR, the NIS 2 Directive, and the AIA in situations where all three regulations apply at the same time.
© 2024 IFIP International Federation for Information Processing
Cite this paper
Juliussen, B.A., Rui, J.P., Johansen, D. (2024). Developing with Compliance in Mind: Addressing Data Protection Law, Cybersecurity Regulation, and AI Regulation During Software Development. In: Bieker, F., de Conca, S., Gruschka, N., Jensen, M., Schiering, I. (eds) Privacy and Identity Management. Sharing in a Digital World. Privacy and Identity 2023. IFIP Advances in Information and Communication Technology, vol 695. Springer, Cham. https://doi.org/10.1007/978-3-031-57978-3_6
DOI: https://doi.org/10.1007/978-3-031-57978-3_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-57977-6
Online ISBN: 978-3-031-57978-3
eBook Packages: Computer Science (R0)