Developing with Compliance in Mind: Addressing Data Protection Law, Cybersecurity Regulation, and AI Regulation During Software Development

  • Conference paper
  • In: Privacy and Identity Management. Sharing in a Digital World (Privacy and Identity 2023)

Abstract

This paper explores the concept of complying with relevant legal requirements when developing software systems. Specifically, it focuses on data protection law, cybersecurity regulation, and Artificial Intelligence (AI) regulation requirements in the software system development processes. The paper analyses the impact of three key regulatory frameworks in the European Union: the General Data Protection Regulation (GDPR), the Network and Information Security (NIS) 2 Directive, and the proposed Artificial Intelligence Act (AIA). The article examines the interplay and potential conflicts between different requirements in these rule sets. Towards the end of the paper, some suggestions are made for achieving alignment with these regulations in software systems, enabling concurrent compliance with the GDPR, the NIS 2 Directive, and the AIA, in situations where all the regulations enter into effect simultaneously.



Author information

Correspondence to Bjørn Aslak Juliussen.


Copyright information

© 2024 IFIP International Federation for Information Processing

Cite this paper

Juliussen, B.A., Rui, J.P., Johansen, D. (2024). Developing with Compliance in Mind: Addressing Data Protection Law, Cybersecurity Regulation, and AI Regulation During Software Development. In: Bieker, F., de Conca, S., Gruschka, N., Jensen, M., Schiering, I. (eds) Privacy and Identity Management. Sharing in a Digital World. Privacy and Identity 2023. IFIP Advances in Information and Communication Technology, vol 695. Springer, Cham. https://doi.org/10.1007/978-3-031-57978-3_6

  • DOI: https://doi.org/10.1007/978-3-031-57978-3_6
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-031-57977-6
  • Online ISBN: 978-3-031-57978-3
  • eBook Packages: Computer Science, Computer Science (R0)