Uncovering challenges of cybersecurity cross-regulation in EU legislation

Canavese, Daniele (first author)
2026

Abstract

Context: The European Union has recently introduced a suite of foundational digital regulations, the Cyber Resilience Act, the Artificial Intelligence Act, the Radio Equipment Directive, the NIS 2 Directive, and the Cybersecurity Act, that directly affect the engineering of software-intensive systems. While these instruments aim to enhance trust and security, their overlapping scopes generate a complex compliance landscape that software development must address at the design, implementation, and deployment stages.

Objectives: This paper examines the cross-regulatory impact of such EU cybersecurity legislation from a software engineering perspective, aiming to provide a set of guidelines and recommendations for implementing a compliance-by-design approach.

Method: We analyze and compare the five legal instruments, focusing on how their obligations intersect with each other. We then translate their regulatory requirements into actionable artifacts, ranging from architectural constraints and security controls to organizational processes, using a legal engineering approach. Finally, we propose a compliance-by-design lifecycle pattern that integrates regulatory alignment into requirements engineering, system design, and testing.

Results: To demonstrate applicability, we evaluate three representative use cases: an AI-enabled power plant, an autonomous drone delivery platform, and an AI-powered clinical decision support system. These examples demonstrate that software-based systems are often governed by multiple regulatory regimes at once. We conclude with practical recommendations for suppliers, deployers, and policymakers towards an integrated compliance framework that promotes compliance-aware software engineering.

Conclusion: Our findings indicate that the European digital landscape is shifting compliance from a post-hoc audit exercise to a design-time engineering principle. Embedding compliance early into the software development lifecycle not only supports regulatory alignment but also improves system resilience and trustworthiness.
Istituto di Matematica Applicata e Tecnologie Informatiche - IMATI - Sede Secondaria Genova
Artificial Intelligence Act (AI act)
Compliance-by-design
Cyber Resilience Act (CRA)
Cybersecurity Act (CSA)
Network and Information Security Directive (NIS 2)
Radio Equipment Directive (RED)
Software compliance
Files in this record:

ist - final.pdf (open access)
Description: publisher's version
Type: Publisher's Version (PDF)
License: Creative Commons
Size: 1.17 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.14243/570263
Citations
  • PubMed Central: n/a
  • Scopus: 0
  • Web of Science: 0