regulatory requirements

Interpreting and operationalizing legal and standards obligations for data and systems—such as GDPR, HIPAA, CCPA, and relevant ISO/NIST frameworks—by implementing data protection measures, documentation (DPIAs), audit trails, consent management, and compliance monitoring.

regulatoryrequirements

12-Month Skill Trend

Momentum and market value over time
Trending
Score
+20 in 12 mo
96
12 mo agoNow
Career
Value
+$12K in 12 mo
$42K/year
12 mo agoNow

Recommended Survey Paper

Quick overview of the field
View more

Must-Read Papers

Most classic and influential ideas
View more

This study addresses the compliance challenges faced by data practitioners in machine learning systems under regulations such as the GDPR and the AI Act, particularly concerning data quality. Through semi-structured interviews with practitioners in the European Union, combined with thematic analysis of regulatory texts and engineering workflows, the research systematically uncovers a structural disconnect between regulation-driven data quality requirements and ML engineering practices. It identifies five core challenges: misalignment between legal principles and engineering implementation, fragmented data pipelines, lack of purpose-built compliance tools, ambiguous accountability, and reactive responses to audits. Building on these findings, the work proposes directions for designing compliance-oriented tooling, establishing effective governance mechanisms, and fostering cultural transformation to bridge the gap between regulatory mandates and practical ML development.

AI Actdata qualityGDPR

Lawful and Accountable Personal Data Processing with GDPR-based Access and Usage Control in Distributed Systems

Mar 10, 2025
LT
L. Thomas van Binsbergen
🏛️ University of Amsterdam | Leibniz Institute | TNO

This paper addresses the challenges of GDPR compliance, ambiguous accountability, and high manual auditing costs in cross-organizational distributed data processing. Methodologically, it introduces the first automated compliance framework integrating legal expert judgment with formal reasoning: (i) a purpose-limitation–driven GDPR ontology and semantic model; (ii) a novel deep extension of eFLINT and XACML to support legally precise policy modeling and verifiable enforcement; and (iii) an automated normative reasoning engine that generates auditable legality justifications. Contributions include: transparent and accountable data access control; empirical validation across multiple distributed data space prototypes demonstrating completeness of legal argumentation, accuracy of policy enforcement, and seamless system integrability; and significant reduction in organizational compliance overhead and legal risk.

Automated normative reasoning for GDPR compliance in data processing.Formal ontology and semantics for lawful and accountable data handling.Integration of GDPR-based access and usage control in distributed systems.

A Mapping Analysis of Requirements Between the CRA and the GDPR

Mar 03, 2025
JR
Jukka Ruohonen
🏛️ University of Southern Denmark | University of Turku

This paper addresses the regulatory misalignment between the EU’s Cyber Resilience Act (CRA) and the General Data Protection Regulation (GDPR). Using comparative legal analysis, requirements mapping modeling, and normative semantic parsing, it systematically establishes the first structured mapping of their security requirements. The study identifies six shared security requirements—spanning confidentiality, integrity, and availability—and originality distills seven novel core security obligations introduced by the CRA, clarifying how they extend and reconfigure existing compliance frameworks. By bridging a critical gap in requirements engineering driven by regulatory evolution, the work delivers a traceable, actionable cross-regulatory requirements alignment framework. This framework provides theoretical foundations and practical guidance for legally compliant security design across the full lifecycle of secure products.

Analyzes overlaps between CRA and GDPR requirements.Explores impact of new laws on existing legal requirements.Identifies seven new essential CRA cybersecurity requirements.

This work addresses the limitations of existing data governance tools, which struggle to dynamically adapt to emerging regulations such as India’s Digital Personal Data Protection (DPDP) Act and often lack transparency and explainability, leading to inadequate compliance. To bridge this gap, the paper introduces the first goal-driven agent framework specifically designed for data compliance. The framework integrates a KYU Agent and a Compliance Agent that jointly leverage semantic understanding, user trust modeling, and data sensitivity reasoning, embedding regulatory logic directly into the system to ensure auditable and interpretable decisions. It incorporates anonymization strategies—including masking, pseudonymization, and generalization—and demonstrates significant improvements in DPDP compliance across ten domains, including healthcare, education, and e-commerce, enabling transparent, efficient, and cross-domain adaptive data governance.

compliancedata governanceDPDP Act

This paper identifies systemic privacy risks in decentralized digital contact-tracing systems—exemplified by Germany’s Corona-Warn-App (CWA)—under the GDPR. Using the Standard Data Protection Model (SDM), it conducts the first structured Data Protection Impact Assessment (DPIA) to rigorously evaluate compliance of decentralized architectures. The analysis reveals that current implementations fail to achieve genuine anonymization, enabling re-identification of users; rely on invalid legal bases, as informed consent does not satisfy GDPR requirements for lawful processing; and harbor persistent high-risk vulnerabilities previously undetected or unremediated. Beyond application-specific flaws, the study uncovers cross-app privacy spillovers and fundamental rights infringements. It proposes a privacy-by-design framework centered on data minimization, strengthened anonymization techniques, and alternative lawful bases—offering both a reusable methodological paradigm and empirically grounded guidance for privacy-respectful public health technologies. (149 words)

Analyzing privacy risks in decentralized contact tracing appsAssessing GDPR compliance of German Corona-Warn-AppIdentifying unresolved data protection weaknesses in CWA

Latest Papers

What's happening recently
View more

Examining Software Developers' Needs for Privacy Enforcing Techniques: A survey

Dec 15, 2025
IT
Ioanna Theophilou
🏛️ University of Cyprus

Developers face significant practical challenges in implementing data privacy regulations (e.g., GDPR, CPRA) and lack adequate automated tooling to support compliance. Method: We conducted a mixed-methods study with 68 software developers—including structured surveys, in-depth interviews, and statistical modeling—to systematically identify their core requirements for privacy-compliance tools and the factors influencing those needs. Contribution/Results: We find that developers strongly prefer integrated, context-aware tooling; moreover, those with greater privacy experience place higher emphasis on tool reliability and legal alignment. Our analysis reveals a statistically significant positive association between developers’ privacy expertise and their demand for sophisticated, regulation-aware tool features. This study is the first empirical investigation centered explicitly on developers’ privacy-compliance enablement needs, thereby filling a critical gap in the literature. The findings provide foundational, evidence-based guidance for designing next-generation, generative-AI–powered privacy compliance automation tools.

Aims to guide automation tools like Generative AI for seamless compliance integrationExplores factors influencing practitioners' requirements for privacy enforcementIdentifies developers' unmet needs for privacy law compliance tools

This study addresses the compliance challenges faced by AI agents operating within the European Union’s complex, multi-regulatory environment, particularly those arising from behavior drift and insufficient transparency across multi-agent linkages. It presents the first systematic integration of key regulatory and policy instruments—including the Artificial Intelligence Act, the Cyber Resilience Act (CRA), Standardization Request M/613, and the GPAI Code of Conduct—into a unified compliance framework tailored for AI agents. By employing regulatory mapping, a behavioral taxonomy, and data flow tracing, the work establishes correspondences between nine deployment scenarios and relevant legal triggers, and proposes a twelve-step implementation pathway. The research underscores that high-risk AI agents exhibiting untraceable behavior drift cannot satisfy the core requirements of the AI Act, necessitating providers to comprehensively audit their agents’ external behaviors, data flows, interconnected systems, and impacted entities.

AI agentsbehavioral driftEU AI Act

This work addresses the error-prone and labor-intensive process of manually translating regulatory texts such as the GDPR and the EU AI Act into actionable software requirements. The authors propose Reg2Req, the first end-to-end automated pipeline that leverages natural language processing to identify regulatory provisions, generate system-agnostic software requirements accompanied by plain-language explanations, and establish traceability links. The approach supports requirement classification, use case seed generation, and cross-reference analysis, achieving macro-averaged F1 scores of 0.82 on the GDPR and 0.78 on the EU AI Act. A user study demonstrates that the generated plain-language explanations significantly enhance users’ comprehension and confidence in taking compliance actions (p < 0.001), with all participants expressing willingness to adopt the output as a starting point for compliance efforts.

AI regulationlegal text processingregulatory compliance

Parajudica: An RDF-Based Reasoner and Metamodel for Multi-Framework Context-Dependent Data Compliance Assessments

Dec 05, 2025
LM
Luc Moreau
🏛️ University of Sussex | Immuta Research | Brussels Privacy Hub | Vrije Universiteit Brussel

Policy-Based Access Control (PBAC) faces significant challenges in unified modeling and dynamic compliance assessment across multiple regulatory frameworks (e.g., GDPR, HIPAA, CCPA). Method: This paper proposes a semantic rule framework grounded in RDF/SPARQL, featuring an extensible compliance metamodel and domain ontology to enable structured representation of cross-regulatory provisions, context-aware policy reasoning, and automated compliance alignment. It integrates Semantic Web technologies—including RDF knowledge representation, SPARQL querying, and SWRL rule-based inference—with a lightweight reasoning engine to support formal policy specification, real-time enforcement, continuous monitoring, sensitive data discovery, and quantitative risk assessment. Contribution/Results: Experimental evaluation demonstrates that the framework substantially improves accuracy, interpretability, and maintainability of compliance assessments in multi-framework coordination scenarios, while enabling scalable, semantically rigorous, and operationally actionable governance.

Enables comparative analysis of legal and industry compliance standardsEvaluates context-dependent data compliance across multiple frameworksProvides an open, modular RDF/SPARQL-based rule system for PBAC

This study addresses the widespread lack of compliance disclosures regarding data privacy regulations—such as GDPR and CCPA—in AI datasets hosted on the Hugging Face platform, which poses significant regulatory risks. For the first time, the paper introduces “compliance readiness” as a core dimension of dataset quality and systematically evaluates transparency in data provenance, processing workflows, and handling of sensitive information. Through an analysis of 11,682 public datasets—combining automated text mining of dataset cards with manual sampling and review—the research reveals that the vast majority fail to clearly document their creation processes or data sources, and only a small fraction explicitly identify sensitive fields such as personally identifiable information (PII). These findings highlight critical gaps in current practices and provide an empirical foundation for developing standardized tools and benchmarks for assessing dataset compliance.

AI supply chaindata privacydataset transparency

Hot Scholars

SS

Sarah Scheffler

Carnegie Mellon University: Engineering and Public Policy, and Software and Societal Systems
Cryptographyprivacytransparencypolicy
JA

Jyh-An Lee

The Chinese University of Hong Kong Faculty of Law
intellectual propertyinformation lawInternet law
TD

Théo Durandard

University of Illinois Urbana-Champaign
Microeconomic TheoryMathematical EconomicsDynamic Games