Towards Viewpoint-centric Artifact-based Regulatory Requirements Engineering for Compliance by Design

This paper reports on the synthesis and seeks feedback for the future evaluation of an Artefact Model for Regulatory Requirements Engineering (AM4RRE), aiming to bridge the gap between organizational regulatory processes and ad-hoc software development practices to achieve systematic, integrated compliance by design.

The Gist

Imagine you are building a massive, complex skyscraper. In the world of software, this skyscraper is a digital system (like a banking app or a social media platform).

Now, imagine that before you lay a single brick, you have to follow a thick, confusing, and constantly changing rulebook written by the government. These rules are about privacy, security, and fairness. If you get even one detail wrong, the whole building could be condemned, and you could face heavy fines.

This is the challenge Oleksandr Kosenkov is tackling in his paper. He is trying to figure out how to build software that is "compliant by design"—meaning it follows the law from the very first sketch, rather than trying to patch it up later.

Here is the story of his research, explained simply:

1. The Problem: Two Different Languages

Currently, building compliant software is a mess. It's like trying to build a house where the Architect speaks "Engineering" and the City Planner speaks "Law." They rarely talk to each other directly.

• The Architects (Software Engineers): They are used to moving fast, changing plans on the fly (Agile), and building things that work. They often treat legal rules as an afterthought, trying to fit them in at the end.
• The City Planners (Legal Experts): They speak in abstract, complex terms. They don't know how software works. They often sit in a separate office, writing rules that the engineers find impossible to understand.

The Result: The engineers build a great building, but it violates the city code. The legal team says, "You didn't follow the rules!" The engineers say, "We didn't know how to translate your rules into bricks!"

2. The Five Big Hurdles

Kosenkov identified five specific reasons why this is so hard:

1. The Moving Target: Laws change, and software changes. Keeping them perfectly in sync is like trying to dance with someone who keeps changing the music.
2. The "Afterthought" Trap: Companies usually think about the law only after they've already started designing the software. It's like realizing you need a fire escape after the building is already finished.
3. The Ripple Effect: Changing a rule often breaks other parts of the software. Fixing one thing creates a new problem elsewhere.
4. Two Worlds: Laws talk about "problems" (what shouldn't happen) and "solutions" (what must be built). Engineers and lawyers often look at these from different angles, causing confusion.
5. The Translation Gap: It's very hard to translate "Legal Speak" into "Code Speak" without losing meaning.

3. The Solution: The "Universal Blueprint" (AM4RRE)

Instead of forcing everyone to follow a rigid checklist of steps (like "Step 1: Talk to lawyer, Step 2: Write code"), Kosenkov proposes a Blueprint-Based Approach.

Think of it like a Lego set with a master instruction manual.

• The Old Way: "First, build a wall. Then, paint it." (This fails if the wall needs to be a window).
• The New Way (AM4RRE): "Here is the blueprint. It shows exactly what pieces (artifacts) the Lawyer needs to define, what pieces the Architect needs to build, and how those pieces must snap together."

This model, called AM4RRE, creates a shared language. It doesn't tell you how to do your job; it tells you what information you need to produce so that the other person can do theirs.

4. How It Works: The "Tailoring" Process

You can't use the same blueprint for a house, a hospital, and a space station. You have to tailor the blueprint. Kosenkov suggests three ways to customize this model:

• T1: The Regulation Filter (The "What"): You take the specific law (e.g., GDPR) and highlight the specific rules that matter for this project. It's like circling the specific paragraphs in the rulebook that apply to your building.
• T2: The Connection Glue (The "How"): You draw lines connecting the legal circles to the engineering circles. For example, if the law says "We must know the user's age," the blueprint shows exactly where that "age" data goes in the software database. This prevents the engineers from accidentally creating two different "age" fields that don't match.
• T3: The Goal Selector (The "Why"): You pick the most important goals for your company (e.g., "Avoid fines" vs. "Build fast") and focus the blueprint on those.

5. The Future: Testing the Blueprint

Kosenkov is now at the final stage of his PhD. He has built this "Universal Blueprint," but he needs to test it in the real world.

He is planning to run an experiment where he puts a team of real lawyers and engineers in a room. He will give them a fake project and ask them to use his blueprint to design a compliant system.

• The Goal: To see if this "shared language" actually helps them build a better, legally safe product faster than they could before.
• The Challenge: Getting busy professionals to participate is hard because legal topics are sensitive. So, he is testing different ways to run the experiment, like using checklists or templates to make it easier for them.

The Bottom Line

This paper is about bridging the gap. Kosenkov is building a translator and a shared map that allows lawyers and software engineers to finally speak the same language. Instead of fighting over rules at the end of the project, they can use this model to build the rules into the software from day one, ensuring the final product is safe, legal, and built to last.

Technical Summary

Here is a detailed technical summary of the paper "Towards Viewpoint-centric Artifact-based Regulatory Requirements Engineering for Compliance by Design."

1. Problem Statement

The paper addresses the growing challenge of achieving regulatory compliance in software engineering (SE) due to the increasing volume, complexity, and scope of regulations (e.g., GDPR, Cyber Resilience Act).

• The Gap: While research has proposed many Regulatory Requirements Engineering (RE) methods, industry practice remains fragmented. Organizations often treat regulatory RE as an ad-hoc, standalone process rather than integrating it systematically into the Software Development Life Cycle (SDLC).
• Key Challenges:
  • Viewpoint Disconnect: There is a significant gap between legal viewpoints (interpreting abstract regulations) and engineering viewpoints (implementing concrete system specifications).
  • Process Mismatch: Traditional process-based RE struggles with the dynamic, iterative nature of agile development and the need for verifiable consistency, completeness, and correctness.
  • Knowledge Intensity: Regulatory RE requires deep domain knowledge (legal, IT, privacy) that is difficult to explicate and transfer between roles.
  • Artificial Separation: Regulatory requirements are often treated as "afterthoughts," leading to iterations that require revising non-regulatory requirements and system architectures.

2. Methodology

The author employs a Design Science Research approach, combining empirical studies with the synthesis of a conceptual model. The research is guided by three Research Questions (RQs) and executed through a series of studies:

• Systematic Mapping & Literature Reviews (RQ1):
  • Conducted a systematic mapping study to identify challenges in regulatory RE.
  • Performed systematic literature reviews on "Privacy by Design" and RE methods to synthesize characteristics and goals.
• Empirical Studies (RQ2):
  • Executed five empirical studies (interviews, focus groups, case studies) involving legal experts, software engineers, and practitioners.
  • Analyzed current practices in GDPR compliance, the European Accessibility Act, and Privacy by Design implementations to understand the "state of practice."
• Model Synthesis & Validation (RQ3):
  • Developed a conceptual model (AM4RRE) based on findings.
  • Conducted "walkthrough" validations with legal experts and practitioners to test the instantiation of legal concepts and their allocation to engineering artifacts.
• Tooling: The author utilized tools like Grammarly and ChatGPT for language refinement but maintained full responsibility for the content.

3. Key Contributions

The primary contribution is the Artefact Model for Regulatory Requirements Engineering (AM4RRE), a viewpoint-centric, artifact-based framework designed to integrate regulatory compliance into the SDLC.

A. The AM4RRE Framework

Unlike activity-based approaches (focusing on how to do things), AM4RRE focuses on what to specify (artifacts) to ensure coordination between viewpoints. It consists of five core components:

1. Role Model (C1): Defines responsibilities for Legal Experts, Domain Experts, Requirements Engineers, and Software Architects.
2. Goal Model (C2): Specifies the objectives for each role (e.g., legal compliance, system flexibility).
3. Project Context Model (C3): Captures challenges and prioritization.
4. Milestone Model (C4): Establishes the sequence of artifact specification.
5. Content Model (C5): The core pivot. It defines the specific content of four viewpoints:
   • Legal Specification
   • Software Context Specification
   • Requirements Specification
   • System Specification
   • Mechanism: Content items are composed of concepts (e.g., "legal subject," "age") which are linked across viewpoints to ensure traceability.

B. Tailoring Mechanisms

To make the model applicable to specific contexts, the paper proposes three tailoring strategies:

• T1: Regulation-specific Tailoring: Annotating regulation text to identify legal concepts and attributes, creating an organization-wide interpretation.
• T2: Content-specific Tailoring: Mapping legal concepts to engineering specifications (e.g., linking "legal subject" to "stakeholder" in the context spec) to avoid duplication and ensure semantic consistency.
• T3: Goal-driven Tailoring: Selecting specific content items based on organizational goals (e.g., prioritizing "sanction" tracking if managing non-compliance is a key goal).

4. Key Results & Findings

• Viewpoint Coordination is Critical: Successful compliance requires bridging the gap between legal interpretation and engineering implementation. The study found that legal experts often view abstractness as a feature, not a bug, requiring a knowledge-intensive interpretation process to concretize norms.
• Artifact-Based Approach is Superior: Process-based approaches fail to capture the necessary consistency in dynamic agile environments. An artifact-based approach allows for better management of the "what" (content) rather than just the "how" (activities).
• Validation of Concepts:
  • Legal experts validated the proposed legal viewpoint specification.
  • Practitioners confirmed that the approach of allocating legal concept instances across requirements and system levels is applicable for capturing domain knowledge.
  • Traceability and Transparency were identified as the most critical method characteristics for Privacy by Design.
• Current State of Practice: Most organizations still use isolated, waterfall-like compliance processes or ad-hoc methods, struggling to integrate with scaled agile frameworks.

5. Significance and Future Work

• Significance: The paper provides a theoretical and practical foundation for "Compliance by Design." By shifting from activity-centric to artifact-centric RE, it offers a systematic way to handle the complexity of multi-viewpoint coordination, ensuring that legal requirements are traceable, consistent, and correctly implemented in software architecture.
• Future Work:
  • Operationalization: Developing checklists and templates to make AM4RRE usable in practice.
  • Validation: Planning a final validation study involving experienced privacy engineers. This will likely take the form of a walkthrough experiment or a role-playing experiment where participants use the templates to specify requirements for an exemplary case.
  • Community Feedback: The author seeks feedback on the synthesis of the final model and the proposed validation strategies to refine the doctoral study's conclusion.

In summary, this paper proposes a structured, artifact-driven solution to the chaotic integration of legal regulations into software development, aiming to transform compliance from a burdensome, ad-hoc activity into a seamless, design-integrated engineering practice.