Search papers, labs, and topics across Lattice.
This paper introduces an automated pipeline, Reg2Req, that translates complex regulatory texts like the GDPR and EU AI Act into actionable software requirements, significantly reducing the manual effort and potential for errors in compliance processes. The pipeline identifies requirement-bearing clauses and generates system-agnostic requirements with clear, traceable explanations, achieving high macro-averaged F1 scores of 0.82 and 0.78 for the GDPR and EU AI Act, respectively. User studies demonstrate that the tool enhances practitioners' understanding and confidence in implementing these requirements, indicating its practical value in regulatory compliance.
Automated translation of legal regulations into actionable software requirements could revolutionize compliance processes, making them more efficient and reliable.
Ensuring software compliance with regulations such as the General Data Protection Regulation (GDPR) and the Artificial Intelligence Act (EU AI Act) poses a significant challenge, as requirements engineers must translate complex legal text into actionable software requirements - a process that remains largely manual and error-prone in practice. We present an automated regulation-to-requirements pipeline that identifies requirement-bearing clauses in regulatory documents and derives system-agnostic software requirements, accompanied by plain-language explanations, traceable to their legal sources. We evaluate the pipeline on the full clause sets of the GDPR (398 clauses) and the EU AI Act (574 clauses). For requirement-bearing clause identification, the approach achieves macro-averaged F1 scores of 0.82 and 0.78, respectively, outperforming a SetFit-based baseline. Human evaluation shows high completeness (4.60 and 4.45) and correctness (3.74 and 3.54) of derived requirements, while explanation clarity scores are near-ceiling (4.92 and 4.94) on a 1-5 scale. We implement the approach in Reg2Req, a publicly released tool that further supports requirement classification, use case seeding, cross-reference analysis, definition indexing, and a traceability matrix to operationalize regulatory compliance in practice. A user study with 25 practitioners shows that the plain-language explanations significantly improve comprehension of derived requirements and confidence in acting on them (p < 0.001), and that all participants would use Reg2Req as a starting point for deriving software requirements from a regulation.