Architecture-based regulatory compliance argumentation

We model regulation such that architecture-based compliance arguments can be made.We evaluate the approach on the migration of a telemedicine platform to the cloud.The approach has the potential to simplify compliance argumentation. Standards and regulations are difficult to understand and map to software, which makes compliance with them challenging to argue for software products and development process. This is problematic since lack of compliance may lead to issues with security, safety, and even to economic sanctions. An increasing number of applications (for example in healthcare) are expected to have to live up to regulatory requirements in the future, which will lead to more software development projects having to deal with such requirements. We present an approach that models regulations such that compliance arguments can be made in a principled way based on architectural requirements and architectural decisions. In particular, we discuss how one can form architectural requirements which are linked to regulatory texts. We then argue for completeness and correctness of this bi-directional link. We evaluate the approach on the migration of the telemedicine platform Net4Care to the cloud, where certain regulations (for example privacy) should be concerned. The approach has the potential to support simpler compliance argumentation with the eventual promise of safer and more secure applications.