Paper accepted at ESPRE 2025

Published: Jul 14, 2025
Tags: papers
The following paper has been accepted at the 12th International Workshop on Evolving Security & Privacy Requirements Engineering (ESPRE 2025):
  • Title: A First Appraisal of NIS2 and CRA Compliance Leveraging Open Source Tools
  • Authors: Giovanni Corti, Gianluca Sassetti, Amir Sharif, Serena Elisa Ponta, Matteo Rizzi, Pietro De Matteis, Luca Piras, Roberto Carbone, Silvio Ranise
  • Abstract: The increased sophistication and complexity of modern software development pose a significant challenge to software supply chain risk management. Modern software is characterized by intricate dependency trees and an increased scale. As a result, the software supply chain attack surface has also increased, and with it, the number of reported disruptions. These attacks aim at destabilizing entire supply chains by compromising individual components in open source software, thereby triggering cascading disruptions. In response, several governance and regulatory efforts for ensuring software supply chain security have been made. At the European Union level, the recent introduction of the Network and Information Security Directive 2 (NIS2) and the Cyber Resilience Act (CRA) aims to establish robust cybersecurity requirements for organizations and products, including the secure development and importing of software products in the European market. However, translating verbatim requirements into actionable technical implementations for secure software development is a complex and time-consuming challenge for practitioners. This paper addresses this gap by leveraging the functionality of a selected number of open source tools to partially automate and simplify compliance with a number of requirements extracted from NIS2 and CRA. We identify key software supply chain security requirements in the two legislations and map them to relevant open source tools capable of partially automating compliance tasks. Additionally, we propose an easily replicable, automated pipeline, also implementable as GitHub workflows, which simplifies practitioners' and organizations' NIS2 and CRA compliance efforts.

Involved People

  • Amir Sharif
  • Gianluca Sassetti
  • Giovanni Corti
  • Matteo Rizzi
  • Roberto Carbone
  • Silvio Ranise