{"id":"https://openalex.org/W7089189876","doi":"https://doi.org/10.1109/rew66121.2025.00040","title":"A First Appraisal of NIS2 and CRA Compliance Leveraging Open Source Tools","display_name":"A First Appraisal of NIS2 and CRA Compliance Leveraging Open Source Tools","publication_year":2025,"publication_date":"2025-09-01","ids":{"openalex":"https://openalex.org/W7089189876","doi":"https://doi.org/10.1109/rew66121.2025.00040"},"language":"en","primary_location":{"id":"doi:10.1109/rew66121.2025.00040","is_oa":false,"landing_page_url":"https://doi.org/10.1109/rew66121.2025.00040","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 IEEE 33rd International Requirements Engineering Conference Workshops (REW)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Giovanni Corti","orcid":null},"institutions":[{"id":"https://openalex.org/I2277624104","display_name":"Fondazione Bruno Kessler","ror":"https://ror.org/01j33xk10","country_code":"IT","type":"facility","lineage":["https://openalex.org/I2277624104"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Giovanni Corti","raw_affiliation_strings":["Fondazione Bruno Kessler,Center for Cybersecurity,Trento,Italy"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Fondazione Bruno Kessler,Center for Cybersecurity,Trento,Italy","institution_ids":["https://openalex.org/I2277624104"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Gianluca Sassetti","orcid":null},"institutions":[{"id":"https://openalex.org/I83816512","display_name":"University of Genoa","ror":"https://ror.org/0107c5v14","country_code":"IT","type":"education","lineage":["https://openalex.org/I83816512"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Gianluca Sassetti","raw_affiliation_strings":["University of Genoa,DIBRIS,Genoa,Italy"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"University of Genoa,DIBRIS,Genoa,Italy","institution_ids":["https://openalex.org/I83816512"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Amir Sharif","orcid":null},"institutions":[{"id":"https://openalex.org/I2277624104","display_name":"Fondazione Bruno Kessler","ror":"https://ror.org/01j33xk10","country_code":"IT","type":"facility","lineage":["https://openalex.org/I2277624104"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Amir Sharif","raw_affiliation_strings":["Fondazione Bruno Kessler,Center for Cybersecurity,Trento,Italy"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Fondazione Bruno Kessler,Center for Cybersecurity,Trento,Italy","institution_ids":["https://openalex.org/I2277624104"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Serena Elisa Ponta","orcid":null},"institutions":[{"id":"https://openalex.org/I4210133614","display_name":"Systems, Applications & Products in Data Processing (United Kingdom)","ror":"https://ror.org/04k7gd586","country_code":"GB","type":"company","lineage":["https://openalex.org/I4210132444","https://openalex.org/I4210133614"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Serena Elisa Ponta","raw_affiliation_strings":["SAP,SAP Labs,Mougins,France"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"SAP,SAP Labs,Mougins,France","institution_ids":["https://openalex.org/I4210133614"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Matteo Rizzi","orcid":null},"institutions":[{"id":"https://openalex.org/I2277624104","display_name":"Fondazione Bruno Kessler","ror":"https://ror.org/01j33xk10","country_code":"IT","type":"facility","lineage":["https://openalex.org/I2277624104"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Matteo Rizzi","raw_affiliation_strings":["Fondazione Bruno Kessler,Center for Cybersecurity,Trento,Italy"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Fondazione Bruno Kessler,Center for Cybersecurity,Trento,Italy","institution_ids":["https://openalex.org/I2277624104"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Pietro De Matteis","orcid":null},"institutions":[{"id":"https://openalex.org/I4210096856","display_name":"Innovation Engineering (Italy)","ror":"https://ror.org/00sxjp357","country_code":"IT","type":"company","lineage":["https://openalex.org/I4210096856"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Pietro De Matteis","raw_affiliation_strings":["FBK Dedagroup SpA,Co-Innovation Lab,Trento,Italy"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"FBK Dedagroup SpA,Co-Innovation Lab,Trento,Italy","institution_ids":["https://openalex.org/I4210096856"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Luca Piras","orcid":null},"institutions":[{"id":"https://openalex.org/I2277624104","display_name":"Fondazione Bruno Kessler","ror":"https://ror.org/01j33xk10","country_code":"IT","type":"facility","lineage":["https://openalex.org/I2277624104"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Luca Piras","raw_affiliation_strings":["Fondazione Bruno Kessler,Center for Cybersecurity,Trento,Italy"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Fondazione Bruno Kessler,Center for Cybersecurity,Trento,Italy","institution_ids":["https://openalex.org/I2277624104"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Roberto Carbone","orcid":null},"institutions":[{"id":"https://openalex.org/I2277624104","display_name":"Fondazione Bruno Kessler","ror":"https://ror.org/01j33xk10","country_code":"IT","type":"facility","lineage":["https://openalex.org/I2277624104"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Roberto Carbone","raw_affiliation_strings":["Fondazione Bruno Kessler,Center for Cybersecurity,Trento,Italy"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Fondazione Bruno Kessler,Center for Cybersecurity,Trento,Italy","institution_ids":["https://openalex.org/I2277624104"]}]},{"author_position":"last","author":{"id":null,"display_name":"Silvio Ranise","orcid":null},"institutions":[{"id":"https://openalex.org/I193223587","display_name":"University of Trento","ror":"https://ror.org/05trd4x28","country_code":"IT","type":"education","lineage":["https://openalex.org/I193223587"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Silvio Ranise","raw_affiliation_strings":["University of Trento,Center for Cybersecurity,FBK Department of Mathematics,Trento,Italy"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"University of Trento,Center for Cybersecurity,FBK Department of Mathematics,Trento,Italy","institution_ids":["https://openalex.org/I193223587"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":9,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.61343881,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"269","last_page":"274"},"is_retracted":false,"is_paratext":false,"is_xpac":true,"primary_topic":{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.5716000199317932,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.5716000199317932,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.026900000870227814,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11614","display_name":"Cloud Data Security Solutions","score":0.019300000742077827,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/supply-chain","display_name":"Supply chain","score":0.5625},{"id":"https://openalex.org/keywords/resilience","display_name":"Resilience (materials science)","score":0.5030999779701233},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.4724999964237213},{"id":"https://openalex.org/keywords/software-development","display_name":"Software development","score":0.42879998683929443},{"id":"https://openalex.org/keywords/directive","display_name":"Directive","score":0.4066999852657318},{"id":"https://openalex.org/keywords/dependency","display_name":"Dependency (UML)","score":0.38589999079704285},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.361299991607666},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.35910001397132874},{"id":"https://openalex.org/keywords/european-union","display_name":"European union","score":0.3416999876499176},{"id":"https://openalex.org/keywords/vulnerability-management","display_name":"Vulnerability management","score":0.33649998903274536}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5846999883651733},{"id":"https://openalex.org/C108713360","wikidata":"https://www.wikidata.org/wiki/Q1824206","display_name":"Supply chain","level":2,"score":0.5625},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5543000102043152},{"id":"https://openalex.org/C2779585090","wikidata":"https://www.wikidata.org/wiki/Q3457762","display_name":"Resilience (materials science)","level":2,"score":0.5030999779701233},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.4869999885559082},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.4724999964237213},{"id":"https://openalex.org/C529173508","wikidata":"https://www.wikidata.org/wiki/Q638608","display_name":"Software development","level":3,"score":0.42879998683929443},{"id":"https://openalex.org/C2779547435","wikidata":"https://www.wikidata.org/wiki/Q1121492","display_name":"Directive","level":2,"score":0.4066999852657318},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.38690000772476196},{"id":"https://openalex.org/C19768560","wikidata":"https://www.wikidata.org/wiki/Q320727","display_name":"Dependency (UML)","level":2,"score":0.38589999079704285},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.361299991607666},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.35910001397132874},{"id":"https://openalex.org/C195094911","wikidata":"https://www.wikidata.org/wiki/Q14167904","display_name":"Process management","level":1,"score":0.35429999232292175},{"id":"https://openalex.org/C2910001868","wikidata":"https://www.wikidata.org/wiki/Q458","display_name":"European union","level":2,"score":0.3416999876499176},{"id":"https://openalex.org/C172776598","wikidata":"https://www.wikidata.org/wiki/Q7943570","display_name":"Vulnerability management","level":4,"score":0.33649998903274536},{"id":"https://openalex.org/C149091818","wikidata":"https://www.wikidata.org/wiki/Q2429814","display_name":"Software system","level":3,"score":0.326200008392334},{"id":"https://openalex.org/C39389867","wikidata":"https://www.wikidata.org/wiki/Q380767","display_name":"Corporate governance","level":2,"score":0.3158000111579895},{"id":"https://openalex.org/C43521106","wikidata":"https://www.wikidata.org/wiki/Q2165493","display_name":"Pipeline (software)","level":2,"score":0.31439998745918274},{"id":"https://openalex.org/C85890633","wikidata":"https://www.wikidata.org/wiki/Q929673","display_name":"Capability Maturity Model","level":3,"score":0.3073999881744385},{"id":"https://openalex.org/C26713055","wikidata":"https://www.wikidata.org/wiki/Q245962","display_name":"Implementation","level":2,"score":0.3070000112056732},{"id":"https://openalex.org/C168725872","wikidata":"https://www.wikidata.org/wiki/Q991663","display_name":"Sophistication","level":2,"score":0.29980000853538513},{"id":"https://openalex.org/C123551368","wikidata":"https://www.wikidata.org/wiki/Q7122888","display_name":"Package development process","level":5,"score":0.28529998660087585},{"id":"https://openalex.org/C201995342","wikidata":"https://www.wikidata.org/wiki/Q682496","display_name":"Systems engineering","level":1,"score":0.2842000126838684},{"id":"https://openalex.org/C123247970","wikidata":"https://www.wikidata.org/wiki/Q5001932","display_name":"Business requirements","level":4,"score":0.26460000872612},{"id":"https://openalex.org/C117447612","wikidata":"https://www.wikidata.org/wiki/Q1412670","display_name":"Software quality","level":4,"score":0.2639999985694885},{"id":"https://openalex.org/C54534927","wikidata":"https://www.wikidata.org/wiki/Q4462275","display_name":"Software requirements","level":5,"score":0.2623000144958496},{"id":"https://openalex.org/C165609540","wikidata":"https://www.wikidata.org/wiki/Q1172486","display_name":"Data breach","level":2,"score":0.26190000772476196},{"id":"https://openalex.org/C182500959","wikidata":"https://www.wikidata.org/wiki/Q7551380","display_name":"Social software engineering","level":5,"score":0.2614000141620636},{"id":"https://openalex.org/C184356942","wikidata":"https://www.wikidata.org/wiki/Q830382","display_name":"Best practice","level":2,"score":0.2590000033378601},{"id":"https://openalex.org/C158154518","wikidata":"https://www.wikidata.org/wiki/Q7310970","display_name":"Relevance (law)","level":2,"score":0.2540999948978424},{"id":"https://openalex.org/C10511746","wikidata":"https://www.wikidata.org/wiki/Q899388","display_name":"Data security","level":3,"score":0.2538999915122986},{"id":"https://openalex.org/C174683762","wikidata":"https://www.wikidata.org/wiki/Q609588","display_name":"Component-based software engineering","level":4,"score":0.25200000405311584},{"id":"https://openalex.org/C148417208","wikidata":"https://www.wikidata.org/wiki/Q4825882","display_name":"Authentication (law)","level":2,"score":0.2515999972820282}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/rew66121.2025.00040","is_oa":false,"landing_page_url":"https://doi.org/10.1109/rew66121.2025.00040","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 IEEE 33rd International Requirements Engineering Conference Workshops (REW)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/17","score":0.40055572986602783,"display_name":"Partnerships for the goals"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"The":[0],"increased":[1,29],"sophistication":[2],"and":[3,27,43,75,97,103,116,122,146,171,182,196,226,229],"complexity":[4],"of":[5,48,95,124,160,164,177,205],"modern":[6],"software":[7,14,20,35,80,125,141,187],"development":[8,121,142],"pose":[9],"a":[10,32,144,161,175],"significant":[11],"challenge":[12,148],"to":[13,109,168,199],"supply":[15,36,57,81,188],"chain":[16,37,82,189],"risk":[17],"management.":[18],"Modern":[19],"is":[21,143],"characterized":[22],"by":[23,59,156],"intricate":[24],"dependency":[25],"trees":[26],"an":[28,213],"scale.":[30],"As":[31],"result,":[33],"the":[34,46,88,92,119,128,158,193],"attack":[38],"surface":[39],"has":[40],"also":[41,218],"increased,":[42],"with":[44,174],"it,":[45],"number":[47,163,176],"reported":[49],"disruptions.":[50,70],"These":[51],"attacks":[52],"aim":[53],"at":[54],"destabilizing":[55],"entire":[56],"chains":[58],"compromising":[60],"individual":[61],"components":[62],"in":[63,127,192],"open":[64,165,201],"source":[65,166,202],"software,":[66],"thereby":[67],"triggering":[68],"cascading":[69],"In":[71],"response,":[72],"several":[73],"governance":[74],"regulatory":[76],"efforts":[77],"for":[78,114,139,149],"ensuring":[79],"security":[83,190],"have":[84],"been":[85],"made.":[86],"At":[87],"European":[89,129],"Union":[90],"level,":[91],"recent":[93],"introduction":[94],"Network":[96],"Information":[98],"Security":[99],"Directive":[100],"2":[101],"(NIS2)":[102],"Cyber":[104],"Resilience":[105],"Act":[106],"(CRA)":[107],"aims":[108],"establish":[110],"robust":[111],"cybersecurity":[112],"requirements":[113,134,178,191],"organizations":[115],"products,":[117],"including":[118],"secure":[120,140],"importing":[123],"products":[126],"market.":[130],"However,":[131],"translating":[132],"verbatim":[133],"into":[135],"actionable":[136],"technical":[137],"implementations":[138],"complex":[145],"time-consuming":[147],"practitioners.":[150],"This":[151],"paper":[152],"addresses":[153],"this":[154],"gap":[155],"leveraging":[157],"functionality":[159],"selected":[162],"tools":[167,203],"partially":[169,206],"automate":[170],"simplify":[172],"compliance":[173,208,231],"extracted":[179],"from":[180],"NIS2":[181,228],"CRA.":[183],"We":[184],"identify":[185],"key":[186],"two":[194],"legislations":[195],"map":[197],"them":[198],"relevant":[200],"capable":[204],"automating":[207],"tasks.":[209],"Additionally,":[210],"we":[211],"propose":[212],"easily":[214],"replicable,":[215],"automated":[216],"pipeline":[217],"implementable":[219],"as":[220],"GitHub":[221],"workflows,":[222],"which":[223],"simplifies":[224],"practitioners\u2019":[225],"organizations\u2019":[227],"CRA":[230],"efforts.":[232]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-13T00:00:00"}
