Extracting Functional Requirements from Policies for Decentralized Identity Applications

Decentralized identity (DI) and Self-Sovereign Identity (SSI) systems emphasize enhanced privacy, user control, and interoperability, yet their adoption is tightly constrained by complex and evolving legal and policy frameworks. Regulations such as the General Data Protection Regulation (GDPR) and the eIDAS Regulation impose explicit obligations that directly influence how identity systems must be designed and operated.

This thesis investigates how functional requirements for DI/SSI applications can be systematically extracted, mapped, and updated based on applicable laws and policies. By analysing regulatory texts and policy instruments, the research aims to align existing functional requirements with legal mandates, identify gaps or conflicts, and support compliance-by-design in DI systems. The outcome contributes a structured approach for maintaining legally aligned functional requirements, enabling decentralized identity solutions that are both technically robust and regulatory compliant.

Sources to Consider:

[1] T. Breaux and A. Antón, "Analyzing Regulatory Rules for Privacy and Security Requirements," in IEEE Transactions on Software Engineering, vol. 34, no. 1, pp. 5-20, Jan.-Feb. 2008, doi: 10.1109/TSE.2007.70746.

[2] T. D. Breaux, M. W. Vail and A. I. Anton, "Towards Regulatory Compliance: Extracting Rights and Obligations to Align Requirements with Regulations," 14th IEEE International Requirements Engineering Conference (RE'06), Minneapolis/St. Paul, MN, USA, 2006, pp. 49-58, doi: 10.1109/RE.2006.68.

[3] P. N. Otto and A. I. Antón, “Managing Legal Texts in Requirements Engineering”, In: Lyytinen, K., Loucopoulos, P., Mylopoulos, J., Robinson, B. (eds) Design Requirements Engineering: A Ten-Year Perspective. Lecture Notes in Business Information Processing, vol 14, 2009. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-92966-6_2

• Requirements engineering