Compliance in Software Development
The EU Cyber Resilience Act (CRA), EU AI Act, NIS-2, and the German IT Security Act 2.0 place new legal obligations on manufacturers and operators of connected software. Our two- to three-day course equips participants with the practical tools to embed these requirements permanently in their development practice – with a focus on hands-on group code reviews of production-like code in Java and TypeScript.
The course is deliberately designed for two audiences: developers gain technical depth and hands-on exercises; governance and compliance stakeholders gain the structured overview needed to steer and demonstrate regulatory compliance within their organization. Together, both perspectives strengthen IT security awareness beyond individual departments – and lay the foundation for a lived security culture across the organization.
Target audience: Software developers, software architects, and IT specialists involved in the development or operation of connected systems, as well as IT managers and security officers who want to steer regulatory requirements in a structured way and embed a sound IT security awareness across their organization.
Duration: 2–3 days
Location: On-site or remote/online
Language: German (English on request)
Contact: training[at]datainmotion.com
Upcoming Dates
Two scheduled course dates are available in 2026. Places are limited — early registration is recommended.
| Date | Duration | Format |
|---|---|---|
| 25–26 August 2026 | 2 days | Remote / On-site |
| 9–10 November 2026 | 2 days | Remote / On-site |
We offer three delivery formats:
- Remote/online — virtual, for distributed teams
- On-premises — at your organization’s premises
- Jena — at our offices (max. 10 participants)
Minimum group size: 5 participants
Registration: training[at]datainmotion.com
Course content
Day 1 – Foundations, Governance and Secure Architecture
Day 1 lays the foundation: participants work through the regulatory framework, understand the relevant standards, and build – from governance structures to code level – the backbone of compliance-driven software development.
- Regulatory framework: Cyber Resilience Act (EU CRA), AI Act (EU AI Act), Network and Information Security Directive (NIS-2), General Data Protection Regulation (GDPR), German IT Security Act (IT-SiG 2.0)
- Standards: IT-Grundschutz (BSI), Technical Guidelines (BSI TR), Information Security Management (ISO/IEC 27001), Application Security Standard (OWASP ASVS)
- Governance structures: responsibilities, reporting chains, risk management, and compliance obligations
- Secure Software Development Lifecycle (SSDLC): Security by Design, threat modeling (STRIDE & LINDDUN)
- IT security awareness: risk culture, incident reporting behavior, and Security-First mindset in everyday development
- Architecture: Zero Trust, Defense in Depth, IAM (OIDC, OAuth2), cryptography in line with the BSI cryptography guideline (BSI TR-02102)
- Secure development: OWASP Top 10 with code examples (Java, TypeScript, Python, .NET)
Day 2 – Supply Chain, Operations and Current Risks
Day 2 secures the entire value chain: from software supply chain security and automated pipeline checks to secure operations – including the growing risks introduced by AI components in the product.
- Supply chain security: SBOM (CycloneDX, SPDX), dependency scanning, SLSA, license compliance
- Testing and verification: SAST (SpotBugs, SonarQube, Semgrep), DAST (OWASP ZAP), secret scanning
- CI/CD security: quality gates, container scanning (Trivy, Grype), artifact signing
- Deployment and vulnerability management: patch SLAs, coordinated disclosure, NIS-2 and CRA reporting obligations
- AI in development and as a software product: AI Application Security (OWASP LLM Top 10), AI Act (EU AI Act), AI Management System (ISO/IEC 42001)
All modules are linked to current case studies and threat scenarios – and thus actively foster IT security awareness across all participants.