The Autonomous Compliance-to-Code (AC2C) Framework: A Generative AI-Powered Paradigm for Mapping IoT Data Flows to GDPR, HIPAA, and NIS2

Adetunji Oludele Adebayo1, Omowunmi Folashayo Makinde2, Olatunde Ayomide Olasehan3, Nathaniel Adeniyi Akande4, & Udoka Cynthia Duruemeruo5
1Information Security Manager/Independent Researcher, University of Bradford, UK
2IT Support Engineer I/Independent Researcher, University of the Cumberlands, US
3IT Engineer/Independent Researcher, Swansea University, UK
4Cybersecurity Analyst/Independent Researcher, University of Bradford, UK
5DevOps Engineer/Independent Researcher, University of Wolverhampton, UK
DOI – http://doi.org/10.37502/IJSMR.2025.81208

Abstract

The proliferation of Internet of Things (IoT) devices has transformed industries, including healthcare, by enabling real-time monitoring, optimization, and predictive maintenance. However, this advancement has introduced complex regulatory requirements, such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the Network and Information Systems Directive 2 (NIS2). Traditional governance, risk, and compliance (GRC) models have proven insufficient in addressing the dynamic nature of IoT deployments, leading to a compliance gap. This paper introduces the Autonomous Compliance-to-Code (AC2C) framework, a generative AI-powered paradigm for mapping IoT data flows to GDPR, HIPAA, and NIS2. The AC2C framework uses a multi-agent architecture to interpret regulatory requirements, map them to a dynamic technological environment, synthesize executable compliance logic, and perform continuous assurance. The framework’s efficacy is demonstrated through a case study involving a global smart healthcare provider subject to multiple jurisdictions. The framework’s agents, including the Regulatory Deconstruction Agent (RDA), IoT Data Flow Intelligence Agent (DFIA), Compliance Logic Synthesis Agent (CLSA), and Continuous Assurance & Reporting Agent (CARA), work together to bridge the “regulation-to-code” bottleneck and enable proactive compliance in IoT ecosystems. The AC2C framework represents an advancement in RegTech, offering organizations an automated solution to navigate IoT compliance.
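The abstract describes the compliance-logic and continuous-assurance stages only at the level of agent roles. The following Python sketch is an added illustration, not code from the AC2C paper or its authors: it expresses three simplified obligations as executable rules, evaluates them over constructed IoT data-flow records, and re-runs the evaluation across snapshots the way a continuous-assurance loop would. The rules (an EU/EEA cross-border transfer check for GDPR, an in-transit protection check for PHI under HIPAA, and a 24-hour incident-reporting check for NIS2), the `EU_EEA` country subset, and the sample devices are all assumptions chosen for the example.

```python
"""Illustrative compliance-as-code check for IoT data flows.

Added example, not the AC2C framework's own code. The three rules are
simplified stand-ins for GDPR, HIPAA and NIS2 obligations and are assumptions
for illustration, not legal text.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Dict

# Assumed, deliberately incomplete subset of EU/EEA country codes.
EU_EEA = {"DE", "FR", "IE", "NL", "IT", "ES"}


@dataclass(frozen=True)
class DataFlow:
    """One observed flow from an IoT device (fields are assumptions)."""
    device_id: str
    data_category: str              # "phi", "personal" or "telemetry"
    source_country: str             # ISO 3166-1 alpha-2
    destination_country: str
    encrypted_in_transit: bool
    transfer_mechanism: Optional[str] = None      # e.g. "SCC"
    incident_report_hours: Optional[float] = None  # detection-to-report delay, if any


@dataclass(frozen=True)
class Finding:
    regulation: str
    rule_id: str
    device_id: str
    detail: str


Rule = Callable[[DataFlow], Optional[Finding]]


def gdpr_cross_border(flow: DataFlow) -> Optional[Finding]:
    """Assumed rule: personal data leaving the EU/EEA needs a transfer mechanism."""
    leaves_eu = flow.source_country in EU_EEA and flow.destination_country not in EU_EEA
    if flow.data_category in {"personal", "phi"} and leaves_eu and not flow.transfer_mechanism:
        return Finding("GDPR", "GDPR-XBORDER", flow.device_id,
                       f"transfer {flow.source_country}->{flow.destination_country} without mechanism")
    return None


def hipaa_phi_in_transit(flow: DataFlow) -> Optional[Finding]:
    """Assumed rule: PHI must be protected (here: encrypted) in transit."""
    if flow.data_category == "phi" and not flow.encrypted_in_transit:
        return Finding("HIPAA", "HIPAA-TRANSIT", flow.device_id, "PHI sent unencrypted")
    return None


def nis2_incident_timing(flow: DataFlow) -> Optional[Finding]:
    """Assumed rule: an incident must be reported within 24 hours of detection."""
    if flow.incident_report_hours is not None and flow.incident_report_hours > 24:
        return Finding("NIS2", "NIS2-24H", flow.device_id,
                       f"incident reported after {flow.incident_report_hours:.0f}h")
    return None


RULES: List[Rule] = [gdpr_cross_border, hipaa_phi_in_transit, nis2_incident_timing]


def evaluate(flows: Iterable[DataFlow], rules: List[Rule] = RULES) -> List[Finding]:
    """Compliance-logic stage: run every rule over every observed flow."""
    findings: List[Finding] = []
    for flow in flows:
        for rule in rules:
            finding = rule(flow)
            if finding is not None:
                findings.append(finding)
    return findings


def continuous_assurance(snapshots: List[List[DataFlow]]) -> List[Dict[str, int]]:
    """Assurance stage: re-evaluate each snapshot and count findings per regulation."""
    reports: List[Dict[str, int]] = []
    for flows in snapshots:
        counts: Dict[str, int] = {}
        for finding in evaluate(flows):
            counts[finding.regulation] = counts.get(finding.regulation, 0) + 1
        reports.append(counts)
    return reports


# Constructed sample flows; device ids and traffic are not real.
SAMPLE_FLOWS = [
    DataFlow("pump-01", "phi", "DE", "US", encrypted_in_transit=False),
    DataFlow("pump-02", "phi", "DE", "US", encrypted_in_transit=True, transfer_mechanism="SCC"),
    DataFlow("gw-07", "telemetry", "DE", "US", encrypted_in_transit=True, incident_report_hours=36),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_FLOWS):
        print(f"{f.regulation:5} {f.rule_id:13} {f.device_id}: {f.detail}")
```

Each rule is a plain function returning a `Finding` or `None`, so a rule set produced by a code-generating agent can be dropped in without changing the evaluator, and `continuous_assurance` shows how findings per regulation can be tracked as the observed flows change over time.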

Keywords: Compliance-to-Code, GDPR, HIPAA.
