← Compliance Training

Compliance in Software Development — On-Site Training

Hands-on training for development teams — 3 days, condensable to 2. From first idea to end-of-life: how teams build software that meets today’s security and regulatory requirements — without losing development velocity.

New European regulations (Cyber Resilience Act, NIS-2, GDPR) hold manufacturers and development teams directly accountable, and attacks are increasingly targeting the software supply chain (Log4Shell, xz, SolarWinds). Most incidents are not caused by malicious intent, but by a lack of awareness — and that is exactly where this training begins.

Organisations certified to ISO 27001 or BSI IT-Grundschutz — or working towards certification — must demonstrate regular, documented awareness training. Industry-specific regulations such as DORA (financial sector) or MDR (medical devices) raise the bar further depending on your market. A hands-on training course like this covers exactly that requirement.

Target audience:

  • Software developers — who want to know what secure, compliant development looks like in practice
  • Architects & tech leads — who want to embed Security by Design and make sound architectural decisions
  • IT managers & team leads — who need to assess where their team and organisation stand against the new requirements

No prior security knowledge required. Particularly relevant for teams that build or operate software covered by the new EU regulations — product and SaaS vendors, suppliers to critical infrastructure and public authorities, or organisations responsible for their own software supply chain.

Duration: 3 days — modular, condensable to 2 days (aligned to your focus area)
Price: on request — depends on scope and content of the training
Group size: 10–15 participants
Format: At your premises or at our office in Jena
Language: German (English on request)
Contact: training[at]datainmotion.com

Booking

The training is individually tailored to your team — scope, focus areas, and dates are agreed together in a preliminary discussion. Get in touch for a no-obligation first conversation.

Registration: training[at]datainmotion.com

Course Content

We begin with the regulatory foundations — what applies, who is liable, what does “state of the art” mean? From there we follow the software lifecycle: planning & architecture → development → testing → build → release → operations → end-of-life. This way every role sees exactly where each requirement applies in their daily work.

Day Focus Topics
Day 1 Foundations & planning The regulatory landscape at a glance · Security by Design · Threat Modeling · secure architecture (Zero Trust, Least Privilege, IAM)
Day 2 Development & tooling Secure Coding (OWASP Top 10) · Secrets Management · Supply Chain Security & SBOM (software bill of materials) · automated security testing · CI/CD pipeline as a security layer (DevSecOps, Shift-Left)
Day 3 Release, operations & synthesis Signed releases & provenance · Vulnerability & patch management · Lessons from real incidents · AI in development & product · security controls in brief

Hands-On, Not Death by Slides

  • Real code & CI/CD examples: reviewing vulnerable code and pipeline configurations together — in Java and TypeScript
  • Multi-day detective exercise: finding, assessing, and prioritising vulnerabilities yourselves (finding → triage)
  • GDPR use case walkthrough: a realistic scenario followed end to end
  • Anatomy of an incident: real security breaches broken down to the technical level — what exactly happened, and why?

AI Focus

A dedicated block addresses the question every team is grappling with: AI-assisted development (coding assistants, “vibe coding”) and AI as a product feature. What new risks emerge, who is liable for AI-generated code, and how do you stay in control? Depth can be adjusted to match your team’s focus.

Benefits

For the organisation

  • Reduce risk & liability: requirements from CRA, NIS-2 and beyond become tangible — before they become an audit, liability, or reputation issue
  • Make “state of the art” demonstrable: solid arguments and processes instead of gut feeling
  • Baseline assessment: a clear picture of where your team stands today and what the next sensible steps are
  • Ship faster, not slower: security as an automated part of the pipeline rather than a brake at the end

For the team

  • Shared vocabulary and a common understanding across roles
  • Immediately applicable tools — concrete patterns, tools, and checklists instead of abstract rules
  • More confidence day to day: less “we didn’t think of that”, more assurance in architecture, dependency, and pipeline decisions
  • Security champion mindset embedded in the team

Your Trainer

Mark Hoffmann — compliance from practice, not from a textbook: over 20 years as a software developer, 15 of them as an architect.

  • TÜV-certified Data Protection Officer
  • iSAQB® Certified Professional for Software Architecture — Foundation Level
  • BSI IT-Grundschutz Practitioner

Advisory architect on several municipal projects (including smart city initiatives) and in large enterprises — this training grew out of that hands-on experience. Core expertise: distributed, modular, and dynamic system architectures.

Looking for Something Compact?

Our Online Compact Course (2 days, €870 per person) delivers the awareness foundation remotely, with a certificate of attendance — ideal as a recurring ISMS building block.

Get in touch: training[at]datainmotion.com