When best practices become law

Today it is considered unprofessional to ship software without automated tests and static analysis. Yet a generation ago, both were optional: the habits of a conscientious minority, not an industry baseline.

That trajectory is not unique to our field. In medicine and in construction, voluntary best practices hardened first into professional expectations and then into regulatory requirements: hand-washing and structural load calculations were once a matter of individual diligence. Today they are simply the law. Software engineering is now arriving at the same inflection point.

Three converging developments make this concrete. The EU Cyber Resilience Act turns secure-by-design, vulnerability handling, and software bills of materials into binding obligations, applying in full from late 2027. The EU AI Act reshapes how systems that incorporate AI must be built, documented, and assessed. And the BSI's Grundschutz++ recasts security requirements as machine-readable, automatable artifacts: compliance you can verify in a pipeline, much as you verify tests.

Drawing on decades of building the testing and analysis tools the ecosystem relies on, I show how regulation is now flowing back into everyday engineering practice. Beyond the current AI hype, this quiet structural shift toward regulated quality may reshape how we build software more durably than any framework trend. You will leave knowing what to put in place now, rather than when the deadlines bite.

This presentation currently exists only as an idea and has not yet been accepted by a conference.

About me

I am the creator and maintainer of PHPUnit, the de facto standard testing framework within the PHP ecosystem. Used by millions of developers, it is embedded in the build pipelines of start-ups, Fortune 500 companies, and public sector organisations alike. I serve on the board of the PHP Foundation and am a co-founder of thePHP.cc, where I advise organisations on testing strategy, software quality, and security.

I have over 25 years of experience building the testing and analysis tools on which the PHP ecosystem relies, work that began as a matter of individual diligence and has since become an industry baseline. Having watched automated testing and static analysis travel from optional habit to professional expectation, I am now following that same trajectory as regulation such as the Cyber Resilience Act, the AI Act, and Grundschutz++ turns secure-by-design and verifiable quality into binding obligations, and I help organisations put the necessary practices in place before the deadlines bite.

Upcoming events

Espelkamp

Head in the Cloud Summit

On , I will be in Espelkamp at the Head in the Cloud Summit. There I will give the presentation "Modern PHP Development".