Policy Significance Statement
This study provides policymakers with guidance on improving security and privacy through blockchain technology. This study uses the CLR and LDA topic modeling techniques to uncover themes across domains such as healthcare, education, supply chains, and IoT. The findings highlight thematic topics from the analysis of blockchain-related goals and challenges that policymakers can leverage to adopt best practices for effectively addressing information security and privacy. In addition, this study developed research questions to address regulatory frameworks for developing information security strategies.
1. Introduction
Blockchain has attracted significant attention for enhancing security and privacy in digital systems. However, the increasing convergence of advanced technologies and widespread data sharing has heightened risks of identity theft, financial loss, and breaches of confidentiality (Hughes et al., Reference Hughes, Dwivedi, Misra, Rana, Raghavan and Akella2019; Wylde et al., Reference Wylde, Rawindaran, Lawrence, Balasubramanian, Prakash, Jayal, Khan, Hewage and Platts2022). While blockchain integration can strengthen security through cryptographic verification and consensus mechanisms (Puthal et al., Reference Puthal, Malik, Mohanty, Kougianos and Yang2018), it also raises concerns regarding immutability and compliance with data protection frameworks such as the EU’s GDPR (Akanfe et al., Reference Akanfe, Lawong and Rao2024). Similarly, the borderless nature of blockchain networks challenges jurisdictional authority by complicating the application of national laws and regulations (Bincoletto, Reference Bincoletto2020). Consequently, these issues require systematic reevaluation in alignment with contemporary policy frameworks to ensure effective adaptation to the distinctive characteristics of blockchain technology.
The development of various methodologies, such as Zero-Knowledge Proofs (ZKPs), Multiparty Computations (MPCs), and Fully Homomorphic Encryption (FHE), advances security and privacy protection protocols on the blockchain (Waheed et al., Reference Waheed, He, Ikram, Usman, Hashmi and Usman2020; Ma et al., Reference Ma, Wang, Gai, Duan, Zhang and Luo2023; Wang et al., Reference Wang, Chaliasos, Qin, Zhou, Gao, Berrang, Livshits and Gervais2023). Concurrently, regulatory frameworks governing digital assets in the United States have evolved, including enforcement actions and rulemaking by the US Securities and Exchange Commission (SEC) and legislative initiatives such as the Financial Innovation and Technology for the 21st Century Act, which aim to clarify jurisdictional oversight between federal regulators of blockchain-based financial instruments (Library of Congress, 2025).On the other hand, the EU’s Markets in Crypto-Assets Regulation (MiCA) requires crypto-asset service providers to obtain authorization and comply with governance, operational resilience, and cybersecurity requirements, under the supervisory coordination of the European Securities and Markets Authority (ESMA) (Ferreira and Sandner, Reference Ferreira and Sandner2021). Despite these developments, significant security and privacy challenges remain. For instance, biometric data processing on immutable blockchain infrastructures raises significant GDPR compliance challenges, particularly regarding special-category data protections, purpose limitation, and the right to erasure (EDPB, 2025). Moreover, privacy-enhancing blockchain tools create tensions between anonymity and regulatory compliance (Buterin et al., Reference Buterin, Illum, Nadler, Schär and Soleimani2024). The growing research on security and privacy protocols for blockchain has led to a large number of publications. The development of advanced blockchain architecture that aligns with regulations requires an analysis of the current literature (Homoliak et al., Reference Homoliak, Venugopalan, Reijsbergen, Hum, Schumi and Szalachowski2020) to identify gaps and formulate research questions. Currently, systematic/bibliometric analyses are popular to identify challenges, opportunities, and potential solutions. However, biases arise when selecting articles from an extensive collection. To address this challenge, we adopt CLR (Antons et al., Reference Antons, Breidbach, Joshi and Salge2023) to uncover the hidden thematic structure of a large corpus of literature comprising 3904 articles. This analysis helps us identify trending topics and critical future research questions for privacy-preserving blockchain architecture and policies. Additionally, it helps to understand the complex interplay between blockchain technology, regulatory requirements, and the further development of informed policies. We found a lack of CLR methods in previous literature reviews on blockchain security and privacy topics, and its alignment with policy and regulatory frameworks, which was a key motivation for our research, as we saw the potential for CLR to enhance the quality and objectivity of such reviews. Hence, we formulated the following research question for this study:
RQ1: How can CLR be used to uncover key research trends and evolving topics in blockchain-based information security and privacy?
RQ2: How do the identified research trends and evolving topics align with existing regulatory and policy frameworks, and what techno-legal gaps emerge to guide future research?
This article is an extended and substantially revised version of our earlier conference publication (Shankar et al., Reference Shankar, Uddin, Mukta, Kumar, Islam and Najmul Islam2025). This journal version significantly extends the scope by providing an enhanced analysis of blockchain-based information security and privacy topics, aligning the discussion with relevant policy and regulatory frameworks, examining their implications, and identifying regulatory-aligned directions for future research.
This article is structured as follows: First, we discuss background on Blockchain-based information security, the CLR, and Previous Literature Works; then, we discuss the methodology and tools used in this work, including impact and content analysis to identify the topics. The next section provides analysis results. Finally, we discussed the identified topics in detail and, based on this, developed future research questions.
2. Background
2.1. Blockchain-based information security
A blockchain-based information security and privacy system ensures immutability and transparency while enhancing security and privacy through advanced cryptographic methods, such as ZKPs and FHEs, which validate data without revealing sensitive details (Zhou et al., Reference Zhou, Diro, Saini, Kaisar and Hiep2024). Thus, it significantly reduces vulnerabilities and enhances user trust through transparent, verifiable transactions (Liu et al., Reference Liu, Li, Lv, Wang, Zhao and Lu2024). However, regulatory compliance challenges remain. In particular, the immutability of blockchain records creates structural tensions with data subject rights under the GDPR, including rectification and erasure obligations (e.g., EDPB, 2025). Additionally, blockchain’s inherently cross-border and decentralized architecture raises complex issues concerning data sovereignty, jurisdictional oversight, and regulatory enforcement. (Bincoletto, Reference Bincoletto2020).
2.2. Computational literature review
The CLR topic modeling method used to uncover the hidden thematic structure from a large corpus of literature enables the conduction of a more comprehensive and unbiased analysis (Antons et al., Reference Antons, Breidbach, Joshi and Salge2023). CLR uses advanced machine learning (ML) algorithms to systematically analyze large volumes of text. The automated process of CLR accelerates the review process and increases the scope of insights gained from the literature. CLR relies on topic modeling techniques, particularly Latent Dirichlet Allocation (LDA) (Blei et al., Reference Blei, Ng and Jordan2003; Uddin et al., Reference Uddin, Shankar, Mukta, Kumar and Islam2024), to detect underlying thematic patterns across document collections. LDA topic modeling uses an unsupervised probabilistic statistical model to identify hidden topics in a corpus from the content of the articles (Blei et al., Reference Blei, Ng and Jordan2003).
To perform CLR, researchers follow a structured framework involving six key steps:
1. Begin with a conceptual goal that is the researcher’s motivation to perform the review.
2. Operationalizing the CLR helps identify the boundaries for selecting the content and the area of the work.
3. Choose a computational technique regarding the suitability of the corpus of the document.
4. Perform the content analysis by preparing the data based on the selected computational algorithm in the previous steps.
5. Generate original insights by organizing the evaluation of outputs in step four.
6. Present the findings by applying synthesis forms like research agenda, taxonomy, models, meta-analysis, and meta-theory to present the findings and synthesize the insights into useful building blocks for further research.
2.3. Previous literature works
Mohanta et al. (Reference Mohanta, Jena, Panda and Sobhanayak2019) conducted an SLR on 150 articles to analyze blockchain applications, in which 20 articles ware related to security and privacy challenges in blockchain implementation. A study by Zhang et al. (Reference Zhang, Xue and Liu2019) analyzed 14 articles that described consensus algorithms, hash-chained storage, mixing protocols, anonymous signatures, noninteractive ZKPs, and secure MPC to achieve security and privacy in blockchain-based systems. Waheed et al. (Reference Waheed, He, Ikram, Usman, Hashmi and Usman2020) analyzed 43 articles to evaluate security and privacy challenges and vulnerabilities and propose an ML-based automated security and privacy mechanism. Ismagilova et al. (Reference Ismagilova, Hughes, Rana and Dwivedi2022) reviewed 99 articles focusing on the security and privacy of mobile devices in smart cities, power systems, healthcare, and blockchain. Gugueoth et al. (Reference Gugueoth, Safavat, Shetty and Rawat2023) reviewed 31 articles on Internet of Things (IoT), describing attacks on IoT on security and privacy vulnerabilities, and identified countermeasures. An SLR by Kiania et al. (Reference Kiania, Jameii and Rahmani2023) examined 51 articles on blockchain-based healthcare systems to improve security and privacy. A study presented by Qahtan et al. (Reference Qahtan, Yatim, Zulzalil, Osman, Zaidan and Alsattar2023) provides a comprehensive taxonomy of attribute-related security and privacy developments for the blockchain-based healthcare industry 4.0 and identifies challenges in multicriteria evaluation. Myrzashova et al. (Reference Myrzashova, Alsamhi, Shvetsov, Hawbani and Wei2023) present an SLR of 100 articles on the adoption of Federated Learning (FL) in blockchain-based healthcare systems to identify vulnerabilities in security and privacy measures. Akanfe et al. (Reference Akanfe, Lawong and Rao2024) analyze 71 articles to explore uncertainties and misalignments between blockchain and privacy regulations, such as GDPR. The study used the Technology-Organization-Environment (TOE) framework to identify areas of conflict. Wylde et al. (Reference Wylde, Rawindaran, Lawrence, Balasubramanian, Prakash, Jayal, Khan, Hewage and Platts2022) present a comprehensive cybersecurity framework that integrates blockchain, IoT standardization, and machine learning to enhance privacy protection and regulatory compliance, while addressing data security and privacy vulnerabilities. Zafar (Reference Zafar2025) analyzed GDPR governance of joint controllership jurisprudence, highlighting compliance tools such as chameleon hashes, redactable chains, and ZKPs, and stressed the need for a clear GDPR regulatory framework for blockchain. Finck (Reference Finck2018) describes conceptual frictions between decentralization, ledger immutability, and GDPR duties (controller identification; encrypted/hashed data as personal data; and rectification/erasure), urging on techno-legal interoperability. Further, Z Li (Reference Li2020) examined how EU GDPR requirements align with blockchain, suggesting technical standardization to promote compliance with GDPR principles. The author focuses on accountability, the right to erasure, data portability, and data protection by design. Xu et al. (Reference Xu, Sun, Li, Sun, Zhang and Zhang2023) present a Web3 “deController” infrastructure that addresses cyber sovereignty and GDPR compliance, indicating that aligning blockchain identities with the GDPR’s “purpose limitation” can reduce liability gaps. De Filippi and Hassan (Reference De Filippi and Hassan2016) illustrate blockchain and smart contracts as regulatory technologies that shift from “code is law” to “law is code,” highlighting the need for legal flexibility in code-based governance.
The above-discussed studies employ a systematic/comprehensive literature review process on small corpora and offer only quantitative and qualitative assessments (Nightingale, Reference Nightingale2009; Thilakaratne et al., Reference Thilakaratne, Falkner and Atapattu2019). Researchers typically identify trends and process unstructured data using manual or semi-structured techniques. These approaches generally lack automation, scalability, real-time analysis, algorithmic topic evolution tracking, dynamic synthesis, and latent-topic insights, as shown in Table 1. However, Shahid (Reference Shahid2020) performed an LDA on a corpus of 2125 articles to identify topics. The research focused on computer science, followed by economics and business, highlighting the need for further research on blockchain development.
Comparison with existing literature review studies

Table 1. Long description
Starting from the top row, each study is listed in the leftmost column: Mohanta et al. 2019, Zhang et al. 2019, Waheed et al. 2020, Shahid Reference Shahid2020, Myrzashova et al. Reference Myrzashova, Alsamhi, Shvetsov, Hawbani and Wei2023, Qahtan et al. 2023, Gugueoth et al. 2023, Akanfe et al. 2024, and Our study. The first column shows the number of literature items included: 20, 14, 43, 2125, 100, 52, 31, 71, and 3904 respectively. The next twelve columns represent analytic features: quantitative analysis, qualitative analysis, data collection automation, scalability, real-time analysis, algorithmic topic evolution tracking, dynamic literature synthesis, trends and pattern identification, unstructured data processing, data-driven insights, and latent topic insight. For each feature, a check mark indicates presence and a multiplication sign indicates absence. Mohanta et al. has quantitative analysis, qualitative analysis, trends and pattern identification, data-driven insights, and latent topic insight, but lacks other features. Zhang et al. has quantitative analysis, qualitative analysis, trends and pattern identification, data-driven insights, and latent topic insight, but lacks other features. Waheed et al. has quantitative analysis, qualitative analysis, trends and pattern identification, data-driven insights, and latent topic insight, but lacks other features. Shahid has all twelve features present. Myrzashova et al. has quantitative analysis, qualitative analysis, trends and pattern identification, data-driven insights, and latent topic insight, but lacks other features. Qahtan et al. has quantitative analysis, qualitative analysis, trends and pattern identification, data-driven insights, and latent topic insight, but lacks other features. Gugueoth et al. has quantitative analysis, qualitative analysis, trends and pattern identification, data-driven insights, and latent topic insight, but lacks other features. Akanfe et al. has quantitative analysis, qualitative analysis, trends and pattern identification, data-driven insights, and latent topic insight, but lacks other features. Our study has all twelve features present. Numeric values and feature definitions are provided in the table footnote.
Note: Numeric values in the column headings are indicated as follows: 1 = Number of literature included in the analysis, 2 = Quantitative analysis, 3 = Qualitative analysis, 4 = Data collection automation, 5 = Scalability, 6 = Real-time analysis, 7 = Algorithmic topic evolution tracking, 8 = Dynamic literature synthesis, 9 = Trends and pattern identification, 10 = Unstructured data processing, 11 = Data-driven insights, 12 = Latent topic insight.
Further, analysis of previous blockchain-focused literature reveals that most authors acknowledge regulations such as the GDPR, highlighting blockchain and policy challenges, but lack regulatory text or purpose-specific solutions (Akanfe et al. (Reference Akanfe, Lawong and Rao2024), Finck (Reference Finck2018), Ismagilova et al. (Reference Ismagilova, Hughes, Rana and Dwivedi2022), and Zafar (Reference Zafar2025)). Additionally, the literature is confined to technical, social, and governance questions, hindering the development of a unified framework for scholars to integrate findings. Much of the research is domain-specific, limiting broader, cross-disciplinary insights into blockchain’s systemic impact. Moreover, scholars frequently overlook data governance concerns beyond technical security controls, offering limited examination of how decentralized ecosystems redistribute accountability among developers, node operators, end users, and regulatory authorities.
To address these issues, our work adopts LDA-based CLR topic modeling to uncover trends in security and privacy for blockchain systems policies. Our work examines nearly 4000 publications and is the only study to integrate all 12 parameters presented in Table 1. Furthermore, our work positions policy and regulation as the analytical centerpiece for topics related to blockchain-based security and privacy, examining landmark regulations such as the US FIT21 Act and the EU’s MiCA. Unlike previous works that broadly reference GDPR, our study examines specific legal articles and assesses how they can bridge compliance gaps. By balancing regulatory rigor with technological feasibility, we reframe blockchain regulation as a dynamic, multijurisdictional challenge. These findings offer actionable guidance for policymakers and future research directions on interoperability and privacy-enhancing architectures in the IS field.
3. Methodology
This study aims to identify emerging fields and promising paths for future research on blockchain-based security and privacy, as well as policies for individual users and organizations. Our methodology follows a step-by-step approach.
3.1. Data collection
The data collection process presented in Figure 1 is explained in detail with the following steps:
1. Identification phase: we conducted a comprehensive search across multiple databases, including IEEE, Web of Science, and Scopus by using specific keywords with Boolean logic: (“Blockchain” AND “Security” AND “Privacy” AND “Decentrali*”) OR (“Blockchain” AND “Security” AND “Privacy” AND “Distributed”).
2. Screening phase: search results overlap across databases, with the majority of relevant articles indexed in Scopus. The Scopus database is widely recognized as comprehensive, multidisciplinary, and reliable, as reflected in the robustness of its abstracting and citation indexing standards. Therefore, we continued with the 4975 relevant articles identified in the Scopus search interface and applied our inclusion and exclusion criteria in the subsequent phases.
3. Inclusion criteria:
• Publications indexed in Scopus.
• Articles published in peer-reviewed journals and conferences.
• Language limited to English.
• Subject areas specifically included: Computer Science, Engineering, Mathematics, Decision Sciences, Energy, Medicine, Business, Management and Accounting, Health Professions, Social Sciences, Environmental Science, Economics, Econometrics, and Finance.
4. Exclusion criteria:
• Articles not published in English.
• Books, book chapters, reviews, letters, editorials, notes, and other non-peer-reviewed materials.
• Articles outside the designated subject areas mentioned above.
Applying these inclusion and exclusion criteria reduced the total number of articles from 4975 to 4016.
5. Eligibility phase: We exported metadata for the 4016 retrieved articles into a CSV file and identified duplicate records using DOIs. Duplicates were removed using the pandas library in Python, resulting in a refined dataset of 3904 unique articles for the CLR analysis.
6. Included phase: To conduct thematic analysis and accurately identify research topics, we utilized the abstracts of the remaining 3904 articles.
Data collection process.

Figure 1. Long description
The flowchart begins at the top left with the Identification Phase, a blue box stating search across databases including I E E E, W o S, and Scopus with specific keywords, n equals zero. An arrow points right to the Screening Phase, an orange box, describing selection of Scopus due to comprehensive collection and overlap with other databases, n equals four thousand nine hundred seventy-five. Another arrow leads right to the Inclusion Criteria, a green box, listing indexed in Scopus, peer-reviewed, English language, and domain specific subject areas, n equals four thousand sixteen. From this box, an arrow points downward to the Eligibility Phase, a green box at the bottom left, stating export metadata as C S V and removing duplication by D O I, n equals four thousand sixteen. An arrow leads right to the Included Phase, a green box, stating for thematic analysis the abstracts of the remaining n equals three thousand nine hundred four articles were included.
3.2. Metadata analysis
To illustrate the research landscape, we conducted a bibliometric impact analysis on the cleaned corpus of 3904 Scopus records. We parsed the CSV metadata, including title, authors, source/venue, year, citation counts, and author affiliations. We processed it with the litstudy Python library (https://nlesc.github.io/litstudy/) to compute standard indicators (counts, group-bys, venue tallies, and per-year statistics), following established bibliometric practice (Glänzel and Moed, Reference Glänzel and Moed2002).
We defined four complementary impact views:
• Citation impact per year: Articles are binned into citation ranges and plotted by publication year. Due to a very small number of publications in earlier years, we started interpretation from the year 2016. This analysis represents the continuous research engagement of scholars in the field of security and privacy through blockchain (Figure 4).
• Output growth: Counts of annual publications are presented to show the trajectory over time, which highlights the growing number of publications by researchers (Figure 5).
• Venue concentration: We examined publication sources to identify leading journals and conferences and ranked them based on the number of articles they published in the blockchain domain (Figure 6).
• Geography and collaboration: Analyze the author affiliations aggregated by countries to plot the top-10 countries by author frequency and construct a country co-authorship network to understand the global view of research and their collaborative effort to tackle security and privacy challenges on blockchain (Figure 7a,b).
We visualized these indicators and provided concise narrations of the patterns (e.g., post-2016 growth, concentration in leading IEEE and LNCS/CCIS venues, and strong cross-country collaborations). In our analytical workflow, we positioned this impact analysis after data collection and cleaning, and before executing content analysis and topic modeling.
3.3. Abstract preprocessing and analysis with LDA
We conducted the content analysis by converting the CSV file into a Pandas DataFrame and extracting abstracts using the Pandas library. As abstracts concisely convey each study’s purpose, methods, and key findings, they help to understand emerging patterns and themes within the dataset while aligning with the methodological rigor suggested by Principe et al. (Reference Principe, de Souza Vale, de Castro, Carvano, Henriques, de and de2022).
Further, preprocessing of the abstract dataframe involved gensim.utils.simple_preprocess from Gensim ( https://pypi.org/project/gensim/) Python library to parse abstracts in four main steps programmatically:
1. Text cleaning: The process of removing unnecessary text and converting all text into lowercase, providing consistency, and removing repetition of words.
2. Removing stop words: Insignificant words such as “the,” “a,” “is,” “and,” and so forth, are removed, emphasizing key terms with higher significance.
3. Tokenization: It involves splitting text into minimal, considerable elements. It also applies bigrams and trigrams to groups of frequent words, treating them as single units, improving the semantic analysis of specific sentences in the LDA model.
4. Lemmatization: Through this process, a word is derived to its root form while preserving the context. For example, “organizational” will become “organization.”
After preprocessing, we applied LDA from Gensim on the dataset and built a corpus dictionary using gensim.corpora.Dictionary, which converts the dataset into a TF–IDF-weighted bag-of-words corpus, then trains the LDA model with 40 topics. We evaluated model performance using the UMass coherence metric and obtained a coherence score of
$ 0.46 $
through gensim.models.CoherenceModel. The result ware interpreted through manual verification, with human-readable labels and word clouds generated for the top-weighted terms (Figure 10). This process ensured that the corpus was processed efficiently, while the substantive meaning of each topic remained clear and reliable.
Furthermore, to provide a deeper understanding of the LDA process, we illustrate it using the probabilistic graphical model shown in Figure 2 (Momtazi, Reference Momtazi2018). In this model, we represent each document as a mixture of
$ T $
latent topics, where each topic is a probability distribution over the vocabulary. The outer plate (
$ M $
) denotes the full collection of documents, while the inner plate (
$ {N}_d $
) captures the repeated generation of words within each document.
The graphical model representation of unsupervised LDA.

Figure 2. Long description
The outermost rectangle labeled M contains a horizontal sequence of nodes: alpha points right to theta, which points right to z. z points right to w, which is shaded pink. w is inside a smaller rectangle labeled N sub d, nested within M. Above, beta points right to phi, which is inside a green rectangle labeled T. An arrow from phi points downward to w. All arrows indicate conditional dependencies. The model structure visually encodes the generative process of Latent Dirichlet Allocation, with each variable and plate representing parameters, latent variables, observed words, and document or topic groupings.
The generative process proceeds as follows:
1. $ \beta $
serves as the Dirichlet prior for the per-topic word distributions. For each topic
$ t\in T $
, we draw a multinomial distribution over words,
$ {\phi}_t $
, from
$ Dir\left(\beta \right) $
. The
$ T $
plate in the figure represents this process, which we repeat for all topics.2. $ \alpha $
functions as the Dirichlet prior for the per-document topic distributions. For each document
$ d\in M $
, we draw a multinomial distribution over topics,
$ {\theta}_d $
, from
$ Dir\left(\alpha \right) $
.3. For each word position $ n\in {N}_d $
in document
$ d $
, a topic
$ {z}_{dn} $
is sampled from
$ Multinomial\left({\theta}_d\right) $
and a word
$ {w}_{dn} $
is then drawn from
$ Multinomial\left({\phi}_{z_{dn}}\right) $
.
In our implementation, after preprocessing and tokenization (including bigram and trigram construction to preserve phrases such as “access-control”), we construct the Document-Term Matrix (DTM) as:
$ {DTM}_{ij}=f\left({t}_j,{d}_i\right) $
where
$ f\left({t}_j,{d}_i\right) $
is the frequency of term
$ {t}_j $
in document
$ {d}_i $
. LDA then estimates
$ \theta $
(topic distributions per document) and
$ \phi $
(word distributions per topic) iteratively.
Since LDA is unsupervised, the optimal number of topics
$ T $
is determined using the coherence score
$ C $
:
$ C=\sum \limits_{m=2}^M\sum \limits_{l=1}^{m-1}\log \frac{P\left({w}_m,{w}_l\right)+\unicode{x025B}}{P\left({w}_l\right)} $
where,
$ {w}_m,{w}_l $
= top words in a topic,
$ P\left({w}_m,{w}_l\right) $
= probability of co-occurrence of words
$ {w}_m $
and
$ {w}_l $
within a sliding window in the corpus, and
$ \unicode{x025B} $
= small constant to avoid division by zero.
Higher coherence scores indicate more interpretable and semantically coherent topics. We selected the value of
$ T $
that produced the most meaningful themes, and then examined the content within each topic to assess blockchain’s role in security and privacy, which further aligned with challenges related to policy and regulatory.
Figure 3 shows the systematic method followed in our work to explore blockchain Information security and privacy research. The process starts with selecting Scopus for data collection, followed by exporting and preparing the dataset. Impact analysis was conducted to evaluate key publications and authors. Next, we preprocess the abstracts for topic modeling using LDA. Through LDA, we identify the major research themes. Then, the deployment of computational techniques refines the focus and ensures coherence in topics. Furthermore, the content analysis phase includes interpreting output validity checks, manually reviewing significant articles, and identifying key insights. The process concludes with synthesizing findings into a techno-legal context and outlining future research directions.
Research framework.

Figure 3. Long description
At the top left, green boxes begin with Explicating slash Relating, listing summarizing previous findings and finding connections in research gap. Below, the first main step is Define Research scope. Moving right, a blue box defines domain for CLR and preparation of dataset, detailing database selection, export data, data collection process, and impact analysis through metadata. The next main step is Operationalize the CLR. Further right, a blue box covers dataset preprocessing and technique selection, including preprocess of dataset and topic modelling through L D A technique, leading to Computational technique selection. The next step is Perform content analysis, with a blue box below listing analysis, data cleaning process, CLR tools deployment, and topic number selection. The next step is Organise and evaluate outputs, with a blue box below for result discussion, including interpretation of output, manual checking of significant articles, and identifying insights. The next step is Generate original Insights, followed by Presentation of Findings. At the bottom, a blue box under Presentation of Findings lists synthesis of insights and techno dash legal discussion, and future studies. Two colored annotation bands run above and below the main flow: Dataset and CLR model Creation (orange, top right) spans the first five steps, and CLR Deployment and Interpretation (orange, bottom left) spans the last four steps.
4. Results
4.1. Impact analysis
From the metadata analysis, we can calculate the impact across various aspects. In Figure 4, we depicted the citation impact range for each year from 2015 to 2024 (Q1), against the number of publications. The data show that very few articles were published before 2016, limiting meaningful analysis for earlier years. Accordingly, we begin the impact assessment from 2016 onward. Furthermore, we presented the total number of publications per year in Figure 5, which demonstrates recent growth in blockchain research and helps predict future research trends across different domains.
Number of publications versus citation/year.

Figure 4. Long description
The layout consists of ten bar charts in two rows of five. Each panel is labeled with a year, starting with 2015 at the top left and ending with 2024 at the bottom right. In each chart, the x-axis is labeled Citation Range with categories 0-5, 6-10, 11-20, 21-30, 31-50, and 51 plus. The y-axis is labeled Number of Papers. In 2015 and 2016, only the 51 plus category has nonzero values, with fewer than 2 papers. In 2017, all categories have low counts, with 51 plus highest. In 2018, the 51 plus category dominates, with moderate counts in other ranges. In 2019, the 0-5 and 51 plus categories are highest, with intermediate values in other ranges. From 2020 onward, the 0-5 category increases sharply, peaking in 2023 with over 600 papers, while all other categories remain much lower. In 2024, only the 0-5 category has a high count, with all others near zero. The trend shows a dramatic increase in papers with low citation rates in recent years.
Publication per year.

We presented the top 10 journals and conferences based on publication counts in Figure 6. From Figure 6a, top journals, such as the IEEE IoT, IEEE Transactions on Industrial Informatics, and IEEE Transactions on Intelligent Transportation Systems, publish a significant number of articles. It indicates that the IS field views blockchain as a means of securing digital infrastructure. Furthermore, Figure 6b shows conference-like multidisciplinary series (LNCS, CCIS, AIS & C) and IEEE conferences (Globecom, ICC), reflecting a productive research cycle in which studies debut at conferences and subsequently mature into journal publications, refining architectural frameworks. Such dynamics support policymakers in developing a clearer taxonomy of blockchain and its associated technological domains for informed policy formulation.
Top journals and conferences.

Figure 6. Long description
The left panel shows the top ten journals by number of papers, ordered from top to bottom: IEEE Access (about 190), IEEE Internet of Things Journal (about 140), Sensors (about 50), Electronics (Switzerland) (about 45), Security and Communication Networks (about 35), Future Generation Computer Systems (about 30), IEEE Transactions on Industrial Informatics (about 30), Applied Sciences (Switzerland) (about 25), IEEE Transactions on Vehicular Technology (about 20), and EEE Transaction on Intelligent Transportation Systems (about 20). The right panel lists the top ten conferences by number of papers, from top to bottom: Lecture Notes in Computer Science (about 125), ACM International Conference Proceeding Series (about 100), Lecture Notes in Networks and Systems (about 90), Communications in Computer and Information Science (about 70), Lecture Notes in Electrical Engineering (about 45), Procedia Computer Science (about 35), Advances in Intelligent Systems and Computing (about 30), IEEE Global Communication Conference (about 15), IEEE International Conference on Communications (about 15), and Lecture Notes of the Institute for Computer Sciences (about 10). The x-axes for both panels are labeled Number of Papers, and the y-axes are labeled Journals and Conference, respectively.
We processed the affiliations of authors from each article using metadata analysis and identified the top 10 countries. Figure 7a displays the top 10 countries ranked by the number of affiliated authors, highlighting nations that demonstrate strong strategic engagement in advancing cybersecurity research. Figure 7b presents the international collaboration network among authors, where each node represents a country, and the thickness of connecting edges indicates the intensity of collaborative activity. This network structure emphasizes international cooperation, reflects a global, collective approach to addressing information security challenges, which supports policymakers to better understand the cross-border research advancement.
Top 10 countries by author affiliation and their collaboration network.

Figure 7. Long description
The left panel is a horizontal bar chart titled Top 10 Countries by Author Affiliation Frequency. The y-axis lists countries from top to bottom: China, India, United States, United Kingdom, Saudi Arabia, Australia, Canada, South Korea, Pakistan, United Arab Emirates. The x-axis is labeled Number of Authors, ranging from 0 to 5000. China has the highest bar, followed by India and United States, with decreasing bar lengths for the remaining countries. The right panel is a network diagram titled Top 10 Countries Collaboration Network. Each country is represented as a node. Lines connect nodes, with line thickness indicating collaboration strength. The thickest lines are between China and United States, China and India, and United States and United Kingdom. All countries are interconnected, but the densest connections cluster around China, United States, and India. Peripheral countries like United Arab Emirates and Canada have fewer, thinner connections.
4.2. Content analysis
Figure 8, a heatmap of the co-word analysis of selected words by frequency, highlights the key concepts of the current research. The analysis successfully identified relationships among themes, while the high frequency of blockchain with security, privacy, and data indicates significant research on enhancing data security, integrity, and overall governance in information security. Other terms, such as network, users, and management, occur with moderate frequency, reflecting the factors that influence technological adoption and integration. This heatmap helps scholars identify research trends in blockchain-based information security and their conceptual interactions, supporting the development of strategies for policy formulation.We trained 40 LDA topics, Figure 9 analyzes the coherence score of topics from our topic modeling process. Then selected 30 topics with a coherence score >0.4 because these topics exhibit strong semantic relations (Stevens et al., Reference Stevens, Kegelmeyer, Andrzejewski and Buttler2012). Further, these topics are presented in a word cloud in Figure 10.
Heat map of the selected top words based on frequency.

Figure 8. Long description
The heat map displays a 13 by 13 matrix where both axes list the same set of words: network, blockchain, information, systems, users, challenges, security, privacy, management, data, integrity, protection, sharing, process, access. Each cell at the intersection of a row and column shows the frequency of co-occurrence, with values such as 6.5e+03, 1.4e+03, 1.3e+03, and up to 2.3e+04. The diagonal cells are all zero, indicating no self-co-occurrence. The color intensity increases with frequency, as shown by the color bar on the right, ranging from pale yellow (low) to dark blue (high). Highest frequencies are observed between ‘blockchain’ and ‘data’ (2.3e+04), ‘security’ and ‘data’ (2.3e+04), and ‘privacy’ and ‘data’ (1.9e+04). Lower frequencies are found in cells such as ‘integrity’ and ‘users’ (5.2e+02). The map visually emphasizes which word pairs are most frequently associated.
Coherence score of topics.

Figure 9. Long description
The horizontal axis is labeled Topic Number, ranging from 1 to 40. The vertical axis is labeled Coherence Score, ranging from 0.0 to 0.6. Each topic number has a colored vertical bar representing its coherence score. Notable peaks occur at topics 3 and 23, both exceeding 0.6. Troughs are visible at topics 9 and 14, both near 0.3. Most bars fall between 0.4 and 0.6. The distribution of scores is uneven, with no clear trend across topic numbers. Each bar is uniquely colored for distinction.
Word cloud of identified topics.

Figure 10. Long description
Starting from the top-left and moving right, the first row contains clusters with prominent words: medical, ehr, bitcoin, fabric, crowdsourcing. The second row features deep video detection, edge, attribute, access control, survey research. The third row includes voting, supply chain, learning federated, authentication, i o t devices. The fourth row shows l i i o t industry, healthcare patient, vehicles i o v, energy trading, grid smart grid. The fifth row presents location knowledge zero, home smart home, contracts, i o m t devices healthcare, trading. The final row contains identity, smart cities, information sharing personal, metaverse, cloud computing. Each cluster contains related smaller keywords, with the largest words indicating the most frequent or significant topics within each group.
Based on thematic content analysis and coherence scoring of the 30 identified topics, we consolidated them into 10 higher-level thematic topics (T) on security and privacy in blockchain technology. These topics span various domains and are summarized as follows:
T1) Privacy of personal information in Healthcare.
T2) Identity management in E-education and E-voting systems.
T3) Security measures using IDS.
T4) Data privacy on Cloud and Edge computing.
T5) Access and authentication management in the supply chain using smart contracts.
T6) Advanced encryption protocols using ZKP.
T7) Privacy protection in Distributed Systems using FL.
T8) Security and privacy in IoT-driven systems and smart cities.
T9) Data privacy in Energy trading over the smart grid.
T10) Privacy of real identity in Metaverse.
Further, we analyze policy interactions with blockchain by highlighting key studies in these areas that offer actionable insights for regulators and policymakers in Table 2.
Overview of GDPR and blockchain-related topics

Table 2. Long description
The table has four columns: Topic, article, Highlight, and Policies/Regulations. From the top row downward: T1 lists Zafar Reference Zafar2025 with privacy-preserving blockchain redactable designs and GDPR; Finck Reference Finck2018 with blockchain as consent and audit framework, treating keys and hashes as personal information, and GDPR. T2 lists Xu et al. Reference Xu, Sun, Li, Sun, Zhang and Zhang2023 using Z K P-backed eligibility and auditable actions with real IDs off-chain under eIDAS 2.0 and GDPR; De Filippi and Hassan 2018 automating eligibility and auditable actions with smart contracts and legal safeguards, under eIDAS 2.0 and GDPR. T3 lists Wylde et al. Reference Wylde, Rawindaran, Lawrence, Balasubramanian, Prakash, Jayal, Khan, Hewage and Platts2022 with blockchain and A I slash M L-based I D S design for GDPR-aligned privacy. T4 lists Myrzashova et al. Reference Myrzashova, Alsamhi, Shvetsov, Hawbani and Wei2023 advocating data kept on devices, sharing only verifiable model updates on-chain, addressing cross-border data flows in edge computing, under GDPR; Akanfe et al. Reference Akanfe, Lawong and Rao2024 using a T O E lens for privacy-by-design on blockchain for cloud and edge privacy, under GDPR. T5 lists Z Li Reference Li2020 using contracts for role or attribute-based access, anchoring verifiable credentials on-chain, with off-chain identity and revocation management for compliance, under GDPR. T6 lists Zafar Reference Zafar2025 advocating privacy-preserving verification in blockchain using Z K P for transaction privacy and verifiability, under GDPR. T7 lists Xu et al. Reference Xu, Sun, Li, Sun, Zhang and Zhang2023 using decentralized identities with Z K P for access control and compliance, preventing loss of data owner sovereignty, under E D P B and GDPR. T8 lists Zafar Reference Zafar2025 using blockchain for verifiable provenance and consented sensor data access with joint-controller governance, under GDPR; Wylde et al. Reference Wylde, Rawindaran, Lawrence, Balasubramanian, Prakash, Jayal, Khan, Hewage and Platts2022 securing smart cities with blockchain governance for consented data access and packet-level audit, under GDPR. T9 lists Z Li Reference Li2020 keeping personal and consumption data off-chain with pseudonymous I D and zero-knowledge proofs, assigning controller and processor roles for compliant peer-to-peer trades, under GDPR. T10 lists De Filippi and Hassan 2018 advocating age verification and consent mechanisms with pseudonymous participation via smart contracts to prevent identity linkages, under GDPR.
Further, we examine the evolution of topics from 2016 to 2024, as shown in Figure 11. This topic trend highlights recent growth in research on blockchain-based security and privacy for specific domains such as supply chain, healthcare, and IoT-driven systems.
The evolving topics trend over the year.

Figure 11. Long description
The x-axis is labeled Year, spanning 2016 to 2024. The y-axis is labeled Number of Publications, ranging from 0 to 250. Ten colored lines represent topics: Access-Control and authentication management in supply chain using smart contracts, Advanced encryption protocols using Z K P, Data privacy in Energy trading over smart grid, Data privacy on Cloud and Edge computing, Identity Management in E-education and E-voting systems, Privacy of personal information in Healthcare, Privacy of real identity in Metaverse, Privacy protection in Distributed Systems using F L, Security Measures using I D S, and Security and privacy in I o T-driven systems and smart cities. Most topics show a steady increase in publications from 2016, peaking sharply in 2023, then dropping in 2024. The highest peak is for Identity Management in E-education and E-voting systems, reaching over 220 publications in 2023. Access-Control and authentication management in supply chain using smart contracts and Security and privacy in I o T-driven systems and smart cities also show strong peaks above 150 in 2023. Other topics, such as Privacy of real identity in Metaverse and Security Measures using I D S, remain below 50 publications throughout. The legend on the top right matches each topic to its line color.
The pattern shows strong interest in research on information security and privacy protection in the blockchain across growing fields such as computing, IoT, cloud, and FL. The surge in publications after 2020 addresses the critical role of emerging technological threats. This topic trend analysis indicates that ongoing innovation and adaptive security measures will be essential for future research directions and policy development.
Figure 12 represents a hierarchical clustering dendrogram between the topics, where branches represent connections and length represents closeness between the topics. This dendrogram emphasizes the complex relationships among security, privacy, and data protection. The relationship between T3 and T6 suggests the need for research on ZKP-based IDS systems. The relationship between T1 and T10 highlights privacy-related concerns in real and virtual worlds. The interdisciplinary intersections of T7, T2, and T8 show themes that integrate privacy-preserving technologies into various applications. Another Cluster, centered around T9, T5, and T4, suggests an intersection of blockchain with privacy measures in industrial and critical infrastructure.
Relations among evolving topics trend over the year.

Figure 12. Long description
The dendrogram displays ten topics on the vertical axis, labeled from top to bottom as T9 Data privacy in Energy trading over the smart grid, T5 Access-Control and authentication management in the supply chain using smart contracts, T4 Data privacy on Cloud and Edge computing, T8 Security and privacy in I o T-driven systems and smart cities, T2 Identity Management in E-education and E-voting systems, T7 Privacy protection in Distributed Systems using F L, T10 Privacy of real identity in Metaverse, T1 Privacy of personal information in Healthcare, T3 Security Measures using I D S, and T6 Advanced encryption protocols using Z K P. Horizontal branches extend rightward from each topic, merging at various points along the distance axis, which ranges from zero to 1.6. The closest clusters are T1 and T3, which merge first, followed by T6 joining this cluster. T10 and T7 merge next, then T2 joins this group. T8, T4, T5, and T9 form another cluster, merging sequentially. The final branches show three main clusters combining at higher distances, illustrating the hierarchical similarity among the topics.
5. Discussion
The CLR findings can promote multidisciplinary research and policy-making by directing resources toward the development and management of blockchain technology. To clarify, Figure 13 shows the identified topics and their related keywords. Further, we selected the most impactful articles on each topic and offered an in-depth discussion of blockchain technological advancements, aligning with policy and regulatory development.
Topic keyword subdivision based on security and privacy in blockchain.

Figure 13. Long description
At the center is Blockchain based security and privacy. Four arrows radiate outward, each labeled. The top left branch, Personal Information, leads to Topic 1 Privacy of personal information in Healthcare with keywords E H R, E M R, P I I, and Topic 2 Identity Management in E-education and E-voting systems with keywords Certificate, Voter, e-voting. The bottom left branch, Advancement on blockchain, connects to Topic 3 Security Measures using I D S with keywords Intrusion, F L, Security, Topic 6 Advanced encryption protocols using Z K P with keywords Privacy, Verification, Anonymity, and Topic 7 Privacy protection in Distributed Systems using F L with keywords Privacy, P2P, distributed system. The top right branch, Virtual reality, leads to Topic 10 Privacy of real identity in Metaverse with keywords V R, Metaverse, Digital, and Topic 4 Data privacy on Cloud and Edge computing with keywords computing, I o T, Privacy. The bottom right branch, I o T, connects to Topic 8 Security and privacy in I o T-driven systems and smart cities with keywords I o V, I I o T, I o M T, Topic 9 Data privacy in Energy trading over the smart grid with keywords Energy, P2P, Smart grid, and Topic 5 Access and authentication management in supply chain using smart contracts with keywords Authentication, verification, Integrity. Each topic box contains a title and a set of keywords.
T1) Researchers increasingly explore smart contracts and ZKPs to enhance privacy and trust in healthcare self-sovereign identity systems (e.g., Liu et al., Reference Liu, He, Obaidat, Kumar, Khan and Choo2020). Where a wallet provider exercises custody or control over tokenized digital assets linked to such credentials, it may qualify as a digital-asset custodian under FIT21, triggering cybersecurity obligations (U.S. Congress, 2024). In the EU, the EDPB has emphasized the complexities of blockchain-based personal data processing, prompting proposals for redactable architectures (e.g., chameleon hashes) to support Article 17 erasure while safeguarding special-category data under Article 9 GDPR (Finck, Reference Finck2018; Zafar, Reference Zafar2025). Additionally, where healthcare blockchain operates as a crypto-asset service provider or issuer within the scope of MiCA, it must comply with authorization, governance, and operational resilience requirements, subject to EU supervisory coordination, including ESMA oversight, where applicable (Ferreira and Sandner, Reference Ferreira and Sandner2021). However, high implementation costs, regulatory fragmentation, uncertainties in medical-device liability, and interoperability constraints continue to hinder broader adoption.
T2) E-education and e-voting systems are advancing through secure authentication and data management mechanisms based on smart contracts and modern cryptography (Dewangan et al., Reference Dewangan, Chandrakar, Kumari and Rodrigues2023). In such architectures, identity authorities may qualify as joint controllers under Article 26 GDPR where they jointly determine the purposes and means of processing (Zafar, Reference Zafar2025). Moreover, Article 20’s data portability principle supports interoperable and verifiable credential architectures, while the EU Digital Identity Wallet under eIDAS 2.0 aims to establish a harmonized cross-border trust framework (Li, Reference Li2020). Where DID wallet providers or credential issuers operate as crypto-asset service providers within the scope of MiCA, they must comply with authorization, governance, and operational resilience requirements under EU supervisory coordination, including ESMA oversight where applicable. However, these systems face persistent challenges, including scalability constraints, implementation costs, evolving alignment with the final eIDAS 2.0 technical specifications (EDICG, 2025), and limited harmonization with education-sector standards and national electoral-law restrictions on cross-border voting.
T3) Blockchain-based IDS can enhance anomaly detection and threat mitigation while incorporating privacy-preserving mechanisms such as ZKPs (Saveetha and Maragatham, Reference Saveetha and Maragatham2022). Where IDS nodes determine the purposes and means of processing metadata, they may qualify as controllers under Article 4(7) GDPR and must identify a lawful basis for processing, potentially relying on Article 6(1)(f) (legitimate interests), subject to a documented balancing test consistent with EDPB guidance on security monitoring (Zafar, Reference Zafar2025). Operators of blockchain-based IDS services may align their governance with EU operational resilience and incident-response frameworks, such as MiCA, where applicable, to benchmark cybersecurity practices (Ferreira and Sandner, Reference Ferreira and Sandner2021). Furthermore, developers can embed compliance logic into IDS-based smart contracts to operationalize certain regulatory obligations, enhancing transparency and reducing ambiguity in privacy governance (De Filippi and Hassan, Reference De Filippi and Hassan2016). However, scalability limitations and dependence on high-quality data remain significant concerns, particularly for operators subject to the NIS 2 Directive’s mandatory cybersecurity risk-management and incident-reporting requirements.
T4) Distributed authentication systems using optimized consensus and elliptic curve cryptography protect user privacy on cloud and edge platforms (Guo et al., Reference Guo, Hu, Guo, Qiu and Qi2019). ZKPs can further limit data disclosure, supporting the GDPR principles of purpose limitation and data minimization. Under the EDPB Guidelines 07/2020, the controller and processor roles in decentralized architectures must be assessed on a case-by-case basis, depending on who determines the purposes and means of processing. The “deController” model reduces centralized control by keeping user keys client-side, though GDPR responsibility depends on actual decision-making power (Xu et al., Reference Xu, Sun, Li, Sun, Zhang and Zhang2023). However, Latency remains a technical challenge, and future research should consider data-sharing and governance implications under the EU Data Act, where applicable (Jahnke et al., Reference Jahnke, Rohde, Kraus, Schmuntzsch, Shajek and Hartmann2025).
T5) Blockchain-based traceability systems use access control models to manage permissions, access, and data integrity in supply chains (Dwivedi et al., Reference Dwivedi, Amin and Vollala2020). Where actors jointly determine the purposes and means of processing through shared ledger governance, they may qualify as joint controllers under Article 26 GDPR (Finck, Reference Finck2018). Platforms that issue or trade crypto-assets within MiCA’s scope may be subject to authorization and supervision. At the same time, tokenized assets classified as digital commodities under the proposed FIT21 framework could trigger CFTC registration and customer asset protection obligations. Although chameleon hashes and zero-knowledge mechanisms enhance auditability and programmable compliance, US securities classification depends on substantive asset characteristics rather than technical design (U.S. Congress, 2024). Moreover, the Corporate Sustainability Due-Diligence Directive imposes traceability and retention duties that may conflict with GDPR erasure rights (Anagnostopoulou, Reference Anagnostopoulou2025). Scalability and electronic asset tagging remain practical constraints.
T6) ZKPs enhance privacy in blockchain transaction verification (Wang et al., Reference Wang, Chaliasos, Qin, Zhou, Gao, Berrang, Livshits and Gervais2023), but where identification remains possible, they generally constitute pseudonymization rather than anonymization under the GDPR. Accordingly, such systems remain subject to data protection requirements, prompting developers to integrate selective disclosure as a privacy-by-design measure. Technical approaches that render data effectively inaccessible may help address Article 17 erasure tensions, subject to supervisory interpretation, as indicated by the Austrian Data Protection Authority (Zafar, Reference Zafar2025). However, trusted setup assumptions, scalability limits, performance constraints, and the carbon cost of large ZK circuits raise practical concerns, including whether data minimization and proportionality requirements under Article 5(1)(c) and broader GDPR necessity principles are met in practice, as reflected in EDPB guidance (EDPB, 2020).
T7) Blockchain-based FL enhances security and resilience while enabling decentralized training on distributed data (Li et al., Reference Li, Han, Weng, Zheng, Li, Liu, Castiglione and Li2022). The “deController” model seeks to reinforce accountability under Article 5(2) GDPR by allocating key control to data subjects, reflecting the Charter’s emphasis on individual data protection rights (Article 8 Charter of Fundamental Rights), though legal responsibility depends on who determines processing purposes and means (EDPB, 2020; Xu et al., Reference Xu, Sun, Li, Sun, Zhang and Zhang2023). Further, FL-based blockchain architectures may support purpose limitation by reducing cross-border data transfers and centralized aggregation. However, limited empirical evaluation highlights the need for broader assessment. Future research should also consider potential risk classifications under the AI Act and complementary safeguards, such as differential privacy.
T8) Decentralized IoT systems integrate advanced cryptography and AI to enhance security and reliability (Arshad et al., Reference Arshad, Khan, Azam, Khan, Yu and Zikria2023; Dewangan and Shankar, Reference Dewangan and Shankar2026). Under the GDPR, device manufacturers may qualify as data controllers where they determine the purposes and means of processing and must provide transparent consent mechanisms, grounded in the fundamental right to data protection under Article 8 of the Charter and Article 16 of the Functioning of the European Union (TFEU) (Zafar, Reference Zafar2025). Smart contract-based consent receipts may support scalable consent documentation, though they do not replace substantive legal requirements (De Filippi and Hassan, Reference De Filippi and Hassan2016). However, maintaining user trust, ensuring data integrity, scaling IoT ecosystems, and complying with energy efficiency obligations under the EU Energy Efficiency Directive remain significant challenges (Hoppe et al., Reference Hoppe, Hübner, Princen and Svec2025).
T9) Adoption of blockchain in smart grids enhances privacy protection, identity authentication processes, and prevents a single point of failure (Cao et al., Reference Cao, Wang, Ding, Guo, Wu and Liang2023). Redactable ledger architectures may support compliance with Article 17 by enabling modification of household identifiers while preserving settlement proofs, subject to supervisory interpretation (Li, Reference Li2020; Zafar, Reference Zafar2025). Controllers may process aggregated consumption data for dynamic pricing where such use remains compatible with the specified billing purpose under Article 5(1)(b) (Li, Reference Li2020; Zafar, Reference Zafar2025). If tokenized kWh credits qualify as digital commodities under the proposed FIT21 framework, trading venues that facilitate their exchange may be subject to CFTC registration requirements (Marques et al., Reference Marques, Gomes and Brandão2023). However, scalability limitations, computational complexity, privacy risks associated with public blockchains, and emerging obligations under the European Data Governance Act remain significant challenges.
T10) Blockchain-based metaverse architectures integrating ZKPs can strengthen authentication while minimizing unnecessary data disclosure (Huang et al., Reference Huang, Li and Cai2023). Where digital assets are involved, such mechanisms may align with FIT21’s emphasis on custody and cybersecurity obligations. The transition from “Code is Law” to “Law is Code” can inform the embedding of age verification and consent logic in smart contracts (De Filippi and Hassan, Reference De Filippi and Hassan2016). These approaches are grounded in the fundamental right to data protection under Article 8(1) of the Charter and Article 16 TFEU (Zafar, Reference Zafar2025). However, integration and scalability challenges persist, and immersive platforms may face additional obligations under the EU Digital Services Act, particularly regarding risk mitigation and protection of minors.
Figure 14 presents a regulatory mapping matrix that aligns key policy instruments with 10 identified thematic topics (T1–T10). Each row corresponds to a specific legal or policy document, including GDPR, FIT21, ESMA guidelines, MiCA, CFTC rules, eIDAS 2.0, the NIS 2 Directive, the EU AI Act, the EU Energy Efficiency Directive, and the EU Digital Services Act. In this figure, columns represent thematic topics, while green cells indicate direct regulatory applicability or substantive relevance, and pink cells denote no explicit coverage. This structured mapping enables legal and technical analysis by identifying intersections between regulatory frameworks and operational domains, supporting compliance assessments and policy gap analysis.
Policy documents alignment matrix with discovered topics.

Figure 14. Long description
The chart is a matrix with policy documents listed vertically on the left and topics labeled T1 through T10 horizontally across the top. From top to bottom, the policies are G D P R, F I T 21, E S M A, Mi C A, C F T C, E D P B, e I D A S 2 point 0, N I S 2 Directive, E U A I Act, E U Energy Efficiency Directive, and E U Digital Services Act. For each policy, green cells indicate alignment with specific topics. G D P R aligns with T1, T2, T3, T5, T6, T7, and T9. F I T 21 aligns with T1, T2, T3, T5, and T10. E S M A aligns with T3 and T5. Mi C A aligns with T3 and T5. C F T C aligns with T5. E D P B aligns with T6. e I D A S 2 point 0 aligns with T6 and T7. N I S 2 Directive aligns with T7. E U A I Act aligns with T8. E U Energy Efficiency Directive aligns with T9. E U Digital Services Act aligns with T10. All other cells are pink, indicating no alignment.
Based on our analysis findings and discussion, we have developed future research questions listed in Table 3. These questions can translate into blockchain security and privacy research opportunities, aligning with policies and regulatory development.
Research topics and questions

Table 3. Long description
The table consists of two columns labeled Topic and Research questions. From the top row, Topic T1 presents questions on integrating smart contracts with Z K P for G D P R compliance in healthcare and designing governance frameworks for blockchain healthcare solutions. T2 covers blockchain-enabled D I D alignment with e I D A S 2 dot 0 for education credentials and integrating Z K P or M P C for secure cross-border e-voting with G D P R compliance. T3 addresses scalable Z K P-based blockchain I D S for G D P R obligations and developing E S M A audit benchmarks for monitoring blockchain I D S. T4 explores E U Data Act and E D P B definitions for controller and processor roles in Z K P and blockchain edge authentication, plus strategies to mitigate latency and localization. T5 focuses on blockchain supply chain systems for G D P R data erasure and joint controllership, and guidelines coordinating E U Mi C A with U S F I T 21 for tokenized supply-chain assets. T6 discusses policy measurement frameworks for G D P R proportionality in scalable Z K P and compliance strategies for E D P B-identified energy risks. T7 examines integrating F L with blockchain for G D P R accountability and developing blockchain-based F L for privacy and purpose-limitation under A I Act assessments. T8 covers blockchain-based I o T solutions for G D P R compliance and energy efficiency, and smart contracts for consent management in city-scale digital services. T9 investigates redactable blockchains for G D P R compliance in energy trading and developing privacy-compliant energy trading tokens aligned with F I T 21, C F T C, and E U Data Governance. T10 addresses integrated blockchain and Z K P design for D S A or G D P R user identity verification in the Metaverse and regulatory frameworks for metaverse scalability and governance.
Analysis of the topics and proposed research questions indicates that blockchain has significant potential to address identity management and data security. However, domains such as healthcare, online education, supply chain management, and the metaverse express heightened concern regarding privacy preservation within blockchain-based systems. At the same time, the integration of advanced security and privacy methods such as ZKP, MPC, and FL is increasing, with claims that they can address the challenges that hinder their wider adoption.
6. Policy implications
This study offers policy-relevant insights into blockchain-based architectures when combined with privacy-enhancing technologies such as FL, ZKPs, and MPC. It can support compliance with data protection and information security regulations, such as GDPR, while remaining adaptable across different regulatory environments.
6.1. Technical design in regulatory and policy compliance
Our analysis shows that system architects can operationalize the GDPR’s Article 25 privacy-by-design principle through deliberate architectural choices (e.g., Finck, Reference Finck2018; Zafar, Reference Zafar2025). Integrating FL and MPC with blockchain can reduce centralized access to personal data, supporting data minimization and purpose limitation under Article 5(1)(b) (De Filippi and Hassan, Reference De Filippi and Hassan2016), while also reducing cross-border transfer exposure and facilitating accountability under Article 5(2) (Zafar, Reference Zafar2025). When personal data is kept off-chain, blockchain infrastructures mitigate tensions related to immutability and the right to erasure (Article 17). Furthermore, ZKPs can address selective disclosure and pseudonymization safeguards consistent with Recital 28 (Introduction of Pseudonymisation at https://gdpr-info.eu/recitals/no-28/). MPC enables collaborative analytics without revealing raw data and can structure processing arrangements in environments that may qualify as joint controllership under Article 26. Together, these technologies demonstrate the study’s central finding that technical design choices play a critical role in regulatory compliance (Finck, Reference Finck2018; Zafar, Reference Zafar2025).
6.2. Adapting to different regulatory and economic contexts
Although this study focuses on the GDPR and FIT21, many jurisdictions operate comparable data protection or sector-specific privacy frameworks, including LGPD in Brazil (European Commission, 2019), PDPA-type laws across Asia (Wong YongQuan, Reference Wong YongQuan2017), and the CCPA/CPRA and HIPAA in the United States (Determann and Tam, Reference Determann and Tam2020; Mulgund et al., Reference Mulgund, Mulgund, Sharman and Singh2021). The technical patterns identified here can be adapted to diverse regulatory contexts. In strict data-protection economies, FL can reduce exposure to cross-border data transfers, while ZKP and MPC can support sensitive-data governance. In sector-specific economics such as healthcare, finance, and energy, tailored architectures may enable privacy-preserving analytics and collaborative oversight. Emerging or resource-constrained economies, incremental deployment using lightweight FL, simplified ZKPs, and outsourced MPC can facilitate privacy-aware design (Lim and Oh, Reference Lim and Oh2025). Open-source tools and international guidance may further lower adoption barriers.
6.3. Practical relevance for policymakers and researchers
The findings highlight the need for simplified, technology-aware regulatory guidance. Blockchain systems combined with privacy-preserving FL, ZKP, and MPC can support regulatory objectives while enabling innovation. For policymakers, this suggests prioritizing guidance, certification, coordination, and regulatory sandboxes over technology-specific rules. Scenario-based guidance and interoperability standards can help clarify how privacy-preserving architectures support compliance (Martin and Kung, Reference Martin and Kung2018; Ulnicane, Reference Ulnicane, Hoerber, Weber and Cabras2022; Raudla et al., Reference Raudla, Juuse, Kuokstis, Cepilovs and Douglas2024). For researchers, system design should begin with legal requirements, such as controller roles, data sensitivity, and user rights, before selecting appropriate combinations of blockchain, FL, ZKP, and MPC. Where feasible, personal data should remain off-chain, with blockchain used primarily for proofs and logs, and design decisions documented to support DPIAs (Data Protection Impact Assessment at https://gdpr.eu/data-protection-impact-assessment-template/) or similar compliance tools (Bu et al., Reference Bu, Wang, Jiang and Liang2020; Ali et al., Reference Ali, Suchismita, Ali and Choi2025).
Overall, blockchain-based systems are not inherently incompatible with data-protection regulations. When aligned with advanced cryptographic and distributed learning techniques, they can contribute to more coherent and adaptive governance in data privacy and information security.
7. Contributions
From a theoretical perspective, our study is among the first to apply the CLR technique in security, privacy in blockchain systems, and its governance. Based on our findings, we discussed issues related to information security and privacy protection policies. These findings show that blockchain has been widely implemented across the industry and public sectors, including healthcare, education, and supply chains, highlighting its relevance to data governance and policy frameworks. Furthermore, our findings suggest that blockchain-based systems can enhance information security and privacy management through methods such as FL, ZKPs, and MPC. These support robust data protection and compliance with evolving data policy regulations. Future IS research can investigate the implications of these techniques for enhancing security and privacy with the development of policy frameworks in various enterprise and public sectors.
Our findings provide a practical contribution in the form of blockchain-based, secure, privacy-oriented frameworks for processing and storing users’ personal information. These frameworks can implement ZKP-based operations on encrypted data in an interoperable environment that keeps the original data secure during analysis. Additionally, integrating FL and IoT can enable scalability and interoperability by processing data locally and reducing exposure to cross-border data transfers, while maintaining regulatory compliance with data governance policies. These systems are adaptable for both industry and public services, where handling users’ personal information and data is crucial. As these systems can perform intelligent, decentralized data processing with lower energy consumption, they can also provide a sustainable solution.
8. Limitations of the work
The primary focus of our work is to identify the current themes and topics related to information security and privacy of blockchain technology, using CLR. Based on current themes and topics, we develop future directions for information security and privacy, aligning with regulations and policies. However, our study is not without limitations. In our research, we primarily focused on the scientific literature, including peer-reviewed research and conference articles indexed in the Scopus database. Previous works also include gray literature and reports (Yasin et al., Reference Yasin, Fatima, Wen, Afzal, Azhar and Torkar2020). Also, relying on a single database may sometimes yield limited article search results. As we conducted this literature review across a very large corpus, it may yield false positives, but careful keyword selection helps to reduce them. Further, LDA requires a predetermined number of topics (K) to prevent overfitting or underfitting. In LDA, the subjective evaluation of the analysis impacts the resulting topics. Because the feeding content is presented in different orders, LDA may yield varied outcomes, leading to temporal biases and confusion. Overall, this literature review is expected to provide valuable insights, despite these minor limitations. However, we suggest including the gray literature, reports, and articles from various academic databases in future research.
9. Conclusion
We conducted CLR on a corpus of 3904 documents to explore topics in blockchain-based security and privacy for information management, further aligning these themes with regulatory and policy frameworks to emphasize their importance for effective data governance. Through impact and content analyses, we identified the journals and conferences that support our chosen area and the number of past publications in these venues. We applied LDA topic modeling to identify 10 trending topics within the corpus. We manually reviewed the literature on these topics to ensure our findings were accurate. Our results and discussions showed that blockchain technology significantly impacts privacy-preserving techniques and secure information management. These findings underscore the need for comprehensive policy frameworks to address data privacy across various domains. We also present the trend in evolving topics over the year to show the growing interest in blockchain-based security and privacy research. We examined emerging topics and proposed future research opportunities in Information security and privacy protection while highlighting the essential role that policy frameworks play in creating and supporting secure, blockchain-enabled environments.
Acknowledgments
For the preparation of this manuscript, Grammarly (a web-based tool) has been used to assist with grammatical correction, language refinement, and improvement of textual clarity. The tool is used only for editorial enhancement of language and readability. All revisions were reviewed and validated by the authors, who retain full responsibility for the manuscript’s content.
Data availability statement
This study did not generate new primary data. Instead, it utilized bibliometric metadata from 3904 articles retrieved from the Scopus database, covering publications from 2016 to the first quarter of 2024. The dataset and the necessary scripts are openly available on Zenodo under the doi:10.5281/zenodo.16935370. Additionally, researchers can independently reproduce the dataset by querying the Scopus database using the inclusion and exclusion criteria outlined in the Data Collection section of the manuscript (cited in Shankar, Reference Shankar2025).
Author contribution
Conceptualization: G.S., P.K., and A.I.; Data curation: G.S.; Investigation: G.S.; Methodology: G.S. and M.U.; Visualization: G.S.; Supervision: P.K., S.I., and A.I.; Writing—original draft: G.S., P.K., and A.I.; Writing—review and editing: G.S., P.K., A.I., and S.M.
Funding statement
This work was supported by the Research Council of Finland with CHIST-ERA, grant agreement no 359790, Di4SPDS-Distributed Intelligence for Enhancing Security and Privacy of Decentralized and Distributed Systems.
Competing interests
The authors declare none.








Comments
No Comments have been published for this article.