With only a few days to go until the IFIP summer school 2021, we are happy to announce that Sandra will lead a workshop related to EnCaViBS on 19 August 2021. The workshop aims to contribute to defining the concept of ‘state of the art’ in the context of IT security.
Workshop Abstract: In the context of IT security, legal instruments commonly demand that IT security is brought up to the level of ‘state of the art’. This raises the question of what exactly constitutes or amounts to ‘state of the art’. Commonly, the notion refers to the highest level of general development achieved at a particular time.
In law, the notion has some tradition in patent law as well as in tort law. As regards the latter, it may be used as a legal defence, meaning for instance that a manufacturer cannot be held liable if it can prove that the state of technical and scientific knowledge, at the time when the product was put into circulation, was not such as to enable the existence of a certain defect to be discovered. With increasing regulation of technology, and of information technology in particular, the notion of state of the art gains in importance.
As the first horizontal instrument on cybersecurity at EU level, the NIS Directive requires that Member States shall ensure that operators of essential services (OESs) and digital service providers (DSPs) take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems which they use in their operations or in the context of offering specific services. Having regard to the ‘state of the art’, those measures shall ensure a level of security of network and information systems appropriate to the risk posed. Similarly, the GDPR requires data controllers, and to some extent processors, to take the ‘state of the art’ into account when implementing appropriate technical and organisational measures to mitigate the risks caused by their data processing activities. The same applies to providers of public electronic communications networks or services regarding the security of their networks and services under the EECC. However, none of these legal instruments provides a binding legal definition of the concept of ‘state of the art’ in the context of IT security: although the notion is widely referred to in legal texts, there is no standard legal definition of it.
In this workshop, we will try to define what can be considered ‘state of the art’. We will analyse the contexts in which the notion, or similar notions like ‘best available techniques’, have been used by legislators. Following an introduction to the three-step theory employed in German law, where ‘state of the art’ (‘Stand der Technik’) is located between the ‘generally accepted rules of technology’ (‘allgemein anerkannte Regeln der Technik’) and the ‘state of science and technology’ (‘Stand der Wissenschaft und Technik’), we will then try to determine ‘state of the art’ in the context of IT security.