Conceptualising the Legal Notion of ‘State of the Art’ in the Context of IT Security

In the context of IT security, legal instruments commonly demand that IT security is brought up to the level of ‘state of the art’. As the first horizontal instrument on cybersecurity at EU level, the NIS Directive requires that Member States shall ensure that operators of essential services (OESs) and digital service providers (DSPs) take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations, or in the context of offering specific services. Having regard to the ‘state of the art’, those measures shall ensure a level of security of NIS appropriate to the risk posed. Similarly, the GDPR requires data controllers, and to some extent processors, to take ‘state of the art’ into account when implementing appropriate technical and organisational measures to mitigate the risks caused by their data processing activities. The same applies to public electronic communications networks or services regarding the security of their networks and services under the EECC. Although the notion is widely referred to in legal texts, there is no standard legal definition of the notion. This paper, based on a workshop held at the 14th IFIP summer school, analyses the contexts in which the notion ‘state of the art’ is being used in legislation. Briefly, the reasons for abstaining from clear technical guidance are addressed. Following an introduction to the three-step theory developed by the German constitutional court, where ‘state of the art’ is located between the ‘generally accepted rules of technology’ and the ‘state of science and technology’, this paper argues that this approach can also be applied at EU level in the context of IT security.