Identification and demarcation—A general definition and method to address information technology in European IT security law

Abstract

Information technology (IT) as a regulatory object is defined and viewed differently across various domains of European IT security law. However, common definitions and methods for the demarcation and separation of operational information technology can contribute to coherence in the historically grown body of regulation. This paper identifies three different general approaches for the treatment of information technology within the existing body of law: information technology as a means, as a service and as a product. Furthermore, we compile a general definition of information technology, which consists of three logical subentities: components, systems, and services. Additionally, steps for the practical identification of the operational information technology addressed by material law requirements are shown. First, all services that affect an articulated protected good must be identified. Within the identification of the systems used to realize those services, two dimensions must be considered. There is the functional dimension as well as the control and power of the disposal dimension. An identified weakness of the current state of IT security law is a lack of clearly formulated protected goods within the existing regulations, which contributes to the difficulties of addressing information technology in general. Furthermore, this paper discusses which actors are responsible for a demarcated piece of information technology and what responsibilities are assigned to them. This section also elaborates on the difficulty of appropriately addressing commercial and non-commercial actors.