Das Standardsetzungsmodell des IT-Sicherheitsrechts im Kontext kritischer Infrastrukturen

Abstract

The integration of extra-legal knowledge into legal regulations poses a particular challenge, especially in the context of regulating new techniques and technologies. This also applies to digital and networked facilities and services of so-called critical infrastructures. Due to their vulnerability, the regulation of legal IT-security requirements for information technology systems is becoming socially relevant. In order to regulate this complex and constantly changing area of technology, the legislator is resorting less to the classic forms of sub-legislative standardization and more to a variety of forms of involving external expertise. In doing so, the legislative introduces new forms of cooperation in the BSIG, such as the regulation of so-called industry-specific standards. However, when the state and the private sector work together, the question arises as to whether the requirements of the rule of law are being observed and to what extent the legislature is fulfilling its responsibility to guarantee the quality and general welfare of the regulations. Environmental law has had to face this problem early on and has found ways to strike a balance between flexibility and specificity of standards on the one hand and regulatory control and comprehensive involvement of all relevant actors on the other. This paper analyzes the possibilities of integrating extra-legal knowledge in environmental and IT security law and develops from their comparison a proposal for an improved development and incorporation.