Critical infrastructure protection is a joint task of the state and the economy. Nevertheless, there does not yet exist any standardized approach for a common risk management approach. This article proposes such a methodology, leaning on ISO 27000-series and implying three perspectives: the technical, micro perspective, the organizational macro perspective besides the country-wide meta perspective.

The article critically examines the current discourse on the legal status and substance of “sovereignty” in the context of the application of international law to cyberspace against the backdrop of conflicting political-ideological attitudes. After tracing the origins of the interpretation of “respect for sovereignty” as a primary rule of international law, two approaches to cyberspace are surveyed that challenge the emerging consensus: “cyber imperialism,” embodied by the US and the other Five Eyes members on the one hand, and “cyber Westphalia,” represented by China, Russia, and Iran on the other. Both conceive cyberspace in ways fundamentally irreconcilable with prevailing legal views. A third group of states endorses the “sovereignty-as-rule” understanding but leaves this legal position vulnerable to both authoritarian co-optation and imperialist dismissal. In light of this, the paper offers an alternative interpretation of state practice and international jurisprudence that constructs sovereignty as a principle with derivative primary rules. It is shown that despite not by itself having the status of a rule, the principle of sovereignty allows for the identification of rules that protect the territorial integrity and political independence of states beyond the traditional notions of the prohibition of intervention and the use of force. Following a careful analysis of evidence in existing practice in support of this novel, doctrinally more precise understanding of sovereignty, the policies of “persistent engagement” and “cyber sovereignty” are assessed in light of the argument’s legal implications.

Two articles explain the genesis and contents of the German IT Security Act 2.0, which was enacted in May 2021. This first article focuses on the origins of the law, the obligations of companies as operators of information technology, and the new regulations on the security of IT products.

The European Commission has presented proposals for the horizontal regulation of artificial intelligence. It is thus foreseeable that the regulatory systems of data protection and IT security will be supplemented by a further cross-sectoral approach to the regulation of information technology. This article explains the proposals and describes their advantages and disadvantages.

[Die Europäische Kommission hat Vorschläge vorgelegt, wie eine horizontale Regulierung künstlicher Intelligenz erfolgen soll. Damit ist absehbar, dass neben die Regulierungssysteme des Datenschutzes und der IT-Sicherheit ein weiterer sektorübergreifender Ansatz zur Regulierung von Informationstechnik treten wird.]

Since its foundation 30 years ago, the Federal Office for Information Security (BSI) has developed into an internationally and nationally recognized center of competence for IT security. With a steady increase in tasks, the discussion about the governance of the office has become stronger - many voices are calling for greater independence of the BSI. The article examines the reasons for and options for greater independence of the agency. As a result, it argues for a further development of the agency's governance that represents a balance between independence and political responsibility.

[Seit seiner Gründung vor 30 Jahren hat sich das BSI zu einem international und national anerkannten Kompetenzträger für IT-Sicherheit entwickelt. Mit stetigem Aufgabenzuwachs ist die Diskussion über die Steuerung des Amtes stärker geworden – viele Stimmen fordern eine größere Unabhängigkeit des BSI.]

The article survey the current situation concerning the operative cybersecurity cooperation of public and private-sector entities in Germany and compares it with solutions implemented in the United States, Israel, and the United Kingdom. Subsequent to the analysis, the establishment of trust between the different involved actors is identified as the principal challenge for efficient cooperation in this subject area.

[Der vorliegende Artikel stellt die bisherige Situation der operativen Zusammenarbeit zwischen Staat und Wirtschaft in der Cybersicherheit in Deutschland dar und vergleicht sie mit den Lösungen, die in den USA, Israel und Großbritannien für das gleichlautende Problem gefunden worden sind. Im Anschluss wird die Herstellung von Vertrauen zwischen den beteiligten Akteuren als größte Herausforderung für eine effiziente Zusammenarbeit näher beleuchtet.]

This article presents a novel way to conceptualize the protection of data in situations of armed conflict. Although the question of the targeting of data through adversarial military cyber operations and its implications for the qualification of such conduct under International Humanitarian Law has been on scholars’ and states’ radar for the last few years, there remain a number of misunderstandings as to how to think about the notion of “data.” Based on a number of fictional scenarios, the article clarifies the pertinent terminology and makes some expedient distinctions between various types of data. It then analyzes how existing international humanitarian and international human rights law applies to cyber operations whose effects have an impact on data. The authors argue that given the persisting ambiguities of traditional concepts such as “object” and “attack” under international humanitarian law, the targeting of content data continues to fall into a legal grey zone, which potentially has wide-ranging ramifications both for the rights of individual civilians and the functioning of civilian societies during situations of conflict. At the same time, much legal uncertainty surrounds the application of human rights law to these contexts, and existing data protection frameworks explicitly exclude taking effect in relation to issues of security. Acknowledging these gaps, the article attempts to advance the debate by proposing a paradigm shift: Instead of taking existing rules on armed conflict and applying them to “data,” we should contemplate applying the principles of data protection, data security, and privacy frameworks to military cyber operations in armed conflict.

The article deals with necessity as one of the circumstances precluding wrongfulness under customary international law and how it will likely gain relevance in view of the difficulty to quickly attribute malicious cyber operations that threaten important assets of a state. While the necessity doctrine seems fit for purpose, it lacks granularity and is problematic from an international rule-of-law point of view. Taking these pitfalls into account, the article proposes some general principles for a possible special emergency regime for cyberspace.