'State of the art' is a common legal term. Since technology develops faster than legislation, it has proven useful in many areas of law to refer to the 'state of the art' instead of trying to lay down concrete technical requirements in the law itself. What constitutes the state of the art at a given point in time can be determined, for example, on the basis of existing national or international standards or on the basis of models for the respective area that have been successfully tested in practice. Since the necessary technical measures may differ depending on the specific case, it is not possible to describe the 'state of the art' in general and conclusive terms.
In the explanatory memorandum to the IT Security Act, the 'state of the art' is described as follows:
Due to the far-reaching effects on society, the state of the art must be taken into account in the technical and organisational precautions. The state of the art in this sense is the level of development of advanced processes, facilities or modes of operation that makes the practical suitability of a measure to protect the functionality of information technology systems, components or processes against impairments of availability, integrity, authenticity and confidentiality appear assured. In determining the state of the art, reference shall be made in particular to relevant international, European and national norms and standards, but also to comparable procedures, equipment and modes of operation that have been successfully tested in practice. The obligation to take into account the state of the art does not exclude the possibility of using such precautions that provide protection as effective as the recognised state of the art precautions.
The preparation of a B3S is an opportunity for an industry to formulate its own 'state of the art' specifications based on its own expertise.