Bus Inf Syst Eng

https://doi.org/10.1007/s12599-024-00902-6

EDITORIAL

New Laws and Regulation

Opportunities for BISE Research

Jella Pfeiffer • Jens F. Lachenmaier • Oliver Hinz • Wil van der Aalst

 The Author(s) 2024

1 Introduction – The Emergence of a Research Topic in the financial industry – these new regulations span
multiple sectors at once. In this editorial, we aim to explore
Consider regulations such as the GDPR, the EU AI Act, the the most recent regulations relevant to BISE researchers
Digital Services Act, and the Corporate Sustainability and outline future research directions. Before delving into
Reporting Directive. In recent years, we as researchers specific regulations, we want to emphasize that laws and
have observed that laws and regulations in the digital regulations should be recognized as valuable and intriguing
domain have rapidly moved to the forefront, raising sources of research problems for BISE.
numerous questions and challenges: Where does the data To illustrate this, we begin with a broad perspective by
required to comply with these regulations come from? How examining a typical BISE research process. This process
can data ecosystems be effectively created and managed, generally starts with (1) identifying a problem, followed by
and how can the resulting processes be integrated into (2) systematically investigating and studying it, and (3)
information systems? How do users respond when faced creating new knowledge and understanding, as well as,
with seemingly endless cookie settings? When do users sometimes, an artifact. For research to be impactful, the
feel they are being treated fairly by AI algorithms? outcomes – whether knowledge or artifacts – should ulti-
It appears that a new source of research challenges has mately be (4) transferred into practice (see Fig. 1). While
emerged alongside our typical research processes: legal the target audience for BISE is typically understood in the
and regulatory frameworks. Unlike earlier regulations that sense of ‘‘business’’ (Benbasat and Zmud 1999), the
focused on specific sectors – such as Basel III or BSBC 239 transfer of research results into the social and political
spheres has been the subject of increasing interest.
(Weinhardt et al. 2024). There is also the viewpoint that
J. Pfeiffer (&)
J. F. Lachenmaier relevance needs to be understood as being pluralistic in
Chair of Information Systems 1, Stuttgart University, Keplerstr. nature (Lee et al. 2021; Mohajeri and Leidner 2017), par-
17, 70174 Stuttgart, Germany
ticularly with regards to the diverse range of stakeholders
e-mail: [email protected]
addressed. Indeed, there has been an intense discussion in
J. F. Lachenmaier
the BISE community how we can focus not only on rigor,
e-mail: [email protected]
but also on relevance (Österle et al. 2011; Straub and Ang
O. Hinz 2011; Buhl et al. 2012). Nunamakar et al. (2015) noted that
Faculty of Economics and Business Administration, Goethe ‘‘going the last research mile means using scientific
University Frankfurt, Theodor-W.-Adorno-Platz 4,
knowledge and methods to address important unsolved
60323 Frankfurt am Main, Germany
e-mail: [email protected] classes of problems for real people with real stakes in the
outcome’’ (Nunamaker et al. 2015, p. 15). Van der Aalst
W. van der Aalst et al. go in a similar direction, calling for open science that
Chair of the Process and Data Science group (Lehrstuhl für
makes scientific research and related artifacts accessible to
Informatik 9), RWTH Aachen, Ahornstr. 55, 52056 Aachen,
Germany everybody (van der Aalst et al. 2016).
e-mail: [email protected]

123
 J. Pfeiffer et al.: New Laws and Regulation, Bus Inf Syst Eng

Fig. 1 Connections between

research steps and problem
sources

Steps 2 and 3 have also been treated extensively in the (Baskerville 1999; Iivari et al. 1998). While much more
literature. All social scientists approach their subject via could be discussed regarding the creation of knowledge,
assumptions about the nature of the world and the way in artifacts, and research methods, further insights can be
which it can be studied. This involves assumptions about found in the works of (Saunders et al. 2016) and (Bas-
the ontological (e.g., whether the essence of phenomena is kerville et al. 2015).
external or the product of individual consciousness) and The driving factor behind the topic of this editorial is
epistemological nature (e.g., the grounds of knowledge, for step 1 in the research process: Where do the problems we
example, whether it is hard or soft, or whether it can be conduct research on originate? We find less research on
acquired or must be personally experienced) (Burrell and this important first step and identify several typical sources
Morgan 1979). Burrel and Morgan further consider a third that are often interrelated rather than mutually exclusive (as
set of assumptions about human nature and its relationship illustrated in Fig. 2).
to the environment (e.g., responding in a deterministic way First, our research may be inspired by practical prob-
or being in control of and creating the environment). Other lems and phenomena, typically at the organizational or
authors include axiology, which describes the way we as individual level. Examples include studying the factors that
researchers deal with our own values and those of other affect the successful transfer to cloud services (Benlian
people involved in our research (Saunders et al. 2016). The et al. 2018) or how governance and strategic alignment
set of assumptions we make as researchers directly influ- influence organizational performance (Wu et al. 2015). At
ences the methods we choose. There are different ways to the individual level, further examples include examining
categorize these methods. One approach is to distinguish the factors that influence users’ trust in e-commerce
between constructivist, nomothetical and idiographic (Benbasat and Wang 2005) or users’ acceptance of large-
methods. Constructivist methods focus on the conceptual language-model-based chat interactions in the service
and technical development of artifacts, as seen in design industry (Le et al. 2024).
science (Hevner and Chatterjee 2010; Peffers et al. 2007). Second, we often seek to identify gaps or inconsistencies
Nomothetical methods confirm hypotheses and are often in existing theories or research methods. Theory gaps fre-
used in BISE by applying surveys and conducting experi- quently serve a source of inspiration for our research, as
ments in labs, in the field, or in virtual reality environments theories in BISE can vary widely in nature. They do not
(Loomis et al. 1999; Meißner et al. 2019). These methods only aim at explaining but also focus on analyzing (and
typically follow the hypothetico-deductive approach. describing), predicting, and providing guidance on how to
Idiographic methods explore and focus on understanding do something (design and analysis) (Gregor 2006). A
the unique aspects and complexities of individual cases or prominent example is the Unified Theory of Acceptance
events with case studies, action research or ethnography and Use of Technology (UTAUT; (Venkatesh et al. 2003)),

123
J. Pfeiffer et al.: New Laws and Regulation, Bus Inf Syst Eng

which extended and integrated the Technology Acceptance

Model and others by adding several constructs to address
theory gaps. Other examples can be found in theory models
concerning algorithm aversion, where context-dependent
boundary conditions help explain why, in certain situa-
tions, algorithms may be appreciated, while rejected in
others (Castelo et al. 2019; Heßler et al. 2022). A classic
example of a descriptive theory would be Gorry and Scott
Morton’s framework for Management Information Systems
(Gorry and Morton 1989). Besides gaps in theory, there are
problems arising from insufficient research methods or
ethical concerns (Spiekermann et al. 2022). For example,
BISE researchers have intensively discussed and further
refined design science as a method (Peffers et al. 2007;
Hevner and Chatterjee 2010). Methodological challenges
in experimental research for BISE have also been addres-
sed, including optimizing experimental designs (Pfeiffer
et al. 2015), and conducting NeuroIS experiments with
multiple physiological sensors (Hariharan et al. 2017).
Third, technological advancements often create new
Fig. 2 Problem sources
opportunities and challenges, prompting research questions
about their implications, adoption, and integration. Recent
2 Buckle Up, it’s the Law
notable examples include advances in AI, such as
explainable AI (Bauer et al. 2023) and generative AI
2.1 Legal Acts in the European Union
(Feuerriegel et al. 2024), as well as virtual and augmented
reality (Peukert et al. 2022; Pfeiffer et al. 2020) or block-
As the digital domain continues to grow in value and sig-
chain technology (Beck et al. 2017). This third source of
nificance for both businesses and everyday life, it has also
research problems highlights the overlap between these
attracted increasing public interest and regulatory attention.
sources. For example, with the availability of the latest
In response, a rising number of legislative acts have been
versions of generative AI tools, concrete problems for
introduced worldwide to address digital aspects of life and
companies and users arise, for example concerning privacy
business. Some prominent examples of international laws
and trust. Other technologies, such as the use of blockchain
are the Digital Platform Commission Act of 2023 in the
technology for non-fungible tokens in the metaverse,
United States, new GDPR-like regulations in individual
remain more speculative, prompting research questions
U.S. states, such as the California Privacy Rights Act and
stemming from potential or prototype implementations.
the Utah Consumer Privacy Act, as well as the Cyberse-
This type of research aligns with the call by Orlikowsky
curity Law of the People’s Republic of China – to only
and Iacono to focus more on the IT artifact and to attempt
name a few.
‘‘to understand the complex and fragmented emergence of
In this article, we are looking at legislation by the
IT artifacts, [and] how their computational capabilities and
European Union (EU) that affects us as the BISE com-
cultural meanings become woven in dense and fragile ways
munity. We have chosen the EU because, with GDPR and
[…]’’ (Orlikowski and Iacono 2001, p. 133).
the EU AI Act, we have two prominent examples with
In this article, we highlight a fourth promising source of
which the EU seems to be the pioneer with important
relevant research questions: contextual changes. These
regulations concerning digital business. The EU’s overar-
include socio-economic and cultural shifts, such as glob-
ching goal is to establish a single, common market for all
alization, financial crises, evolving cultural norms (e.g.,
its members, encompassing both digital and physical
polarization, the increasing importance of diversity), as
markets. This goal also applies to international companies
well as phenomena such as pandemics, climate change, and
that wish to provide products and services within the EU.
wars. A recent example is research that emerged from the
The legislative process in the EU involves several key
societal, scientific, and educational impacts of the Covid-
bodies: the European Parliament, the Council of the EU,
19 pandemic (van der Aalst et al. 2020). We are particu-
and the European Commission. These institutions work
larly also observing the growing prevalence of a subgroup
together to create new laws, referred to as legal acts. We
of contextual changes, which is increasingly influencing
will focus on the binding types of legal acts, which include:
our research: laws and regulations.

123
 J. Pfeiffer et al.: New Laws and Regulation, Bus Inf Syst Eng

Fig. 3 Percentage of legal acts

concerning digital topics
compared to all legal acts
passed by the EU per year
Source: EUR Lex.

• Regulations, that are directly binding for all member significant legal acts that have been passed in recent years
states, that have direct or indirect ramifications on BISE related
• Directives, which set goals that must be achieved by topics. For example, acts that deal with the supply chain or
national law, with corporate social responsibility may require the
• Decisions, which are often addressed to a specific target development of corresponding information systems to
group or one state. monitor or report relevant issues. Table 1 provides a
selective overview of acts that might be of interest for
The more extensive laws are regulations and directives.
BISE researchers. We have selected them based on their
Over the last 20 years, the EU has passed 7728 new reg-
connection to BISE as well as their timeliness and have
ulations and directives (see Fig. 3). While the pace of
grouped them by the topic they address.
lawmaking may be slowing due to the increasing com-
To further examine these legal acts from a BISE per-
plexity of legislative processes, efforts for ‘‘better regula-
spective2, we clustered them into four groups, while acts
tion’’ (European Commission 2024b), and ongoing
that belong into more than one groups are possible, (see
amendments to existing laws, this trend does not hold true
also last column of Table 1): (1) data interoperability,
for the digital domain. In 2021, the EU declared the onset
sharing, and protection, (2) specific technologies, (3) dig-
of the ‘‘digital decade’’, setting the ambitious goal of cre-
ital markets and services, and (4) cyber security.
ating ‘‘a human-centered, sustainable and more prosperous
Acts on data interoperability, sharing, and protection:
digital future’’ (European Commission 2024c). This vision
Many legal acts concern data which focus on one of three
is to be realized through a series of regulations and funding
areas: First, acts that govern data collection and data
measures that help to convey skills, empower the govern-
sharing. Data collection and data sharing are essential to
ment, improve infrastructures and gear up business for the
achieve transparency, for example in supply chains. Data is
digital transformation (European Union 2024). This has so
the foundation for any type of reporting, and as such, must
far resulted in about 75 new legal acts since 2021 and leads
be carefully managed to comply with legal requirements
to an increasing share of acts that address the digital
set by laws such as the Corporate Sustainability Due
domain1. Details on the progress of the digital decade can
Diligence Directive and the Corporate Sustainability
be found in the track record published by the EU (European
Reporting Directive. Second, there are acts specifically
Commission 2024a).
addressing data provision to authorities, such as Digital
BISE, however, is not only concerned with legislation
Identity frameworks or public Open Data initiatives. Third:
aimed at the digital domain; it also addresses other
there are acts related to data sharing. These acts deal with
data sharing across company borders and specifically
1
An act is considered to concern the digital domain when it address industrial IoT data. This is meant to foster new
addresses either the theme of ‘‘information technology and data
processing’’ or one of the subcategories of ‘‘information’’ (selected
2
subcategories are: information system, exchange of information, data For further details on the legal perspective, we recommend the
sharing, data protection, data governance, open data, artificial work of Aueamnuay et al. who assessed the legal quality and impact
intelligence) in the EU Lex database. of various digital acts passed by the EU (Aueamnuay et al. 2024).

123
J. Pfeiffer et al.: New Laws and Regulation, Bus Inf Syst Eng

Table 1 Selected digital acts by the EU that matter in BISE

Year Legal act Purpose [quotes from official EU documents] Group

Group 1: data interoperability, sharing, and protection

2018 General data protection regulation (GDPR) Protection of personal data 1
Free movement of personal data within the Union
2018 Regulation on the free flow of non-personal Removing obstacles to the free movement of non-personal data between different EU 1
data countries and IT systems in Europe
2018 Single digital gateway Facilitates online access to information, administrative procedures, and assistance 1
services that EU citizens and businesses may need in another EU country
2019 Directive on open data and the re-use of legal framework for the reuse of public-sector information such as geographical, land 1
public sector information registry, statistical or legal information held by public-sector bodies or public
undertakings, and of publicly funded research data
2022 Data governance act Increase trust in data sharing 1
Strengthen mechanisms to increase data availability
Overcome technical obstacles to the reuse of data
2023 Corporate sustainability due diligence Foster sustainable and responsible corporate behavior in companies’ operations and 1
directive (CSDDD) across their global value chains
2023 Corporate sustainability reporting directive Modernize and strengthen the rules concerning the social and environmental 1
(CSRD) information that companies have to report
2024 Data act Making data (in particular industrial data) more accessible and usable 1
Encouraging data-driven innovation
Increasing data availability
2024 European digital identity (eudi) regulation Enable the creation of a universal, trustworthy, and secure European digital identity 1
wallet
2024 European health data space regulation Empower individuals to take control of their health data and facilitate the exchange 1
of data for the delivery of healthcare across the EU
Foster a genuine single market for electronic health record systems
Provide a consistent, trustworthy, and efficient system for reusing health data for
research, innovation, policy-making, and regulatory activities
2024 Interoperable Europe act Facilitate cross-border data exchange 1
Accelerate the digital transformation of the public sector
Group 2: Acts on specific technologies
2022 Pilot regime for market infrastructures Remove regulatory barriers to the issuing, trading and settlement of crypto-assets that 2, 3
based on distributed ledger technology are financial instruments
2024 AI act Address risks to health, safety and fundamental rights 2
Protect democracy, rule of law and the environment
Group 3: Acts on the digital market
2022 Digital markets act Make the markets in the digital sector fairer and more contestable 3
2022 Digital services act Prevent illegal and harmful activities online 3
Prevent the spread of disinformation
2022 Pilot regime for market infrastructures Remove regulatory barriers to the issuing, trading and settlement of crypto-assets that 2,3
based on distributed ledger technology are financial instruments
Group 4: Acts on cyber security
2016 Network and information systems directive Improved cybersecurity capabilities at the national level 4
1 (NIS 1) Increased EU-level cooperation
Risk management and incident reporting obligations for operators of essential
services and digital service providers
2022 Network and information systems directive Improve the resilience and incident response capacities of public and private entities, 4
2 (NIS 2) competent authorities and the EU
Upcoming Cyber resilience act Safeguard consumers and businesses buying or using products or software with a 4
digital component
Upcoming Cyber solidarity act Strengthen common EU detection, situational awareness, and response capabilities, 4
Build an EU-level cybersecurity reserve with services from trusted private providers,
and
Support testing of critical entities

123
 J. Pfeiffer et al.: New Laws and Regulation, Bus Inf Syst Eng

digital business models to strengthen the competitiveness The organization ‘‘Interface’’ has identified 154 legal acts
of European companies. Relevant acts are the Data related to cybersecurity (Rupp 2024). As digital services
Governance Act, the Data Act, and the Health Data Space are now the foundation of modern society and everyday
Regulation. Lastly, this group also includes the General life, the EU is making efforts to ensure that critical
Data Protection Regulation (GDPR), which is well-estab- infrastructure, in particular, is well-protected against cyber
lished and focuses on the protection of personal data. threats. These regulations cover a wide range of areas, from
Acts on specific technologies: The EU tries to regulate ensuring a more secure global Internet and establishing
impactful technologies, such as blockchain and AI. With rules for secure digital products, to forming joint defense
the first AI regulation worldwide and the pilot market for centers that integrate cyber defense capabilities. The leg-
blockchain applications in the financial sector, the EU islation also includes industry-specific regulations targeting
considers itself to be on the forefront of digital legislation. sectors such as energy, finance, transportation, and educa-
The pilot market regulation for distributed ledger tech- tion. A key principle in these regulations is the risk-based
nology creates temporary exempts from existing other legal approach, which requires organizations to identify potential
requirements in the financial industry. The purpose of this risks and implement measures to mitigate them (Lemnitzer
act is to give financial institutions the possibility to advance 2022). Additionally, companies are obligated to report
their business models and authorities to gain practical cyber-attacks, and they can be audited for their preventive
insights into the application and control of blockchain measures. In the worst-case scenario, failure to pass an
technologies. The AI Act aims to provide a comprehensive audit could result in a company’s operations being halted,
legal framework for AI developers, outlining the require- and corporate leaders may be held personally liable for
ments for AI systems used within the European Union. It their organization’s cybersecurity posture.
classifies AI applications into four risk categories: unac-
ceptable, high, limited, and minimal risk. For high-risk AI 2.2 Existing Research on Laws and Regulations
systems, the Act imposes stricter obligations. These are
systems that are used as safety components in critical So, how exactly have researchers in the BISE community
infrastructure, profile individuals, or determine access to addressed these new laws and regulations in the past? We
educational institutions or for recruitment of companies. have identified several contributions that fall into three key
Providers of such systems must implement risk manage- areas:
ment and quality management systems, ensure thorough
a) Investigating specific regulations, particularly for
documentation, and maintain human oversight in decision-
their impact on the BISE domain
making processes to ensure that humans-in-the-loop retain
b) Designing new solutions to handle challenges arising
the final authority in key decisions.
from legislation
Acts on the digital market: With the increasing market
c) Discussing the contribution of BISE to legislation in
share of global hyperscaling platforms and the growing
general.
significance of social media, the EU has introduced rules
specifically targeting these providers to ensure the safe, Research focusing on legal acts (A): In recent years,
secure, and efficient use of their digital services. At the research has also examined the impact of specific regula-
same time, these regulations aim to reduce the influence of tions on research: Vainionpää et al. (2023) conducted a
platforms as gatekeepers. Since platforms have the ability deep dive into the AI Act. After presenting and discussing
to steer users towards certain websites or withhold others, potential challenges, they proposed a research agenda for
the Digital Markets Act (DMA) ensures equal rights for all further research based on the AI Act. They analyzed the
market participants, prohibiting platforms from prioritizing scope of the AI Act, as well as its approach, wording,
their own products and services. These laws are particu- coherence with other laws, and enforcement. From this
larly focused on protecting users’ rights by regulating analysis, they identified three key areas for future research:
platform providers and shielding users from illegal or the daily handling of the regulation within organizations,
misleading content. The Digital Services Act (DSA), for the law itself, and its long-term effects.
instance, targets the largest platforms, specifically those Similarly, Pfeiffer et al. (2023) explored algorithmic
with at least 45 million users in Europe. Non-compliance fairness as a critical aspect of the EU AI Act. Their dis-
with these acts can result in significant penalties, with cussion in the BISE community covered topics such as the
companies facing substantial fines for failing to adhere to definition of fairness, the mitigation of bias and discrimi-
the regulations. nation in AI systems, and the long-term impacts of AI with
Acts on cyber security: Cybersecurity has become a respect to its trustworthiness. Empirical studies such as the
major focus in European legislation, with numerous acts one by Bauer et al. (2024) investigated how machine
passed since 2018 and more expected in the near future. learning impacts human discrimination and how these

123
J. Pfeiffer et al.: New Laws and Regulation, Bus Inf Syst Eng

findings relate to the AI Act. Their papers also analyzed the research process. This makes it crucial to engage with
effects of explainable AI, which is explicitly demanded by policymakers and political actors, informing them of rele-
the AI Act, on the mental processes of decision makers and vant research findings that could influence their decision-
highlight some potential, unwanted downstream conse- making.
quences of these regulations (Bauer et al. 2023). The discussion on how to establish a continuous
Regarding the Digital Markets Act, Weigl et al. (2023) exchange between the BISE community and the political
examined its implications for privacy, while Shekhar et al. domain has been ongoing for quite some time. For exam-
(2022) focused on its economic effects. Weigl et al. (2023) ple, as early as 1997, an ICIS panel discussed the inter-
showed that the goal of data sharing – which is necessary to sections between politics and information technology
allow more players to compete in the digital realm – may (Romm et al. 1997). Later, Beck called on researchers to
be in conflict with the GDPR and, thus, developed a rec- become more involved in politics and to develop a political
ommended procedure based on the type of anonymization agenda (Beck 2002). This conversation continued with
that is possible in a given situation. Shekhar et al. (2022) panel discussions in 2012 and 2019, where international
found that the mandated compatibility between platforms BISE researchers shared arguments, opinions, and recom-
will lead to reduced platform profits but to an increase in mendations (Loebbecke et al. 2012; Fedorowicz et al.
total welfare, including developers and consumers. 2019). More recently, Weinhardt et al. (2024) published an
Additionally, some researchers, such as Heimburg et al. editorial proposing a research agenda on digital democracy,
(2023) have investigated the law-making process itself. By highlighting IT regulation as a key area of focus. Their
gathering and analyzing public comments made during the article emphasizes the need to enhance public under-
drafting of regulations, they determined impacts on issues standing of technological and digital innovations. The
such as power distribution and value creation, which in turn authors argue that it is the duty of information systems
are to be considered in platform-based ecosystems. researchers to provide the public with the necessary tools,
Research addressing challenges arising from legislation guidance, and education. We support this call to action,
(B): Design-oriented research has already begun addressing stressing the importance of well-informed lawmaking to
the requirements stemming from new laws and regulations. minimize unintended consequences and maximize the
One example that is broadly discussed in the literature is benefits of digital advancements.
the proposal of blockchain data storage for supply chains,
with the goal of creating a sophisticated level of docu-
mentation, which can be trusted by all parties, including 3 Research Topics that Arise from Regulation
auditors (Kumar et al. 2020; Chandan et al. 2019).
Blockchain can also be used to document greenhouse gas In our view, there are numerous research topics open for
emissions (Darwish et al. 2023). Other circular economy further exploration. Therefore, we propose a range of
data can be stored in a digital twin as suggested by Mon- research topics and questions to inspire BISE researchers.
teiro and Barata (2024). Table 2 presents one legal act from each of the groups
There is existing research about the design of GDPR- discussed earlier, along with corresponding research topics.
compliant information systems (Guggenmos et al. 2020) as These topics are listed in no particular order, and some are
well as cybersecurity-compliant systems – in this example further elaborated below. While the list is not exhaustive, it
in the healthcare domain (Plachkinova and Faddoul 2022). is intended to serve as a foundation to encourage BISE
Additionally, information systems are being explored as researchers to pursue these relevant and timely areas of
tools for reducing Scope 3 greenhouse gas emissions within inquiry.
organizations, though several challenges remain (Cauderay Research topics arising from the Data Act: Data sharing
et al. 2024). will soon become mandatory for specific industries and
Further, researchers have looked into the strategic inte- data sources to maximize the value of data and reduce
gration of the Corporate Sustainability Reporting Directive redundant data collection. But in order to achieve those
(CSRD) into corporate management systems. For instance, benefits of data sharing, we need to overcome different
decision support systems have been highlighted as crucial hurdles on the way.
for achieving sustainability goals (Farkas and Matolay Even though the potential benefits for better analytic
2024). The study by (Krasikov and Legner 2023) outlines results based on a more extensive data basis and the pos-
how companies are developing specialized data procure- sibility of leveraging third party analytic capabilities and
ment practices to ensure reliable sustainability reporting. resources are promising – especially to SMEs, currently,
Articles focusing on the influence of BISE on legislation many companies are reluctant to share data with others. To
(C): As described in the introduction, the transfer of address this, a framework should be developed that helps
research outcomes to the society is an essential part of the organizations assess the criticality and importance of their

123
 J. Pfeiffer et al.: New Laws and Regulation, Bus Inf Syst Eng

Table 2 Research topics based on legal acts

Group: selected legal act Research topics

Data interoperability, sharing, and Which framework could guide companies regarding the criticality and value of data?
protection: data act How can data trustees facilitate data sharing between organizations?
How can we design, implement and promote data spaces and data ecosystems that foster inter-organizational
data sharing?
Which data is truly necessary to achieve desired outcomes?
How can we verify or validate the quality and trustworthiness of external data that has been shared by third
parties?
What prevents companies from implementing privacy-by-design paradigms?
How can effective and efficient processes be designed to handle user privacy requests?
How can we effectively separate shared data from sensitive data (e. g. due containing to personal data or
business secrets)?
How can we manage new outsourcing and cloud models, such as Compute-as-a-Service, that leverage
offshore development or are intended to reduce the amount of involved personal data?
Technologies: AI act How to assess whether an application falls under the AI definition of the EU AI Act?
Which framework can we establish to help categorize AI applications into appropriate risk classes?
How can the sandbox concept of the EU AI Act be implemented in a way that encourages SMEs to invest in
AI development?
What specific challenges does the AI Act pose to existing AI governance and strategy frameworks and how
can we reconcile those frameworks with the AI act?
How should an effective market for third-party certification of AI systems be designed?
Which measurements and processes are necessary to certify compliance with the EU AI Act?
What are user perceptions of fairness, and how can we mitigate discrimination in AI systems?
Digital market and services: digital service How can we efficiently detect and flag incorrect information, hate speech and other illegal content?
act How can we identify and mitigate harmful network effects and power dynamics? How can we generate,
govern, and foster beneficial ones?
How can we design effective structures for the handling of such content?
How can we leverage gamification to stimulate user participation?
What is the impact of removing undesired content on different user groups and their internet usage patterns?
How is the Digital Services Act affecting the ecosystem surrounding platform providers?
Cyber security: network and information Which are the critical factors that determine an organizations’ level of security?
systems directive 2 How can we design information systems that follow the paradigms of security by design or zero trust?
What are possible frameworks for risk management and risk assessment?
Which processes and structures enable organizations to handle cyber-attacks efficiently and effectively?
How can we leverage the potential of new technologies while addressing cybersecurity challenges?
How can we systematically learn from incidents, share experiences across organizations and prevent future
occurrences?
How can the coordination of government agencies be improved from an e-government perspective?
Research topics that concern all the groups What are the benefits, tasks, and required skills and tools for the new role of a Chief Regulation Officer?
at once How can we turn the adherence to regulations into a competitive advantage?
What mechanisms can be established to facilitate ongoing communication between lawmakers and the BISE
community to keep them informed about critical topics?
How can we handle different legal requirements in different countries in information systems?
How can automated tools for documentation purposes be designed?
How to predict and weigh intended versus unintended consequences that arise from new laws?
How can we incorporate laws and regulations in the BISE community and into teaching?
Why and how do local implementations of directives differ across EU member states?
Why are legislators creating specific regulations, and do these achieve the desired outcomes?
How are the regulations impacting start-ups?

123
J. Pfeiffer et al.: New Laws and Regulation, Bus Inf Syst Eng

data sets in relation to their specific business models. This assignment of AI applications to risk classes. Companies
framework would guide companies in identifying which face the challenge of judging which of the applications fall
data can be shared without negatively impacting their under the Act’s AI definition and if so, whether they belong
operations. Additionally, companies must weigh the to the high-risk class. This classification is particularly
potential benefits of data sharing against the associated challenging and context dependent. For example, deter-
risks, making decisions about whether to share data with mining whether an AI application used in critical infras-
partners or the public. The framework should, therefore, tructure management or digital infrastructure should be
consider criteria that determine the risk of data sharing classified as high-risk requires careful consideration of its
versus its benefits. One method to differentiate between operational context. Here, BISE research can provide
critical and non-critical data is by separating data from its valuable insights by helping to assess AI applications
context, as suggested by Werling et al. (2022). Once the within specific business or safety frameworks. BISE
decision to share data has been made, the question arises: research, such as research on NeuroIS, may even be
how should this data be shared? One current model impacted by the AI Act itself, especially if the systems are
involves data brokers or data trustees who manage data designed to detect emotions in educational or workplace
exchanges. However, the definition, roles, and obligations environments. The AI Act adopts a broad definition of
of data trustees are still under development, and their ‘‘emotion,’’ extending to user intentions and feelings such
authority or ability to intervene in case of issues has not yet as satisfaction. This raises questions on how the used
been finalized. The data trustees can run so-called data definitions in the AI Act fit to our understanding of long
spaces that are the infrastructure for data management. and well-studied concepts in research. Although the AI Act
Hutterer states that even though the idea of data spaces is explicitly does not apply to AI systems and models
very promising, it is impossible to get empirical insights ‘‘specifically developed and put into service for the sole
into their mechanisms due to the lack of implemented data purpose of scientific research and development’’ (see
spaces (Hutterer 2023). recital 6 EU AI Act), the regulation may still influence
On the other hand, before using external data which we funding efforts. This is because AI models initially
have received in critical applications, both users and developed for scientific research may later be adapted for
developers need to be sure that the external data is accu- commercial purposes and put on the market. Consequently,
rate, correct, and reliable. This has so far been discussed as funding bodies may require research projects to consider
an issue of data quality, which is typically addressed within compliance with the broader regulatory framework, antic-
one organization. Most of the time, the organization that ipating the potential future commercialization of these
produces the data has a good understanding of its data models.
quality – but others will not because they do not know how Another interesting area of research comes from the
the data was generated. We therefore propose to look at the obligation for certification and compliance with the AI Act.
data quality problem from another perspective, which is: There is a need to develop processes and measurements
how can we verify or validate external data to assess its that help companies to check for compliance need to be
data quality? We need to develop mechanisms and proce- developed. This is a core area of expertise for BISE
dures that can help with the task of assessing the quality of researchers. However, compliance involves not only
data collected by others. Mechanisms to address this could monitoring and control but also a comprehensive approach
include comparing data with other sources, involving or to AI strategy and governance. For high-risk AI systems,
creating trusted third-parties to assess and certify data organizations must implement a quality management sys-
quality (Baars et al. 2022; Weber et al. 2023), or detecting tem that includes a clear strategy for regulatory compli-
outliers by comparing the data to expected or standard ance. Additionally, the AI Act mandates a risk
operational values. management system throughout the life cycle of a high-risk
Research topics arising from the AI Act: The EU AI Act AI system, covering mitigation and control measures. BISE
has been under discussion for five years across various researchers that have a tradition in IT management, strat-
European boards and countries and has evolved into an egy and governance are well-positioned to explore the
extensive piece of legislation. One of the main challenges specific challenges that the AI act poses to existing theories
is the dynamic evolvement of AI. For example, generative and frameworks. This includes identifying the roles and
AI was hardly part of the first draft of the EU Act but responsibilities needed for managing critical AI applica-
needed to be incorporated during the development of the tions, decision-making processes for AI development, and
regulation (see, for instance, recitals 99 and 105 of the EU strategies for keeping AI systems up to date and in com-
AI Act). Likewise, other aspects in the AI Act are formu- pliance. Finally, the EU AI Act is expected to impact the
lated quite openly and leave room for further discussion society as a whole and in the long-term. For example,
and development, like the definition of AI itself or the algorithmic discrimination might manifest itself because

123
 J. Pfeiffer et al.: New Laws and Regulation, Bus Inf Syst Eng

the same software is used for many different decisions, and Beyond the central platform, a broader ecosystem of
it might be self-reinforcing because decisions made by AI partners – including content creators, advertisers, and ser-
algorithms are used for re-training and fine-tuning (Pfeiffer vice providers – often operates within the platform’s
et al. 2023). The AI Act seeks to acknowledge these threats structure. The impact of the DSA on this ecosystem has not
and stresses the fact that AI algorithms must not discrim- yet been thoroughly explored, raising important questions
inate, a principle already enshrined in EU law. Thus, BISE about how these partners are affected by the regulation.
researchers are asked to investigate how to mitigate algo- Researchers can investigate how the new reporting
rithmic discrimination and how to ensure that all users are requirements and content moderation processes influence
treated equally. not only the platform but also its connected stakeholders,
Research topics arising from the Digital Service Act: potentially uncovering challenges or opportunities for
The Digital Services Act (DSA) requires platform provi- adaptation within this ecosystem.
ders to detect and remove illegal content, such as hate Research topics arising from Network and Information
speech and misinformation, offering significant opportu- Systems Directive 2: As many more companies and orga-
nities for researchers to improve methods for identifying nizations are now considered to be part of the critical
problematic content. Sentiment analysis is one of the core infrastructure than before, these affected organizations
technologies addressing this challenge by interpreting need consulting and guidance on assessing their security
subjective information such as sentiments, opinions, and maturity and prioritizing cyber defense measures. Most of
emotions in user-generated content (Ligthart et al. 2021; these companies are SMEs, which means that they suffer
Nandwani and Verma 2021). Techniques in sentiment from a lack of resources. They need clear priorities on how
analysis range from lexicon-based methods, which use to approach the topic of cyber security, how to do a risk
predefined word lists to assess sentiment, to machine assessment, and how to act to ensure the security – and as a
learning-based approaches, such as supervised and unsu- logical consequence also the safety – of their operations.
pervised learning, which train models to classify senti- Therefore, maturity models and frameworks or guidelines
ments. Deep learning-based approaches, including CNNs, are needed that can help to determine the current status and
LSTMs, and transformers, have significantly enhanced outline a clear path to getting more secure. Surveys that
sentiment detection by automatically learning intricate cover questions from which the current level of security
patterns from large datasets. Transformers, such as BERT can be deduced are one possible approach here.
and DistilBERT, are particularly relevant due to their The same holds true for auditors who have the task of
ability to capture long-range dependencies and contextual assessing the level of security in a given company. The
meanings in text, offering more accurate sentiment analy- process of auditing is cumbersome and is handled different
sis, especially in complex cases, but also requiring sub- by each individual auditor. Based on personal experience
stantial computational resources (Acheampong et al. 2021). and expertise, an auditor can make exceptions to defined
Researchers can continue to refine these models to detect security requirements. Streamlined auditing processes will
more subtle forms of problematic language, such as sar- become increasingly important as the number of companies
casm or implicit hate speech, or explore hybrid approaches requiring audits grows due to the expanded definition of
that combine the strengths of lexicon-based, machine critical infrastructure. When a cyberattack occurs, organi-
learning, and deep learning techniques. Additionally, zations must quickly mobilize their cyber defense capa-
engaging users in content moderation through gamification bilities. This requires well-defined roles, systems, and
or nudging mechanisms can encourage participation, processes to manage threats efficiently. Developing a
enhancing both user engagement and the platform’s ability robust incident reporting mechanism is key to a successful
to manage content effectively. defense. BISE researchers can contribute by leveraging
The Digital Services Act (DSA) also mandates that their experience from enterprise architecture management,
providers of intermediary services publish detailed reports offering guidance on how to come up with new capabili-
on their content moderation practices. These reports must ties, and providing the enterprise architecture information
include data on the number of content removals and the necessary to assess the impact of an attack. For smaller
accuracy rates of their automated content moderation sys- organizations, outsourcing certain cyber defense functions
tems. To ensure this information is both accessible and to specialized partners may also be a viable option, high-
transparent to users, there is a growing need to research lighting the importance of effective partner management in
effective designs for conveying these metrics. Clear and this context. The relationship between AI and cyber secu-
intuitive designs will help users understand how content is rity is twofold and there have been publications about both
managed on these platforms and promote trust in the directions – AI can be a new threat, for example when it is
system. asked to program a new encryption virus, and AI can be
used to protect against cyber threats, for example when AI

123
J. Pfeiffer et al.: New Laws and Regulation, Bus Inf Syst Eng

is used to detect unusual network traffic (Becklines 2024; Furthermore, with the growing severity of penalties for
Shanbhag et al. 2024; Sinha and Muktevi 2024). As a non-compliance, the financial and operational impact on
result, companies have to be on the lookout for new organizations can be significant. Some companies have
challenges to their cyber security as well as their technical already started to implement Chief Regulation Officers that
defenses continuously, and could be supported by auto- monitor laws and regulations and try to intervene when
mated mechanisms that inform them about current devel- new laws emerge. As with other CxOs, their roles,
opments. One research topic could be to identify relevant responsibilities, and impact should be evaluated. Other
information demand to keep informed about ongoing forms of institutionalization include competence centers
developments and suitable sources to cover the demand. within companies or specialized consulting services that
Dashboards could be designed based on this information to could be offered by industry associations.
display threat levels can help security experts manage risks In any case, we need to educate more people on these
more effectively. Another related research topic might be topics due to their relevance and impact on multiple job
how to provide the most effective security training to profiles, such as security consultants and data scientists.
employees, as the continuous education of employees will The law-making process and opportunities to influence
be increasingly important in safeguarding organizations. these processes should be incorporated into the study
Research topics arising from the complete set of new programs of BISE students. Conversely, we should also
regulations: Analyzing the law-making process is crucial aim to educate law students on BISE-related topics. To
for improving the efficiency of future legislation, enabling achieve the best outcomes, collaboration with legal spe-
timelier implementation of necessary changes. Here, we cialists is essential. Additionally, we should strengthen the
could apply process mining to determine bottlenecks or connections between BISE researchers and legislators to
unstructured parts in the processes. One example of such a contribute our insights on these critical topics that have
project that provides access into the engine room of Ger- extensive consequences.
man legislation is Open Discourse (Richter et al. 2020), These consequences are sometimes unintended as we
which is providing the data foundation for analytics have seen with the browser cookies based on GDPR
regarding the progress of law-making and regarding the (Johnson et al. 2023). To avoid such issues in the future,
political debate. Besides Open Discourse, which relies on BISE researchers are asked to develop methods to predict
protocols from debates, it would also be possible to collect these unintended consequences. This could be achieved –
statements from different interest groups and see how the at least in some cases – by involving experts from the BISE
draft of a law is changing over time to reflect demands by community in the legislative process. Also, to further
specific groups. An example is the transparently docu- reduce unintended consequences and to ensure compliance
mented progress of the German NIS 2 implementation as of digital products and services with current laws, third
published by the state (Bundesministerium des Inneren und parties that inspect and certify products could be involved.
für Heimat 2024). Such a document analysis involving Finally, we could investigate how companies subject to
multiple European member states could also help to answer new laws are performing in comparison to companies
the question of why and how the implementations of operating outside of the EU. Can they leverage the
directives are different from each other in each member potential benefits of regulations, or are these regulations
state. hampering innovation? This may become apparent when
In addition, the general use of tools, especially genera- we consider start-ups and their chances of success, which
tive AI-based tools, which could either help identifying are influenced by the balance between innovation potential
problematic or contracting regulations during the process and regulatory barriers, such as the administrative overhead
or legislation, or help documenting how the legal require- they must address. The same is true at the societal level –
ments are addressed by the individual company, should be how are political debates progressing in regions that
leveraged. Top-down, generative AI can be used to write a embrace measures against misinformation compared to
template for a company’s cyber security policy but must those that do not, and how is technology usage and
then be fitted to the individual company and needs to be acceptance impacted by the regulations?
binding for all parts of the company. Bottom-up, we can These new regulations provide diverse and exciting
use tools to document the IT landscape and the business opportunities for BISE research. We are eager to see
architecture or tools for penetration testing to identify developments in the coming years and recommend initi-
vulnerable parts of the infrastructure. ating the respective research projects now to assess the
The increasing number of regulations has to be handled impact of these regulations before they come into full
on the company level. This is especially important when effect. Based on these insights, we can in turn become even
operating in an international context, which requires more valuable partners to legislators and policymakers in
adherence to even more laws than the ones discussed so far. broadening the impact of BISE research and developing

123
 J. Pfeiffer et al.: New Laws and Regulation, Bus Inf Syst Eng

effective regulations that strengthen our businesses, and Benlian A, Kettinger WJ, Sunyaev A, Winkler TJ (2018) Special
improve the cohesion of our society. section: the transformative value of cloud computing: a decou-
pling, platformization, and recombination theoretical framework.
J Manag Inf Syst 35(3):719–739. https://doi.org/10.1080/
07421222.2018.1481634
Funding Open Access funding enabled and organized by Projekt Buhl HU, Fridgen G, Müller G, Röglinger M (2012) On dinosaurs,
DEAL. measurement ideologists, separatists, and happy souls: proposing
and justifying a way to make the global IS/BISE community
happy. Bus Inf Syst Eng 4(6):307–315. https://doi.org/10.1007/
Open Access This article is licensed under a Creative Commons s12599-012-0239-z
Attribution 4.0 International License, which permits use, sharing, Bundesministerium des Inneren und für Heimat (2024) Entwurf eines
adaptation, distribution and reproduction in any medium or format, as Gesetzes zur Umsetzung der NIS-2-Richtlinie und zur Regelung
long as you give appropriate credit to the original author(s) and the wesentlicher Grundzüge des Informationssicherheitsmanage-
source, provide a link to the Creative Commons licence, and indicate ments in der Bundesverwaltung. https://www.bmi.bund.de/Share
if changes were made. The images or other third party material in this dDocs/gesetzgebungsverfahren/DE/CI1/nis2umsucg.html.
article are included in the article’s Creative Commons licence, unless Accessed 17.09.2024
indicated otherwise in a credit line to the material. If material is not Burrell G, Morgan G (1979) Sociological paradigms and organisa-
included in the article’s Creative Commons licence and your intended tional analysis – elements of the sociology of corporate life.
use is not permitted by statutory regulation or exceeds the permitted Ashgate, Hants
use, you will need to obtain permission directly from the copyright Castelo N, Bos MW, Lehmann DR (2019) Task-dependent algorithm
holder. To view a copy of this licence, visit http://creativecommons. aversion. J Mark Res 56(5):809–825. https://doi.org/10.1177/
org/licenses/by/4.0/. 0022243719851788
Cauderay V, Haskamp T, Sebastian IM, Uebernickel F (2024)
Talking about the elephant in the room: Findings from a
literature review on leveraging information systems for reducing
References scope 3 emissions. In: ECIS Proceedings, Paphos
Chandan A, Potdar V, Rosano M (2019) How blockchain can help in
Acheampong FA, Nunoo-Mensah H, Chen W (2021) Transformer supply chain sustainability. In: ACIS Proceedings, Perth,
models for text-based emotion detection: a review of BERT- pp. 953–960
based approaches. Artif Intell Rev 54(8):5789–5829. https://doi. Darwish A, Lindman J, Hjertqvist J, Tona O (2023) Design principles
org/10.1007/s10462-021-09958-2 for blockchain-based applications in green bond reporting. In:
Aueamnuay C, Berjón C, Galehr S, Graf L, Heinemann A (2024) HICSS Proceedings, Lahaina, pp. 5186–5195
Digital regulation in the European Union. EuZ Z Europarecht. European Commission (2024a) 2030 Digital decade - Annex 1.
https://doi.org/10.36862/eiz-euz2024-03 https://doi.org/10.2759/635
Baars H, Weber P, Tank A (2022) Institutionalizing analytic data European Commission (2024b) Better regulation: why and how.
sharing in SME ecosystems – A role-based perspective. In: https://commission.europa.eu/law/law-making-process/planning-
HICSS Proceedings, pp. 6135–6144 http://hdl.handle.net/10125/ and-proposing-law/better-regulation_en. Accessed 17 Sep 2024
80084 European Commission (2024c) Europe’s Digital Decade: digital
Baskerville RL, Kaul M, Storey VC (2015) Genres of inquiry in targets for 2030. https://commission.europa.eu/strategy-and-pol
design-science research. MISQ 39(3):541–564 icy/priorities-2019-2024/europe-fit-digital-age/europes-digital-
Baskerville RL (1999) Investigating information systems with action decade-digital-targets-2030_en. Accessed 17 Sep 2024
research. Commun Assoc Inf Syst. https://doi.org/10.17705/ Farkas M, Matolay R (2024) Designing the CSRD system: insights
1CAIS.00219 from management systems to advance a strategic approach.
Bauer K, von Zahn M, Hinz O (2023) Expl (AI) ned: the impact of J Decis Syst. https://doi.org/10.1080/12460125.2024.2354614
explainable artificial intelligence on users’ information process- Fedorowicz J, Bjørn-Andersen N, Olbrich S, Tarafdar M, Te’eni D
ing. Inf Syst Res 34(4):1582–1602. https://doi.org/10.1287/isre. (2019) Politics and AIS: where do we draw the line? Commun
2023.1199 Assoc Inf Syst 44(1):247–261. https://doi.org/10.17705/1CAIS.
Bauer K, Heigl R, Hinz O, Kosfeld M (2024) Feedback loops in 04416
machine learning: a study on the interplay of continuous Feuerriegel S, Hartmann J, Janiesch C, Zschech P (2024) Generative
updating and human discrimination. J Assoc Inf Syst AI. Bus Inf Syst Eng 66(1):111–126. https://doi.org/10.1007/
25(4):804–866. https://doi.org/10.17705/1jais.00853 s12599-023-00834-7
Beck EE (2002) P for political: participation is not enough. Scand J Gorry GA, Morton MSS (1989) A framework for management
Inf Syst 14(1):77–92 information systems. MIT Sloan Manag Rev 30(3):49–61
Beck R, Avital M, Rossi M, Thatcher JB (2017) Blockchain Gregor S (2006) The nature of theory in information systems. MIS Q
technology in business and information systems research. Bus 30(3):611–642
Inf Syst Eng 59(6):381–384. https://doi.org/10.1007/s12599- Guggenmos F, Lockl J, Rieger A, Wenninger A, Fridgen G (2020)
017-0505-1 How to develop a GDPR-compliant blockchain solution for
Becklines L (2024) FAIDS: artificial intelligence developmental cross-organizational workflow management: evidence from the
systems framework for predicting and preventing cyberattacks in German asylum procedure. In: HICSS Proceedings, Wailea,
supply chain networks. In: AMCIS Proceedings, Salt Lake City pp. 4023–4032
Benbasat I, Wang W (2005) Trust in and adoption of online Hariharan A, Adam MT, Dorner V, Lux E, Mueller MB, Pfeiffer J,
recommendation agents. J Assoc Inf Syst 6(3):72–101. https:// Weinhardt C (2017) Brownie: a platform for conducting NeuroIS
doi.org/10.17705/1jais.00065 experiments. J Assoc Inf Syst 18(4):264–296. https://doi.org/10.
Benbasat I, Zmud RW (1999) Empirical research in information 17705/1jais.00457
systems: the practice of relevance. MISQ 23(1):3–16. https://doi.
org/10.2307/249403

123
J. Pfeiffer et al.: New Laws and Regulation, Bus Inf Syst Eng

Heimburg V, Schmitt J, Wiesche M (2023) The future of digital systems research. J Manag Inf Syst 32(3):10–47. https://doi.org/
platform design – The case of the EU platform regulation 10.1080/07421222.2015.1094961
discourse. In: ECIS Proceedings, Kristiansand Orlikowski WJ, Iacono CS (2001) Research commentary: desperately
Heßler PO, Pfeiffer J, Hafenbrädl S (2022) When self-humanization seeking the ‘‘IT’’ in IT research – a call to theorizing the IT
leads to algorithm aversion: what users want from decision artifact. Inf Syst Res 12(2):121–134
support systems on prosocial microlending platforms. Bus Inf Österle H, Becker J, Frank U, Hess T, Karagiannis D, Krcmar H, Loos
Syst Eng 64(3):275–292. https://doi.org/10.1007/s12599-022- P, Mertens P, Oberweis A, Sinz EJ (2011) Memorandum on
00754-y design-oriented information systems research. Eur J Inf Syst
Hevner A, Chatterjee S (2010) Design research in information 20(1):7–10. https://doi.org/10.1057/ejis.2010.55
systems: theory and practice. Springer US, Boston, MA Peffers K, Tuunanen T, Rothenberger MA, Chatterjee S (2007) A
Hutterer A (2023) Introduction of data spaces – status and recom- design science research methodology for information systems
mendations for action. In: ICEB Proceedings, Chiayi, research. J Manag Inf Syst 24(3):45–77. https://doi.org/10.2753/
pp. 377–390 MIS0742-1222240302
Iivari J, Hirschheim R, Klein HK (1998) A paradigmatic analysis Peukert C, Weinhardt C, Hinz O, van der Aalst WM (2022)
contrasting information systems development approaches and Metaverse: how to approach its challenges from a BISE
methodologies. Inf Syst Res 9(2):164–193. https://doi.org/10. perspective. Bus Inf Syst Eng 64(4):401–406. https://doi.org/
1287/isre.9.2.164 10.1007/s12599-022-00765-9
Johnson GA, Shriver SK, Goldberg SG (2023) Privacy and market Pfeiffer J, Duzevik D, Rothlauf F, Bonabeau E, Yamamoto K (2015)
concentration: intended and unintended consequences of the An optimized design of choice experiments: a new approach for
GDPR. Manag Sci 69(10):5695–5721. https://doi.org/10.1287/ studying decision behavior in choice task experiments. J Behav
mnsc.2023.4709 Decis Mak 28(3):262–280. https://doi.org/10.1002/bdm.1847
Krasikov P, Legner C (2023) Introducing a data perspective to Pfeiffer J, Pfeiffer T, Meißner M, Weiß E (2020) Eye-tracking-based
sustainability: how companies develop data sourcing practices classification of information search behavior using machine
for sustainability initiatives. Commun Assoc Inf Syst learning: evidence from experiments in physical shops and
53(1):162–188. https://doi.org/10.17705/1CAIS.05307 virtual reality shopping environments. Inf Syst Res
Kumar A, Liu R, Shan Z (2020) Is blockchain a silver bullet for 31(3):675–691. https://doi.org/10.1287/isre.2019.0907
supply chain management? Technical challenges and research Pfeiffer J, Gutschow J, Haas C, Möslein F, Maspfuhl O, Borgers F,
opportunities. Decis Sci 51(1):8–37. https://doi.org/10.1111/ Alpsancar S (2023) Algorithmic fairness in AI: an interdisci-
deci.12396 plinary view. Bus Inf Syst Eng 65(2):209–222. https://doi.org/
Le KB, Sajtos L, Kunz WH, Fernandez KV (2024) The future of 10.1007/s12599-023-00787-x
work: understanding the effectiveness of collaboration between Plachkinova M, Faddoul G (2022) Using design science research to
human and digital employees in service. J Service Res. https:// develop a secure social platform for complementary and
doi.org/10.1177/10946705241229419 alternative medicine. In: HICSS Proceedings, pp. 4157–4165.
Lee JK, Park J, Gregor S, Yoon V (2021) Axiomatic theories and http://hdl.handle.net/10125/79843
improving the relevance of information systems research. Inf Richter F, Koch P, Franke O, Kraus J, Kuruc F, Thiem A, Högerl J,
Syst Res 32(1):147–171. https://doi.org/10.1287/isre.2020.0958 Heine S, Schöps K (2020) Open discourse, V4 edn. Harvard
Lemnitzer JM (2022) The implementation of the NIS 2 Directive: Dataverse. https://doi.org/10.7910/DVN/FIKIBO
challenges and solutions. https://www.cbs.dk/files/cbs.dk/nis_2_ Romm C, Rice R, Cecez-Kecmanovic D, Jordan E, Pliskin N,
implementation_supply_chains_report_7_september_2022.pdf. Sudweeks F, Bjoern-Andersen N (1997) Panel 9 playing politics
Accessed 22 Sep 2024 with information technology: a global perspective. In: ICIS
Ligthart A, Catal C, Tekinerdogan B (2021) Systematic reviews in Proceedings, Atlanta, pp. 522–524
sentiment analysis: a tertiary study. Artif Intell Rev Rupp C (2024) Navigating the EU cybersecurity policy ecosystem –
54:4997–5053. https://doi.org/10.1007/s10462-021-09973-3 A comprehensive overview of legislation, policies and actors.
Loebbecke C, Picot A, de Marco M, Newell S, Majchrzak A (2012) interface Tech analysis and policy ideas for Europe e.V. https://
Information systems academicians supporting political decision www.interface-eu.org/publications/navigating-the-eu-cybersecur
making: towards expanding impact and relevance? In: ECIS ity-policy-ecosystem. Accessed 27 Sep 2024
Proceedings, Barcelona Saunders M, Lewis P, Thornhill A (2016) Research methods for
Loomis JM, Blascovich JJ, Beall AC (1999) Immersive virtual business students, 8th edn. Pearson
environment technology as a basic research tool in psychology. Shanbhag N, Dawson M, Etori N (2024) Artificial intelligence’s role
Behav Res Meth Instrum Comput 31(4):557–564. https://doi.org/ in cybersecurity and global dynamics. In: MWAIS Proceedings,
10.3758/BF03200735 Peoria
Meißner M, Pfeiffer J, Pfeiffer T, Oppewal H (2019) Combining Shekhar S, Petropoulos G, van Alstyne MW, Parker G (2022)
virtual reality and mobile eye tracking to provide a naturalistic Mandated platform compatibility: competition and welfare
experimental environment for shopper research. J Bus Res effects. In: ICIS Proceedings, Copenhagen
100:445–458. https://doi.org/10.1016/j.jbusres.2017.09.028 Sinha U, Muktevi LP (2024) Artificial intelligence in cybersecurity: a
Mohajeri K, Leidner D (2017) Towards a typology of relevance. In: new paradigm revolutionizing threat intelligence and defense
HICSS Proceedings, Waikoloa Village, pp. 5783–5792 mechanism. In: AMCIS Proceedings, Salt Lake City
Monteiro J, Barata J (2024) The circular digital twin: climate-smart Spiekermann S, Krasnova H, Hinz O, Baumann A, Benlian A, Gimpel
soils as a use case. In: ISD Proceedings. https://doi.org/10. H, Heimbach I, Köster A, Maedche A, Niehaves B (2022)
62036/ISD.2024.107 Values and ethics in information systems: a state-of-the-art
Nandwani P, Verma R (2021) A review on sentiment analysis and analysis and avenues for future research. Bus Inf Syst Eng
emotion detection from text. Soc Netw Anal Mining 11:1–19. 64(2):247–264. https://doi.org/10.1007/s12599-021-00734-8
https://doi.org/10.1007/s13278-021-00776-6 Straub DW, Ang S (2011) Rigor and relevance in IS research:
Nunamaker JF Jr, Briggs RO, Derrick DC, Schwabe G (2015) The last redefining the debate and a call for future research. MIS Q
research mile: achieving both rigor and relevance in information 35(1):iii–xi. https://doi.org/10.2307/23043485

123
 J. Pfeiffer et al.: New Laws and Regulation, Bus Inf Syst Eng

European Union (2024) Digital Europe programme (2021–2027). Weigl L, Barbereau TJ, Sedlmeir J, Zavolokina L (2023) Mediating
https://eur-lex.europa.eu/EN/legal-content/summary/digital-eur the tension between data sharing and privacy: The case of DMA
ope-programme-2021-2027.html. Accessed 17 Sep 2024 and GDPR. In: ECIS Proceedings, Kristiansand
Vainionpää F, Väyrynen K, Lanamaki A, Bhandari A (2023) A Weinhardt C, Fegert J, Hinz O, van der Aalst WM (2024) Digital
review of challenges and critiques of the European Artificial democracy: a wake-up call – how IS research can contribute to
Intelligence Act (AIA). In: ICIS Proceedings, Hyderabad strengthening the resilience of modern democracies. Bus Inf Syst
van der Aalst W, Bichler M, Heinzl A (2016) Open research in Eng 66(2):127–134. https://doi.org/10.1007/s12599-024-00862-
business and information systems engineering. Behav Res Meth x
Instrum Comput 58(6):375–379. https://doi.org/10.1007/s12599- Werling M, Lachenmaier J, Renken S, Lasi H (2022) Ver-
016-0454-0 trauenswürdiger Datenaustausch in Ökosystemen – Entwicklung
van der Aalst W, Hinz O, Weinhardt C (2020) Impact of COVID-19 eines Metamodells zur Trennung von Daten und Kontext. In:
on BISE research and education. Bus Inf Syst Eng Wirtschaftsinformatik Proceedings, Nürnberg. https://aisel.ais
62(6):463–466. https://doi.org/10.1007/s12599-020-00666-9 net.org/wi2022/design_science/design_science/2
Venkatesh V, Morris MG, Davis GB, Davis FD (2003) User Wu SP-J, Straub DW, Liang T-P (2015) How information technology
acceptance of information technology: toward a unified view. governance mechanisms and strategic alignment influence
MISQ 27(3):425–478. https://doi.org/10.2307/30036540 organizational performance. MISQ 39(2):497–518. https://doi.
Weber P, Werling M, Baars H (2023) Design principles for org/10.25300/MISQ/2015/39.2.10
institutionalized data ecosystems–results from a series of case
studies. In: Wirtschaftsinformatik Proceedings, Paderborn

123