Editorial

Journal of Information Technology

2023, Vol. 38(2) 86–107
The regulation of and through information © Association for Information
Technology Trust 2023
technology: Towards a conceptual ontology Article reuse guidelines:
sagepub.com/journals-permissions
DOI: 10.1177/02683962231181147
for IS research Journals.sagepub.com/jinf

Tom Butler1, Daniel Gozman2  and Kalle Lyytinen3

Abstract
This special issue addresses a largely neglected area of Information Systems (IS) research – the regulation of and through
Information Technology (IT). As with other human technologies, IT artefacts present risks and can harm individuals, groups,
organisations, economies, and society: However, this remains a largely unexplored topic in IS research. Nevertheless,
regulators, social commentators, the media, and the public have voiced their concerns about such risks, particularly those
related to artificial intelligence (AI), cybersecurity, privacy, digital assets (e.g. cryptocurrencies), and the market dominance
of digital platforms. Accordingly, regulations have been instituted or proposed to regulate IT artefacts in and across several
business sectors. Additionally, in response to the informational challenges posed by a complex web of laws and regulations,
regulators and business organisations have implemented IT artefacts to transform regulatory and supervisory processes or
to enhance organisational risk management and compliance reporting capabilities. This special issue addresses the research
challenges related to emergent issues surrounding the regulation of and through IT. In this editorial, we take stock of where
the field currently stands. We advance a conceptual ontology of IT regulation to guide future research by specifying several
taken-for-granted core concepts. By rendering the concepts, categories, and their relationships explicit, the model and its
related research questions provide a firm foundation to generate a cumulative body of research on the regulation of and
through IT.

Keywords
Information technology, information systems, regulations, risk, compliance, ontology

Introduction relationships between digital technologies, their uses, and

Innovative digital technologies are commonly promoted
with the promise of significant rewards for individuals,
organisations, and society. However, experience and re-
search indicate that innovations have a dark side (Tarafdar,
Gupta, and Turel, 2013). Generally, IT artefacts and their
multifaceted, growing combinations and layering into
platforms and digital infrastructures come with negative
affordances (Scarantino, 2003; Mikalef et al., 2022), car-
rying significant risks to organisational stakeholders
(Ciborra, 2006) and society (World Economic Forum,
2022). While such unintended negative uses are exten-
sive and commonplace (Kirby, 2009; Parent and Reich,
2009; Paech et al., 2019), and their effects have become
pervasive and essential at the systemic level, there is little
research on such effects and ways to cope with them. Since
Ciborra’s (2006 p. 1339) call ‘to characterize the multiple
links between risk and digital technologies in organiza-
tions’, IS researchers failed to focus systematically on
risks.
The regulation – IT artefact – risk nexus has, with a few
exceptions (cf. Bamberger, 2009; Butler, 2011, 2012, 2017;
Butler and McGovern, 2012; Butler and O’Brien, 2019;
Clarke, 2022; Clemons and Wilson, 2018; Currie, Gozman
and Seddon, 2018; de Vaujany et al., 2018; Gozman and
Currie 2019; 2014; Gozman et al., 2020; Gozman and
Willcocks, 2019), eluded the focus of a majority of IS
1
Depratment of Business Information Systems, University College Cork,
Cork City, Ireland
2
University of Sydney Business School, University of Sydney Business
School, Sydney, NSW, AU
3
Case Western Reserve University Weatherhead School of Management,
Cleveland, Ohio, USA
Corresponding author:
Daniel Gozman, The University of Sydney Business School, University of
Sydney, NSW 2006, AU.
Email: daniel.gozman@sydney.edu.au
Butler et al.
scholars. At the same time, and often despite such neglect,
regulators have grown increasingly concerned about the
threats, hazards, and vulnerabilities of IT artefacts and the
downside risks they pose (Bosschaerts and Lio, 2022;
Butler and Brooks, 2021; Wessel, 2019; Kosseff, 2019). For
example, while the use of IT artefacts in the pharmaceutical
and healthcare industries has been well-regulated due to
concern for health and population risks, the uses of IT
systems continue to threaten the integrity of processes and
products across related sectors (Dickson, 2003; Papp, 2006;
Theisen and Neill, 2004; Shuren, Patel, and Gottlieb, 2018).
In other industries, the regulation of IT artefacts and their
uses can be traced to the introduction of the Sarbanes-Oxley
Act (SOX) (Parent and Reich, 2009). Recently, as this
special issue demonstrates, the growing dominance of
digital platforms has given birth to novel risks which am-
plify the negative affordances of IT artefacts across most
industries and society. Another area of concern highlighted
in this special issue is the reliance on complex national and
global digital infrastructures (DI) which pose novel risks to
individuals, markets, and societies (Gleiss et al.,2023;
Henningsson and Eaton, 2023; Karanasios et al., 2023;
Lindman et al., 2023; Schnurr et al., 2023).
One reason for this lacuna in IS research is that the
regulation-IT artefact – risk nexus is a complex and dynamic
social phenomenon which evades the typical IT scholar’s
focus on the positive, static intended consequences of IT
artefacts on specific stakeholders such as users, managers,
or consumers. Thus, IS researchers generally fail to in-
vestigate (1) digital technology risks and effects, which lie
at the root of the call for the regulation of IT – this is the
first theme of the special issue – and (2) the use of digital
technologies to identify and mitigate risks through regu-
latory compliance imposed by various regulators based on
diligent assessments of the risks that IT poses to individuals,
organisations, and society – thus, regulation through IT is
the second theme of this special issue.
The six articles included in this special issue and some to
follow in regular issues offer a significant starting point for
future research in the area. The Regulation and digital
innovation: From applications to digital infrastructures,
algorithms to digital platforms, therefore, synthesises the
six contributions and their findings. However, this growing
stream of research needs to be integrated into a research
framework to enable a cumulative research program.
Without such an integrated program, research will remain
disconnected and siloed. Therefore, The Towards an On-
tology for Research on Regulation of and Through IT Ar-
tefacts of this editorial presents a conceptual ontology and
theoretical lens to guide future research. We develop this
over to provide a conceptual foundation and lens such that
researchers can (1) Identify and make sense of legal and
regulatory concepts institutionalised and applied in gov-
ernment policy-making and frontline regulatory actions
87
across organisational fields concerned with the regulation of
IT; (2) understand institutional responses to regulatory
principles and rules in terms of the design, development,
implementation and use of compliant IT artefacts, digital
infrastructures and platforms through which regulatory
compliance is performed – this informs institutional and
organisational responses for addressing regulation through
IT; and (3) comprehend frontline regulatory actions in-
volving the application of IT artefacts and digital infra-
structures for the supervision, compliance management, and
risk assessment of regulated entities – the supervisory di-
mension of regulation through IT. The final section offers
concluding observations and direction while challenging IS
researchers to address the risk IT artefacts pose to society.
Regulation and digital innovation: From
applications to digital infrastructures,
algorithms to digital platforms
We received 31 papers, of which six will be published in this
special issue.1 Overall, the papers were heterogenous in
topics, methods, and theoretical frames. This heterogeneity
is also reflected in the accepted six articles summarised in
Table 1, which reports for each article the IT artefact being
regulated and the regulatory goal (of or through), the level of
regulatory intervention, the theoretical approach, and the
research design. We next present and review the papers’
contributions and offer some observations of their
significance.
The first paper, ‘Investigating IT-based Regulation of
Personal Health: Nudging, Mobile Health Apps and Per-
sonal Health Data’ studies micro-level regulation through
an IT artefact implemented as a smartphone app (Davidson
et al.,2023). In the context of this study, the concept of self-
regulation involves an individual’s compliance with norms
and standards related to health-preserving behaviours that
are induced using a health app on a smartphone. The app
gathers data on chronic illness conditions (diabetes) and
diagnostic and personal data for individual behaviour
monitoring towards better health outcomes. The authors
note the tension between the public socio-economic goal of
minimising an individual’s health risks and new demands on
and risks related to new healthcare services which uses
individual health data for behavioural control. This raises
the need to protect individual privacy while at the same time
encouraging innovation in healthcare services. The authors
apply a conceptual lens from De Vaujany et al. (2018),
which posits that assemblages of rules, IT artefacts, and
practices form an IT-based regulatory system or regime. The
lens enables the authors to explain how nudging is enabled
by an IT artefact’s affordances of predicting and monitoring
personal health states and actions. The study impressed both
reviewers and editors through its in-depth case study, which
88 Journal of Information Technology 38(2)

Table 1. Special issue papers, technology, regulatory intervention, theory and method.

Digital Technology
and its Role in Level of regulatory
Special Issue Paper Regulation intervention Theoretical Approach Research Design

Investigating IT-based
Regulation of Personal
Health: Nudging, Mobile
Apps and Data
Governmental Regulation and
Digital Infrastructure
Innovation: The Mediating
Role of Modular
Architecture
Big Tech’s power, political,
corporate social
responsibility, and regulation
To regulate or not to regulate:
unravelling institutional
tussles around regulating
algorithmic control of digital
platforms.
Identifying the Patterns:
Towards a Systematic
Approach to Digital Platform
Regulation
Regulation of Data-driven
Market Power in the Digital
Economy: Business Value
Creation and Competitive
Advantages from Big Data
Mobile health Experiences of Behavioural nudging and Vignette and secondary data
applications through mobile health Vaujany et al.’s (2018) analysis (e.g. discussion
IT application users theory of IT based boards and policy docs)
(micro) Regulation
Digital infrastructures Embedding Modular systems theory Conceptual development
of IT regulation into from case studies
technology design
(macro/meso)
Digital platforms of Regulation of Corporate social Philosophical Essay
IT/through platforms responsibility (political
(macro) philosophy)
Digital platforms of Regulation of Institutional Theory, Longitudinal discourse
IT/through IT content on news Institutional work analysis of two cases (news
and social media and counterterrorism)
platforms (meso)
Digital platforms of IT Regulation of Digital platforms, Qualitative meta-analysis of
platforms ecosystems case studies
(macro)
Digital platforms, Data-driven market Resource-based View Literature review of
Business value from power (macro) (RBV) as applied to academic work; Research
big data of IT/ digital platforms, big questions, theory, and
through IT data, business value, framework development
market power

involves the interpretation of several qualitative vignettes of
use situations experienced by two health app users as
self-regulation. The article theorises how (1) IT artefacts
increasingly underpin seemingly innocent (and often vol-
untary) regulatory practices towards positive individual and
population outcomes; (2) Data gathered by IT artefacts
create systems of regulatory feedback loops; and (3) net-
works of individual, or organisational and technological
actors will over time institutionalise IT-based regulatory
regimes at macro-, meso-, and micro-levels. The authors
recognise negative affordances or the dark side of using IT
artefacts in that two regulatory affordances (predicting and
surveillance) are treated as double-edged swords. The study
highlights how a micro-level self-regulatory practice can be
interweaved with broader organisational and regulatory
processes and circumstances that enhance or diminish their
effectiveness for individuals and organisations.
The paper titled ‘Governmental Regulation and Digital
Infrastructure Innovation: The Mediating Role of Modular
Architecture’ by Henningsson and Eaton (2023) focuses on
digital infrastructures (DI) consisting of autonomous AI
machine learning models etc. They analyse how regulations
may impact DI innovation in such a setting. Regulatory
concerns focus on the risks of misuse or abuse of DI for
surveillance, control and manipulation of consumers,
workers, and society-at-large. There is also a concern about
cyber risks and digital resilience. Modular systems theory is
applied to explain the relationship between regulatory ac-
tions and DI innovation. Extant case studies and constructs
are used for theoretical development and corroboration. The
authors identify that regulation of DI involves applying
regulatory provisions – that is, coercive mechanisms such as
obligations, prohibitions, and permissions – as command-
and-control signals to firms to channel their product/service
innovation. Such mechanisms share two characteristics in
that they focus on performance targets and activity speci-
fication, both of which are posited to influence design rules
and modularity, respectively. Consequently, they illustrate
how DI components may be designed and combined to
produce desired outputs and behaviours.
The paper suitably titled ‘Big Tech’s Power, Political
Corporate Social Responsibility, and Regulation’ by
Lindman, Makinen and Kasanen (2023) is an essay on the
rising political power of digital platforms (often called
FAANG or GAFAM2). The article analyses the sources and
types of political power that come with the rise of platforms
Butler et al.
and the new types of institutional logics at play in orga-
nisations. The authors posit that BigTech (FAANG/GA-
FAM) now wields significant political power in our society.
This poses a serious challenge in regulating their business
and societal activities and the ways they use and leverage IT
artefacts to achieve their business objectives at the expense
of consumers and citizens. We interpret this as a twisting of
what is presented as a manifest positive affordance to a
latent negative affordance that comes with IT artefacts. The
authors draw on the theories from political philosophy and
the literature on Corporate Social Responsibility to question
the traditional assumption that platform firms are pure
economic actors. They are also political actors posing risks
to citizenship rights, civic society, and related democratic
processes. The paper focuses on the role of regulation while
mitigating such risks. It argues that there is a classic division
of moral labour between institutional actors – government
and public administration and private business interests in a
market economy, which needs to be re-framed in the era of
Big Tech. The authors draw on political philosophy theories
to develop a research agenda that sensitises IS researchers to
issues of civic ethics. Future directions for IS research into
the regulation of and through IT focus on the following
themes: (1) Business versus Politics, (2) Democratic
Government. (3) Institutions of market economy; (4)
Companies, (5) Civil Society, and (6) Citizens. This paper
builds a necessary philosophical framing to think about the
conditions and principles to regulate digital platforms at the
societal level and provides essential additions to the earlier
agenda paper by De Reuver, Sørensen and Basole (2018).
Investigative journalism and book authors will continue to
uncover corporate malfeasance beyond lobbying (see Hari,
2022; Ward, 2022): BigTech Platforms such as Uber and
Airbnb will continue to engage in political activities in-
volving questionable ethics, highlighting how governments
fail to regulate corporate misconduct and control corporate
power (Culpepper and Thelen, 2020).
The paper by Karanasios, Kokshaguna and Reinecke
(2023) titled ‘To Regulate or Not to Regulate: Unravelling
Institutional Tussles Around the Regulation of Algorithmic
Control of Digital Platforms’ poses the research question,
‘How does the institutional work… unfold in the devel-
opment of regulation of the use of algorithmic control of
content by digital platforms?’ The authors draw on insti-
tutional theory’s concept of institutional work to develop a
process model of the institutional work required to regulate
algorithmic control on digital platforms. Institutional work
is, by necessity, pluralistic and conducted by multiple
stakeholders. The analysis of institutional work shows how
regulations governing the algorithms for news curation and
content moderation were instituted in Australia. The authors
employ discourse analysis on two regulatory cases by
drawing on sampled data from media and policy and in-
dustry documents in Australia. They interpret the content
89
and evolution of discourses and negotiations (institutional
tussles) that constitute the institutional work that leads to the
creation of regulations that address the risks that algorithmic
controls impose over news curation and content moderation.
The model captures how regulating algorithmic control on
digital platforms is formulated and justified. The analysis
reveals that the process is iterative and involves negotiations
between the government, digital platforms, third parties and
civic stakeholders. The authors conclude that regulators
‘use strategies of collaboration and deliberation to reallocate
responsibilities, support self-regulation, leverage expertise
of the field and compensate for their lack of knowledge on
regulating algorithmic content display’. Digital platform
firms are found to use strategic resources and power to curb
the instalment of new regulations when a regulation
threatens their business model. Institutional work involves
not only lobbying but bribery and agency capture (Hawley,
2021). Furthermore, we note that although algorithms can
be made transparent, firms keep their operations black
boxed to avoid litigation (Ward, 2022). This business ap-
proach identifies the need for IS researchers to adopt a
critical perspective which recognises the power of digital
platform operators and the information asymmetries that
exist between regulators and platforms, and the need for
increased openness and transparency of regulating algo-
rithms (cf. Lindman et al., 2023; Mikalef et al., 2022; Ward,
2022).
The paper by Gleiss et al., (2023) is titled ‘Identifying the
Patterns: Towards a Systematic Approach to Digital
Platform Regulation’. The article focuses again on the
power and influence of large digital platforms (FAANG/
GAFAM). The study incorporates several perspectives on
digital platforms and regulation. It conducts a qualitative
meta-analysis of 128 data sources gathered from newspaper
articles, policy reports, and academic literature that report
on platforms and their operations. Content analysis and
coding of this data corpus results in a conceptual model,
which offers an ontology of digital platform regulation with
four taxonomic dimensions: (1) Regulation Type, which
institutes (2) Controls, that mitigate (3) Risk Class, which
impacts (4) Societal Actors. The regulatory concerns are
expressed in strategies focussing on the risks that Digital
Platforms impose on society. These are found in the af-
fordances of digital platforms and their potential for mo-
nopolistic market dominance. The paper synthesises
emerging research on digital platform regulation by fo-
cussing on the risks the platforms pose on the economy and
society and articulating a comprehensive interdisciplinary
view of the topic grounded in empirical data. We observe
that future research needs to unpack the digital infra-
structure components on platforms such that regulators can
respond with accurate and feasible regulatory measures
which address the needs for interoperability, resource
sharing, and transparency. The conclusions invited us to
90
reflect on the current EU’s approach of using principle-
based regulation that is essentially technology neutral. It
imposes sanctions of the scale of those in GDPR for those
who do not apply such principles. This, we feel, offers an
optimal path to mitigate the risks facing society: However,
the risks posed by monopolistic digital platforms also need
to be addressed if societal actors are to be protected.
Regulation of Data-driven Market Power in the Digital
Economy: Business Value Creation and Competitive Ad-
vantages from Big Data by Schnurr et al., (2023) is the last
paper in this special issue. This paper examines the regu-
lation of digital platforms that create natural monopolies by
creating big data resources that generate business value
similar to monopoly rents. The authors draw on the
resource-based view (RBV) as a lens to examine how digital
platforms create value from big data, on the one hand, which
leads to unfair practices and consumer, market, and societal
domination on the other. The authors pose three research
questions illustrating how market power based on valuable
and inimitable big data resources and associated IT artefacts
influence regulatory requirements and enable technology-
based regulation to be implemented and enforced. The first
two questions ask whether and why data-driven value
creation requires regulation and market supervision. The
answer to the third question on technology-based regulation
provides the main contribution to this special issue and
analyses how to regulate through IT data platforms. The first
contribution of the article is an integrated research frame-
work on how relationships between digital platforms, big
data, market power, and IT regulation are formed. They
posit three roles for IT artefacts in the implementation of
regulation through IT: (1) IT renders novel approaches to
the regulation through its ability to provide consumers with
transparency and control; (2) IT lowers the cost of regu-
latory compliance; and (3) and IT artefacts provide regu-
lators with enhanced supervisory mechanisms to enforce
regulatory rules. The findings corroborate the findings of
several field studies in the UK, US, and EU financial in-
dustry on RegTech and supervisory technologies or Sup-
Tech in the financial industry. Frontline regulators and
supervisory agencies can now access, curate, analyse, audit,
and risk assess firm-specific data at scale using varying IT
artefacts (see Butler, 2017; Broeders and Prenio, 2018;
Butler and O’Brien, 2019; Gasparri, 2019).
We conclude with some critical notes concerning the
scope and topics of the submitted articles concerning
regulation through and of IT:
1. There is a need for empirical (design science) studies
of regulating through technology.
2. There is a currently (understandable) focus on digital
platforms (GAFAM/FAANG) and their regulation
(such as privacy issues), but other fields, such as AI,
IoT and others posing new challenges, remain
Journal of Information Technology 38(2)
understudied (see below our review of emerging
technologies)
3. Methodologies rely heavily on secondary data (e.g.
from news outlets) and literature reviews; experi-
ments and or/action research is nearly non-existent.
4. Theoretical perspectives remain diverse, but given
the diversity, there is a need for a more coherent
theoretical grounding and integration, especially of
the role and impact of IT artefacts. We will examine
this next.
Towards an ontology for research on
regulation of and through IT artefacts
Given The Regulation and digital innovation: From ap-
plications to digital infrastructures, algorithms to digital
platforms’s critical notes concerning the state of research,
we felt that to guide research in the regulation of and
through IT, a conceptual framework is required. Thus, the
objective of this section is to develop a conceptual ontology
that meets this requirement. Therefore, delineate the core
concepts of regulation and risk and discuss how IT artefacts
relate to regulatory processes and activities. Institutional
theory offers a versatile conceptual foundation to study
regulatory processes and outcomes as a form of institutional
work. In this regard, we were pleased to find one paper
(Henningsson and Eaton, 2023) that qualified for inclusion
in the special issue which applied this perspective. This
section now presents and defines the core concepts relevant
to research on the regulation of and through IT that con-
stitute the ontology presented.
Unpacking the complex concept of regulation
Regulation is a complex phenomenon typically conceived
as ‘government intervention in the private domain or a legal
rule that implements such intervention’ (Orbach, 2012,
p. 6). Citing John Stuart Mill, Orbach (ibid. p. 10) states that
regulation is required because ‘things that have “useful
purposes” can turn “poisonous” when abused’ due to ‘our
imperfect reality and human limitations’. Baldwin, Cave,
and Lodge (2011) advanced a generally accepted framing of
this area and summarised the essential features of
regulation:
· Governments regulate in the public interest and
follow several rationales (justifications) for such
activity.
· Several regulatory strategies will be employed, in-
cluding viz. command-and-control, incentives,
competition laws, franchising, disclosure regulation,
direct action, rights, and liabilities.
Butler et al.
· Where technologies are concerned, governments ei-
ther regulate positively by providing economic in-
centives for their adoption and use or by regulating
and mitigating the risks of their use to individuals,
groups, sectors, society, and the environment (cf.
Wiener, 2004). In the regulation of technology:
(a) Regulators can regulate technologies for private
or public interests.
(b) Technology risk is defined in terms of hazards or
losses posed to social and institutional entities if
a technology-related threat-vulnerability com-
bination produces a hazard or loss (cf. Kates and
Kasperson, 1983).
· As a regulatory strategy, risk regulation focuses on
the hazards and risks imposed on individuals and
society, the legitimation of related interventions,
conducting risk assessments and scoring techniques,
and coordinating operations for enforcement and
compliance.
· Regulation occurs at multiple levels: For example,
Federal to State (e.g. US), Unions of Member States
(EU), and Central to Local Government. The power
to regulate may be delegated to statutory and other
bodies, agencies, authorities and so on (e.g. frontline
regulators Ford (2008)).
While this conceptualisation highlights the anatomy of
regulatory approaches, regulation in practice is more nu-
anced. Weiner (2004, p. 495) argues that the ‘influence of
regulation on technology is complex and depends on the
technology of regulation—the design and instrument choice
of the regulatory intervention’. Regulators, therefore, need
to design regulatory instruments to manage the complexity
and, at the same time, endeavour to avoid stifling inno-
vation. The European Commission’s Regulatory Obstacles
to Financial Innovation Expert Group report advising the
Commission policymakers on Fintech is one example of
how regulators approach this dilemma or trade-off (see
Paech and Butler, 2019).
Depending on the institutional, economic, and su-
pervisory context, regulators have a rich palette to
choose from when proposing regulatory solutions.
Generally, as Burgemeestre, Hulstijn and Tan (2009)
point out, regulation can be principle-based, rule-
based, or a hybrid of principles and rules (see also
Tarbert, 2019). The difference between the rules and
principles is that ‘a rule generally entails an advance
determination of what conduct is permissible, leaving
only factual issues to be determined by the frontline
regulator or decision maker. A principle may entail
leaving both specification of what conduct is permis-
sible and factual issues to the frontline regulator’. (Ford
2008, p. 6–7). Moreover, regulatory rules may have
qualifications and exceptions and become thus more
91
like principles. In contrast, principles may be linked
with normative standards and practices and become
more rule-like, creating regulatory hybrids.
In the EU, risk-based regulation of IT generally
emphasises self- and co-regulation by applying prin-
ciples while simultaneously mandating compliance
with normative standards and industry codes of conduct
as evidence of adherence to regulatory principles
(Ullrich, 2018; Colangelo et al., 2021). Most IT arte-
facts and digital infrastructure components such as AI
(Gupta, 2022) and how data is processed and stored on
platforms are now being subjected to growing regula-
tion in the EU (Feld, 2019; Flew and Gillett, 2021;
Mansell, 2021; Bennett, 2021; Nitzberg and Zysman,
2022). While analysing the EU’s approach to the reg-
ulation of IT, Mantelero et al. (2020) identify the use of
(1) principles-based provisions and technical rules; (2)
standards-based technologies perceived as necessary in
achieving data protection and security objectives; and
(3) mechanisms such as risk assessment, compliance
by-design, compliance reporting obligations, digital
resilience, and the use of certification schemes to
demonstrate compliance. While the financial industry is
often in the cross-hairs with governments concerning
regulatory principles and rules, it engages in what is
called ‘institutional tussles’ to ensure a favourable
regulatory climate for the industry (Karanasios et al.,
2023; Colangelo et al., 2021).
All these developments have significant implications for
IS research on the regulation of and through IT. First, re-
searchers need to have a nuanced understanding of regu-
latory provisions governing IT artefacts and data assets and
whether they are principles-based, rules-based, or contain
both principles and rules. As part of this, they need to
understand the role and impact of IT artefacts in conducting
either principle-based or rule-based regulation (de Vayjanay
et al., 2018). Second, they need to identify the consequences
of institutional responses within regulated sectors and
whether and how they impact organisations, consumers,
citizens, and society. That is not an easy task, but necessary.
Table 2 presents essential properties of principle- and rules-
based regimes related to IT-based regulation. As most
regulatory responses are hybrid, they sit on a continuum:
Thus, research on the regulation of and through IT must be
sensitive to such differences and their effects on regulatory
processes.
Public awareness of the necessity to regulate IT-related
matters began with the accounting malfeasance within
Enron, WorldCom, and Global Crossing in 2005. However,
Europe had at this time its own issues with corporate
governance and accounting (Sama and Shoaf, 2005). In
terms of accounting standards enacted in IT artefacts, the US
GAAP is rules-based, and the IFRS is principles-based
(Prather-Kinsey, Boyar, and Hood, 2018): The regulatory
92
Table 2. A characterisation of principles and rules (adapted from Burgemeestre, Hulstijn, and Tan, (2009) and Wiener, 2004).
Regulatory Mode
Regulatory Dimension Principles
Temporal Ex-post
Conceptual General / universal / abstract
Functional Large discretionary power
Representation Declarative (what)
Requirements Performance standards
Knowledge High
Exception handling Allows for exceptions (defeasible)
Conflict resolution By weight (trade-off)
responses to financial scandals followed similar lines. The
US-based response in the form of the SOX Act was rule-
based, while the European Commission’s response was to
recommend the modernisation of company law based on
principles and leave any rulemaking, if required, to member
states (European Commission, 2003). Fast forward a de-
cade, and the EU’s decision on GDPR has a different tone.
Now regulators in EU member states acknowledge that
‘Principles – broad rules about conduct or desired
outcomes – are an important part of data protection law, and
are, in fact, at the core of the General Data Protection
Regulation (GDPR)’.3 However, GDPR now provides for
stricter rules to cover, for example, data processing and
consent, as well as mandatory legal requirements and
sanctions (Jasmontaite et al., 2018). Indeed, the regulatory
principles of data protection by design and related legal
obligations have had significant implications for the de-
velopment of information systems that hold personal data.
In consequence, GDPR’s Article 25 ‘suffers from multiple
flaws, in particular a lack of clarity over the parameters and
methodologies for achieving its goals, a failure to com-
municate clearly and directly with those engaged in the
engineering of information systems, and a failure to provide
the necessary incentives to spur the “hardwiring” of
privacy-related interests. Taken together, these flaws will
likely hinder the traction of Article 25 requirements on
information systems development’ (Bygrave, 2017, p. 105).
Significantly, according to Mantelero et al. (2020), the EU’s
regulatory approach sees principles set out in one regulation
and rules in another: There, general principles and provi-
sions find detailed expression and application in sector-
specific instruments, such as the cybersecurity NIS Direc-
tive, payments PSD2 Directive and electronic ID eIDAS
regulation. Overall, the EU’s approach now provides ‘a
balance between principles-based provisions and technical
rules, a variety of technological solutions seen by law as
crucial to achieving the EU objectives in data protection and
data security, and a clustering of the entire legal framework
around five core elements (risk assessment, by-design
Journal of Information Technology 38(2)
Rules
Ex ante
Specific / particular / concrete
Little discretionary power
Procedural (how)
Command-and-control
Low
All or nothing (strict)
No conflicts possible
approach, reporting obligations, resilience, and certification
schemes)’ (Mantelero et al., 2020, p. 328).
To formulate effective rules, regulators now must have
comprehensive knowledge about regulated entities (see
Table 2). Otherwise, organisations will engage in regulatory
arbitrage and rule evasion. As Omarova (2010, p. 411)
states: ‘Given the complexity and global nature of the
modern financial market, any government’s attempt to
regulate it in a purely unilateral command-and-control
manner will inevitably encounter the fundamental prob-
lem of regulatory arbitrage, whereby financial institutions
find new ways to get around government rules, thus creating
a never-ending spiral of rulemaking and rule evading’. The
use of principles, specific or targeted rules, sanctions, and
the courts to adjudicate breaches of regulatory compliance
works well in jurisdictions and avoids constraining tech-
nological innovation. This approach is optimal when
considering the fundamental type of IT risk most organi-
zations now face – operational risk.
The risk concept and its temporal dimensions
Risk can be defined in many ways depending on the context
(see; Aven and Renn, 2009; Crouhy, Galai, and Mark, 2006;
Renn, 2017; Aven et al., 2018). The Society of Risk
Analysis holds that risk is the consequence of an activity
and associated uncertainty (Aven et al., 2018). Thus, the
consequences (C) of the effect of a risk event (A) on an
activity (α) may have different manifestations and may be
present at different levels: Uncertainty (U) refers to the
‘deficiency of information related to, understanding or
knowledge of, an event [A], its consequence [C], or like-
lihood’.4 Thus, if regulators perceive that there is uncer-
tainty regarding the risks IT artefacts pose such a risk event
materialise they will need to act.
Building on Aven (2011, 2015, 2019) and Logan et al.
(2021), we next conceptualise risk as it relates to IT-based
regulation in a way that incorporates temporal dimensions.
We conceptualise risk thus as
Butler et al.
Risk ¼ ðC, U Þ ατ , η (1)
If we consider an activity α in the context of digital
operations, that activity will, in whole or part, be digitised
and performed by one or more IT artefacts. What this risk
definition means is that risk is a function of the Conse-
quences (C) and Uncertainty (U) surrounding the threats
and vulnerabilities of using IT artefacts within an activity (α)
over a time interval (τ) and the time over which the con-
sequences will materialise (η). The above conceptualisation
(1.0) incorporates two temporal dimensions: (1) The length
of time IT-enabled digital activities are assessed for risk
events (A); and (2) The time horizon over which the con-
sequences (C) materialise, that is C given A (C | A). We now
attend to uncertainty U as it forms a core concept in ex-
plaining any IT-related risk.
A typical regulatory or organisational assessment of
possible IT artefact risk events includes gathering infor-
mation on the threats to, vulnerabilities of, and conse-
quences for digitised activities (α), their outputs (e.g.
services to consumers), and related IT assets. Aven et al.
(2018, p. 4) propose that, inter alia, risk may also be further
defined: First, rewrite U as ‘[t]he pair (Q, K), where Q is a
measure of uncertainty and K the background knowledge
that supports Q’: Thus, actors need to consider risk in terms
of the ‘[t]he triplet (C’, Q, K), where C’ is some specified
consequences [e.g. a data loss], Q a measure of uncertainty
[of an IT failure or cyber threat], associated with C’ (typ-
ically probability), and K the background knowledge that
supports [understanding of] C’ and Q (which includes a
judgment of the strength of this knowledge)’. Regulators’ or
organisational actors’ estimation of Q will, depending on
circumstances, involve a combination of heuristics, in-
ductive reasoning, and deductive modelling and related
combinations of knowledge that help measure uncertainty
surrounding the threats to, vulnerabilities of and conse-
quences of risk events to IT artefacts (cf. Volz and
Gigerenzer, 2012; Mousavi and Gigerenzer, 2014). Aven
(2019) argues further that estimates of Q usually are treated
as probabilities based on historical events, such as the
practice of estimating operational risk in financial institu-
tions. Alas, these are often of little value when risk analysis
needs to be thorough and synthesise contextual knowledge
(K), and measures of uncertainty (Q) of aggregates and
specific risk events (A) related to general or specific IT-
enabled digital activity(ies) (α) over a time interval τ, and
were η specifies the period over which the consequences C
of risk event A is considered.
One additional dimension that needs to be often ad-
dressed in the conceptualisation of risk is risk aggregation,
which regulators and organisations need to perform while
estimating systemic risks and total system-level risk ex-
posures. Integrating Bjørnsen and Aven’s (2019) con-
ceptualisation on risk aggregation and adopting the
93
nomenclature by Logan et al. provides a way to estimate the
total combined risk of a set of activities α1, α2. Bjørnsen and
Aven argue that the uncertainty measure Q should therefore
include an assessment of the strength of the knowledge
(SoK) on the probability measure (P) (whether based on
objective or subjective probability assessments) of each risk
(Aven, 2017). Hence, we can rewrite the above to capture
these and the temporal dimensions posited by Logan et al.
(2021)
R’α1 þ α2 ¼ ððC’α1 C’α2 Þ, ððPα1, Pα2 Þ, ðSoKα1 , SoKα2 ÞÞ,
ðKα1, Kα2, KAG ÞÞα1τ, ηþα2τ, η (2)
where KAG represents knowledge of the independence or
dependence of activities and their consequences.
Since regulators conduct risk assessments and draft
regulations to address risk in terms of the consequences and
uncertainty associated with, for example, technologies in
human activity systems, then such a complex con-
ceptualisation of risk is required to reach empirical fidelity.
Furthermore, such conceptualisation is necessary to un-
derstand whether the institutional work around the social
construction of the regulation of IT artefacts involves
considerations of all the elements required to understand
risk and how to mitigate it. In addition, the design of in-
formation systems that regulate through IT will involve, by
necessity, the integration and application of all the above
elements necessary to reduce uncertainty and increase
knowledge of the consequences of IT risk events. Clearly,
IT-based regulation can increase the reliability of the op-
erations, information concerning uncertainties and depen-
dencies, or knowledge that backs the aggregation and
integration of uncertainties. Regulatory IS can also influ-
ence the time frame in which risks are assessed and in which
they are assumed to realise and generate consequences.
On the need to regulate risk in IT artefacts
In the past, information technology risk was simply un-
derstood in terms of threats to and vulnerabilities of in-
formation systems operations in specific organisational
settings (Rainer, Snyder, and Carr, 1991). Some studies
recognised also process failures while IT/IS systems were
being developed and implemented (Lyytinen et al. 1998;
Lyytinen and Robey, 1999). The financial industry has been
traditionally the most IT and data-intensive industry (Butler
and Abi Lahoud, 2014) and engaged in evaluating related
operational risks. For example, the Committee of Spon-
soring Organizations of the Treadway Commission (COSO)
developed business guidelines for risk management and
control. Already in 1991, COSO proposed operational risk
as a generic concept. However, the Basel Committee on
Banking Supervision (BCBS), which is an international
committee of national banking regulators and supervisors,
94
focused on operational risk in its report on Risks in Com-
puter and Telecommunication Systems (BCBS, 1989). In
2001, the Basel Committee on Banking Supervision re-
defined operational risk as ‘[t]he risk of loss resulting from
inadequate or failed internal processes, people and systems
or from external events’ (BCBS, 2001; Power, 2005). The
later BCBS Basel2 Accord (BCBS, 2004) recognised
capital requirements for operational risks related to losses
arising from errors in processes, internal frauds, and in-
formation technology (IT) (Penikas, 2015).
Operational risks arose in a broader awareness with the
Enron, WorldCom, and Global Crossing scandals, as fi-
nancial crime was made possible through IT-based IS. This
led to instituting the Sarbanes-Oxley Act (SOX) as a
regulatory response to mitigate the financial risks of using
IS by organizations (Parent and Reich, 2009). Since then,
governments have broadened their focus on IT risks, as
information systems have become ubiquitous across in-
dustries with the aim to automate and informate activities
(Zuboff, 1985). IT-enabled digital innovation and trans-
formation now provide novel mechanisms to deliver
products and services to consumers while also gathering a
wealth of data about them. The IT artefacts in digital in-
frastructures create a host of new risks affecting also other
stakeholders, including the risk of data loss and infor-
mation privacy (Kirby, 2009; Parent and Reich, 2009;
Zuboff 2020). The aftermath of the financial crisis in
2008 led to the introduction of a raft of stringent new
regulations for operations within global financial institu-
tions (Butler and O’Brien, 2019; Currie and Seddon, 2017;
Mattli, 2019). The growth of such measures continues to
this day, with an increasing focus on the risks posed by the
digital transformation of all facets of banking as new forms
of banking services have emerged, including crypto-
currencies and other FinTech innovations (European
Commission, 2020). However, in all these efforts, as
Clark-Ginsberg and Slayton (2019) note, novel risks posed
by critical infrastructures when strictly regulated will lead
to increasingly complex socio-technical systems with new
‘recursive’ risks. Regulators’ influence is, therefore, best
viewed as emergent arising from the interaction between
regulators and the regulated and through various forms of
institutional work that justify specific forms of interven-
tions as legitimate.
States, federations, and political unions regulate now
positively to leverage IT innovations that confer new af-
fordances to promote economic, social, and environmental
well-being (Lundvall and Borrás, 2005; Kim and Yoo,
2019; Cheng et al., 2021). However, in retrospect, states
and regulatory agencies mostly recognise that the adoption,
implementation, and use of IT brings a range of socio-
economic risks for individual citizens, groups, and for
society and humanity (Clark and Claffy, 2015): The EU has
been particularly sensitive in this regard as it has attempted
Journal of Information Technology 38(2)
to identify obstacles to innovation and institutionalise so-
lutions ex-post (Troitiño and Kerikmäe, 2021).
It is recognised increasingly that there is a need to
identify and categorise IT artefacts on the regulatory radar
across industry sectors and how they are perceived in terms
of their positive (benefits, rewards) and negative affor-
dances (hazards, downside risks, threats, vulnerabilities)
(Scarantino, 2003). Alas, the papers in this special issue
were quite limited in how they identified and categorised
negative affordances and related risks in IT artefacts (mostly
data-related risks). This is an issue we next address.
An example of institutional work to bring balance to the
regulation of IT and innovation is the European Commis-
sion’s Regulatory Obstacles to Financial Innovation Expert
Group (ROFIEG). This group’s final report presents a
taxonomy of the IT artefacts identified, categorised, and
conceptualised as being innovative technologies (FinTech)
whose positive affordances can bring economic and busi-
ness benefits to the financial industry, on one hand while
posing significant risks to individuals, groups, organisa-
tions, and the overall financial system through negative
affordances, on the other (see Paech, Butler et al., 2019).
This list is reproduced and extended in Table 3. The table
categorises IT Artefacts deemed innovative by a panel of
regulators and financial industry practitioners (Paech, Butler
et al., 2019). The positive affordances they identified are
listed: However, they also identified negative affordances,
which are presented as risk types along with their interpreted
hazard level in Table 3.
The technologies listed above touch the lives and live-
lihoods of all individuals and societies. However, the World
Economic Forum (2022), in its Global Risks Report, notes
the failure of governments to adequately regulate the
negative affordances of these emerging technologies across
industries. Exceptions here are the pharmaceutical industry
and the healthcare sector, which are well-regulated already
(Dickson, 2003; Papp, 2006; Theisen and Neill, 2004;
Bendale et al., 2011; Shuren, Patel, and Gottlieb, 2018;
Schueler and Ostler, 2016).
Regulation through IT: From GRC, regtech, suptech
and social justice and control
eGovernment is defined as the use of IT by governments and
related agencies to inform and engage with state citizens and
business entities (Cordelia, 2007). IT in the public sector
focuses on applying digital systems ‘to improve the quality,
performance, and responsiveness of public sector institu-
tions, thereby potentially improving trust’ (Smith, 2011,
p. 78). However, in the digital society, citizens are provided
with various government systems that informate and au-
tomate (Zuboff, 1985) public service processes and incor-
porate and apply regulatory rules in taxation, social welfare,
 Butler et al.

Table 3. Identifying risk levels in innovative IT artefacts and infrastructures.

IT Artefact Description Positive Affordances Risk Type and Level

Artificial Intelligence - Robotic Process Automation for office

1. Knowledge representation (KR, capturing semantics in models such
as ‘ontologies’), automation, Including authentication.
2. Natural language processing (NLP), - Risk alerts and compliance monitoring.
- Automated speech and writing.
3. Machine learning (ML) and deep learning (DL), which is a form of ML
using artificial neural networks (ANN). The growth and power of- Descriptive analytics for regulation
machine learning algorithms, natural language processing, and summarisation.
artificial neural networks made weak AI or perceptual computing- Predictive analytics for investment
possible. modelling and to assess insurance risk.
- Diagnostic Analytics for fraud detection.
- Prescriptive Analytics to assess credit and
risk underwriting.
- RoboAdvice regarding products and
services in the form of Chatbots and
Virtual Assistants.
- Digital Process Automation.
Blockchain/ Store tamper-proof, time-stamped transactions or records on a - Shared recordkeeping
Distributed Ledger distributed data store. May share public or private records of - Multi-party consensus, independent
Technologies transactions among parties in a process or transaction. validation, Tamper-proof evidence
- Resilience provides a platform for digital
currencies and assets and supply chain
management.
Smart Contracts Algorithms are designed to execute automatically specific - Loans and financing.
programmatically defined contractual duties upon the occurrence - Mortgages.
of a trigger event. Complementary with DLT. - OTC (over-the-counter) trading of
currencies (inc. crypto), commodities, and
securities.
- Derivative trading
- Derivatives marketplace
- Insurance policies
- B2C.
- B2B.
- Regulatory reporting
High
- Employment displacement
- Unexplainable decisions.
- Discrimination in loans, mortgages,
and health/life insurance.
- Bias in decisions
- Misinformation.
- Breach of privacy.
- Market flash crashes and contagion.
Medium-High
- Misapplication to unsuitable use
cases.
- Poor transaction speeds.
- High impact on GHG emissions
- High energy usage.
Medium-High
- Same as Blockchain/DLT if used to
host Smart Contracts.
- Market flash crashes and contagion
due to automated settlement
- Immutability and inflexibility to
change.
- Costly errors and hardcoded
loopholes
- Problem of translation of legalese and
regulatory ambiguity.

(continued)
95
Table 3. (continued)
IT Artefact Description Positive Affordances
Quantum computing Enables faster computation over highly complex problems, which may - Help solve currently intractable problems
be intractable for traditional computer platforms and applications in AI, for example, machine and deep
due to the need for massive computing power or where solving learning
problems involves a high degree of uncertainty and incomplete - cryptography (e.g. make blockchain/DLT
knowledge. environmentally sustainable
- enhance high-frequency trading)
- Develop new medicines and vaccines
- Pose significant risks to current
cybersecurity technologies and heightens
systemic risk.
Internet of Things Enhanced (Smart) ubiquitous consumer data gathering and control - Enable Smart or autonomous homes,
(IoT) technologies. buildings, and transport.
- Enhanced services with personalised
messages
- Increase cross-selling opportunities.
- Enhanced health risk data.
- Increase cybersecurity risk
Cloud Private, Public, and Local, with Infrastructure-, Platform-, and - Increased efficiency in application
Software-as-a-Service models. deployment.
- Lower Total Cost of Ownership (ToC) for
applications and computing and network
infrastructure.
- Increased Cybersecurity capabilities.
Depending on the model and provider.
96
Risk Type and Level
High
- May make many existing
cybersecurity approaches, tools,
and standards obsolete.
- Amplifies cybersecurity and AI risks.
- Amplifies the possibility of flash
crashes and contagion.
High
- Increases surveillance risk.
- Decreases data and personal privacy.
- Increases conduct risk and
discrimination in financial services.
- Amplifies cybersecurity and AI risks.
- Increases systemic cyber risk.
Low-Medium (depending on third-
party provider)
- Third-party risk may increase
- May increase the risk of business
interruption, data loss, and
cybersecurity.
Journal of Information Technology 38(2)
Butler et al.
criminal justice, and so on – thus, IT artefacts used in
eGovernment systems also regulate. Research by Akhigbe
et al. (2015, 2017, 2021) outlines the use of IT for regulatory
compliance in business activities across sectors involving
health, public safety, natural resources, the environment,
fisheries, and the ocean, as well as banking and finance.
Akhigbe et al. (2015, pp. 90–91) indicate that IT artefacts
that support regulation through IT in business for ‘regu-
latory compliance aim to meet desired goals such as
identifying respective legal requirements from laws and
regulations, checking and enforcing business process
compliance, and reporting on the state of compliance or
addressing any change in the process or identified re-
quirements’. However, as Akhigbe et al. (2017) posit, there
is a paucity of IS research on using IT by the state for
regulatory compliance. This dearth of research is reflected in
the papers submitted to this special issue.
There is, nevertheless, a growing body of literature on
the application of IT by businesses to address a range of
regulatory business and supervisory problems. The gov-
ernance risk and compliance (GRC) sector and associated
GRC IS grew out of the regulatory demands of the
Sarbanes-Oxley Act (SOX), Basel II, and a raft of envi-
ronmental regulations (Butler, 2011; Butler and McGovern,
2012; Papazafeiropoulou and Spanaki, 2016). However, an
increase in the volume, velocity, and variety of regulations
since the financial crisis has led to a new type of information
system called regulatory technology (RegTech). RegTech
‘(a) helps firms manage regulatory requirements and
compliance imperatives by identifying the impacts of
regulatory provisions on business models, products and
services, functional activities, policies, operational proce-
dures and controls; (b) enables compliant business systems
and data; (c) helps control and manage regulatory, financial
and non-financial risks; (d) performs regulatory compliance
reporting’ Butler and O’Brien (2019, p. 85). Regulators
across the globe have recently implemented IT systems that
monitor, control, and enforce compliance among financial
institutions (Broeders and Prenio, 2018). They also intro-
duce IT for supervisory purposes, which is referred to as
supervisory technology (SupTech). However, several
challenges and issues in this field need to be addressed
(Monkiewicz, 2022), as SupTech and RegTech bring ad-
ditional risks and opportunities (Gasparri, 2019). SupTech
IT artefacts perform two activities: (1) Data Collection,
involving (a) data reporting (Automated reporting Real-time
monitoring) and (b) data management (Consolidation,
Validation, and Visualisation)); and (2) Data Analytics,
which perform (a) Market surveillance (manipulation, in-
sider trading), (b) Misconduct analysis (AML/CFT, Fraud,
Mis-selling), (c) Micro-prudential (Credit risk, Liquidity
risk), and (d) Macro-prudential (Forecasting, Emerging risk
signalling, Financial stability, Policy evaluation). Data
collection approaches include using APIs, Data input
97
approaches, Data pull approaches, Machine-readable reg-
ulation, Cloud computing, and Chatbots. The new tech-
nologies involved in Data Analytics include Big Data
(Hadoop etc.), AI, involving the application of Knowledge
Representation (KR) ontologies, Natural Language Pro-
cessing (NLP), and Machine Learning (ML) technologies
covering Supervised learning, Unsupervised learning, Topic
modelling, Random Forest, Image recognition, and Neural
networks (Broeders and Prenio, 2018).
In a broader societal context, the use of IT by gov-
ernments and organisations to monitor citizens is of
concern (Norris, 2005; Zuboff, 2015). AI-based tech-
niques, such as automated facial recognition, predictive
algorithms, and biometrics, are increasingly being viewed
as pervasive policing tools (Bacalu, 2021). Also of societal
concern is the increased use of predictive sentencing al-
gorithms in the justice system, such as the COMPAS
system (Washington, 2018). Predictive algorithms,
whether biometric or behavioural, being used by gov-
ernments and businesses are argued to incur bias risks
(Drozdowski et al., 2020). All of the aforementioned IT
artefacts enable regulation through IT. Again, such matters
appear not to enjoy the attention of IS researchers and are
lacunae that require attention.
A framework of institutional work on regulating of
and through IT
A review of the IS literature suggests that institutional
theory provides a rich framing opportunity for IS re-
searchers studying how IT interacts with regulative, nor-
mative, and cultural-cognitive processes and activities
(Orlikowski and Barley, 2001; Mignerat and Rivard, 2009;
Hinings, Gegenhuber, and Greenwood, 2018; Butler and
Hackney, 2021). Several salient concepts from institutional
theory can thus enrich our understanding of how regulation
of and through IT can be created, maintained, or disrupted.
This happens through micro-level behaviours called insti-
tutional work (Lawrence and Suddaby, 2006; Gozman and
Currie 2014; Henningsson and Eaton, 2023).
The concepts of institutional environment (Scott, 2005)
and organisational field (DiMaggio and Powell, 1983)
provide an essential macro-level lens for identifying sets
of actors that engage in and populate institutional pro-
cesses, activities, and structures. DiMaggio and Powell
(1983, p. 143) define an organisational field as consisting
of ‘[t]hose organisations that, in the aggregate, constitute a
recognized area of institutional life: [These include] key
suppliers, resource and product consumers, regulatory
agencies, and other organisations that produce similar
services or products’. Other institutional actors, such as
policymakers, governments, NGOs, and social move-
ments, populate the broader institutional environment
98
(Senyo et al., 2022a; Senyo et al., 2022b). This is not an
exhaustive list of actors.
In the context of the regulation of IT artefacts, the in-
stitutional environment and organisational field of the IT
industry are created, maintained, and disrupted (1) by co-
ercive mechanisms (legislative and regulatory principles
and rules) originating in government policy-making, reg-
ulatory agencies, the judiciary, and so on; (2) through
normative mechanisms (from professional bodies and
industry/trade standards bodies/associations, suppliers,
consulting organisations, distributors, and so on); and
cultural-cognitive/mimetic mechanisms that originate in
and shape and influence logics and decisions of organisa-
tions, their competitors, shareholders, non-government
organisations (NGOs), and society-at-large.
It is clear from our review of the literature on regulation
and extant theorising on institutional work that a complex
interplay of coercive mechanisms (lobbying, conflict, and
economic pressures from dominant actors), normative
(professional assessments, industry standards) and cultural-
cognitive/mimetic mechanisms (framing, translation) is at
play and constantly shapes the social construction of pol-
icies, legislation, regulations etc. We need also to consider
the multiple categories of activity involved in institutional
work, as identified by Lawrence and Suddaby (2006). Such
activities may be conceptualised as a network of mecha-
nisms, applied by institutional actors that socially construct
and produce institutional outcomes. The outcomes of in-
stitutional work on IT artefacts are regulations in the form of
principles, rules, standards/guidelines and so on that the
design and operation of such IT artefacts must comply with.
Following Lounsbury et al. (2021), we note that actors
participating in institutional work typically operate under di-
vergent and conflicting institutional logics, which are defined as:
‘the socially constructed, historical pattern of material practices,
assumptions, values, beliefs, and rules by which individuals
produce and reproduce their material subsistence, organize time
and space and provide meaning to their social reality’ (Thornton
and Ocasio 1999, p. 804). Thus, institutional logics inform
actors’ choices and the use of the mechanisms that create, bring
about change to or maintain, or disrupt institutions and policies
(Gozman and Currie, 2013). Take, for example, in discussing AI
technologies, Büthe et al. (2022, p. 12) state: ‘Laws, regulations
and other measures to govern AI thus do not so much reflect
inherent characteristics or objective truths about the technology
but reflect political actors’ perceptions given those actors’
predisposition – and in the process of framing what needs to be
addressed, they construct the technology’.
Regulations and laws are not objective facts but always
involve social interpretation (Edelman and Suchman, 1997;
Currie et al., 2018). IT-enabled IS underpin many such internal
controls: Furthermore, compliance efforts by necessity call for
interpretations of rules, norms and logics encapsulated within IT
artefacts (Orlikowski and Iacono, 2001; de Vayjanay et al.,
Journal of Information Technology 38(2)
2018). Regulatory technologies, correspondingly, are not solely
objective ‘artefacts’ (Bamberger, 2009; Callon and Muniesa,
2005; Itami and Numagami, 1992; Muniesa et al., 2007; Preda,
2007; Zaloom, 2003). They create and circumscribe a particular
worldview that alters the decision-maker’s perceptions of the
system designed to inform them (Heidegger, 1954). Indeed,
various scholars have recognised the performativity of IT ar-
tefacts and, correspondingly, the technological constitution of
regulated ‘objective’ markets. IT artefacts ‘might authorize,
allow, afford, encourage, permit, suggest influence, block,
render possible, forbid…’ actions and thereby implement in-
ternal controls (Latour, 2005, p. 72). In this way, ITartefacts play
a salient role in underpinning compliance and control practices
by affording and constraining actions (Gibson, 1986; Majchrzak
and Markus, 2013; Zammuto et al., 2007; de Vayjanay et al.,
2018). Such constraints and affordances are composites of
intertwined human agency, ‘the ability to form and realise
goals’, and material agency, ‘the capacity for non-human sys-
tems to act on their own apart from human intervention’
(Leonardi, 2011, p. 147–148).
Conceptual Ontology and Research Lens for
Future Studies
In the field of knowledge engineering, ‘[a]n ontology is a
formal, explicit specification of a shared conceptualization’
(Studer et al., 1998, p. 184): Figure 1 presents a proposed
ontology that captures and represents the concepts and
relationships salient to the regulation of and through IT. The
ontology semantics and relationship types are here captured
in a UML Class Diagram. The legend explains the meaning
of the relationship symbols for those unfamiliar with UML
notation. The ontology elements were specified in The
Unpacking the Complex Concept of Regulation, The The
Risk Concept and its Temporal Dimensions, The On
the Need to Regulate Risk in IT Artefacts, The Regulation
through IT: From GRC, RegTech, The SupTech and Social
Justice and Control, The A Framework of Institutional Work
on Regulating of and through IT above. They represent
related legal, regulatory, industry, standards and organisa-
tional sub-domains and capture the governance, business
model, functional and operational activity dimensions.
The operational activity concept forms the nexus of the
model, as operational activities (1) deliver value propositions
by achieving business objectives; (2) generate operational
and other risks by imposing threats to and vulnerabilities in
people, processes, and IT systems; (3) are the targets of
business policies, standards and procedures and controls that
implement business and regulatory compliance goals. The
example is industry specific to financial services but can be
generalised to other sectors with minor adjustments.
We can start with the regulatory domain, where we see
the role of the Basel Committee on Banking Supervision.
Their members are drawn from regulatory and
Butler et al.
Figure 1. Conceptual ontology for regulation of and through IT.
supervisory authorities across the globe, producing
principles and accords, such as the Principles for the
Sound Management of Operational Risk (BCBS, 2011,
2020). These principles are next transposed into regu-
latory provisions with some requirements formulated as
regulatory rules. The influence of regulated entities,
banks, and other financial entities is not shown. However,
this process shapes principles and accords and their
adoption and application by regulators (Hughes, 2021).
Regulations have multiple impacts on business organi-
sations, affecting business governance, business models,
business strategies, and business objectives and leading
to the formation of business policies, standards and
procedures, and controls. The latter is essential as they are
formal prescriptions on how operational risks, including
IT risks, are to be mitigated. The standards, procedures,
and controls are embedded in rules and processes, which
may be analogue (manual) or digital. If digitised, they are
types of regulation through IT (de Vaujanay et al. 2018).
They may be directly embedded in business applications,
GRC IS or RegTech applications.
At the core of the model is the concept of operational activity.
The people, process, IT artefacts (systems), and third-party
(external events) dimensions specified by BCBS (2001,
2011, 2020) are included. The link to risk and control di-
mensions, which are inherent in an operational activity and its
99
components, is captured as a transitive relationship via the
operational activity to the people, process (analogue and digital),
rules, IT artefact and its software, hardware/networking, and
data components, as are the threats, vulnerability dimensions
and consequences. Regulatory organisations also have opera-
tional activities that include people, processes, and IT artefacts.
Inter alia, these focus on drafting regulations, risk assessment,
data collection, data analytics, and supervising compliance.
Thus, the central elements of the conceptual ontology could be
applied in research on regulatory organisations in their use of IT
artefacts for regulation through IT.
In studying the regulation of IT, it is essential to note that the
type – principles (requirement standards) or rules (command
and control) – will determine the related policies, standards and
procedures and controls that will be put in place. All these
elements will be documented and captured in a GRC system or,
in many organisations, Excel spreadsheets. In the financial
sector, the minimum regulators demand is a risk management
framework with a risk taxonomy and a risk register mapped to
controls. It may be difficult to understand, but risk management
and compliance reporting processes have yet to be properly
digitised. Across the industry, there is an over-reliance on
manual risk control self-assessment (RCSA) (Hughes, 2021).
Compliance reporting is another area where financial
institutions fail to transform digitally with unreliable,
labour-intensive approaches to financial, risk and
100 Journal of Information Technology 38(2)

compliance reporting. Take, for example, the ‘Dear CEO’
letter in September 2021 from the UK’s Prudential Regu-
latory Authority, which questioned the quality and reli-
ability of regulatory compliance reporting.5 In 2022,
another ‘Dear CEO’ letter pointed towards the same issues
causing significant financial and operational risk problems.6
In this regard, the model also provides a valuable framework
for studying regulation through IT.
Table 4 draws on The Unpacking the Complex Concept
of Regulation, The The Risk Concept and its Temporal
Dimensions, The On the Need to Regulate Risk in IT Ar-
tefacts, The Regulation through IT: From GRC, RegTech,

Table 4. Regulatory and business domain research questions on the regulation of and through IT.

Regulatory domain research questions business domain research questions

Institutional Work on Regulation of and through IT Governance

• What type of institutional work produced a particular
regulation(s) (or guiding principles/standards/accords)?
• Who participated in the social construction of the regulations? Risk Management and Compliance Reporting
• Who participated in the social construction of the regulations? • Have critical business activities, related people, processes, and IT
• What was the level of public and industry consultation?
• What institutional logics were identified in and across
institutional groups and networks?
• What institutional mechanisms were employed?
Regulation of IT
• Was the regulation rule-based, principal-based or hybrid? Why? • Is risk control self-assessment (RCSA) in the organisation?
• Were the impact and implications on governance, business
models, strategies and objectives considered?
• Was there a balance between innovation, intended and
unintended consequences, and negative affordances?
• Were the business activities within the scope of regulatory
provisions identified?
Risk
• Were the risk-generating people, processes and IT systems
identified?
• As IT artefact risk is a category of operational risk, were the • Are multiple IT artefacts from different vendors employed for
threats, vulnerabilities, and consequences identified by
regulators? How?
• How strong was the regulatory knowledge (inverse of
uncertainty) of the IT artefacts under consideration?
• Was a risk assessment carried out?
Principles, Rules and Standards
• Are the instituted rules enforceable? Can they lead to regulatory
arbitrage?
• Which industry standards and guidelines were specified for
adoption in proving compliance with regulatory principles?
• Was a regulatory impact assessment conducted?
Regulation through IT
• What digitalisation (SupTech) level is in evidence among
regulatory and supervisory agencies?
• What type of IT artefacts are being used for SupTech systems?
• What policies, standards and procedures, and controls were or
needed to be implemented in an organisation to comply with
regulatory requirements?
systems (to software, data, and computer network infrastructure)
been identified, risk assessed, and their relationships mapped?
• Do the IT artefacts and their affordances map onto the policies,
standards and procedures and controls? Can this be
demonstrated?
• Have these dimensions been mapped to third-parties service
providers, whether enabling processes or through SaaS, PaaS, or
IaaS, in the cloud?
• Are the risk and control functions integrated or siloed?
• How are risks and controls assessed and audited?
• What industry standards are in place to perform IT governance,
risk management, and control?
Regulation through IT
• Are the risk management and regulatory compliance activities
digitised in an organisation (e.g. using RegTech/GRC)?
• What is the level of digital automation and information of risk
assessment, control, and compliance reporting in the
organisation?
• Are key risk indicators (KRI) and key control indicators (KCI)
identified, employed, and digitised?
this, or does the organisation have an enterprise-wide IT artefact
to perform GRC?
• Are control rules digitised in operational applications and
management systems?
• Has digital transformation been leveraged to ensure the
digitalisation of risk and compliance management and reporting
processes?
Butler et al.
The SupTech and Social Justice and Control, The A
Framework of Institutional Work on Regulating of and
through IT and the conceptual ontology to identify the
category, type, and scope of research questions that future
research on the regulation of and through IT should answer
to build a cumulative body of rigorous and relevant re-
search. The questions are not exhaustive: Rather, they il-
lustrate the type of inquiries that researchers should make
when exploring the phenomena of interest at whatever level
of analysis they are operating. Furthermore, it must be noted
that the two groups of regulatory and business domain
questions are related and comprehending both domains and
how they interact is vital for achieving an overall under-
standing. Ultimately, the strength of a conceptual ontology
such as this is the way in which it provides a common
language (i.e. conceptual semantics) and maps the complex
web of relationships between concepts.
Conclusions
While SOX, GDPR, Cybersecurity, digital services, and
markets regulations cut across all the industry sectors in
terms of the need to regulate IT, specific organisational
fields, such as the financial industry, the pharmaceutical
industry (including the biopharmaceutical sector), the ICT
sector (covering all forms of digital innovation, products
and services), the electrical and electronics (ICT
manufacturing) industry, and the Medical and Healthcare
industries have a considerable level of field-specific regu-
lation focused on IT artefacts and their design and use. The
papers in this special issue cover just the tip of the iceberg in
this socially significant IS research area.
The first paper in this special issue focused on regulation
through IT by investigating the experiences of mobile health
application users (Davidson et al., 2023). In a broader
context, regulators are concerned about the increased use of
software in medical devices, particularly software that
collects sensitive data and employs AI. The US Food and
Drug Administration recently proposed a regulatory
framework for the use of AI and ML algorithms in IT ar-
tefacts classified as Software as a Medical Device or SaMD
(FDA, 2019; Chhaya and Khambholja, 2021); However,
‘regulators, such as the US FDA, the European Medicines
Agency (EMA), and national competent authorities for
medical devices are working to figure out how to interpret,
apply, or modify their existing regulatory frameworks’
(Minssen et al., 2020, p. 1; cf. European Commission,
2021). The FDA and the EU’s European Medical
Agency (EMA) currently address the need to account for
negative affordances and risks that SaMD presents (Ibid.).
However, concerns have been raised as to the ability of
regulators to address risks to data privacy, cybersecurity and
accuracy or bias in AI-based SaMD (Cohen et al., 2020). In
2022, researchers concluded that: ‘Insufficient public
101
information on validation datasets in several FDA-regulated
AI/ML algorithms makes it difficult to justify clinical ap-
plications since their generalizability and presence of bias
cannot be inferred’ (Ebrahimian et al., 2022, p. 559; cf.
Gerke et al., 2020). We believe this is an important study
area worthy of IS researchers’ attention.
The remaining papers in this special issue focus on
various aspects of digital infrastructures and platforms. As
with regulatory concerns surrounding the use of AI there is
a growing concern across society regarding the use of ML-
and NLP-based IT artefacts in digital infrastructures and
platforms (Blauth, Gstrein, and Zwitter, 2022; Büthe et al.,
2022; Chang, 2022; Korngiebel and Mooney, 2021;
Mikalef et al., 2022; Wright, 2021). Two books published
in 2022, the first titled The Loop by a science and tech-
nology journalist for NBC (Ward, 2022), and the second,
Stolen Focus by a British investigative journalist (Hari,
2022), present extensive evidence that designers of digital
infrastructures deliberately leveraged negative affordances
of ML-based AI algorithms to exploit known psycho-
logical weaknesses in humans. Both authors point to Nir
Eyal, author of Hooked: How to Build Habit-Forming
Products, among other sources, to illustrate why AI al-
gorithms require regulation. This has only recently been
touched by IS researchers, viz. Tomalin (2022, p. 3) states
that ‘certain online platforms have been specifically de-
signed to induce addiction’ (see also Moqbel and Kock,
2018). Some of those responsible for designing the IT
artefacts in question have called for their regulation and a
change in digital platform business models (Hari, 2022).
The recent special issue of the European Journal of In-
formation Systems focused on differentiating between
‘responsible AI and “dark side” of AI’, and briefly on the
need for laws and regulation (Mikalef et al., 2022):
However, while the special issue noted AI’s ‘negative or
unintended consequences’ (Ibid., p. 258), the existence of,
or regulatory and business responses to, intended negative
consequences (i.e. as overt or covert business objectives)
were not recognised.
It is notable that with a few exceptions, IS research has
heeded little to the negative affordances of IT artefacts
posing rising risks to individuals and societal systems
(Mikalef et al., 2022). Take, for example, a recent paper by
Malhotra, Majchrzak, and Lyytinen (2021), which points
out the dearth of research on negative or constraining af-
fordances of IS and the interdependencies and interactions
between affordances. One may conclude that if the affor-
dances are negative, and intentionally leveraged in pursuit
of business objectives, then such affordances may magnify
the risks – the whole being more than the sum of the parts. In
considering Table 3, the interactions of negative affordances
between the different categories of IT artefacts, AI, quantum
computing, and IoT are likely to pose significantly higher
systemic risks (Paech, Butler et al. 2019).
102
Drawing on the findings of the papers in this issue and
our research, we posit that regulators and supervisory
agencies across most industry sectors operate predomi-
nantly in reactive mode and fail to anticipate the risks and
negative consequences of IT artefacts. As with the financial
industry, we wonder if there exists not only an information
asymmetry between regulators and the regulated but also an
expertise asymmetry concerning the understanding of the
risks and rewards of IT artefacts, particularly in the boards
of corporations (Paech, Butler et al. 2019). Evidence also
suggests that policymakers are subject to techno-
fundamentalism and a pro-IT innovation and business
bias (Orr, 1994, 1998). Accordingly, we believe that too
much emphasis is paid to the positive affordances touted by
the IT industry for their offerings and not enough consid-
eration to their negative affordances and their consequences
for society and the environment. These factors present
significant barriers that impede comprehensive, competent,
and effective institutional work to ensure that regulations
adequately protect individuals and society. Finally, due to its
multidisciplinary nature and unique socio-technical axis of
cohesion in research perspectives, the IS field is uniquely
placed to help regulators, the regulated, and other stake-
holders understand and address the critical issues and risks
they and society face. The road ahead is complex and
challenging, but if IS research seeks to remain relevant to all
stakeholders, it must critically challenge the taken-for-
granted assumptions regarding the negative affordances
and risks of the current and future generations of IT arte-
facts. We ask: Are IS researchers and IS journal editors
willing to take up this challenge?
Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with re-
spect to the research, authorship, and/or publication of this article.
Funding
The author(s) received no financial support for the research, au-
thorship, and/or publication of this article.
ORCID iD
Daniel Gozman  https://orcid.org/0000-0002-7399-9201
Notes
1. We are grateful to the following colleagues who acted as re-
viewers: Stefan Haefliger, Jonas Hedman, Uri Gal, Silvia
Masiero, Eric Lim, Barney Tan, Roman Beck, Eva Micheler,
Jonathan Liebenau, Ganna Pogrebna, Michelle Kaarst-Brown,
Wendy Currie, Christian Kurtz, Michel Avital , Chris Parker,
Stan Karanasios, Vladislav Fomin, Nicholas Berente, Sean
Hansen, Carsten Sørensen, Donna Iaculano, Francois de
Vaujany, John King, Matti Rossi, Charlie McElroy, Thomas
Journal of Information Technology 38(2)
Jensen, Pierangelo Rosati, Susan Winter, Ping Wang, Rudy
Hirschheim, M. Lynne Markus, David Tilson, Ben Eaton,
Michael zur Muehlen, Jing Tang, Mikhail Oet, Theo Lynn,
Heiko Gewald, Selja Seppalla, Frantz Rowe, Pierangelo Rosati,
Shazia Sadiq.
2. FAANG is an acronym from Facebook (Meta), Apple, Amazon,
Netflix, and Alphabet (formerly Google). GAFAM of Google,
Apple, Facebook, Amazon, Microsoft, a group of major
computing companies.
3. https://www.dataprotection.ie/sites/default/files/uploads/2019-
11/Guidance_on_the_Principles_of_Data_Protection_Oct19.pdf
4. https://www.iso.org/obp/ui/#iso:std:iso:guide:73:ed-1:v1:en
5. https://www.bankofengland.co.uk/-/media/boe/files/
prudential-regulation/letter/2021/september/thematic-findings-
on-the-reliability-of-regulatory-returns.pdf
6. https://www.bankofengland.co.uk/-/media/boe/files/
prudential-regulation/letter/2022/january/artis-2022-priorities.
pdf. [Accessed: 2022-11-06].
References
Akhigbe O, Amyot D and Richards G (2015) Information tech-
nology artifacts in the regulatory compliance of business
processes: a meta-analysis. In: International Conference on
E-Technologies. Cham: Springer, pp. 89–104.
Akhigbe O, Amyot D, Mylopoulos J, et al. (2017) What can in-
formation systems do for regulators? A review of the state-of-
practice in Canada. In: 2017 11th International Conference on
Research Challenges in Information Science (RCIS). IEEE,
pp. 57–65.
Akhigbe O, Amyot D, Richards G, et al. (2021) GoRIM: a model-
driven method for enhancing regulatory intelligence. Soft-
ware and Systems Modeling, pp. 1–29.
Aven T (2011) On some recent definitions and analysis frame-
works for risk, vulnerability and resilience. Risk Analysis
31(4): 515–522.
Aven T (2015) The concept of antifragility and its implications for
the practice of risk analysis. Risk analysis 35(3): 476–483.
Aven T (2017) How some types of risk assessments can support
resilience analysis and management. Reliability Engineering
& System Safety 167: 536–543.
Aven T (2019) The call for a shift from risk to resilience: What
does it mean? Risk Analysis 39(6): 1196–1203.
Aven T and Renn O (2009) On risk defined as an event where the
outcome is uncertain. Journal of risk research 12(1): 1–11.
Aven T, Ben-Haim Y, Boje Andersen H, et al. (2018) Society for
risk analysis glossary. In: Society for Risk Analysis. https://
www.sra.org/wp-content/uploads/2020/04/SRA-Glossary-
FINAL.pdf
Bacalu F (2021) Digital policing tools as social control technol-
ogies: data-driven predictive algorithms, automated facial
recognition surveillance, and law enforcement Biometrics.
Analysis and Metaphysics 20: 74–88.
Butler et al.
Baldwin R, Cave M and Lodge M (2011) Understanding reg-
ulation: theory, strategy, and practice. Oxford university
press.
Bamberger KA (2009) Technologies of compliance: risk and
regulation in a digital age. Tex. L. Rev 88: 669.
BCBS (1989) Risks in Computer and Telecommunication Systems.
https://www.bis.org/publ/bcbsc136.htm
BCBS (2001) Basel Committee on Banking Supervision. Working
Paper on the Regulatory Treatment of Operational Risk.
Available at www.bis.org
BCBS (2011) Principles for the Sound Management of Opera-
tional Risk. Bank for International Settlements. https://www.
bis.org/publ/bcbs195.pdf
BCBS (2020) Revisions to the principles for the sound manage-
ment of operational risk. https://www.bis.org/bcbs/publ/
d508.pdf
BCBS (2004) Basel II Revised International Capital Framework.
https://www.bis.org/publ/bcbsca.htm
Bendale A, Patel N, Damahe DP, et al. (2011) Computer software
validation in pharmaceuticals. Asian Journal of Pharma-
ceutical Sciences and Clinical Research 1(2): 27–39.
Bennett WL (2021) Killing the golden goose? A framework for
regulating disruptive technologies. Information, Communi-
cation & Society, pp. 1–21.
Bjørnsen K and Aven T (2019) Risk aggregation: What does it
really mean? Reliability Engineering & System Safety 191:
106524.
Blauth TF, Gstrein OJ and Zwitter A (2022) Artificial intelligence
crime: an overview of malicious use and abuse of AI. IEEE
Access 10: 77110–77122.
Bosschaerts A and Lio G (2022) Increased focus on operational
resilience. Journal of Securities Operations & Custody 14(4):
319–328.
Broeders D and Prenio J (2018) Innovative technology in financial
supervision (SupTech): the experience of early users. In: FSI
Insights on policy implementation. Financial Stability Insti-
tute, Bank for International Settlements.
Burgemeestre B, Hulstijn J and Tan YH (2009) Rule-based versus
principle-based regulatory compliance. In: Legal Knowledge
and Information Systems. IOS Press, pp. 37–46.
Büthe T, Djeffal C, Lütge C, et al. (2022) Governing AI–at-
tempting to herd cats? Introduction to the special issue on the
governance of artificial intelligence. Journal of European
Public Policy 29(11): 1–32.
Butler T (2011) Compliance with institutional imperatives on
environmental sustainability: building theory on the role of
Green IS. The Journal of Strategic Information Systems
20(1): 6–26.
Butler T (2012) Regulating green IT: laws, standards, and pro-
tocols. In: San M and Gangadharan GR (eds), Harnessing
green IT: Principles and Practices. Wiley, pp. 297–341.
Butler T (2017) Towards a standards-based technology architec-
ture for RegTech. Journal of Financial Transformation 45(1):
49–59.
103
Butler T and Abi-Lahoud E (2014) A mechanism-based expla-
nation of the institutionalization of semantic technologies in
the financial industry. In: International Working Conference
on Transfer and Diffusion of IT. Berlin, Heidelberg: Springer,
pp. 277–294.
Butler T and Brooks R (2021) Achieving operational resilience in
the financial industry: Insights from complex adaptive sys-
tems theory and implications for risk management. Journal of
Risk Management in Financial Institutions 14(4): 395–407.
Butler T and McGovern D (2012) A conceptual model and IS
framework for the design and adoption of environmental
compliance management systems. Information Systems
Frontiers 14(2): 221–235.
Butler T and O’Brien L (2019) Understanding RegTech for digital
regulatory compliance. In: Disrupting Finance. Cham: Pal-
grave Pivot, pp. 85–102.
Butler T and Hackney R (2021) The role of informational
mechanisms in the adoption of Green IS to achieve eco-
sustainability in municipalities. Information & Management
58(3): 103320.
Bygrave LA (2017) Data protection by design and by default:
deciphering the EU’s legislative requirements. Oslo Law
Review 4(2): 105–120.
Callon M and Muniesa F (2005) Peripheral vision economic
markets as calculative collective devices. Organization
Studies 26(8): 1229–1250.
Chang SY (2022). Towards detection of AI-generated texts and
misinformation. In Socio-Technical Aspects in Security: 11th
International Workshop, STAST 2021, Virtual Event. (p. 194).
Springer Nature.
Cheng CY, Chien MS and Lee CC (2021) ICT diffusion, financial
development, and economic growth: an international cross-
country analysis. Economic modelling 94: 662–671.
Chhaya V and Khambholja K (2021) The SaMD regulatory
landscape in the US and Europe. Regulatory Focus. Regu-
latory Focus, Regulatory Affairs Professionals Society: 1–10.
Ciborra C (2006) Imbrication of representations: risk and digital
technologies. Journal of Management Studies 43(6):
1339–1356.
Clark DD and Claffy KC (2015) Anchoring policy development
around stable points: an approach to regulating the co-evolving
ICT ecosystem. Telecommunications Policy 39(10): 848–860.
Clarke R (2022) Research opportunities in the regulatory aspects of
electronic markets. Electronic Markets 32(1): 179–200.
Clark-Ginsberg A and Slayton R (2019) Regulating risks within
complex sociotechnical systems: evidence from critical in-
frastructure cybersecurity standards. Science and Public
Policy 46(3): 339–346.
Clemons EK and Wilson J (2018) The future of academic research
in information systems economics: from information systems
and strategy to innovative business models, social impacts,
public policy, regulation, and the law. In: Proceedings of the
51st Hawaii International Conference on System Sciences,
Waikoloa Village, Hawaii, pp. 5232–5241.
104
Cohen IG, Evgeniou T, Gerke S, et al. (2020) The European
artificial intelligence strategy: implications and challenges
for digital health. The Lancet Digital Health 2(7):
e376–e379.
Colangelo A, Gross F and Schuster F (2021) Effective measure-
ment of the economy in the emerging digital age. In Pro-
ceedings 63rd ISI World Statistics Congress (p. 16).
Cordelia A (2007) E-government: towards the e-bureaucratic
form? Journal of Information Technology 22(3): 265–274.
Crouhy M, Galai D and Mark R (2006) The essentials of risk
management. New York: McGraw-Hill.
Culpepper PD and Thelen K (2020) Are we all Amazon primed?
Consumers and the politics of platform power. Comparative
Political Studies 53(2): 288–318.
Currie WL, Gozman DP and Seddon JJ (2018) Dialectic tensions
in the financial markets: a longitudinal study of pre-and post-
crisis regulatory technology. Journal of Information Tech-
nology 33(4): 304–325.
Currie WL and Seddon JJM (2017) The regulatory, technology and
market ‘dark arts trilogy’ of high frequency trading: a research
agenda. Journal of Information Technology 32(2): 111–126.
Davidson E, Winter J and Chiasson M (2023) Investigating IT-
based Regulation of Personal Health: Nudging, Mobile Apps
and Data. Forthcoming: Journal of Information Technology.
De Reuver M, Sørensen C and Basole RC (2018) The digital
platform: a research agenda. Journal of information tech-
nology 33(2): 124–135.
De Vaujany FX, Fomin VV, Haefliger S, et al. (2018) Rules,
practices, and information technology: a trifecta of organi-
zational regulation. Information Systems Research 29(3):
755–773.
Dickson J (2003) Configuring software for compliance with
21 CFR Part 11 audit trail requirements. Pharmaceutical
Technology Europe 15(11).
DiMaggio PJ and Powell WW (1983) The iron cage revisited:
institutional isomorphism and collective rationality in orga-
nizational fields. American sociological review: 147–160.
Drozdowski P, Rathgeb C, Dantcheva A, et al. (2020) Demo-
graphic bias in biometrics: a survey on an emerging chal-
lenge. IEEE Transactions on Technology and Society 1(2):
89–103.
Ebrahimian S, Kalra MK, Agarwal S, et al. (2022) FDA-
regulated AI algorithms: Trends, strengths, and gaps of
validation studies. Academic Radiology 29(4): 559–566.
Edelman LB and Suchman MC (1997) The legal environments of
organizations. Annual review of sociology: 479–515.
European Commission (2020) Proposal for a REGULATION
OF THE EUROPEAN PARLIAMENT AND OF THE
COUNCIL on digital operational resilience for the fi-
nancial sector and amending Regulations (EC) No 1060/
2009. https://eur-lex.europa.eu/legal-content/EN/TXT/
PDF/?uri=CELEX:52020PC0595&from=EN
European Commission (2021) European commission white paper
on artificial intelligence–a European approach to excellence
Journal of Information Technology 38(2)
and trust. https://ec.europa.eu/info/sites/info/files/
commissionwhitepaper-artificial-intelligence-feb2020_en.
pdf
European Commission (2003) Communication from the Com-
mission to the Council and the European Parliament -
Modernising Company Law and Enhancing Corporate
Governance in the European Union - A Plan to Move For-
ward. https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=
celex%3A52003DC0284
Eyal N (2014) Hooked: How to build habit-forming products.
Penguin.
FDA (2019) Proposed regulatory framework for modifications to
artificial intelligence/machine learning (AI/ML)-based soft-
ware as a medical device (SaMD). Food and Drug
Administration.
Feld H (2019) The case for the Digital Platform Act: Market
structure and regulation of digital platforms. Roosevelt
Institute.
Flew T and Gillett R (2021) Platform policy: evaluating different
responses to the challenges of platform power. Journal of
Digital Media & Policy 12(2): 231–246.
Ford CL (2008) New governance, compliance, and principles-
based securities regulation. Am. Bus. LJ 45: 1.
Gasparri G (2019) Risks and opportunities of RegTech and
SupTech developments. Frontiers in Artificial Intelligence 2:
1–4.
Gerke S, Babic B, Evgeniou T, et al. (2020) The need for a
system view to regulate artificial intelligence/machine
learning-based software as medical device. NPJ digital
medicine 3(1): 1–4.
Gibson JJ (1986). The ecological approach to visual perception
(Kindle edition). Hillsdale, NJ: Lawrence Erlbaum Associates.
Gleiss A, Pousttchi K and Degan K (2023) Identifying the
patterns: towards a systematic approach to digital plat-
form regulation.
Gozman D and Currie W (2013) Building post crisis watchtowers:
investment management systems and new institutional logics
for regulatory compliance.
Gozman D and Currie W (2014) The role of investment man-
agement systems in regulatory compliance: a post-financial
crisis study of displacement mechanisms. Journal of Infor-
mation Technology 29(1): 44–58.
Gozman D and Willcocks L (2019) The emerging cloud dilemma:
balancing innovation with cross-border privacy and out-
sourcing regulations. Journal of Business Research 97:
235–256.
Gozman D, Liebenau J and Aste T (2020) A case study of using
blockchain technology in regulatory technology. MIS
Quarterly Executive 19(1): 19–37.
Gupta S (2022) The interaction between technology, business
environment, society, and regulation in ICT industries. IIMB
Management Review.
Hari J (2022) Stolen Focus: Why You Can’t Pay Attention–and
How to Think Deeply Again. Crown.
Butler et al.
Hawley J (2021) The Tyranny of Big Tech. Simon and Schuster.
Heidegger M (1954) The question concerning technology. Tech-
nology and values: Essential readings 99: 113.
Henningsson S and Eaton B (2023) Governmental Regulation and
Digital Infrastructure Innovation: The Mediating Role of
Modular Architecture. Forthcoming: Journal of Information
Technology.
Hinings B, Gegenhuber T and Greenwood R (2018) Digital in-
novation and transformation: an institutional perspective.
Information and Organization 28(1): 52–61.
Hughes PJ (2021) Where Next for Operational Risk? A Guide for
Risk Managers and Accountants. Grosvenor House Pub-
lishing Ltd.
Itami H and Numagami T (1992) Dynamic interaction between
strategy and technology. Strategic Management Journal
13(S2): 119–135.
Jasmontaite L, Kamara I, Zanfir-Fortuna G, et al. (2018) Data
protection by design and by default: Framing guiding prin-
ciples into legal obligations in the GDPR. European. Data
Protection Law Review 4: 168.
Karanasios S, Kokshaguna O and Reinecke P (2023) To Regulate
or Not to Regulate: Unravelling Institutional Tussles Around
the Regulation of Algorithmic Control of Digital Platforms.
Forthcoming: Journal of Information Technology.
Kates RW and Kasperson JX (1983) Comparative risk analysis of
technological hazards (a review). Proceedings of the National
Academy of Sciences 80(22): 7027–7038.
Kim J and Yoo J (2019) Science and technology policy research in
the EU: from Framework Programme to HORIZON 2020.
Social Sciences 8(5): 153.
Kirby M (2009) The fundamental problem of regulating tech-
nology. Indian Journal of Law and Technology 5(1): 1–25.
Korngiebel DM and Mooney SD (2021) Considering the possi-
bilities and pitfalls of Generative Pre-trained Transformer 3
(GPT-3) in healthcare delivery. NPJ Digital Medicine 4(1): 1–3.
Kosseff J (2019) Cybersecurity law. John Wiley & Sons.
Latour B (2005) Reassembling the Social-An Introduction to
Actor-Network-Theory. Oxford: Oxford University Press.
Lawrence TB and Suddaby R (2006) Institutions and institutional
work. In: Clegg R, Hardy C, Lawrence TB, et al. (eds),
Handbook of organization studies. 2nd edn. London: Sage,
pp. 21–254.
Leonardi PM (2011) When flexible routines meet flexible tech-
nologies: affordance, constraint, and the imbrication of hu-
man and material agencies. MIS Quarterly 35(1): 147–167.
Lindman J, Makinen J and Kasanen E (2023) Big Tech’s Power,
Political Corporate Social Responsibility, and Regulation.
Forthcoming: Journal of Information Technology.
Logan TM, Aven T, Guikema S, et al. (2021) The role of time in
risk and risk analysis: implications for resilience, sustain-
ability, and management. Risk Analysis: 1–12.
Lounsbury M, Steele CW, Wang MS, et al. (2021) New directions
in the study of institutional logics: From tools to phenomena.
Annual Review of Sociology 47: 261–280.
105
Lundvall BÅ and Borrás S (2005) Science, technology, and in-
novation policy. In: Fagerberg J, Mowery DC and Nelson RR
(2005) (eds), The Oxford handbook of innovation, Oxford
University Press, 599-631.
Lyytinen K and Robey D (1999) Learning failure in information
systems development. Information Systems Journal 9(2):
85–101.
Lyytinen K, Mathiassen L and Ropponen J (1998) Attention
shaping and software risk—a categorical analysis of four
classical risk management approaches. Information Systems
Research 9(3): 233–255.
Majchrzak A and Markus M (2013) Technology Affordances and
Constraints Theory (of MIS). Thousand Oaks, CA: Sage
Publications.
Malhotra A, Majchrzak A and Lyytinen K (2021) Socio-technical
affordances for large-scale collaborations: introduction to a
virtual special issue. Organization Science 32(5): 1371–1390.
Mansell R (2021) European responses to (US) digital platform
dominance. In: The Routledge handbook of digital media and
globalization. Routledge, pp. 141–149.
Mantelero A, Vaciago G, Samantha Esposito M, et al. (2020) The
common EU approach to personal data and cybersecurity
regulation. International Journal of Law and Information
Technology 28(4): 297–328.
Mattli W (2019) Darkness by Design. Princeton: Princeton Uni-
versity Press.
Mignerat M and Rivard S (2009) Positioning the institutional
perspective in information systems research. Journal of In-
formation Technology: Special Issue on Institutional Theory
in Information 24(4): 369–391.
Mikalef P, Conboy K, Lundström JE and Popovič A (2022)
Thinking responsibly about responsible AI and ‘the dark
side’of AI. European Journal of Information Systems 31(3):
257–268.
Minssen T, Gerke S, Aboy M, et al. (2020) Regulatory responses to
medical machine learning. Journal of Law and the Biosci-
ences 7(1): lsaa002.
Monkiewicz J (2022). Financial supervision in digital age: in-
novations and data abundance. In: Ga˛ siorkiewicz L and Jan
M. (eds.), Digital Finance and the Future of the Global
Financial System (pp. 213-225). Routledge.
Moqbel M and Kock N (2018) Unveiling the dark side of social
networking sites: personal and work-related consequences of
social networking site addiction. Information and Manage-
ment 55(1): 109–119.
Mousavi S and Gigerenzer G (2014) Risk, uncertainty, and heu-
ristics. Journal of Business Research 67(8): 1671–1678.
Muniesa F, Millo Y and Callon M (2007) An Introduction to
market devices. The Sociological Review 55(s2): 1–12.
Nitzberg M and Zysman J (2022) Algorithms, data, and platforms:
the diverse challenges of governing AI. Journal of European
Public Policy: 1–26.
Norris C (2005) From personal to digital: CCTV, the panopticon,
and the technological mediation of suspicion and social
106
control. In: Surveillance as Social Sorting. Routledge,
pp. 263–295.
Omarova ST (2010) Wall street as community of fate: toward
financial industry self-regulation. U. Pa. L. Rev 159: 411.
Orbach B (2012) What is regulation? Yale Journal on Regulation
Online 30(1): 1–10.
Orlikowski WJ and Iacono CS (2001) Research commentary:
desperately seeking the “IT” in IT research—A call to the-
orizing the IT artifact. Information systems research 12(2):
121–134.
Orlikowski WJ and Barley SR (2001) Technology and institutions:
what can research on information technology and research on
organisations learn from each other. MIS Quarterly 25(2):
145–166.
Orr DW (1994) Technological fundamentalism. Conservation
Biology 8(2): 335–337.
Orr DW (1998) Technological fundamentalism. The Ecologist
28(6): 329–333.
Paech PT and Butler T (2019). Thirty recommendations on
regulation, innovation and finance. In: Expert Group on
Regulatory Obstacles to Financial Innovation (ROFIEG).
Available from: https://ec.europa.eu/info/publications/
191113-report-expert-group-regulatory-obstacles-financial-
innovation_en. (Accessed: 2022-01-08).
Papazafeiropoulou A and Spanaki K (2016) Understanding gov-
ernance, risk, and compliance information systems (GRC IS):
The expert’s view. Information Systems Frontiers 18(6):
1251–1263.
Papp R (2006) Information technology & FDA compliance in the
pharmaceutical industry. In: Cases on Telecommunications
and Networking. IGI Global, pp. 280–291.
Parent M and Reich BH (2009) Governing information technology
risk. California Management Review 51(3): 134–152.
Penikas H (2015) History of banking regulation as developed by
the Basel Committee on Banking Supervision 1974-2014.
Estabilidad financiera, pp. 9–47.
Power M (2005) The invention of operational risk. Review of
International Political Economy 12(4): 577–599.
Prather-Kinsey J, Boyar S and Hood AC (2018) Implications for
IFRS principles-based and US GAAP rules-based applica-
tions: are accountants’ decisions affected by work location
and core self-evaluations? Journal of International Ac-
counting, Auditing and Taxation 32: 61–69.
Preda A. (2007) The sociological approach to financial markets.
Journal of Economic Surveys 21(3): 506–533.
Rainer RK, Snyder CA and Carr HH (1991) Risk analysis for
information technology. Journal of Management information
systems 8(1): 129–147.
Renn O (2017) Risk governance: coping with uncertainty in a
complex world. Routledge.
Sama LM and Shoaf V (2005) Reconciling rules and principles: an
ethics-based approach to corporate governance. Journal of
Business Ethics 58(1): 177–185.
Journal of Information Technology 38(2)
Scarantino A (2003) Affordances explained. Philosophy of science
70(5): 949–961.
Schnurr D, Fast V and Wholfarth M (2023) Regulation of Data-
driven Market Power in the Digital Economy: Business Value
Creation and Competitive Advantages from Big Data.
Forthcoming: Journal of Information Technology.
Schueler J and Ostler T (2016) Biopharmaceutical startup’s need of
regulatory intelligence. Journal of Commercial Biotechnol-
ogy 22(1).
Scott WR (2005) Institutional theory: Contributing to a theoretical
research program. Great minds in management: The process
of theory development 37(2): 460–484.
Senyo PK, Gozman D, Karanasios S, et al. (2022a) Moving away
from trading on the margins: economic empowerment of
informal businesses through FinTech. Information Systems
Journal.
Senyo PK, Karanasios S, Gozman D, et al. (2022b) FinTech
ecosystem practices shaping financial inclusion: the case of
mobile money in Ghana. European Journal of Information
Systems 31(1): 112–127.
Shuren J, Patel B and Gottlieb S (2018) FDA regulation of mobile
medical apps. Jama 320(4): 337–338.
Smith ML (2011) Limitations to building institutional trustwor-
thiness through e-government: a comparative study of two
e-services in Chile. Journal of Information Technology 26(1):
78–93.
Studer R, Benjamins VR and Fensel D (1998) Knowledge engi-
neering: principles and methods. Data & knowledge engi-
neering 25(1-2): 161–197.
Tarafdar M, Gupta A and Turel O (2013) The dark side of in-
formation technology use. Information Systems Journal
23(3): 269–275.
Tarbert HP (2019) Rules for Principles and Principles for Rules:
Tools for Crafting Sound Financial Regulation. Harvard
Bussiness Law Review Online, 10, 1.
Theisen TW and Neill CJ (2004) FDA regulations and auditing
practices for software suppliers at a pharmaceutical manu-
facturer. Software Quality Professional 6(4): 14.
Thornton PH and Ocasio W (1999) Institutional logics and the
historical contingency of power in organizations: executive
succession in the higher education publishing industry, 1958–
1990. American journal of Sociology 105(3): 801–843.
Tomalin M (2022) Rethinking online friction in the information society.
Journal of Information Technology: 02683962211067812.
Troitiño DR and Kerikmäe T (2021) Europe facing the digital
challenge: obstacles and solutions. IDP. Revista de Internet,
Derecho y Polı́tica, (34), 1–3.
Ullrich C (2018) A risk-based approach towards infringement
prevention on the internet: adopting the anti-money laun-
dering framework to online platforms. International Journal
of Law and Information Technology 26(3): 226–251.
Volz KG and Gigerenzer G (2012) Cognitive processes in deci-
sions under risk are not the same as in decisions under un-
certainty. Frontiers in Neuroscience 6: 105.
Butler et al.
Ward J (2022) The Loop: How Technology is Creating a World
Without Choices and How to Fight Back. Hachette Books.
Washington AL (2018) How to argue with an algorithm: lessons
from the COMPAS-ProPublica debate. Colo. Tech. LJ 17:
131.
Wessel RA (2019) Cybersecurity in the European Union: Resil-
ience through regulation? In: The Routledge Handbook of
European Security Law and Policy. Routledge, pp. 283–300.
Wiener JB (2004) The regulation of technology, and the tech-
nology of regulation. Technology in Society 26(2-3):
483–500.
World Economic Forum (2022) The Global Risks Report 2022.
17th edn. Cologny, Switzerland: World Economic Forum.
Wright J (2021) Suspect AI: Vibraimage, emotion recognition technology
and algorithmic opacity. Science, Technology and Society 1: 20.
Zaloom C (2003) Ambiguous numbers: trading technologies and
interpretation in financial markets. American Ethnologist
30(2): 258–272.
Zammuto RF, Griffith TL, Majchrzak A, et al. (2007) Information
Technology and the Changing Fabric of Organization. Or-
ganization Science 18(5): 749–762.
Zuboff S (2020) You are now remotely controlled. New York
Times, p. 24.
Zuboff S (1985) Automate/informate: the two faces of intelligent
technology. Organizational Dynamics 14(2): 5–18.
Zuboff S (2015) Big other: surveillance capitalism and the
prospects of an information civilization. Journal of infor-
mation technology 30(1): 75–89.
Author biography
Dr Tom Butler is Professor of Information Systems and
Regulatory Technologies at the Department of Business
Information Systems, Cork University Business School,
UCC. As Principal Investigator of Ireland's Governance
Risk and Compliance Technology Centre (GRCTC), Tom
led a multidisciplinary team of knowledge engineers, in-
formation systems and legal researchers conducting re-
search and development (R&D) on AI-based technologies
to enable global financial institutions to manage better
regulatory compliance and operational risk. As a member of
the Expert Group on Regulatory Obstacles Financial In-
novation (ROFIEG) at the European Commission's DG
FISMA, he helped guide EU policy on the regulation of IT
in the financial industry. In a broader context, Tom's
107
research focuses on risks that technologies pose to society,
particularly operational and cybersecurity risks in business
organisations. Tom was awarded over €8.7m in research
funding and authored 226 publications, which include 81
full papers, 84 conference papers, and 11 inventions.
Dr. Daniel Gozman is an Associate Professor at the Uni-
versity of Sydney Business School and an Honorary Fellow
at Henley Business School at the University of Reading,
UK. Daniel received his PhD from the London School of
Economics. He is a Research Fellow at UCL’s Centre for
Blockchain Technologies and a member of the Worshipful
Company of Information Technologists (Livery Company
of the City of London). He has previously published in the
Journal of Management Information Systems, Management
Information Systems Quarterly Executive, Journal of
Business Research and Small Business Economics. Daniel is
a Senior Editor for the Journal of Information Technology
and an Associate Editor for European Journal of Infor-
mation Systems, Information Systems Journal and Elec-
tronic Commerce and Research Applications. Currently, his
work focuses on the intersection between policy, emergent
technology and innovation. Daniel has acted as an academic
advisor to international law firms, analyst groups and global
technology firms. Prior to academia, Daniel worked for
Accenture, Deloitte and various banks providing consulting
advice.
Kalle Lyytinen (PhD, Computer Science, University of
Jyvaskylä; Dr. h.c. mult) is Distinguished University Pro-
fessor at Case Western Reserve University and a distin-
guished visiting professor at Aalto University, Finland. He
is among the top five IS scholars in terms of his h-index
(96); he has the highest network centrality among the IS
scholars. He AIS Fellow (2004) and the LEO Award re-
cipient (2013), and the former chair of IFIP WG 8.2 “In-
formation systems and organizations”. He has published
over 400 refereed articles and edited or written over 30
books or special issues. He has won best paper awards from
AoM, AIS/ICIS and other societies and served as SE or
editor to all IS journals and several leading organization
theory and innovation journals. He conducts research on
digital innovation and its dynamics and organizing, com-
plex design work, requirements in large systems, and
emergence and growth of digital infrastructures.