German authorities are preparing to significantly expand their powers to combat cyber attacks originating abroad, according to a draft law reviewed by Reuters.
Under the proposed legislation, Germany would allow law enforcement and security agencies to intervene directly in digital infrastructure used for cyber attacks. This includes the authority to redirect internet traffic, shut down IT systems and, in extreme cases, delete or alter data — even when that data is stored on servers outside Germany.
The move reflects a broader shift in security policy since Russia’s full-scale invasion of Ukraine in 2022. Jolted by the war, Germany has been strengthening its armed forces and seeking expanded powers for intelligence agencies to counter so-called hybrid threats. Such steps remain politically sensitive in a country deeply conscious of its Nazi past.
Interior Minister Alexander Dobrindt has repeatedly warned that Germany must be better equipped to defend itself against cyber threats from abroad. German security services believe many such attacks originate in Russia, an allegation Moscow denies, rejecting claims that it conducts hybrid attacks against Europe.
“Prevention of threats does not stop at national borders when it comes to combating cyberattacks,” the draft law states.
While the legislation would stop short of authorising large-scale cyber counter-attacks, it would still mark a major expansion of state power. Authorities could intervene rapidly to disrupt malicious activity, with court approval generally required for intrusions into private systems. In cases of imminent danger, judges could grant approval up to three days after the intervention has already taken place.
The bill also foresees a significant staffing boost, with hundreds of new personnel to be hired.
Germany’s cyber watchdog, the Federal Office for Information Security (BSI), would gain new “threat hunting” powers. This would allow it to proactively search for signs of an impending cyber attack and neutralise threats before damage is done, rather than reacting after the fact.
Digital service providers and internet service providers would be legally required to cooperate with authorities. Companies that fail to comply could face fines of up to €20 million (about $23 million), according to the draft. Photo by jaydeep_, Wikimedia commons.