World-Wide Cyber Laws: Germany
Cybersecurity and Data Protection in Germany
During a tour of the German Reichstag I had a chance to discuss German laws with a local attorney. This article summarizes his comments.
Germany has always been a proponent of data protection and cybersecurity. In the 1970s the federal state of Hesse became the first to pass a data protection law. Most recently Germany has introduced several new laws and amendments to strengthen its cyber legal framework. These changes aim to address emerging threats, align with European Union regulations, and provide greater protection for citizens and organizations against cybercrime.
The IT Security Act 2.0
One of the most impactful changes in German cyber law is the IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0, the “Act”),[1] which came into force in 2021. This legislation builds upon the original IT Security Act of 2015, expanding the scope and requirements for operators of critical infrastructures. The Act now covers more sectors, including waste management, and introduces stricter reporting obligations for security incidents. Companies designated as critical infrastructure operators must implement advanced security measures, such as state-of-the-art monitoring, or face penalties for non-compliance. Additionally, the Act grants the Federal Office for Information Security (BSI) more authority to monitor such companies, and the power to intervene in IT security matters in both the public and private sectors.
Expansion of Critical Infrastructure Definitions
Under the Act, the definition of critical infrastructure has been broadened. This includes not only energy, water, and telecommunication sectors, but also healthcare, finance, and waste management. The law requires organizations in these critical sectors to regularly report cyber incidents and implement robust security protocols. Failure to comply can result in significant fines or operational restrictions. The expansion of the sectors reflects Germany’s growing concern about protecting essential services from cyberattacks.
Increased Focus on Supply Chain Security
Germany has introduced regulations targeting supply chain security, especially for information and communications technology (ICT) products. The new rules require manufacturers and vendors to provide transparency about their products’ security features and potential vulnerabilities. Companies are obligated to conduct risk assessments, identify potential supply chain vulnerabilities, and implement protections to ensure that their supply chains are resilient against cyber threats. This move comes in response to increasing global concerns about the risks posed by foreign technology providers and the potential for supply chain attacks.
Data Protection and GDPR Alignment
Germany continues to enhance its data protection laws in alignment with the European Union’s General Data Protection Regulation (GDPR). Recent amendments to the Federal Data Protection Act (Bundesdatenschutzgesetz) have clarified requirements for data processing, cross-border data transfers, and the role of Data Protection Officers. Notably, German regulators have increased enforcement actions, imposing higher fines for GDPR violations and providing clearer guidance on lawful data processing practices.
Cybercrime and Law Enforcement Enhancements
Legislative changes have also strengthened law enforcement capabilities to combat cybercrime. The German Criminal Code (Strafgesetzbuch) has been amended to include new cyber offenses, such as unauthorized access to IT systems, ransomware attacks, and digital identity theft. Police and prosecutors now have expanded powers to investigate and prosecute cybercriminals, including access to digital evidence and enhanced cooperation with international agencies.
One part of the discussion I found most interesting is the German government’s consideration of a proposal for law enforcement to have the ability to “hack back.” The proposal would allow, for example, the Federal Police (BPol), the Federal Criminal Police Office (BKA), and the Federal Office for Information Security (BSI) to target and attack hackers. Its aim is to improve authorities’ ability to detect and respond to cyberattacks, especially as German politicians have seen a rise in political attacks from China and Russia, and an increased risk from AI-generated attacks. German law enforcement would have the power to proactively target hackers and their tools and infrastructure even if outside of Germany!
Conclusion
Germany’s cyber laws are undergoing significant transformation, reflecting the nation’s commitment to safeguarding digital infrastructure and personal data. With stricter regulations for critical infrastructure, enhanced supply chain security, robust data protection, and expanded law enforcement powers, Germany is adapting to the challenges of the digital age. As technology and threats evolve, further changes are expected, ensuring that German industry remains secure from cybersecurity attacks, and data privacy legislation protects personal information.
[1] There is currently a discussion about a new law, the KRITIS (Critical Infrastructure) Law, which would supersede this law and add physical security components to IT security.

