Germany is on the verge of its most significant intelligence overhaul since the aftermath of World War II, preparing to dismantle decades-old legal guardrails that have historically kept its security services strictly on the defensive.
According to a draft law prepared by the Interior Ministry and circulated in early July 2026, Berlin plans to grant its foreign intelligence service, the Bundesnachrichtendienst (BND), and its domestic security agency, the Bundesamt für Verfassungsschutz (BfV), unprecedented powers to actively "hack back," disrupt, and deceive foreign cyber threat actors.
The draft legislation, which represents a profound departure from Germany’s post-war security posture, marks a transition from a doctrine of passive monitoring to one of active cyber deterrence. For nearly eighty years, Germany's intelligence apparatus has been muzzled by strict constitutional limits designed to prevent any single security organ from gaining excessive centralized power—a direct legacy of the abuses committed under the Nazi regime and later by the East German Stasi.
However, a relentless wave of state-sponsored cyber sabotage, industrial espionage, and hybrid warfare campaigns—principally attributed to Russian and Chinese state actors—has convinced the coalition government of Chancellor Friedrich Merz that "watching and reporting" is no longer enough to protect the state.
The proposed overhaul would create a single, unified legal framework for online covert operations, allowing German spies to break into attackers’ IT systems, destroy malicious server infrastructure, delete stolen data, and even intentionally spread targeted false information to disrupt adversarial operations.
This bold move is forcing a quiet but radical rewrite of German cyber espionage laws, introducing aggressive technical and operational capabilities that will redefine how Europe's largest economy defends itself in the digital age.
The Ghost of the Gestapo: Why Germany Muzzled its Spies
To understand why this week’s legislative draft is so monumental, one must look at the historical foundations of modern German statehood.
When the Allied powers oversaw the drafting of Germany's Basic Law (Grundgesetz) in 1949, they built an intricate network of constitutional checks and balances. The absolute core of this architecture is the Trennungsgebot—the separation principle.
THE TRENNUNGSGEBOT
German post-war security system
  ├─ Police & law enforcement (BKA, Bundespolizei): executive powers; search & seizure; strict domestic limits
  └─ Intelligence services (BND, BfV): surveillance/gathering; no arrest powers; no executive force
  → The two branches are strictly prohibited from merging or sharing core operational tools
The Trennungsgebot dictates a strict separation between police forces and intelligence services. The police have executive powers—the authority to arrest, search, seize, and use physical force—but their investigative powers are bound by strict criminal law thresholds.
Conversely, intelligence agencies like the BND and BfV are permitted to gather information covertly to warn the government of impending threats, but they are constitutionally barred from possessing executive police powers. They cannot arrest citizens, they cannot conduct police raids, and they cannot wield executive force.
For decades, German cyber espionage laws matched this cautious design. German intelligence services were structurally optimized to act as passive observers. If the BND detected a foreign cyberattack targeting German industry from a server in St. Petersburg, its only legal recourse was to write a report, notify the relevant ministries, and coordinate with international partners who possessed more robust operational mandates.
This defensive paralysis led two former BND chiefs to warn that the country's foreign spy agency had been turned into a "toothless watchdog... muzzled with an iron chain". Security officials argued that Germany was outsourcing its defense, relying on the intelligence capabilities of allies like the United States and the United Kingdom to intercept threats that Berlin’s own services were legally barred from touching.
This week’s legislative draft dismantles these historical limits. By allowing spy agencies to directly intervene and disable infrastructure, Germany is effectively granting its intelligence services a form of digital executive force, fundamentally blurring the boundaries of the Trennungsgebot.
The Geopolitical Pressure Cooker: Why 2026 is the Breaking Point
The sudden political will to rewrite these foundational principles is driven by a stark deterioration in Germany’s national security environment.
By mid-2026, the hybrid threat landscape has reached an unprecedented level of intensity. Government and private sector databases show that the German economy is suffering catastrophic damage from state-aligned cyber campaigns.
Annual economic damage from cybercrime and intellectual property theft in Germany has soared to an estimated €267 billion. The country’s highly specialized, export-driven Mittelstand (small and medium-sized enterprises), alongside its world-class research institutions and political parties, have become primary targets for state-sponsored espionage.
Beyond intellectual property theft, Germany is facing a systematic campaign of hybrid sabotage. Following the geopolitical ruptures of recent years, Russian intelligence agencies have shifted away from traditional diplomatic-cover operations—especially after hundreds of Russian diplomats were expelled from European capitals.
Instead, European security services have documented the rapid rise of the "third-country recruitment doctrine". Agencies like the Russian GRU and FSB are now using Telegram channels and encrypted digital networks to recruit low-level, local actors—often young individuals or third-country nationals—paying them in cryptocurrency to conduct physical acts of sabotage, arson, and surveillance against critical European infrastructure, logistics networks, and military bases.
FOREIGN STATE CYBER/HYBRID OPERATIONS
  ├─ Technical intel operations: advanced persistent threats; industrial IP theft (€267B/yr); critical infrastructure probes
  └─ Hybrid sabotage pipelines: Telegram-recruited proxies; crypto-financed actors; arson, physical surveillance
  → Need for an active systemic response (beyond passive monitoring)
To counter these highly distributed, digitally coordinated threats, Berlin’s security agencies argue they must be able to target the adversary's digital command-and-control (C2) apparatus directly. If a hybrid sabotage operation is being run out of a specific server or coordinated via a specific digital channel, the BND and BfV need the legal authority to hack into those networks, disrupt the communications, and disable the tools before physical damage occurs on German soil.
Behind the Tech: What Does it Actually Mean to "Hack Back"?
To understand the controversy surrounding the new draft, it is essential to unpack the complex computer science and network engineering behind "active cyber defense" and "hackbacks".
In classical network security, defense is passive and reactive. A network administrator installs firewalls, configures intrusion detection systems, and patches software vulnerabilities. If an attacker breaches the perimeter, the defender’s job is to isolate the infected systems, clean the malware, and restore data from backups.
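The passive, in-network posture this paragraph describes can be made concrete with a small intrusion-detection check. The following is an added example, not code from the article or from any German agency: it parses constructed outbound-flow log lines (the four-field "epoch src dst bytes" format, the IP addresses and the thresholds are all assumptions made for the example) and flags internal hosts whose connections to one external host recur at a near-constant interval, the classic beaconing pattern of malware checking in with a command-and-control server. The output is a list of hosts to isolate and investigate inside the defender's own network, which is exactly the boundary the article says classical defense stops at.

```python
"""Beaconing detection over constructed outbound-flow logs (added example).

Periodic connections from one internal host to one external host with low
timing jitter are a common indicator of a malware agent polling its C2
server. Hosts flagged here are candidates for isolation and forensic review
on the defender's side of the perimeter; nothing is sent to the remote side.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines: "<epoch seconds> <src ip> <dst ip> <bytes>".
# 10.0.0.5 polls 203.0.113.10 roughly every 60 s (beacon-like).
# 10.0.0.7 talks to 198.51.100.20 at irregular intervals (user-like).
# 10.0.0.9 appears once (not enough data to judge).
SAMPLE_LOG = """\
1720000000 10.0.0.5 203.0.113.10 512
1720000060 10.0.0.5 203.0.113.10 520
1720000118 10.0.0.5 203.0.113.10 515
1720000181 10.0.0.5 203.0.113.10 518
1720000240 10.0.0.5 203.0.113.10 511
1720000301 10.0.0.5 203.0.113.10 514
1720000007 10.0.0.7 198.51.100.20 4096
1720000900 10.0.0.7 198.51.100.20 9000
1720003100 10.0.0.7 198.51.100.20 120
1720003500 10.0.0.7 198.51.100.20 75000
1720009000 10.0.0.7 198.51.100.20 2048
1720001000 10.0.0.9 192.0.2.30 300
"""


@dataclass
class Flow:
    ts: int       # epoch seconds
    src: str      # internal source address
    dst: str      # external destination address
    nbytes: int   # bytes sent


def parse_log(text: str) -> list[Flow]:
    """Parse the assumed four-field format; reject malformed lines loudly."""
    flows: list[Flow] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        ts, src, dst, nbytes = parts
        flows.append(Flow(int(ts), src, dst, int(nbytes)))
    return flows


def find_beacons(flows: list[Flow], min_events: int = 5,
                 max_jitter: float = 0.2) -> dict[tuple[str, str], float]:
    """Return {(src, dst): mean interval seconds} for pairs that look periodic.

    jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections; a low value means a near-constant polling period.
    Thresholds are assumptions for this example, tune them to the environment.
    """
    by_pair: dict[tuple[str, str], list[int]] = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f.ts)

    beacons: dict[tuple[str, str], float] = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue                      # too few samples to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue                      # duplicate timestamps, not a schedule
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons[pair] = mean
    return beacons


def hosts_to_isolate(flows: list[Flow], **thresholds) -> set[str]:
    """Internal hosts whose traffic matched the beaconing heuristic."""
    return {src for (src, _dst) in find_beacons(flows, **thresholds)}


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for (src, dst), period in find_beacons(flows).items():
        print(f"beacon candidate: {src} -> {dst} every ~{period:.1f}s")
    print("isolate:", sorted(hosts_to_isolate(flows)))
```

The coefficient-of-variation test is deliberately simple: it catches fixed-period check-ins and tolerates the small jitter real agents add, while the irregular browsing-style pattern of the second host stays below the bar. A production detector would also weight by destination reputation and payload size, but the shape of the decision (observe, flag, isolate) is the passive model the article contrasts with "hacking back".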
Active cyber defense, however, goes beyond the defender's own network boundary. It involves executing technical operations directly against the attacker's IT infrastructure. In the context of the new German draft law, this active posture is divided into three distinct technical operations: hacking, disruption, and deception.
1. Hacking (Intrusive Penetration)
When a foreign intelligence agency or state-backed hacking group (known as an Advanced Persistent Threat, or APT) launches a campaign, they route their traffic through a series of intermediate staging points. Under the new draft law, German intelligence would be authorized to use custom exploits to penetrate these external systems.
This is not a simple defensive scan; it involves utilizing zero-day vulnerabilities or stolen credentials to gain administrative access to the attacker's command-and-control servers, mapping out their network, identifying their operational tools, and copying or deleting their exfiltrated data.
2. Disruption (Active Invalidation)
Once inside the attacker's system, spies can perform actions designed to neutralize the threat. These technical measures include:
- BGP Hijacking / Route Redirection: Altering Border Gateway Protocol routing tables to redirect the malicious traffic away from German infrastructure into a digital dead-end.
- Command-and-Control (C2) Takeover: Sending cryptographic commands to the attacker's malware agents to instruct them to uninstall themselves from victim computers.
- Infrastructure Destruction: Purging the hard drives, disabling the virtualization hypervisors, or corrupting the firmware of the remote servers being used to coordinate the attack.
3. Deception (Digital Disinformation)
Unique to the July 2026 intelligence reform is the explicit authority to "deliberately spread targeted false information". Technically, this involves accessing the communication systems, forums, or databases used by hostile threat actors and injecting manipulated data.
By fabricating intelligence, seeding false configuration files, or masquerading as fellow attackers, German spies can sow distrust within adversarial networks, degrade the reliability of their tools, and disrupt their operational planning from the inside out.
ANATOMY OF A CYBER DISRUPTIVE OPERATION
  [Hostile State APT] ──► [Compromised C2 Server] ──► [German Target]
  [German BND / BfV spies] ──► (1) Penetrate & hack the C2 server
                               ├─► (2) Deception: inject false data
                               └─► (3) Disruption: destroy system
While these capabilities are technically potent, they carry immense operational risks. In the real world, hackers rarely use their own servers to launch attacks. Instead, they hijack legitimate infrastructure—such as the servers of a hospital, a university, or a small business located in a neutral third-party country.
If German intelligence "hacks back" and destroys the server infrastructure, they risk destroying the data of an innocent third party, potentially causing severe collateral damage and violating the sovereignty of a friendly nation.
Inside the New Draft Law: The Legal Anatomy of "Active Deception"
The draft legislation seen this week seeks to codify these highly intrusive technical operations into structured, legal frameworks. The bill proposes a complete overhaul of the statutory foundations of both the BND and the BfV, introducing several highly controversial mechanisms:
Graduated Threat Categories
To satisfy constitutional proportionality requirements, the draft law does not grant blanket hacking powers. Instead, it establishes graduated threat categories that unlock specific, highly regulated state responses:
- Significantly Requiring Observation (erheblich beobachtungsbedürftig): This category permits basic digital monitoring, intelligence gathering, and tracking of threat actors.
- Particularly Significantly Requiring Observation (besonders erheblich beobachtungsbedürftig): Reserved for the gravest threats, this classification unlocks the most intrusive powers, enabling active cyber defense, network penetration, infrastructure disruption, and the spreading of deceptive information.
Regulated "State Trojans" (Staatstrojaner)
The law establishes clear legal baselines for the deployment of state-developed malware designed to perform online searches (Onlinedurchsuchung) and source telecommunications surveillance (Quellen-TKÜ).
These "state trojans" bypass end-to-end encryption by compromising a target’s device (such as a smartphone or computer) at the operating system level, allowing spies to read messages, record audio, and extract data before it is encrypted for transmission.
Mandatory Corporate Cooperation under Penalty
The draft places a heavy compliance burden on the private sector. Telecommunications companies, major digital platforms, transport operators, and financial intermediaries will be subject to binding, secret disclosure orders.
These firms must hand over security-relevant technical data, threat indicators, and communication logs. Non-compliance with these secret orders will carry severe financial penalties, including fines of up to €1 million and mandatory on-site physical inspections by federal authorities.
Minor Informants
In a move that has stunned domestic human rights advocates, the draft law refines the rules governing confidential informants (V-Leute). Under strict thresholds and in cases involving the gravest threats to national security—such as impending terrorist attacks or systemic state sabotage—the law would permit German intelligence services to deploy confidential informants as young as 16 years old.
Proponents argue this is necessary because modern extremist groups, radical networks, and cyber gangs frequently recruit teenagers who communicate on highly insular, youth-dominated platforms where older undercover agents cannot easily infiltrate.
The Dual-Track Strategy: How Spy Reform Ties to May’s Cybersecurity Act
The leaked intelligence draft is the second phase of a massive, coordinated legislative push by the Merz government to rebuild Germany's cyber defense architecture.
In late May 2026, the federal cabinet approved the companion Gesetz zur Stärkung der Cybersicherheit (Act to Strengthen Cybersecurity). While this week's draft law targets the covert intelligence agencies (BND and BfV), the May legislation focused on empowering Germany’s executive and law enforcement agencies: the Federal Office for Information Security (BSI), the Federal Criminal Police Office (BKA), and the Federal Police (Bundespolizei).
| Agency / Entity | Primary Role | Core Cyber Powers under 2026 Reforms | Legal Constraints |
|---|---|---|---|
| BSI (Federal Office for Information Security) | Cybersecurity authority & civilian defense | Broad data collection; analyzing threat preparation; issuing binding warnings directly to users via platforms. | Primarily passive and defensive; acts as central info clearinghouse. |
| BKA (Federal Criminal Police Office) | Federal law enforcement & police coordination | Disrupting attacker software/servers; blocking malicious infrastructure (including overseas) during ongoing crimes. | Bound by code of criminal procedure; requires specific criminal offense thresholds. |
| Bundespolizei (Federal Police) | Border protection & federal security | Direct intervention to block/disrupt cyber threats targeting transport or borders. | Limited to federal police jurisdiction and border security threats. |
| BND (Federal Intelligence Service) | Foreign intelligence | Offensive cyber operations, hacking foreign IT systems, deleting exfiltrated data, active deception. | Covert foreign operations; subject to judicial pre-approval by the new Independent Control Council. |
| BfV (Federal Office for the Protection of the Constitution) | Domestic intelligence | Deploying "state trojans"; domestic covert cyber ops; managing minor informants (16+). | Domestically bound; subject to strict oversight; no executive police arrest powers. |
This dual-track strategy creates a multi-layered shield. The BSI, BKA, and Federal Police operate in the light, leveraging criminal law to dismantle malicious servers and secure domestic corporate networks.
Meanwhile, the BND and BfV operate in the shadows, using their newly updated statutory powers to execute covert cyber operations directly against adversarial state actors. Together, these pieces represent a total modernization of the country's security architecture.
The Constitutional Tightrope and the UN Charter
Navigating the rewrite of German cyber espionage laws requires walking a highly complex constitutional and international legal tightrope. Legal scholars and opposition politicians have raised serious alarms, pointing out two major areas of legal friction:
Domestic Constitutional Law (The Basic Law)
The German Federal Constitutional Court (Bundesverfassungsgericht) has historically maintained a protective stance on digital privacy. In landmark rulings, the court established a fundamental "right to the confidentiality and integrity of information technology systems".
This basic right severely limits the state's ability to hack private devices. Furthermore, the court has consistently ruled that intelligence operations must have highly precise statutory boundaries and rigorous, independent oversight.
Opponents argue that by giving the BND and BfV the authority to disrupt systems, delete data, and spread deceptive information, the government is violating these constitutional protections, making a future showdown in the Karlsruhe court almost inevitable.
THE DIGITAL STATE-OF-WAR DILEMMA
  ├─ Domestic Basic Law (GG): Article 87a GG: the Bundeswehr may only act defensively; no constitutional basis for covert peacetime cyber offensives by spies
  └─ International law: UN Charter Article 2(4) prohibits the use of force; UN Charter Article 51: self-defense requires an "armed attack"
  → Legal gray zone of the "hackback" (how to act without declaring war)
International Law and the UN Charter
Under Article 2, Paragraph 4 of the UN Charter, the threat or use of force in international relations is strictly prohibited. While this norm was written for kinetic warfare, international consensus holds that it applies to cyberspace.
A state-executed hackback that physically damages hardware or permanently disables critical systems in another country could be construed as an unlawful use of force.
The principal exception is the right to self-defense under Article 51 of the UN Charter, which requires an ongoing "armed attack". Because most cyberattacks do not cross the high threshold of an "armed attack," offensive cyber operations occupy a deeply controversial international gray zone.
By incorporating these aggressive tools directly into German cyber espionage laws, Berlin is signaling its willingness to push the boundaries of international legal norms to secure its sovereignty.
To minimize these international disputes, Interior Minister Alexander Dobrindt and other defense officials have avoided using the term "hackback" in public statements, preferring the term "active cyber defense".
During a press conference, Dobrindt emphasized that Germany would not engage in offensive, retaliatory cyber strikes for the sake of vengeance. Instead, operations will be strictly tailored to "neutralizing the threat when we are attacked," adding, "We act directly against the attacker. We switch off their ability to attack."
The New Guard: The Independent Control Council (UKRat)
To counterbalance this expansion of intelligence powers and insulate the legislation against constitutional challenges, the Merz government is introducing a powerful, newly designed oversight mechanism: the Independent Control Council (Unabhängiger Kontrollrat, abbreviated as UKRat).
The UKRat will be established as the highest independent federal authority, absorbing the functions of the legacy G10 Commission—the parliamentary body previously responsible for approving wiretapping and communication intercepts.
OVERSIGHT ARCHITECTURE
Independent Control Council (UKRat)
  ├─ Judicial panel: consists of federal judges; must grant binding pre-approval for intrusive hacks and trojans
  └─ Data protection & operational audits: continuous audit of BND & BfV databases and active files; monitors systemic compliance with privacy laws
Unlike the G10 Commission, which was often criticized for its slow, highly politicized processes, the UKRat is built to operate at the speed of modern digital conflict. Its centerpiece is a specialized Judicial Panel composed of independent federal judges.
Under the new statutory rules, any highly intrusive cyber operation—such as deploying a state trojan or executing an active cyber disruption operation against a foreign system—must receive binding pre-approval from this judicial panel.
Additionally, the UKRat will have direct, real-time data protection and technical audit access to the active systems of both the BND and BfV, ensuring that the agencies do not exceed the narrow legal thresholds established by the graduated threat levels.
By positioning the UKRat as an independent, judge-led firewall, the German government hopes to satisfy the strict requirements of the Federal Constitutional Court, demonstrating that its newly empowered spies remain under robust, democratic rule-of-law controls.
Looking Ahead: The Digital Arms Race and Europe’s Security Architecture
The draft intelligence law is expected to trigger a fierce and highly charged debate as it moves to the floor of the German Bundestag.
Critics, led by opposition parties like the Left Party and the far-right AfD—which was recently classified by the BfV as a "proven extremist" organization, making its own communications subject to heightened intelligence monitoring—have warned that the legislation represents a dangerous drift toward a surveillance state.
"Expanding these highly intrusive state powers while systematically reducing real-time parliamentary oversight threatens the very foundations of our liberal democracy," warned Left Party lawmaker Clara Bünger.
On the other hand, Germany's NATO and European Union partners are quietly welcoming the shift. For years, intelligence sharing within the "Five Eyes" and European security networks has been asymmetrical.
Allies have routinely passed critical security alerts to Berlin, but have received limited operational cyber intelligence in return due to Germany's restrictive domestic laws. A more active, digitally capable BND will allow Germany to pull its weight within the Western alliance's collective cyber defense shield.
As the legislative process unfolds in the coming months, several critical issues remain unresolved:
- The Collateral Damage Framework: How will the German government handle cases where active disruption operations accidentally damage innocent civilian infrastructure in friendly nations?
- The Sourcing of Exploits: To execute hackbacks, German agencies will need a continuous supply of zero-day vulnerabilities. Will the German state begin stockpiling these vulnerabilities, leaving civilian networks exposed to security flaws to preserve its offensive tools?
- The Escalation Threshold: If a German "active defense" operation successfully dismantles a server run by the Russian GRU, how will Moscow retaliate? Will this trigger an escalating cycle of digital attacks targeting Germany's power grid, financial systems, or healthcare infrastructure?
By moving to rewrite its post-war laws, Germany is acknowledging that the digital world has permanently altered the nature of national sovereignty. The legal boundaries that kept the peace in the physical world of the twentieth century are proving inadequate against the borderless, asymmetric threats of the twenty-first.
For the BND and the BfV, the era of merely watching and reporting is coming to an end; the era of active cyber engagement has begun.