Germany’s cybersecurity regulatory framework is set to receive further reinforcement. On 27 February 2026, the Federal Ministry of the Interior (Bundesministerium des Innern) presented its draft Act to Strengthen Cybersecurity (Gesetz zur Stärkung der Cybersicherheit). In particular, the draft provides for changes to the Federal Police Act (Bundespolizeigesetz, “BPolG”), the Federal Criminal Police Office Act (Bundeskriminalamtgesetz, “BKAG”) and the Act on the Federal Office for Information Security (BSI-Gesetz, “BSIG”) and aims to strengthen state cyber defence capabilities. It foresees much stronger involvement of the private sector in national cyber defence. For business – especially digital services providers, telecommunications companies and operators of IT systems – that means another expansion of “resilience compliance” requirements. The draft expands the BSIG’s already extensive obligations and introduces additional duties to cooperate and provide information in the BPolG and BKAG. Breaches may incur fines of up to EUR 20 million or 2% of worldwide annual turnover. As cybersecurity compliance requirements grow and the risk of penalties for violations looms, businesses will need to implement structural changes.
Background and objectives
Amid the increasing scale and sophistication of cyberattacks in Germany, the Federal Ministry of the Interior presented a new ministerial draft Act to Strengthen Cybersecurity on 27 February 2026. The draft seeks to ensure the reliable and secure operation of information technology and supporting communications infrastructure, and to that end proposes to expand the powers of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, “BSI”), the Federal Criminal Police Office (Bundeskriminalamt, “BKA”) and the Federal Police (Bundespolizei) to detect and defend against cyberattacks. It therefore contains amendments to the BPolG, the BKAG, and the BSIG.
Beyond expanding state intervention powers, the ministerial draft also provides for significantly greater integration of private-sector entities in state-led cyber defence. For operators of IT systems, digital services providers, and telecommunications services providers, the draft introduces obligations to cooperate and provide information during state-led cyber defence operations, with fines for non-compliance. For companies impacted, that means a further increase in cybersecurity compliance requirements. The draft places greater responsibility on all actors throughout the digital value chain. It represents another legal instrument that integrates companies into national cyber defence and resilience efforts, aligning with an increasingly dense framework of resilience compliance requirements (see our article).
The following outlines the supervisory powers envisaged in the draft, the resulting obligations for affected companies, and the sanctions mechanisms proposed.
Changes to the BPolG and BKAG
The changes to the BKAG and the BPolG will establish clear and far-reaching cyber defence powers for the BKA and the Federal Police. The BKA’s remit is also to be expanded to include cyber defence in matters of international cooperation and of foreign and security policy significance.
New cyber defence measures: The draft bill creates new legal powers for the BKA and the Federal Police to defend against cyberattacks. These include in particular:
Prohibiting the operation of an IT system (section 41a(2), no. 1 BPolG (draft), section 62c BKAG (draft))
Rerouting, restricting and blocking data traffic (section 41a(2), no. 2 BPolG (draft), section 62d BKAG (draft))
Collecting, deleting and modifying data (section 41a(2), no. 3 BPolG (draft), section 62e BKAG (draft))
In certain circumstances, the measures can be carried out without the knowledge of the affected party.
Obligations for IT operators, telecommunications providers and digital services providers to cooperate and provide information: To enable the federal authorities to effectively exercise their new powers, the draft bill obligates a variety of private-sector entities to cooperate and provide information. This incorporates them into state-led cyber defence.
Duty to cooperate and provide information: If ordered to do so by the Federal Police or the BKA, telecommunications services providers pursuant to section 170(1) and (2) Telecommunications Act (Telekommunikationsgesetz, “TKG”) and digital services providers pursuant to section 1(4), no. 5 German Digital Services Act (Digitale-Dienste-Gesetz) must cooperate without delay in cyber defence measures by the authorities and must provide necessary information (section 41a(9) BPolG (draft), section 62d(2) BKAG (draft)).
Prohibition on disclosure: The Federal Police and the BKA can also order that the IT systems operator or party obliged to restrict, reroute or block data traffic must not disclose the measure to the parties affected (section 41a(10) BPolG (draft) or section 62g BKAG (draft)). A non-disclosure order can be issued if disclosure of the measure would defeat the aim of averting the danger.
Administrative fines: The draft bill includes severe penalties for failure to comply with these obligations:
Fines of up to EUR 20 million may be imposed for violation of a non-disclosure order issued by the Federal Police or the BKA (section 104(1), no. 3, (2) BPolG (draft), section 87a(1), no. 2, (2) BKAG (draft)).
Fines of up to EUR 10 million may be imposed for violation of a prohibition on operating an IT system (section 104(1), no. 1, (2) BPolG (draft), section 87a(1), no. 1, (2) BKAG (draft)).
Fines of up to EUR 10 million may be imposed for non-fulfilment, incomplete fulfilment or late fulfilment of duties to cooperate and provide information (section 104(1) no. 2, (2) BPolG (draft), section 87a(1) no. 1, (2) BKAG (draft)).
Changes to the BSIG
The principal purpose of the changes to the BSIG is to significantly boost the BSI’s ability and powers to collect and analyse data. The changes seek to strengthen resilience in cyberspace in two ways: first, by bringing further service providers into the scope of the BSI’s existing powers to order such providers to take particular measures, and second, by giving the BSI new powers to request technical information. The ministerial draft also aims to improve end-user protection against malicious domains. Until now, only telecommunications providers were obliged to pass BSI information regarding specific risks on to their customers. This obligation will now be extended to providers of digital services. The new obligations to provide information and cooperate with the BSI impact operators of critical facilities, domain name system (DNS) service providers, and top-level domain registries and registrars. Specifically:
Obligation to provide security-relevant technical information: The draft BSIG places a new obligation on providers of public telecommunications services and commercial providers of digital services to disclose information. These providers are required to give the BSI, upon request, security-relevant technical information known to them that permits inferences to be drawn regarding malicious activities, vulnerabilities or active threats where this is technically possible and economically reasonable for such providers (section 15(6) draft BSIG). Security-relevant technical information includes data about internet traffic, control data and technical information that providers evaluate when analysing traffic for their own quality assurance as well as for the technical precautions required by section 12(1) and section 19(4) Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz) and section 165(2) TKG.
Obligation to provide customers with DNS-based protection: Under the draft BSIG, DNS service providers with at least 50 employees or annual turnover and total assets both exceeding EUR 10 million will be obliged to offer their customers DNS-based protection against attacks connected to domains from which IT security risks originate (section 16(6) draft BSIG). This protection is to be based on information the BSI publishes regarding malicious domains.
Obligation to modify NS records: The BSI will be allowed to require that providers of top-level domain name registries and domain name registry service providers modify a domain’s name server records or add new records to avert major risks to the interests protected under section 16(3) BSIG (such as the availability, integrity and confidentiality of information and communication services). This obligation exists only where it is technically possible and economically reasonable for the service provider to do so (section 16a(1) draft BSIG).
Obligation to connect attack detection systems to the BSI: Under the draft BSIG, operators of critical infrastructure will be required not only to deploy attack detection systems – an obligation that already exists under current law – but also to connect these systems directly to the BSI. They will also be required to continuously and automatically stream parameters and availability metrics to the BSI. The BSI will define the technical and organisational specifications for both the connection and data-forwarding rules to facilitate compliant rollout (section 31(2) draft BSIG). The BSI will use the information provided for real-time attack and risk detection and to act immediately where availability is interrupted.
Administrative fines: The draft BSIG also introduces a new administrative offence. Operators of critical infrastructure who do not use attack detection systems or do not connect them to the BSI may face administrative fines (section 65(2), no. 3a draft BSIG). Because the draft does not contain its own fine schedule, the existing provisions of section 65(5), sentence 1, no. 1 and section 65(6) and (7) BSIG apply, allowing for fines of up to EUR 7 million and up to EUR 10 million, and in more serious cases up to 1.4% or 2% of worldwide annual turnover.
Conclusion
The ministerial draft is now due to be discussed by the German Federal Cabinet, which may amend it before bringing it before the Bundestag as a government bill. The Act will take effect the day after it is promulgated, subject to deferred effective dates for specific provider obligations.
Companies affected should track the legislation as it proceeds through these stages, because the new compliance requirements the Act will place on telecommunications services providers, digital services providers, IT systems operators and others are backed up by tough penalties. With new fines for revealing official cybersecurity measures, violating the prohibition of the operation of an IT system, failing to cooperate with authorities, failing to disclose information to them or failing to use attack detection systems as required, the draft BSIG shows that the German legislature is serious about getting business to cooperate on cyber defence. Companies face potential fines of up to EUR 20 million or 2% of worldwide annual turnover.
Companies should now review whether they fall within the scope of these new rules and establish processes to meet their cooperation and disclosure obligations. They will also need to be proactive about ensuring they meet their obligations to notify customers of known security risks and connect attack detection systems to the BSI.