On 22 December 2025, Germany’s Federal Ministry of Justice and Consumer Protection (Bundesministerium der Justiz und für Verbraucherschutz) published a draft bill for an Act to Introduce IP Address Retention and Expand Data Collection Powers in Criminal Proceedings (Gesetz zur Einführung einer IP-Adressspeicherung und zur Weiterentwicklung der Befugnisse zur Datenerhebung im Strafverfahren). The draft bill obliges internet access providers to retain technical connection data for a specified period to facilitate official information requests and ensure the effective investigation of cyber-related offences.
Background and objectives
Digital crime is on the rise, creating ever more complex challenges for law enforcement. Many investigations fail because internet access providers only retain IP address data for a short time and are then unable to make this information available to law enforcement authorities when required. The Ministry now wants to remedy this situation and ensure that IP addresses can be used as a key investigative tool in the long term, with the aim of making law enforcement more effective in cases of digital organised crime, in particular.
According to the Ministry, typical cases where this information could be used include crimes committed via criminal trading platforms (offering narcotics or Cybercrime-as-a-Service (CaaS)), messenger services or fake web stores. The draft bill therefore focuses on optimising how existing instruments are utilised within the digital landscape, rather than introducing new investigative powers.
Introduction of precautionary IP address retention
The draft obliges providers of internet access services to retain IP addresses – and, where necessary, accompanying port numbers – for a period of three months after they are assigned to a specific connection. Mandatory retention will apply to these data only; target IP addresses, content data, location data and other traffic data are explicitly excluded.
Access by law enforcement
The draft does not aim to extend law enforcement authorities’ existing access rights. They will still only be allowed to access the retained data if they have reasonable suspicion of an offence and this access is necessary to investigate the facts of the case. What is new, however, is that internet access providers will be required to actually retain the relevant data in future. Law enforcement authorities will therefore continue to access such data on the basis of their existing legal powers. The draft bill is not intended to make it possible to create personality or movement profiles.
Introduction of preservation orders
In addition to retaining IP addresses, the bill creates a legal framework for preservation orders. This will enable law enforcement authorities – where there is specific justification – to order the preservation of additional traffic data that would otherwise be deleted. Content data are once again excluded, however. The Ministry sees preservation orders as a useful supplement to, but not replacement for, IP address retention.
New rules for cell tower dumps
The draft bill also proposes changes to cell tower dumps. These allow law enforcement authorities to determine which mobile phones were connected to a cell tower near a crime scene at a given time. Following the Federal Court of Justice’s restriction of the scope of cell tower dumps to particularly serious crimes in its decision of 10 January 2024 (2 StR 171/23), the draft bill aims to reenable law enforcement to use these dumps for “crimes of substantial significance” as well.
Constitutional and EU law
The draft explicitly refers to recent case law of the European Court of Justice, which indicates that the targeted, temporary retention of IP addresses to fight serious crime might be in line with EU law. According to the Ministry, the proposed model differs fundamentally from previous provisions on data retention that were rejected by the courts, as it does not cover the content of communications or comprehensive traffic data.
Practical implications for companies
The new obligations are primarily aimed at internet access providers. These providers will have to adjust their technical and organisational processes to ensure, among other things, the legally sound implementation of a three-month retention period for relevant IP address data, while at the same time meeting stringent data protection and data security requirements.
Companies outside the telecommunications industry will generally not have any direct (retention) obligations. Indirectly, however, businesses should anticipate more robust law enforcement activity targeting internet-related offences. Companies should therefore in particular review their internal processes for handling cyber incidents, fraud and criminal online activities, and ensure they are prepared to respond to enquiries from the authorities.
For companies affected by cybercrime, the new rules could increase the chances of successful prosecution by law enforcement authorities. While past investigations often failed because IP addresses – the primary or most effective means of tracking perpetrators – were not (or no longer) available, the new mandatory retention requirement could make it easier for law enforcement to access relevant connection data and identify offenders.
Forward
