On 27 May 2026, Germany's Federal Cabinet adopted a draft cybersecurity law that the Federal Government markets as a shift to "active cyber defence." Interior Minister Alexander Dobrindt summarised the change bluntly: "so far, the response to attacks has been to try to redirect the attacks to harmless areas of the network. In future, we will target the attacker, their servers, their software and their strategy" (Bundesregierung, 27 May 2026). The bill widens the powers of the Federal Office for Information Security (BSI) so that it can collect and analyse data on attack preparation and issue binding orders to DNS and digital-service providers, and it authorises the Federal Criminal Police Office (BKA) and the Federal Police to block, disrupt, or destroy attacker-controlled infrastructure, including systems located abroad. The draft now goes to the Bundestag.
We should separate two very different things bundled into one bill. The detection and resilience half is overdue and proportionate. The offensive, cross-border half is where Germany risks legislating faster than it can supervise.
The case for acting is real
Start with the strongest version of the government's argument, because it is genuinely strong. German firms are bleeding. Bitkom's annual economic-security survey put the cost of cybercrime, data theft, espionage and sabotage to German business at roughly €267 billion in its 2024 edition, up from €206 billion a year earlier, with 45% of affected companies tracing attacks back to China and 39% to Russia (heise, Aug 2024). When a botnet's command-and-control server is actively herding compromised German hospitals or industrial controllers, the status quo — politely sinkholing traffic and waiting — can mean watching damage accumulate in real time. A state that can lawfully order a malicious domain killed, or knock over the server issuing the commands, can stop harm faster than one that cannot. That is not authoritarian overreach; it is incident response.
The BSI-facing provisions deliver exactly this kind of measured upgrade. Expanding the BSI's authority to detect "specific preparatory actions" and long-term campaigns, and requiring providers to relay BSI threat warnings directly to affected users, strengthens defence without putting the state on offence (Digital Watch, 2026). For a country implementing the EU's NIS2 directive, codifying who detects, who must report, and who must warn is the unglamorous plumbing that actually reduces breach dwell time. We support that part without reservation.
Where proportionality breaks
The problem is the leap from defending German networks to reaching into infrastructure "located outside Germany." Offensive cyber operations carry three failure modes that the draft does not adequately contain.
- Misattribution. Attribution in cyberspace is probabilistic: it is inferred from indicators such as infrastructure, tooling and timing, none of which proves who is behind the keyboard. Attackers routinely route through compromised third-party machines (a university in Brazil, a small business in Poland). "Destroying" attacker infrastructure can therefore mean destroying an innocent victim's server, sometimes inside an allied jurisdiction, on the strength of an inference the owner never had a chance to contest.
- Collateral damage. Disrupting shared hosting or a DNS resolver to disable one malicious actor can take down unrelated services that depend on it: a single shared-hosting address can front hundreds of unrelated sites, and a resolver serves every client that points at it, not only the attacker's. The independent expert statement submitted on the bill warns specifically of "collateral damage, misattribution, and the proliferation of cyber tools" (interface, 2026).
- Diminishing returns. The same analysis notes that takedown operations "typically only slow down adversaries rather than stop them," because infrastructure is cheap to rebuild. Resilience scales; whack-a-mole against foreign servers does not.
There is also a sovereignty cost the bill underplays. A German police agency reaching into a server in another country is an intrusion into that state's jurisdiction. Done unilaterally and covertly, it invites reciprocal claims from Beijing and Moscow that their own cross-border operations are merely "active defence" too. Germany would be normalising the exact behaviour it is trying to deter.
The oversight gap is the real flaw
None of this means active defence is illegitimate. It means the supervisory architecture has to match the power. Here the draft is thin. The interface statement flags "parallel responsibilities with insufficient coordination," the absence of "clear provisions on transparency, oversight, and governance," and a federalism problem: public security is traditionally a state (Länder) competence, and concentrating offensive cyber power at the federal level raises constitutional questions about whether the proposed thresholds meet the standards of Germany's Basic Law (Grundgesetz).
A proportionate version of this bill is not hard to describe. Cross-border disruption should require prior judicial authorisation against a defined, high-harm threshold, not the same standard that applies to redirecting domestic traffic. Every executed measure should be logged and reported to a parliamentary oversight body, with after-the-fact notification to affected innocent parties where feasible. And the government should publish a vulnerability-handling policy that states when a flaw the state discovers is reported to the vendor and when it is retained, so the BSI's defensive mission is not quietly compromised by an offensive appetite for unpatched holes.
Bottom line
The Bundestag should pass the detection, reporting, and warning provisions largely as drafted — they are evidence-based, proportionate, and good for the open internet. But the cross-border offensive powers should not clear the chamber without judicial gatekeeping, mandatory transparency reporting, and a clear collateral-damage standard. Germany is right that the status quo is too passive. It would be wrong to fix that by handing its police a global kill switch with domestic-grade supervision.