Germany's Cybersicherheitsstärkungsgesetz — federal cabinet approves active-cyber-defence powers; Bundestag passage still ahead

The German federal cabinet approved the Cybersicherheitsstärkungsgesetz (Cyber Security Strengthening Act) on 2026-05-27 — the daily caught the Heise news hit; the primary government sources confirm the substance and, importantly, that it is a draft bill still requiring Bundestag passage and is not yet in force. Per the government's framing, it shifts the state from purely defending the target to acting directly against the attacker — "their servers, their software and their strategy" — with the BSI, BKA and Bundespolizei among the bodies gaining expanded authority to detect and counter large-scale, high-damage attacks (the announcement does not break the new powers down per agency in technical detail). For CH/EU defenders the watch item is the cross-border incident-response implication: once in force, German-authority active operations against infrastructure that may be hosted in or transit other jurisdictions raise coordination and deconfliction questions for any SOC running IR across the DACH region. Track the Bundestag passage; nothing changes operationally until it lands.