Germany's Gesetzentwurf zur Stärkung der Cybersicherheit: cabinet-approved active-cyberdefence powers for BKA, Bundespolizei and BSI

On 27 May 2026 the German Federal Cabinet adopted the Gesetzentwurf zur Stärkung der Cybersicherheit, now proceeding to Bundestag (German Federal Government, 2026-05-27; Digital Watch Observatory, 2026-05-31). The law grants: the BKA and Bundespolizei authority to shut down or disrupt attacker-controlled infrastructure including servers located outside Germany, reroute data traffic, and collect/modify/delete data on foreign systems; the BSI expanded authority to collect threat-preparation data and require telecoms and major platforms to relay BSI threat warnings to end users. Interior Minister Dobrindt: "In future, we will target the attacker, their servers, their software and their strategy." Personnel implications: BKA +264, Bundespolizei +90, BSI +21 positions by 2030. Civil-society analysis flags constitutional concerns (Basic Law, cross-border state action, jurisdictional conflict with Länder). For DACH/EU defenders: (a) once enacted, telecoms/platform operators gain a new duty-to-relay obligation for BSI warnings; (b) the law sets a precedent for EU active-cyberdefence norms that Swiss forthcoming cyber-resilience legislation (draft expected autumn 2026) will need to address.