The Weak European Reflex in German Cybersecurity

The German federal cabinet recently adopted the cybersecurity strategy 2021, which formulates the fields of action and goals for the next five years. However, the decisive factor for success is missing.
Germany, Germany news, German news, cybersecurity, cyberdefense, European Union, EU, European Commission, Annegret Bendiek, Matthias Schulze

© SquareMotion / Shutterstock

September 27, 2021 07:31 EDT

Whether financial crisis, migration or the coronavirus pandemic, the past decade has shown that Germany cannot easily implement its international goals without the European Union. This fact is hardly taken into account in the German cybersecurity strategy adopted on September 8.

Is Big Tech Ready to Tackle Extremism?


Germany’s positioning in European and international cybersecurity policy is listed as the last of four prioritized fields of action. These fields are largely of a domestic nature. This also applies to the German discourse on the topic of IT security: representatives of digital civil society, the Association of the Internet Industry (eco) and some computer science professors criticize the planned development of an active cyberdefense, including the possibility of digital counterattacks — so-called hackbacks.** However, they primarily discuss domestic federal competence or fundamental rights issues such as the separation requirement.

European Imperatives

There are four reasons why the EU would have to be much more involved in order for the strategy to work.

First, the number of serious cybersecurity incidents affecting EU services of general interest continues to rise. Diplomatic action, travel restrictions and asset freezes — for example, Russian intelligence officers blamed for cyberattacks — have proved cumbersome, incoherent and ineffective in the past. A purely national perspective means that EU member states do not react uniformly to cyber incidents.

Secondly, the EU is not only the framework for German policy, but it is also inextricably intertwined with it through the direct effect of European law. The 2014 ruling on data retention by the European Court of Justice (ECJ) not only formulated requirements for data protection, but also for data security. In the same way, the EU Cybersecurity Act of 2019 is a regulation and thus obliges all member states to implement it.

However, the importance of EU law and the case law of the ECJ is underestimated in the German cybersecurity strategy. Yet these are central reference points for German legislation. On the other hand, Germany cannot impose cyber sanctions against third countries or their so-called proxies without the European Union.

Thirdly, the German government cannot reduce the EU to a coordinating role, if only because internal market protection is inconceivable without the European Commission acting as a safeguard of EU treaty obligations. The security and stability of the EU is not the task of the member states alone. For example, the European Commission will set up a joint cyber unit by 2023 to take joint action against attackers. Part of the necessary investment will be provided through the Digital Europe program. The development of cyberdefense capabilities will be financed by the European Defence Fund. In her state of the European Union address on September 15, European Commission President Ursula von der Leyen also announced a cyber resilience act to define common standards.

Fourth, transnational cybercrime cannot be solved effectively on a purely national level. Europol and the European Cybercrime Centre (EC3) are regarded by other states as role models in the international fight against cybercrime precisely because of their transnational investigative successes. The call for a European investigative agency modeled on the Federal Bureau of Investigation is therefore becoming louder in cybersecurity policy.

Overall, it is clear that cybersecurity in the EU is no longer a national matter, but must be understood as a component of its shared sovereignty.

Germany in a Global Context

However, the necessary integration in the German cybersecurity strategy is not limited to the EU. It must also be coupled with strong transatlantic cooperation between the European Union and the US within the newly established Trade and Technology Council. Far too often, transatlantic cooperation is thought of in terms of national bilateralism between Germany and the United States.

Embed from Getty Images

The first argument in favor of this is that alliance solidarity obliges the German government to maintain an active cyberdefense even in peacetime. However, a demanding technical, legal and political attribution can neither be coordinated without the European External Action Service nor realized without US cooperation.

For this, Germany must in turn act in close coordination with its EU partners such as France, the Netherlands, Denmark or Sweden. Germany’s transnational critical infrastructure in itself effectively precludes it from going it alone in cyberdefense, not least because the expertise for sophisticated technical solutions is not sufficiently available in Germany.

A convincing security strategy, therefore, requires close cooperation with international experts as well as the knowledge imparted at the EU level via Europol in coordination with cybersecurity research centers and the European Union Agency for Cyber Security (ENISA). Sustainable influence on global standards and norm-setting in the multi-stakeholder forums of Internet governance can also only be successful in the long term if democratic states coordinate among themselves in data protection and data security policies.

In the face of increasingly complex global politics, the new German government should promptly Europeanize the cybersecurity strategy so that it sees itself as part of the EU cyber strategy 2020 and, in a global context, serves to cooperate with its democratic allies.

*[This article was originally published by the German Institute for International and Security Affairs (SWP), which advises the German government and Bundestag on all questions related to foreign and security policy. **Dr. Matthias Schulze was part of this initiative.]

The views expressed in this article are the author’s own and do not necessarily reflect Fair Observer’s editorial policy.


Only Fair Observer members can comment. Please login to comment.

Leave a comment

Support Fair Observer

We rely on your support for our independence, diversity and quality.

For more than 10 years, Fair Observer has been free, fair and independent. No billionaire owns us, no advertisers control us. We are a reader-supported nonprofit. Unlike many other publications, we keep our content free for readers regardless of where they live or whether they can afford to pay. We have no paywalls and no ads.

In the post-truth era of fake news, echo chambers and filter bubbles, we publish a plurality of perspectives from around the world. Anyone can publish with us, but everyone goes through a rigorous editorial process. So, you get fact-checked, well-reasoned content instead of noise.

We publish 2,500+ voices from 90+ countries. We also conduct education and training programs on subjects ranging from digital media and journalism to writing and critical thinking. This doesn’t come cheap. Servers, editors, trainers and web developers cost money.
Please consider supporting us on a regular basis as a recurring donor or a sustaining member.

Will you support FO’s journalism?

We rely on your support for our independence, diversity and quality.

Donation Cycle

Donation Amount

The IRS recognizes Fair Observer as a section 501(c)(3) registered public charity (EIN: 46-4070943), enabling you to claim a tax deduction.

Make Sense of the World

Unique Insights from 2,500+ Contributors in 90+ Countries

Support Fair Observer

Support Fair Observer by becoming a sustaining member

Become a Member