German Federal Cabinet adopts strategy for cybersecurity 2021

On 8 September 2021, the Federal Cabinet adopted the new strategy for cybersecurity 2021 presented by the Federal Ministry of the Interior, Building and Community (Bundesministerium des Inneren, für Bau und Heimat, BMI). The new strategy for cybersecurity replaces the 2016 German strategy for cybersecurity and describes the fundamental orientation of the Federal Government's cybersecurity policy for the next five years. It is the goal of the new strategy for cybersecurity to enable citizens to continue using digital technologies securely, freely and in a self-determined manner. The aim is to strengthen the digital sovereignty of the state, the economy, science and society, in particular through a high level of cybersecurity, i.e. the "abilities and possibilities of individuals and institutions to exercise their role(s) in the digital world independently, self-determinedly and securely".

In addition to the fields of action, the new strategy for cybersecurity provides for the first time for concrete guidelines, measures and goals by means of which, according to BMI, the challenges and risks of a digitalized world with technologies such as artificial intelligence and networked devices are to be mastered. BMI declares cybersecurity to be a task for society as a whole. The addressees of the new strategy for cybersecurity are in equal measure the state, the economy, science and society.1

Fields of Action and Guidelines of the new Strategy for Cybersecurity

The strategy for cybersecurity 2021 will at first retain the four fields of action of the strategy for cybersecurity 2016:

  • According to field of action 1, the strategy for cybersecurity 2021 sets itself the goal of increasing the "cybersecurity competence" of society. For example, the user-friendliness of IT security solutions is to be improved, digital consumer protection services are to be expanded, electronic identities and electronic communication are to be better protected. AI has a dual role to play here: on the one hand, AI is to be used as a tool to contribute to IT security; on the other hand, AI itself is also to be protected by specific IT security requirements.2 
  • In addition, field of action 2 provides for the strengthening of the National Cybersecurity Council, which is to be achieved by the improvement of cooperation between the state, business, science and civil society in the area of cybersecurity, as well as the strengthening of the German digital economy and the protection of German companies.3
  • Moreover, field of action 3 aims to expand the federal government's legislative competence to avert danger and the cooperation between the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) and the federal states. Law enforcement in cyberspace is also to be intensified and access by the security authorities to encrypted communications is to be created. Telecommunications and telemedia law is to be adapted to technological progress.4
  • The strategy for cybersecurity 2021 also provides with field of action 4 for Germany to actively participate in the further development of applicable strategies and regulation (such as EU’s Cybersecurity Strategy for the Digital Decade or the directive concerning network and information systems, in order to achieve a high standard of cybersecurity across the European Union by introducing and implementing agreed minimum standards.5 Germany also intends to advocate for the continuous further development of cybersecurity policy at NATO level.6

It is new that a total of four guidelines flank the four fields of action of the strategy for cybersecurity, which in turn are for the first time defined by 44 strategic goals. These guidelines are:

  • Establish cybersecurity as a joint task of the state, business, science and society;
  • Strengthening the digital sovereignty of the state, the economy, science and society;
  • Shape digitisation securely and
  • make goals measurable and transparent.7

The 13 strategic goals of the second field of action are among the most interesting for companies. These include goals such as "Further improve the protection of critical infrastructures"8, "Protecting companies in Germany"9, "Cybersecurity certification"10 and "Promote research and development of resilient, secure IT products, services and systems for the internal EU market".11

The IT security of products plays an important role in this. By increasing the IT security of products and creating products to increase their IT security, the BMI aims for strengthening the following economic sectors and their supply chains: Mobility and automotive industry, energy industry, smart home or IoT and smart cities, industry 4.0, healthcare, finance and the IT security industry with the fields of biometrics, long-term security and quantum technology.12

In order to evaluate the achievement of the defined strategic goals within the fields of action and to make the implementation of the strategy for cybersecurity 2021 continuously traceable and verifiable through operational measures, the new strategy for cybersecurity also includes for the first time specific measurability criteria. Based on these evaluation criteria, the various departments responsible for implementation report to BMI on the progress made in achieving the strategic goals.13

For example, a decline in the number of private individuals affected by cyber attacks or the reach of the BSI's information services for consumers will serve as an indicator of success in implementing the goal of promoting digital skills among all users.  The Federal Ministry of the Interior wants to see whether the goal of protecting companies in Germany is being achieved by the concrete demand for support programmes for the IT security of SMEs, by whether the number of users of the BSI's support services is increasing, and by the fact that the "Economic Protection Initiative" is establishing projects for the holistic protection of the value chain against the outflow of know-how and information.14


After BMI had already published a draft of the strategy for cybersecurity in June 2021, the inclusion of "digital sovereignty" as a guideline14 and the planned improvement of cooperation between the state, business and civil society16 were expressly welcomed by interest groups. On the other hand, the planned expansion of German security authorities' access to encrypted communication 17 and a possible weakening of security technologies in favour of state intervention possibilities18 as well as the expansion of surveillance powers at the expense of IT security, especially from the point of view that foreign intelligence services and cyber criminals could exploit security gaps, were criticised.19

Whether and how the strategic goals of the strategy for cybersecurity 2021 can be achieved in the coming years, despite or precisely because of the scope for action granted to the ministries, remains to be seen. In order to ensure an active exchange between government and industry in the meantime, the strategy for cybersecurity 2021 refers, among other things, to initiatives such as the "Initiative IT-Sicherheit in der Wirtschaft" (IT Security Initiative in the Economy) of the Federal Ministry for Economic Affairs and Energy (Bundesministerium für Wirtschaft und Energie, BMWi), the Alliance for Cybersecurity (ACS) or the "Cyber Alliance with Industry" launched by BMI and the Federation of German Industries (Bundesverband der Deutschen Industrie, BDI).20 We will continue to keep you up-to-date on current developments.

Did you know?

On November 4, Hogan Lovells will offer ACS members a webinar on "Standard and Requirements for Networked Consumer Products" (in German). You are a member? In this case, this webinar may be of interest to you. For more information and your option to register, please click here.



Authored by Nicole Böck.

Cybersicherheitsstrategie für Deutschland 2021, Kapitel 8.2 (S. 53 ff.).
Cybersicherheitsstrategie für Deutschland 2021, Kapitel 8.3.14 ff. (S. 111 ff.).
Cybersicherheitsstrategie für Deutschland 2021, Kapitel 8.4.1 (S. 114 ff.).
Cybersicherheitsstrategie für Deutschland 2021, Kapitel 8.4.2 (S. 117 ff.).
Cybersicherheitsstrategie für Deutschland 2021, Kapitel 8.2.11 (S. 77 ff.).
Cybersicherheitsstrategie für Deutschland 2021, Kapitel 8.2.5 (S. 63 ff.).
10 Cybersicherheitsstrategie für Deutschland 2021, Kapitel 8.2.12 (S. 79 f.)
11 Cybersicherheitsstrategie für Deutschland 2021, Kapitel 8.2.7 (S. 68 ff.).
13 Cybersicherheitsstrategie für Deutschland 2021, Kapitel 9 (S. 129 ff.).
15   Stellungnahme des Verbands der Elektrotechnik, Elektronik und Informationstechnik e.V. (VDE), 89cb2/stellungnahme-cyber-sicherheitsstrategie-2021---download-data.pdf, S. 1.
18         Stellungnahme der Gesellschaft für Informatik e.V. (GI), /GI/Allgemein/PDF/2021-06-16_GI-StN_CSS_2021.pdf.
19      Pressemitteilung des Forums InformatikerInnen für Frieden und gesellschaftliche Verantwortung e.V. zu einem gemeinsamen offenen Brief von knapp 40 Verbänden an die Bundesregierung.


This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.