7 November 2024

Germany proposes new law to protect security researchers and toughen penalties for cybercrime


The German Federal Ministry of Justice has released a draft law designed to offer legal protection to IT security researchers who identify and responsibly report cybersecurity vulnerabilities. The new legislation seeks to clarify that specific actions taken by security researchers, IT security companies, and ethical hackers, when aimed at detecting and closing security gaps, will not be punishable under existing computer criminal law.

The draft law introduces several key updates, targeting both the protection of ethical cybersecurity practices and the strengthening of penalties for serious cybercrimes.

One of the draft law's main objectives is to exempt certain cybersecurity activities from criminal prosecution. Under current German law, security researchers risk prosecution for ‘unauthorized’ access to data when identifying system vulnerabilities. The new amendment proposes adding a specific clause to Section 202a of the German Criminal Code (StGB), clarifying that access intended solely to detect and close security gaps will not be classified as ‘unauthorized.’

The draft law also imposes harsher penalties for severe cases of spying on or intercepting data. In particular, it defines ‘particularly serious cases’ in which offenders would face increased penalties. These cases include incidents resulting in substantial financial loss, acts driven by greed or organized crime, and actions that compromise the security or operational integrity of critical infrastructure or governmental institutions. If a crime affects Germany's national security or critical infrastructure, even if conducted from abroad, offenders could face prison sentences ranging from three months to five years.

The proposed amendment to the German Criminal Code was published on November 4, 2024, and has been sent to German states and relevant industry associations for comment, with feedback open until December 13, 2024.

