08.07.2026

eco on German Cybersecurity Policy: Association Warns of Attack on Digital Civil Liberties

  • eco warns against cyber regulation that endangers digital civil liberties and trustworthy communication on the Internet.
  • NIS2, the German KRITIS Umbrella Act, the Cyber Resilience Act and the Cybersecurity Act must interlock more effectively instead of creating new duplicate obligations.
  • Cyberdome and state cyber defence must remain clearly defensive and be guided by proportionality, legal certainty and the protection of fundamental rights.

With a new position paper on current cybersecurity policy, eco – Association of the Internet Industry warns against the increasing tightening of security-policy interventions in the digital sphere. From the association’s perspective, cybersecurity rules are currently becoming not only denser, but also more intrusive.

NIS2, the German KRITIS Umbrella Act, the Cyber Resilience Act, the revision of the Cybersecurity Act, the German Act to Strengthen Cybersecurity, new data obligations and plans for a Cyberdome are fundamentally changing the relationship between the state, companies and digital infrastructures. What may initially sound like technical regulation directly affects people’s digital civil liberties. It concerns the security of networks, the availability of digital services, the protection of private communication and the question of how far the state may intervene in data flows, systems and communication channels.

From eco’s point of view, this question becomes particularly clear in the plans for a Cyberdome. Such an approach can only make sense if it remains defensive. Better situational awareness, earlier warnings, faster information sharing and concrete support for affected companies can increase security. Offensive interventions, unclear concepts of active cyber defence or measures that interfere with third-party systems do not belong here.

“Cybersecurity must not become a Trojan horse for state control over the digital sphere,” says Klaus Landefeld, member of the eco Board. “If the state can influence data flows or oblige providers to intervene in network infrastructures, this is no longer normal threat prevention. It then becomes a matter of principle: how trustworthy will communication on the Internet remain in future? Such instruments follow an authoritarian security logic and have no place in a liberal democracy.”

In the position paper, eco emphasises that Germany and Europe need effective cybersecurity. Attacks on companies, critical infrastructures and digital services are increasing. However, in the association’s view, security is not created through new regulation, but through clear responsibilities, practical procedures and close cooperation between the state and industry.

“Companies need protection against cyberattacks, but not regulation that paralyses them in an emergency,” says Landefeld. “Anyone who has to report, document and assess the same risks multiple times loses valuable time without making even a single system more secure. Cybersecurity is not created by paperwork, but by clear responsibilities, fast procedures and trust between the state and industry.”

From eco’s perspective, NIS2, the German KRITIS Umbrella Act, the Cyber Resilience Act and the Cybersecurity Act must interlock more effectively. Companies must not be required to assess, document and report the same risks multiple times. Providers of digital services in particular need uniform terminology, coordinated supervision and digital reporting channels that also work during an acute attack situation.

The German Federal Office for Information Security (BSI) has a central role to play here. Above all, the BSI should enable companies to identify risks, implement security measures and manage incidents effectively. Companies that fall under new requirements for the first time in particular need legally certain guidance and practicable standards instead of additional uncertainty.

eco also calls for greater clarity in the protection of critical infrastructures. Digital attacks, physical sabotage, supply-chain risks and hybrid threats cannot be treated separately in a crisis. The German KRITIS Umbrella Act must therefore not create a parallel system of obligations alongside NIS2. Emergency planning, security concepts and recovery capability must be considered together.

eco is also critical of tendencies to politically charge cybersecurity certification. Certificates can create trust if they remain technical, transparent and risk-based. By contrast, blanket supplier-related restrictions, political high-risk classifications or de facto replacement obligations for existing infrastructure would create new uncertainty and weaken the Digital Single Market.

“A Cyberdome must not become a cover name for offensive interventions in digital infrastructures,” says Landefeld. “Measures that interfere with third-party systems or alter data are technically risky, highly problematic in legal terms and politically explosive. The state must protect digital infrastructures, not increase their manipulability. Anyone who takes cybersecurity seriously draws a clear red line here.”

eco calls on the German federal government and European legislators to align cyber regulation consistently with security, proportionality and the protection of fundamental rights. Good cybersecurity policy strengthens trust, protects digital rights and makes companies more resilient. It must not result in the digital sphere gradually becoming more controllable, monitorable and steerable.

The full paper (in German) can be found here.

eco Board Member Klaus Landefeld on the German Coalition Agreement: “A surveillance overview bill must not just be lip service”