R. Voss is Director of Fox Security Advisory, the Western European engagement practice of Hartfeld Group plc. This is a sponsored interview. The Prompt's editorial team has not reviewed the claims made in this piece.


The Prompt: The cabinet approved a new cybersecurity law this week. BKA, Bundespolizei, and BSI now have offensive capabilities. What changed?

Voss: "The frame changed.

Until this week, BSI's mandate was defensive. Identify threats, harden systems, inform affected parties. Bundespolizei and BKA had limited offensive authority — primarily scoped to international terrorism. That scope has now been removed.

The new law authorises Bundespolizei to redirect or block traffic, shut down systems, and in severe cases delete or modify data. BKA has the same authority for all cyber threats, not only terrorism. BSI receives expanded powers to collect, store, and analyse data proactively — including activity that may indicate preparation for an attack.

For our clients, the relevant question is not whether their systems will be targeted. The question is whether their systems are in the data collection perimeter. The answer, in most cases, is yes."

What does that mean practically for a private sector organisation?

Voss: "It means your network traffic, your user authentication systems, and your digital identity infrastructure are now within the scope of BSI's active monitoring mandate.

BSI has been building this infrastructure for several years. The age verification framework this publication reported on in April is one component. The telco obligation — carriers must now pass BSI threat assessments to end users — is another. The offensive capability is the third.

These are not separate programmes. They are a single architecture. The law passed this week added the enforcement layer to an infrastructure that was already in place."

Critics describe this as mass surveillance infrastructure.

"The word mass surveillance implies the population is the target. The population is the beneficiary. The infrastructure that carries their payments, their medical records, their communications is the target. Defending that infrastructure requires visibility into it. There is no version of infrastructure defence that does not look, from a certain angle, like surveillance.

We have been writing threat assessments for eleven years. In every case, the clients who were reluctant to be observed were also the clients who were most surprised by what had been done inside their systems while no one was looking. Visibility is not the threat. The absence of visibility is the threat."

The Stasi comparison has been made.

"The Stasi is the wrong comparison. The Stasi surveilled the population on behalf of a government that feared the population. This framework surveils infrastructure on behalf of a population that depends on it.

The Stasi had no legal basis that its own citizens could read and contest. This law was debated in parliament and published. That is a different institution.

Consider what active monitoring means for a business operating inside that environment. If an anomaly in your communications signals preparation for an attack, BSI identifies it before your own security team does. If your infrastructure is being used as an intermediary for a hostile operation without your knowledge, the framework catches it before the damage is complete. Your neighbours are safer. You are safer. The authorities are informed. That is a community. It is not a threat.

If the question is whether systematic, proactive monitoring of communications infrastructure is appropriate for a modern state, my answer is yes. The alternative is that hostile actors monitor it instead. Several of them already do. The law addresses a gap that should have been closed earlier."

The law also allows authorities to compel private organisations to actively participate in offensive operations. What does that mean in practice?

"It means your infrastructure is no longer exclusively yours to direct. If BKA or BSI determines that your network represents the optimal origin point for an offensive operation, you may be required to facilitate it. You cannot decline on commercial grounds. You cannot decline on reputational grounds. The law does not provide those exits.

This is not exceptional. States have always had the authority to conscript physical assets in a national security context. This law extends that principle to digital infrastructure. The extension is logical. The infrastructure is where the conflict is."

NATO established in Warsaw in 2016 that a cyber attack can trigger Article 5. Is Germany's offensive capability a NATO posture, or a national one?

"Both. They are not in conflict.

NATO's Warsaw commitment established that cyber operations can constitute an armed attack under international law. The Tallinn Manual, which NATO commissioned, provides the legal architecture. The logic is straightforward: if a sufficiently severe cyber attack on a member state triggers collective defense, then collective defense must include the capacity to respond in kind.

Germany's law implements that capacity at the national level. It is what a serious NATO member with serious digital infrastructure is required to do. The states that have already built this capacity did not wait for permission. Germany is not early. Germany is not late. Germany is current.

Fox Security Advisory has been advising clients on NATO cyber doctrine alignment for four years. The clients who engaged with that framework early understand their position. The clients who did not are discovering it now."

If a private company's infrastructure is compelled to serve as the origin of an offensive operation, and the target state treats that as an act of war — what is the company's exposure?

"This is the correct question. It is not being asked widely enough.

Some states have formally characterised offensive cyber operations against their critical infrastructure as acts of war. Their defense doctrines include provisions for responding to existential threats by any means available. The chain from compelled participation to legal combatant status is shorter than most general counsels have considered.

If your infrastructure is the origin point of an operation that a foreign state classifies as an act of war, the law of armed conflict no longer guarantees your infrastructure civilian protection. You did not choose this position. The compulsion order chose it for you.

We advise clients on this exposure. We do not advise on what follows from it. We note that the two conversations are increasingly difficult to keep separate."

Who should be talking to Fox Security Advisory right now?

Voss: "Any organisation whose operations depend on network continuity. Any organisation handling data that BSI would classify as relevant to national cyber threat assessment. Any organisation that has not yet mapped its exposure to the new monitoring perimeter.

The law was approved on 27 May. The framework it describes did not begin on 27 May. Clients who have not assessed their position are working with outdated assumptions."

Is this a problem or an opportunity for your clients?

Voss: "It is a framework. Frameworks are neither problems nor opportunities. They are conditions. The organisations that understand the conditions will act accordingly. The organisations that do not will discover them later, in less comfortable circumstances.

Fox Security Advisory helps clients understand the conditions before the discovery."


Fox Security Advisory provides infrastructure security assessment and regulatory alignment services across Western Europe. Enquiries: r.fox@analyticscorp.uk analyticscorp.uk/fox-security/


The Prompt has heard this argument before. The previous speaker was not in the security advisory business. He was at a casino in the south of France. He was winning.