German intelligence services gain statutory authority to actively penetrate foreign attackers’ IT systems, copy and delete data, and deliberately spread disinformation under strict conditions.
The NISG 2026 contains unclear provisions on CSIRT capabilities stemming from a rejected EU Parliament draft, and Recital 44 on monitoring internet assets lacks a corresponding article, creating interpretation uncertainty.