Technical Analysis: 2025 German Coalition Agreement

Introduction of a digital identity, surveillance powers, state cybersecurity strategy and comprehensive intelligence integration.

Heidelberg, Germany - September 26, 2025

1.1. Executive Summary

The 2025 German coalition agreement marks a profound shift in the state's relationship with its citizens. Under the guise of modernization and public safety, it introduces an integrated surveillance program that stretches across digital identity, law enforcement, intelligence, and cybersecurity.

Key measures include:

While these measures may appear fragmented, in combination they construct a system of default observability: not surveillance by emergency, but surveillance by design. The implications for privacy, accountability, and democratic agency are systemic.

1.2. Introduction

The 2025 German coalition agreement, jointly authored by CDU, CSU, and SPD, sets a comprehensive roadmap for the next legislative term. In its ambition to modernize the state and respond to contemporary geopolitical, technological, and demographic challenges, it outlines far-reaching reforms across digital administration, cybersecurity, internal security, and intelligence collaboration.

While many of these measures are presented as necessary steps toward efficiency and resilience, a closer inspection reveals a significant shift in the relationship between the citizen and the state. Key provisions enable a range of surveillance capabilities: from biometric profiling and automated data analysis to expanded investigative powers and mandatory digital identities.

This analysis critically examines selected parts of the coalition agreement that, when read in context and in connection with one another, reveal the foundation of a technologically sophisticated and institutionally integrated surveillance infrastructure. Particular attention is paid to how surveillance capabilities are embedded into administrative modernization and digital public services, not only through explicit security policy but through the very architecture of state-citizen interaction.

1.3. Comprehensive Digital Identity: Infrastructure of Control

At the heart of the coalition's digital governance strategy is a transformation of public administration. Citizens will no longer interact with the state through fragmented, analog, or paper-based processes. Instead, the agreement envisions a “One-Stop-Shop”, described as a fully digital, centralized interface for all administrative interactions: “Every citizen will receive a mandatory citizen account and a digital identity. We will provide the EUDI Wallet […] enabling identification, authentication, and payments” (lines 1804 - 1806)

This shift introduces not only a functional digital identity but an obligatory registration and authentication infrastructure, backed by European-level digital identity standards. The intention is to reduce bureaucratic friction, but the side effect is the elimination of anonymous or pseudonymous interaction with core state functions. Combined with the plan to make most administrative processes “digital-only” (line 1802), the state becomes a mandatory digital gatekeeper.

What makes this particularly concerning from a civil liberties standpoint is that this infrastructure is not isolated to a few high-security domains. Instead, it applies across the entire citizen lifecycle:

The implications are clear: this digital identity becomes a single point of integration, observation, and control, capable of linking financial transactions, administrative behavior, and biometric data under one centralized profile. While the coalition agreement briefly acknowledges the need for "assistance for those unwilling or unable to use the digital path" (line 1807), there is no indication that non-participation remains a viable, rights-equivalent alternative.

The agreement normalizes the idea of an all-seeing administrative infrastructure by embedding surveillance potential into routine digital interaction and infrastructural dependence. This type of surveillance is both totalizing and invisible, operating through the architecture of citizenship itself.

1.4. Legalized Infiltration: Surveillance as Default

The coalition agreement foresees a robust expansion of state powers to surveil and investigate individuals, supported by legislative changes and the use of advanced technologies. While framed in terms of public safety and prosecutorial efficiency, the proposals open the door to deeply invasive forms of monitoring, both proactive and retroactive, and often blur the line between suspicion-based investigation and systemic preemption.

IP Address Retention and Device Surveillance

One of the key provisions is the reintroduction of data retention, a practice that was previously contested by constitutional and European courts: “We introduce a proportionate and constitutionally and EU-law compliant three-month retention obligation for IP addresses and port numbers, in order to associate them with a subscriber” (lines 2630 - 2632)

Though the proposal attempts to avoid prior legal pitfalls by limiting the retention period and narrowing the scope, it nonetheless re-establishes a framework for the systematic logging of digital behavior. Even with a three-month limit, this enables retrospective user tracking across platforms and services, should the data be requested by authorities.

In parallel, the agreement allows “Quellen-TKÜ” (source telecommunications surveillance, more commonly known as a state trojan) for the Bundespolizei: “We allow the Federal Police, within their limited jurisdiction, to apply source TKÜ to combat serious crime, without access to retroactively stored data” (lines 2632 – 2633)

This authorizes direct infiltration of a suspect's device, enabling real-time access to encrypted communication (e.g., messaging apps). While “retroactive access” is ruled out, the potential for live keystroke logging, message interception, and file access remains substantial.

These provisions must be read in the context of the global proliferation of commercial spyware, most notably the Pegasus software developed by NSO Group and its usage by German authorities. Pegasus enabled states worldwide, including EU members, to infiltrate mobile devices, bypass encryption, and surveil journalists, activists, and political opponents. While Germany claims domestic control and judicial oversight, the legalization of similar technical capabilities via Quellen-TKÜ aligns with the same global trend: embedding surveillance capabilities at the device level under the pretext of national security. The coalition agreement provides no indication that comparable abuses would be structurally impossible under its proposed regime.

Automated and Biometric Analysis

Beyond traditional surveillance, the agreement introduces provisions for advanced algorithmic and biometric tools: “Authorities shall be allowed to perform automated data search and analysis, as well as retroactive biometric matching using publicly available internet data, including through artificial intelligence” (lines 2635 - 2636)

This effectively legitimizes the automated scraping and analysis of online media, e.g., images and videos from social platforms, for facial or behavioral recognition. It represents a paradigm shift from targeted investigation to data-driven pre-identification. The line between open-source intelligence (OSINT) and state-enabled mass biometric mining is left intentionally vague.

Additional clauses reinforce this trend:

These measures, especially in tandem, create a powerful toolset for reconstructing movements, contacts, and actions of individuals across public and digital spaces, even if those individuals were not initially under suspicion.

While the coalition agreement does not explicitly mention the European Union's “ChatControl” proposal, which is a planned regulation to combat child sexual abuse, the overlap in logic is significant: both introduce backdoors for content inspection, rely on client-side scanning, and challenge encryption as a privacy guarantee. Should ChatControl pass at EU level, the infrastructure laid out in the coalition agreement would be well-suited for national implementation, further eroding confidential digital communication.

Extension of Legal Bases for Surveillance

The agreement also commits to expanding the legal basis for surveillance by amending criminal procedure law:

These clauses expand state access to metadata and historical connection records. The cell tower search in particular allows mass acquisition of location data from mobile devices within a geographic area during a specified time, effectively scooping up data on all individuals in proximity, not just suspects.

Together, these provisions form a layered surveillance architecture:

While individually justified by crime prevention or prosecution, in concert they amount to an infrastructural framework for total digital observability. The agreement gives little attention to the risk of false positives, systemic bias, or the chilling effects on political expression and dissent.

These surveillance extensions align closely with Nancy Faeser's draft reform of the BKA-Gesetz, promoted by the Federal Ministry of the Interior. That draft envisions expanded undercover operations, long-term surveillance measures, and looser oversight mechanisms, many of which are implicitly prepared by the legal scaffolding of this coalition agreement.

1.5. Interconnected Security and Intelligence Architecture

Beyond extending individual investigative tools, the 2025 coalition agreement also outlines a significant transformation of Germany's internal security architecture. At the center of this shift is a move toward deeper integration, not only among police, intelligence services, and cybersecurity agencies, but also across administrative and civil domains. This integration is presented as a matter of national resilience and operational efficiency, yet it inherently raises concerns around institutional overreach, accountability, and separation of powers.

Merging Security and Civil Information Ecosystems

A central passage illustrates this approach: “We will fundamentally improve data exchange between security authorities (especially P20, joint storage systems) and with civilian agencies” (lines 2640 – 2641)

The term “P20” refers to a German initiative aimed at developing interoperable platforms across police and intelligence institutions. When linked to "Verbundspeicherung" (joint storage), this signals a deliberate dismantling of long-standing informational silos between different types of government authorities, e.g., criminal police, internal intelligence, migration offices, and welfare agencies.

Such consolidation is not neutral. It facilitates systemic profiling across multiple state domains, from administrative irregularities to behavioral red flags, potentially used in combination with psychological risk assessments: “To prevent further acts of violence [...] we will ensure early detection of risk potentials in persons with psychological abnormalities. For this, we will introduce joint risk assessments and an integrated cross-agency risk management system.” (lines 2642 – 2645)

This marks a clear move toward pre-crime logic, where suspicion arises not from actions but from behavioral or psychological patterns, flagged and processed by interlinked systems.

Intelligence Services and Centralization of Technical Capabilities

Another core component is the reorganization and empowerment of Germany's intelligence services, both structurally and technically:

ZITiS, the Central Office for Information Technology in the Security Sector, plays a controversial role in developing surveillance tools, including lawful hacking capabilities and cryptanalysis. Its integration into a broader, cross-agency cyber-intelligence center indicates a technological consolidation of surveillance capacities, potentially reducing transparency even further, given the classification and executive shielding of intelligence agencies.

The intelligence collaboration foreseen in the agreement raises additional concerns in the context of transnational intelligence sharing. Germany is increasingly integrated into European and transatlantic signals intelligence networks. Without stronger transparency guarantees, there is a risk of foreign influence over domestic surveillance infrastructure, or of a new “Crypto AG” scenario, where technical backdoors facilitate covert international data access.

Operational Convergence and the Erosion of Legal Barriers

Traditionally, Germany has maintained strong legal distinctions between its different types of agencies:

The coalition agreement dismantles these walls not by abolishing them explicitly, but by engineering cooperation and information sharing by default. Once these systems are technically interoperable and justified via shared risk logic, the distinctions blur. A data point collected by a welfare office or migration bureau might inform an intelligence assessment. A psychological evaluation might trigger police action, even without a criminal offense.

Impact for Citizens and Residents

In its drive toward integration, the agreement sets the stage for a pervasive intelligence-state model, where risk perception, suspicion, and predictive analytics become shared reference points across all levels of government. This shift is not marked by a single authoritarian turn, but by the quiet normalization of executive interoperability, underpinned by new technologies, new legal instruments, and a public discourse focused on safety and modernization. Without firm legislative safeguards and democratic oversight, these developments may undermine the constitutional principles they claim to uphold, including proportionality, purpose limitation, and the fundamental right to informational self-determination.

1.6. The Digital Fortress: Redefining Defense as Control

Traditionally, cybersecurity is understood as a defensive discipline: protecting digital systems, networks, and data from unauthorized access or disruption. In the 2025 coalition agreement, however, cybersecurity is redefined not only as a matter of defense, but as an area of strategic sovereignty, state authority, and intelligence coordination. The result is a security framework in which digital resilience and digital control become indistinguishable, and where the cybersecurity apparatus itself forms the backbone of surveillance capabilities.

Reframing Cybersecurity as State Hardening

The agreement repeatedly emphasizes the expansion and centralization of cybersecurity responsibilities, especially under the Bundesamt für Sicherheit in der Informationstechnik:

These lines signal a shift from technical advisory to operational authority, making the BSI not just a support unit but a coordinating power center in Germany's security architecture. It will oversee government networks, mediate cyber incidents, and interface with other security agencies, all under the language of “resilience” and “national sovereignty”.

Yet hardening state networks also means gaining deeper visibility into those networks, and by extension, the individuals and organizations that depend on them. The more critical infrastructure and public services become digitized under BSI oversight, the more metadata, behavioral indicators, and threat assessments pass through central government filters.

Active Cyber Defense and the National Cyber Defense Center

One of the more controversial commitments is the call to develop “active” capabilities:

The term active cyber defense is deliberately vague but often implies offensive operations, such as counter-hacking, disabling adversarial infrastructure, or preemptive digital action against perceived threats. Unlike passive protection, these capabilities often operate in legal gray zones, involve international attribution challenges, and blur the line between law enforcement, intelligence, and military action.

Moreover, “intensifying information exchange” in this context almost certainly includes:

This significantly broadens the domain of lawful interception and surveillance, justified under the broader umbrella of threat mitigation.

While the coalition agreement does not explicitly authorize the Bundeswehr to conduct “Hack Back” operations, the emphasis on active cyber defense and sovereign capability development lays the legal and technical groundwork. The blurred line between cyber defense and cyber offense raises serious questions about the militarization of digital space, particularly without parliamentary oversight. It is noteworthy that the Bundeswehr has expressed a strong desire to conduct hack-back operations over the past couple of years.

The push for "active cyber defense" must also be viewed against the backdrop of repeated attacks on critical infrastructure, including ransomware incidents affecting hospitals, regional governments, and public utilities. While these threats are real, their political function must be scrutinized. The coalition agreement frames sovereign digital defense as a necessity, but without clear limitations or transparency, the same justification loop that followed terror attacks (leading to expanded surveillance laws) may now replicate in the cybersecurity domain, this time under the banner of digital sovereignty.

ZITiS and the Weaponization of Technical Capacity

Perhaps the clearest indicator that cybersecurity is being weaponized as a surveillance instrument lies in the agreement's plan for ZITiS: “A priority for the intelligence services will be a stronger joint orientation toward the cyber and information domain, including through the creation of a new specialized technical central office, incorporating ZITiS” (lines 2683 – 2685)

ZITiS, originally conceived as a supportive R&D unit for the security sector, is now being embedded in an institutional core of cyber-intelligence governance. This reflects a broader trend: placing technical knowledge not in academic, private, or multistakeholder contexts, but under the exclusive jurisdiction of state agencies, often shielded from public scrutiny.

From lawful hacking to cryptographic weakening, from zero-day stockpiling to biometric analytics, the development and deployment of such technologies inside a centralized and executive-driven apparatus positions cybersecurity not just as protection, but as surveillance by design.

Overreach in Capabilities

The coalition agreement illustrates how cybersecurity is no longer a purely defensive concept. Through the expansion of state agencies, institutional centralization, and the integration of technical research into law enforcement and intelligence, Germany is building a dual-use infrastructure: one that protects critical systems but simultaneously empowers the state with unprecedented access, control, and intervention capabilities. This shift redefines cybersecurity, framing the digital realm as both a domain of governance and a battlefield. And in doing so, it risks embedding surveillance logic into the very fabric of technical infrastructure.

1.7. From Behavior to Threat: Pre-Crime by Design

A key passage explicitly introduces such mechanisms: “To prevent further acts of violence, such as those recently experienced, we will ensure the early detection of risk potentials in persons with psychological abnormalities. For this, we will introduce joint risk assessments and an integrated cross-agency risk management system” (lines 2643 – 2645)

This statement raises immediate concerns:

While couched in the language of violence prevention, this kind of infrastructure can quickly drift toward profiling vulnerable populations, particularly when combined with the surveillance capacities described in previous sections: biometric analysis, automated data mining, and AI-driven interpretation of social signals.

Though not detailed in the agreement, Germany's expanding biometric databases, particularly in the context of migration control, pose serious risks when integrated with risk-based surveillance. Fingerprint and facial databases built for border control could be increasingly repurposed, or queried, by domestic law enforcement under the new interoperability framework.

Expansion of Pre-Criminal Infrastructure

Though not always described explicitly in the text, the systemic implications are clear: the state moves toward establishing a pre-crime infrastructure, where:

This paradigm is reflected in other parts of the agreement as well:

Together, these create a network of silent evaluation, where the legal threshold for suspicion is replaced by algorithmic thresholds, subjective assessments, and automated flagging systems.

Risk-based profiling systems, especially when using vague indicators like “psychological abnormality” or behavioral anomalies, have a long and well-documented history of disproportionately targeting marginalized communities. Without strong anti-discrimination safeguards, there is a high risk that the agreement’s architecture enables or amplifies systemic racial profiling, especially in predictive policing or biometric surveillance zones.

Reframing the Role of the State

Traditionally, liberal democratic states distinguish between:

The coalition agreement erodes this boundary. By introducing risk-based assessment in both areas, the state becomes an anticipatory agent, always watching, always interpreting, always categorizing. This is particularly dangerous when applied to mental health, where misdiagnosis, misinterpretation of non-normative behavior, and cultural or linguistic bias are well-documented issues.

There is no indication of robust due process safeguards in this system:

The coalition's approach to early risk detection reflects a fundamental shift: from law enforcement to life enforcement, using digital tools, psychological indicators, and networked data to pre-classify individuals as potentially dangerous. Such systems, once normalized, are unlikely to remain limited to violent threats; they risk expanding to areas like dissent, nonconformity, or perceived social disruption. This is not a surveillance society built solely on cameras and trojans, but one based on silent diagnostics, where individuals are increasingly seen not as citizens, but as variables in a national threat model.

2. Clustered Translation of the Coalition Agreement

Digital Administration and Mandatory Digital Identity (original lines 1798 - 1809)

Administrative processes must be aligned with life circumstances. Increasingly, these processes will be carried out without the need for formal applications. For example, following the birth of a child, parents will automatically receive a child benefit notification. The modernization of social benefit administration will serve as a general blueprint. We are committed to consistent digitalization and a “digital-only” approach: administrative services should be made available digitally and easily via a central platform (“One-Stop-Shop”) - that is, without in-person visits or paper-based procedures. Every citizen will be mandatorily assigned a citizen account and a digital identity. We will make the EUDI Wallet available to citizens and businesses, enabling identification, authentication, and payments. Individuals who are unwilling or unable to use digital channels will receive support on site. For businesses, self-employed persons, and associations, we will provide specific access points. For example, we aim to enable company registrations within 24 hours.

Powers of Security Authorities (original lines 2629 - 2638)

We will introduce a proportionate, constitutionally and EU-compliant three-month retention obligation for IP addresses and port numbers, in order to enable attribution to a specific subscriber. Within their limited jurisdiction, we will authorize the Federal Police to deploy source telecommunications surveillance (Quellen-TKÜ) for the purpose of combating serious crimes, without access to retroactively stored data. For specific purposes, our security authorities shall, in accordance with constitutional requirements and the principle of digital sovereignty, be permitted to conduct automated data searches and analyses, as well as retroactive biometric matching using publicly accessible internet data, including through the use of artificial intelligence. For the purposes of criminal prosecution, we will permit the use of automated license plate recognition systems in recording mode.

Cooperation Between Security and Civil Authorities (original lines 2639 - 2646)

We will fundamentally improve data exchange between security authorities (in particular through P20 and joint data storage) as well as with civil authorities. The federal government will contribute its share to adequate funding. In order to prevent further acts of violence, such as those that have occurred in the recent past, we aim to ensure the early detection of relevant risk potentials in individuals with psychological abnormalities. To this end, we will introduce joint risk assessments and an integrated, cross-agency risk management system. We are advocating for a genuine European Security Union.

Strengthening Security and Intelligence Agencies (original lines 2647 - 2659)

We will strengthen the Federal Criminal Police Office and the Federal Office for the Protection of the Constitution, particularly in combating cybercrime, espionage, and sabotage. We place our trust in the Federal Police and will provide them with a modern Federal Police Act based on up-to-date legal foundations. The federal government will provide its agreed share of funding for the operational capabilities of the Länder riot police forces. To strengthen our national sovereignty and the operational capacities of our intelligence services, and to keep pace with the capabilities of relevant European partner services, we aim to implement a fundamental, constitutionally compliant, and systematic reform of federal intelligence law. This includes the legal framework for effective and efficient data exchange between intelligence services and other authorities (including the expansion of transmission powers and the review of data retention and deletion periods). We will ensure more effective and targeted oversight mechanisms, in accordance with the rulings of the Federal Constitutional Court, including parliamentary scrutiny by the German Bundestag.

Cybersecurity Strategy and ZITiS Expansion (original lines 2675 - 2685)

We will continue to develop the National Cybersecurity Strategy with the aim of a clear allocation of roles and responsibilities. We will strengthen the Federal Office for Information Security and expand it into a central authority for matters of information and cybersecurity. We will reinforce our communication networks, particularly those used for crisis response and classified communication. The National Cyber Defense Center will be further developed, and we will intensify the exchange of information. Within the limits of constitutional law, we will expand our capabilities for active cyber defense. As part of implementing the NIS-2 Directive, we will revise the BSI Act. A strategic priority for the intelligence services will be a stronger joint alignment with the cyber and information domain, including the establishment of a new specialized technical central office, incorporating ZITiS.

Expanded Legal Surveillance Powers (StPO §§ 100a ff.) (original lines 2836 - 2841)

We must provide our investigators with the necessary powers of investigation. Therefore, we will expand the catalog of offenses under §§ 100a ff. of the Code of Criminal Procedure as required. Among other things, we will remove the time limit on telephone surveillance in cases of residential burglary and amend §§ 100a and 100b StPO to eliminate the requirement that a listed predicate offense must precede money laundering charges. We aim to enable broader use of cell tower data searches (Funkzellenabfrage).

New Investigative Tools and Biometric Technologies (original lines 2847 - 2856)

Security authorities must be equipped with modern, digital powers to address the security policy challenges of an increasingly digitized world. For specific purposes, they shall be granted the authority to conduct automated, AI-based data analysis. Under narrowly defined conditions involving serious criminal offenses, we aim to enable law enforcement agencies to carry out retroactive biometric remote identification of perpetrators. To facilitate the subsequent identification of suspected offenders, we will introduce video surveillance in high-crime areas. The Federal Criminal Police Office shall be provided with a legal basis for testing and training IT products.


About the 2025 German Coalition Agreement: The agreement signed by CDU, CSU, and SPD defines Germany's legislative program until 2029. It introduces binding digital identity infrastructure, expanded surveillance powers, deeper intelligence cooperation, and cybersecurity centralization. For more information, visit bundesregierung.de.

About CypSec: CypSec delivers advanced cybersecurity and risk management solutions for enterprise and government environments. Its platform covers vulnerability management, policy-as-code, deception technologies, secure communications, and active defense. For more information, visit cypsec.de.

Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.
