The German Federal Ministry of Justice has released a draft law designed to offer legal protection to IT security researchers who identify and responsibly report cybersecurity vulnerabilities. The new legislation seeks to clarify that specific actions taken by security researchers, IT security companies, and ethical hackers, when aimed at detecting and closing security gaps, will not be punishable under existing computer criminal law.

The draft law introduces several key updates, targeting both the protection of ethical cybersecurity practices and the strengthening of penalties for serious cybercrimes.

One of the draft law's main objectives is to exempt certain cybersecurity activities from criminal prosecution. Under current German law, security researchers risk prosecution for ‘unauthorized’ access to data when identifying system vulnerabilities. The new amendment proposes adding a specific clause to Section 202a of the German Criminal Code (StGB), clarifying that access intended solely to detect and close security gaps will not be classified as ‘unauthorized.’

The draft law also imposes harsher penalties for severe cases of spying on or intercepting data. In particular, it defines ‘particularly serious cases’ in which offenders would face increased penalties. These cases include incidents resulting in substantial financial loss, acts driven by greed or organized crime, and actions that compromise the security or operational integrity of critical infrastructure or governmental institutions. If a crime affects Germany's national security or critical infrastructure, even if conducted from abroad, offenders could face prison sentences ranging from three months to five years.

The proposed amendment to the German Criminal Code was published on November 4, 2024, and has been sent to German states and relevant industry associations for comment, with feedback open until December 13, 2024.