Germany’s Cybersecurity Architecture
Note: This is the current edition (6th) from April 2021.
*16.04.2021: Line between "CAZ" (Bayern) and "LfV Bayern" is missing. Text in paper OK. Thanks for the pointer SecuNinja.
*28.04.2021: Contrary to a vacancy notice, Hessen3C is not part of the Cyber-AZ from March 1 onwards. Information received from Hessen3C.
*22.06.2021: [Good to know] In order to call yourself CERT, it is no longer required to register at the CERT Coordination Center at Carnegie Mellon University (exception: CSIRTs based in the US). Thanks for the Pointer J. Valentin.
The foundation of Germany’s cybersecurity architecture dates back to 1986. It was in this year that the organization preceding the “Bundesamt für Sicherheit in der Informationstechnik” (Federal Office for Information Security, BSI, official translation), known as the “Zentralstelle für das Chiffrierwesen” (Central Office for Encryption, ZfCh, own translation), set up a working party to deal with questions of security amid the rapid development of ICT technology. On January 1, 1991, the BSI began its work as an offshoot of the “Bundesnachrichtendienst” (Federal Intelligence Service, BND, official translation).
In particular following the publication of the Cyber Security Strategy for Germany 2011, Germany’s national security architecture caught the public’s attention. Much has happened since then: Cybersecurity has become a core part of German security and defence policy, which has led to the emergence of new national and international players in the field as well as the development of links between them. Nevertheless, neither the 2011 strategy, nor the updated 2016 strategy, contain an overview of the increasingly complex architecture of German authorities’ tasks and competencies in cyberspace, albeit visualized or otherwise. For the first time, the “Bundesministerium des Innern, für Bau und Heimat” (Federal Ministry of the Interior, Building and Community, BMI, official translation) has presented a list of cybersecurity actors and initiatives from state, civil society, academia and industry as an online compendium in November 2020 within the framework of its National Cyber Security Pact. We hope that our publication series, in existence since 2018, has contributed to the BMI’s decision to take this step.
A structured policy approach is indispensable for effectively and efficiently positioning Germany within the realm of cyberspace, especially when considering limited resources. In this respect, this publication therefore seeks to make a contribution within the framework of Stiftung Neue Verantwortung’s policy work on cybersecurity. Hence, this publication provides a visualization of Germany's national cybersecurity architecture, a list of abbreviations and actors, as well as an explanation of the relationships between individual actors. In the current edition of this publication, municipal and NATO actors have been included as two new levels. Moreover, updates, adjustments and new actors have been made and added at EU, federal and federal state levels.
Identified connections in the visualization represent different aspects of a given relationship, ranging from the deployment of employees within the respective organization to members of the advisory board, financial grants or legal and professional supervision. Other international actors such as the United Nations (UN), mere legislative and judicial actors at all levels as well as actors in the private sector, academia and civil society are not yet accounted for.
This publication is based almost exclusively on open-source information. For this reason, we are grateful for any tips based on open-source information regarding additional information not included in these pages. Please contact Christina Rupp with suggestions for changes or additions. This document will be periodically updated in order to account for the latest developments of Germany's cybersecurity architecture.
This publication is a translation that is based on the current 6th edition of the German version. The earlier editions in German can be retrieved accordingly:
5th edition: Deutsche Cybersicherheits- und Cyberverteidigungspolitik: Staatliche Akteure und Zuständigkeiten, October 2020.
4th edition: Akteure und Zuständigkeiten in der deutschen Cybersicherheitspolitik, March 2020.
3rd edition: Akteure und Zuständigkeiten in der deutschen Cybersicherheitspolitik, November 2019.
2nd edition: Cybersicherheitspolitik in Deutschland. Akteure, Aufgaben und Zuständigkeiten. Im Fokus: Das Cyber-Abwehrzentrum, April 2019.
1st edition: Zuständigkeiten und Aufgaben in der deutschen Cyber-Sicherheitspolitik, July 2018.