German Encryption Policy At A Glance

Since the end of the Second World War and the founding of the Federal Republic of Germany, encryption and cryptanalysis have been jointly housed in the Zentralstelle für Chiffrierwesen (Central Office for Encryption, ZfCH), part of the Bundesnachrichtendienst (Federal Intelligence Service, BND).

From around 1970, the ZfCH, acting through the BND, participated in a joint operation with the CIA known as Operation Rubicon. Dubbed “the intelligence coup of the century,” the operation relied on the agencies’ covert ownership of the Swiss code-making company Crypto AG. By manipulating the company’s encryption devices, they could easily break the codes that governments used to protect their diplomatic and military communications, yielding vast intelligence gains.

In 1989, the ZfCH was renamed the Zentralstelle für Sicherheit in der Informationstechnik (Central Office for Security in Information Technology, ZSI). Major parts of the ZSI — particularly those concerned with cryptographic development and security — were transferred to the newly established Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security, BSI) in 1991. This marked a decisive turning point in German encryption policy, as it was the first time the government had structurally separated crypto-making and crypto-breaking into distinct legal and organizational entities. Around the same time in the early 1990s, the BND withdrew from Operation Rubicon and transferred its equity stake to the CIA.

In the 1990s, Germany defined its guiding principle on encryption policy, which remains in effect today: “security through encryption and security despite encryption.” The idea is straightforward yet complex — robust encryption should be securely implemented and promoted as long as security and intelligence agencies can still perform their tasks effectively. Consequently, the federal and state governments have focused on granting security and intelligence agencies the legal authority to compromise devices and accounts through lawful hacking operations such as Online-Durchsuchung (online searches) and Quellen-Telekommunikationsüberwachung (source telecommunications surveillance).

To strengthen these capabilities, the Bundesministerium des Innern und für Heimat (Federal Ministry of the Interior and Community, BMI) founded the Zentrale Stelle für Informationstechnik im Sicherheitsbereich (Central Office for Information Technology in the Security Sector, ZITiS) in 2017. ZITiS is tasked with research and the procurement of tools needed for cryptanalysis. As the office was not established by parliamentary law, it lacks the legal authority to conduct operational activities. Instead, it supports other federal agencies engaged in lawful hacking operations.

While both federal and state authorities continue to rely on lawful hacking — as reaffirmed by the 2025 extension of state police powers to conduct such operations — Germany began shifting towards structurally weakening encryption in 2019. During the Conference of Interior Ministers that year, the issue of lawful interception was raised. Although limited progress was made nationally, Germany advanced the discussion at the EU level the following year, contributing to the Council Resolution on Security through Encryption and Security Despite Encryption.

In 2020, the German IT industry association BITKOM outlined how lawful interception could be technically implemented. It proposed that lawful interception interfaces should be designed and integrated through international standardization bodies — an approach consistent with Germany’s 2021 Cybersecurity Strategy. The strategy states that technical and operational solutions for lawful access to encrypted communications should be developed in close coordination with affected companies, stakeholders, and relevant authorities at the European level.

In conclusion, within the German government’s institutional framework, the BSI acts as the primary “crypto-maker,” while ZITiS serves as a facilitator of “crypto-breaking.” Although ZITiS lacks operational powers, it is fully equipped to support government efforts to promote lawful interception and access mechanisms in standardization bodies and other relevant fora, particularly at the EU level.

In 2025, the European Commission’s DG CNECT and DG HOME established the Expert Group for a Technology Roadmap on Encryption. Germany is represented in the group by a ZITiS employee, officially in a personal capacity.

References

1. Abgeordnetenhaus Berlin (2025): Antrag der Fraktion der CDU und der Fraktion der SPD Gesetz zur Reform des Berliner Polizei- und Ordnungsrechts und zur Änderung des Gesetzes zu Artikel 29 der Verfassung von Berlin

2. bitkom (2020): Positionspapier - Starke Verschlüsselung für mehr Sicherheit Cyber-Sicherheit und Wirtschaftsschutz mit Verschlüsselung Strafverfolgung und Gefahrenabwehr trotz Verschlüsselung

3. Bundesministerium des Innern, für Bau und Heimat (2021): Cybersicherheitsstrategie für Deutschland 2021

4. Der Bundesminister für Wirtschaft und Technologie und der Bundesminister des Innern (1999): Anlage 1 zur Kabinettsvorlage des Bundesministeriums für Wirtschaft und Technologie und Bundesministeriums des Innern, Eckpunkte der deutschen Kryptopolitik

5. European Commission (2025): Expert Group for a Technology Roadmap on Encryption (E04005)

6. Greg Miller (2020): How the CIA used Crypto AG encryption devices to spy on countries

7. P0nyb0ys0da et al. (2025): Zentralstelle für das Chiffrierwesen

8. Rat der Europäischen Union (2020): Entschließung des Rates zur Verschlüsselung – Sicherheit durch Verschlüsselung und Sicherheit trotz Verschlüsselung

9. Sven Herpig (2023): Stellungnahme von Dr. Sven Herpig [...] für die öffentliche Anhörung des Ausschusses für Digitales des Deutschen Bundestags am 25. Januar 2023 zum Thema "Cybersicherheit - Zuständigkeiten und Instrumente in der Bundesrepublik Deutschland"

10. Sven Herpig and Julia Scheutze (2021): The Encryption Debate in Germany: 2021 Update

11. Sven Herpig and Stefan Heumann (2019): The Encryption Debate in Germany