German coalition agreement: What impact will the future German Federal Government's security initiatives have on telecommunications companies?

The future German government coalition aims to strengthen the country's law enforcement and security authorities. According to the draft of the coalition agreement between the CDU, CSU and SPD published on 9 April 2025 (currently no English version available), digital investigation powers are to be expanded. The plans of the future Federal Government will lead to increased obligations for telecommunications companies. The most important planned initiatives at a glance:

Data retention of IP addresses is coming

The discussion about the ‘minimum storage of IP addresses’, commonly known as data retention of IP addresses, picked up speed rapidly in late 2024. Last December, the conservative CDU/CSU parties introduced a bill to the Bundestag (Bundestag document 20/13366, in German), which the center-left SPD already supported in principle at the time. Due to the political situation, the bill failed in the previous legislative period.

The coalition agreement now clarifies: providers of publicly available internet access services for end users are to be obligated to store IP addresses and port numbers for three months. By means of this traffic data, the security authorities shall be enabled to identify subscribers.

Taking into account the initial bill proposed by the CDU/CSU, the legal implementation is likely to be carried out by amending Section 176 of the German Telecommunications Act (TKG). According to their bill, the providers of internet access services would be required to store IP addresses, a unique identifier for the connection, port numbers, and the date and time of use of the IP address for a period of three months. The production of this traffic data may only be ordered by the courts in cases of serious crime. It is still unclear whether the production of data for intelligence purposes will also be introduced, as provided for in the bill of the CDU/CSU.

It remains to be seen whether the German legislature's provisions will pass the CJEU's assessment. Even though the CJEU has indicated that the storage of IP addresses can, in principle, be in line with EU law (CJEU, judgment of 20 September 2022, Joined Cases C-793/19 and C-794/19), it cannot be foreseen whether the specific law of the German legislator will be accepted by the CJEU.

Extension of (source) telecommunications surveillance

The coalition agreement provides for a softening of the requirements for ordering telecommunications surveillance pursuant to Section 100a of the German Code of Criminal Procedure (StPO). In particular, the catalogue of criminal offences for which telecommunications surveillance can be ordered if there is initial suspicion will be expanded. Telecommunications providers must expect the number of telecommunications surveillance orders to increase.

Source telecommunications surveillance, i.e. the interception of telecommunications by accessing the user's IT systems, will be expanded. However, the CDU/CSU's call to enable source telecommunications surveillance for all security authorities, including the intelligence services, was rejected. Only the Federal Police (Bundespolizei) will be granted this investigative power. The Federal Criminal Police Office (BKA) and some police authorities of the German Federal States already have this power.

Radio cell inquiry: Overrule the Federal Court of Justice case law

The latest restrictive German Federal Court of Justice (BGH) case law on radio cell inquiry (BGH, decision of 10 January 2024 – 2 StR 171/23) is to be revised. The Federal Court of Justice has ruled that an order to produce radio cell data is only permissible under Section 100g (3) of the StPO in the case of particularly serious crimes listed in Section 100g (2) sentence 2 of the StPO. Fraud, for example, is not included in this catalogue. The coalition agreement stipulates that radio cell inquiries should be comprehensively enabled again. It is to be expected that a regulation will be issued that clarifies that the initial suspicion of a specific serious crime is not a prerequisite for a radio cell inquiry.

Mobile network providers must prepare themselves for a substantial increase in the number of radio cell inquiries.

Lack of clarity on the decryption of communication content

The CDU/CSU's call to obligate electronic communications service providers to decrypt and forward communication content to law enforcement authorities did not appear in the coalition agreement. At the same time, however, there is no clear commitment to the protection of encrypted communication. The position of the incoming Federal Government remains unclear in this regard. In view of the negotiations at EU level on the CSAM Regulation, the government will have to take a position soon.

What do the plans mean for telecommunications companies?

Telecommunications companies must prepare themselves for a significant increase in investigation measures. In particular, the implementation of IP address data retention requires early technical and organisational preparations. Businesses should therefore follow further legislation closely in order to be able to react to new requirements on time.

We are happy to assist you with any questions regarding telecommunications law and investigation measures by German law enforcement and security authorities.