Cybersecurity to be Exempted from Germany's Debt Brake Rules
In a significant policy shift aimed at enhancing Germany’s digital defenses, spending on IT security will soon be exempt from the country’s strict debt brake rules, at least when it exceeds one percent of the gross domestic product. This announcement came from Chancellor-designate and CDU/CSU parliamentary group leader Friedrich Merz along with CSU parliamentary group leader Alexander Dobrindt on March 14, 2025.
The exemption stems from an agreement between the Union parties (CDU/CSU), SPD, and the Greens on a new financial package that removes security-relevant investments from stringent budget constraints. Beyond IT security, the regulation also covers expenditures for the German armed forces, disaster and civil protection, and intelligence services.
While specific measures or legislative adjustments have not yet been presented, government sources indicate that the Federal Office for Information Security (BSI) and the Foreign Office will receive additional funding for cybersecurity initiatives. The exact implications of the plans negotiated by the three parties for IT security remain unclear at this stage.
The agreement between the Union, SPD, and Greens also includes the establishment of a special fund for infrastructure investments. This fund will be anchored in the German Basic Law (constitution) and exempted from the debt brake rules.
For this purpose, the three parties plan to take out loans of up to 500 billion euros over a twelve-year period. Of these funds, 100 billion euros will go directly to the federal states to enable targeted investments in modernization projects. Under pressure from the Greens, an additional 100 billion euros will be earmarked for climate protection measures and the climate-friendly transformation of the economy.
Despite the agreement reached, implementing the planned constitutional amendment remains challenging. Although the Union, SPD, and Greens have agreed in negotiations, amending the Basic Law requires a two-thirds majority in the Bundestag—a threshold that cannot be reached in the newly elected parliament (which will convene on March 25, 2025) without support from additional parties.
Accordingly, the reform must be passed before the end of the current legislative period. The Federal Constitutional Court has given the green light for a decision by the outgoing Bundestag, rejecting several motions from parties including the AfD and Left Party that sought to prevent the old Bundestag from being convened.
This policy change reflects growing recognition of cybersecurity as a critical component of national security infrastructure. With increasing cyber threats targeting both public and private sectors, Germany’s decision to prioritize IT security funding outside traditional budget constraints signals a strategic pivot toward digital resilience.
The exemption mechanism, triggered only when spending exceeds one percent of GDP, establishes a significant threshold that acknowledges fiscal responsibility while creating flexibility for substantial investments when necessary. This approach may serve as a model for other European nations facing similar challenges in balancing fiscal discipline with emerging security needs in the digital domain.