»White hat hacking« is an important component of modern security strategies and must therefore also be decriminalized in Germany. The VDA is therefore calling for the swift (resumption of) work on the amendment to the Computer Crimes Act.
In an increasingly digitized world, cybersecurity is becoming more and more important. This applies to all products with an internet interface, but vehicles in particular. After all, if a vehicle is hacked, it not only causes inconvenience for drivers and owners, but can also become a societal safety issue. At the same time, there are still legal uncertainties in Germany for security researchers – both independent and commissioned – who uncover security vulnerabilities in order to enable their remediation before any societal or economic damage occurs. As an essential component of modern security technologies, this so-called »white hat hacking« must also be decriminalized in Germany.
Given the increasing connectivity and digitalization in the automotive industry, vehicle manufacturers are also obligated to continuously review the security of their products and to identify and address potential vulnerabilities at an early stage. Penetration tests are considered a key tool for validating the effectiveness of cybersecurity measures. However, the industry faces a significant conflict: While legal requirements, such as UNECE Regulation R155 in conjunction with EU Regulation 2019/2144, mandate invasive testing, the current provisions of the German Criminal Code (§§ 202a ff. StGB) criminalize such tests under certain conditions.
Under Section 202a(1) of the German Criminal Code (StGB), it is currently a criminal offense for anyone to gain unauthorized access (i.e., without explicit consent) to computer systems by bypassing access controls (e.g., simple password protection) and thereby obtaining access to data not intended for them. With regard to individuals who »hack« computer systems with the intent to cause harm, it makes perfect sense that they can be prosecuted. At the same time, however, this law creates legal uncertainty for individuals who attempt to bypass the security measures of computer systems to uncover vulnerabilities before any damage has occurred, if they do so without the express consent of all authorized parties.
Obtaining the necessary, comprehensive consent is easier said than done. It proves extremely difficult within the automotive industry’s complex supply chain, particularly since vehicle software often contains numerous components from third-party suppliers. For independent security researchers in particular – though not exclusively – it is usually impossible to obtain such consent. The result is a legal gray area that, in particular, reduces the availability of test results from independent security researchers, who – out of fear of prosecution – may then choose not to disclose their findings to manufacturers, thereby jeopardizing the cybersecurity of vehicles.
The consequence of this situation is paradoxical: While honest security researchers act cautiously or do not disclose vulnerabilities they have found, malicious hackers (»black hat hackers«) have easier access and can exploit security vulnerabilities. This leads to a growing knowledge advantage for attackers over manufacturers. Furthermore, this restrictive legal framework threatens to cause a brain drain, as qualified professionals might choose to apply their expertise in less restrictive countries.
By November 2024, the time had already come. The Federal Ministry of Justice had drafted a bill to amend the computer crime law, the industry consultation had taken place, and the outcome took into account a large part of the automotive industry’s interests. But then the premature change in government prevented the draft bill from entering the parliamentary process, and the urgently needed amendments to computer crime law were not implemented. Although the call for an amendment to computer crime law made it into the coalition agreement in 2025, it has not yet been included in any further implementation proposal.
The VDA calls for the swift (re)introduction of the legislative amendment. The amendment should not only facilitate the legal identification and reporting of security vulnerabilities; the tester’s intent should also be included as a decisive criterion. A positive intent is characterized, for example, by responsible handling of discovered vulnerabilities, a contribution to improving system security, and the protection of manufacturers and users. Negative intentions, such as exploiting vulnerabilities for financial gain beyond a bug bounty or the irresponsible disclosure of data, should, however, continue to be subject to criminal prosecution.
The VDA also opposes mandatory certification or accreditation of independent security researchers, as this could run counter to the spirit of the community and encourage abuse by black-hat hackers. Instead, a legal framework should be established that permits ethically motivated testing while also defining clear rules for handling the findings (»Coordinated Vulnerability Disclosure«).
Overall, a consistent and practical regulatory framework should be enshrined in law as soon as possible, enabling manufacturers, contracted testers, and independent security researchers to carry out their work without the risk of criminal prosecution. This is intended to strengthen the cybersecurity of vehicles in the long term and increase user confidence in the safety of modern mobility.
[1] Cybersecurity Testing, Amendment of Criminal Law Regarding the Conduct of Cybersecurity Testing, VDA Position Paper, August 2024
Dr. Kirsten Matheus
is a Senior Expert at the VDA specializing in digitalization, cybersecurity, and data.