Whether financial crisis, migration or Corona – the past decade has shown that Germany cannot easily implement its international goals without the EU. This fact is hardly taken into account in the German cybersecurity strategy adopted on 8 September. Germany’s positioning in European and international cybersecurity policy is listed as the last of four prioritised fields of action. These fields are largely of a domestic nature. This also applies to the German discourse on the topic of IT security: representatives of digital civil society, the Association of the Internet Industry (eco) as well as some computer science professors criticise the planned development of an active cyber defence – including the possibility of digital counterattacks, so-called hackbacks.* However, they primarily discuss domestic federal competences or fundamental rights issues such as the separation requirement. There are four reasons why the EU would have to be much more involved in order for the strategy to work.