
When TLS Is Not Enough
Most people assume that if an email is encrypted in transit, it's safe. A recent court ruling in Germany makes clear that, at least in the eyes of the court, this assumption does not hold.
The Higher Regional Court of Schleswig-Holstein ruled that sending invoices by email with only TLS encryption is not enough. A business emailed an invoice for over €15,000 to a private customer. Somewhere along the way, the email was intercepted and altered. The customer, thinking everything was normal, sent the money straight to criminals. The court decided this was a GDPR violation and awarded the customer damages equal to the stolen amount.
This changes the game for businesses. The ruling suggests that when real money is at stake, companies cannot simply rely on basic transport encryption. The court argued that end-to-end encryption (E2EE) is necessary to protect sensitive data from interception. TLS secures only the hop between mail servers; the message sits in plaintext on every server and in every mailbox along the way, so it did not stop the fraud.
Does this mean every company needs to switch to end-to-end encryption for all emails? Not exactly. The ruling does not demand a one-size-fits-all approach. Instead, businesses need to think harder about the risks and match their security measures to the data they are handling.
For businesses, this means rethinking how they send important information. If an email includes financial details, trusting TLS alone is like locking the front door while leaving the windows open. Encrypted PDFs, secure customer portals, or fully E2EE email services could be better options.
The real lesson here? First, this verdict is not necessarily final. Higher courts could overturn it, or legislators could step in to clarify encryption requirements under GDPR. Second, and more important, it highlights how weakly courts and regulators understand cryptography. The attack in this case was an alteration of the invoice, which is a violation of integrity, and encryption, end-to-end or otherwise, does not provide integrity: a ciphertext can be modified without knowing the key, and the recipient decrypts it to altered plaintext with no warning unless the message is also authenticated. Integrity protection is about digital signatures, not encryption. A signed invoice lets the recipient check, with the sender's public key, that the document is exactly what the sender produced; an encrypted but unsigned invoice gives no such guarantee. (S/MIME and OpenPGP can do both, but for this attack it is the signature, not the encryption, that matters.) End-to-end encryption is therefore not the answer here, and a ruling that prescribes it is not only wrong but also dangerous, because it steers businesses toward the wrong control.
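The following Python example, added here and not part of the original article or the ruling, shows the gap between confidentiality and integrity that the paragraph describes. It uses a toy stream cipher (SHA-256 keystream, standing in for AES-CTR or any other stream-like cipher) and HMAC-SHA256 as the integrity check; HMAC is used because the standard library has no signature primitive, and a digital signature gives the recipient the same integrity guarantee with the sender's public key in place of a shared key. The invoice text, IBANs and keys are constructed sample data. An attacker who knows the layout of the message and the sender's real IBAN (usually public) can swap it inside the ciphertext without any key, and plain decryption returns a plausible invoice with the attacker's account; the integrity tag rejects the tampered message.

```python
import hashlib
import hmac
import os

# Constructed sample invoice body, not from the ruling. The attacker wants to
# replace the payee IBAN with their own and leave everything else untouched.
SENDER_IBAN = b"DE" + b"0" * 19 + b"1"
ATTACKER_IBAN = b"DE" + b"9" * 20
INVOICE = b"Invoice 2024-0815 Amount EUR 15000.00 IBAN " + SENDER_IBAN


def keystream(key: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: SHA-256(key || counter). Illustration only;
    it stands in for AES-CTR or any other stream-like cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt


def tamper(ciphertext: bytes, old: bytes, new: bytes, offset: int) -> bytes:
    """Bit-flipping attack on a malleable cipher: XOR (old ^ new) into the
    ciphertext at a known offset. Needs no key, only the message layout and
    the value being replaced (here the sender's public IBAN)."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the length")
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def tag(mac_key: bytes, message: bytes) -> bytes:
    """Integrity tag (HMAC-SHA256) over the ciphertext: encrypt-then-MAC.
    A digital signature gives the recipient the same guarantee using the
    sender's public key instead of a shared secret."""
    return hmac.new(mac_key, message, hashlib.sha256).digest()


def verify(mac_key: bytes, message: bytes, expected_tag: bytes) -> bool:
    return hmac.compare_digest(tag(mac_key, message), expected_tag)


def demo(enc_key: bytes = None, mac_key: bytes = None) -> dict:
    enc_key = enc_key or os.urandom(32)
    mac_key = mac_key or os.urandom(32)

    # Sender: encrypt the invoice and attach an integrity tag.
    ct = encrypt(enc_key, INVOICE)
    t = tag(mac_key, ct)

    # Attacker in the middle: swap the IBAN inside the ciphertext, no key needed.
    offset = INVOICE.index(b"IBAN ") + len(b"IBAN ")
    ct_tampered = tamper(ct, SENDER_IBAN, ATTACKER_IBAN, offset)

    # Recipient who only decrypts sees a plausible invoice with the wrong IBAN.
    pt_tampered = decrypt(enc_key, ct_tampered)

    return {
        "decrypted": pt_tampered,
        "attacker_iban_present": ATTACKER_IBAN in pt_tampered,
        "tag_accepts_original": verify(mac_key, ct, t),
        "tag_accepts_tampered": verify(mac_key, ct_tampered, t),
    }


if __name__ == "__main__":
    result = demo()
    print(result["decrypted"].decode())
    print("integrity check on tampered invoice:", result["tag_accepts_tampered"])
```

Running the block prints the decrypted invoice carrying the attacker's IBAN and `False` for the integrity check. The recipient's rule is the same whether the tag is a MAC or a signature: verify first, and reject the message outright if verification fails, rather than decrypting and trusting the payment details.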
References
- Verdict of the Higher Regional Court of Schleswig-Holstein (available at https://www.gesetze-rechtsprechung.sh.juris.de/bssh/document/NJRE001598708) [Accessed: 08.02.2025].
- heise online, Court Ruling on Email Encryption (available at https://www.heise.de/news/Urteil-Ende-zu-Ende-Verschluesselung-statt-TLS-bei-E-Mails-6763661.html) [Accessed: 08.02.2025].