Cybersecurity is no longer a niche topic for IT departments. Nevertheless, this fact does not seem to have sunk in at many German companies. As reported by Heise Online, a recent study by Schwarz Digits paints an alarming picture: many companies are simply unaware that they have long been required to fulfill new obligations—and are thus risking severe penalties.
The new NIS2 Directive has been in force in Germany since December 6, 2025. It is intended to better protect critical infrastructure and important companies from cyberattacks. However, in practice, there is a surprising lack of awareness.
Significant knowledge gaps among companies
The Cyber Security Report 2026 by Schwarz Digits is based on a survey of 1,001 German companies. The result is clear: 48 percent of companies underestimate their obligations under NIS2.
The situation is particularly problematic for smaller but economically strong companies. Ninety-two percent of companies with 10 to 49 employees and annual revenues of more than €10 million assume that they are not subject to the directive. In fact, however, many of them are regulated.
This means that numerous companies are obliged to implement security measures, report incidents, and define clear responsibilities for IT security—without even knowing that they are affected.
Heavy penalties for violations
Anyone who ignores the requirements is taking a considerable risk. The directive provides for significant penalties.
Depending on how an entity is classified, fines of up to 10 million euros or 2 percent of global annual turnover can be imposed.
Christian Müller, Co-CEO of Schwarz Digits, sums up the importance of this:
"In 2026, cybersecurity will no longer be an IT task, but a matter of survival for every management team."
However, many companies feel ill-prepared. 62 percent of respondents say they receive too little support from authorities in implementing the NIS2 requirements. Only 21 percent consider government measures to be sufficient.
New threat: attacks using artificial intelligence
At the same time, another threat is growing: cyberattacks using artificial intelligence.
Dr. Alexander Schellong from Schwarz Digits warns of a new category of attack:
"Over the next twelve months, autonomous AI attacks will overwhelm our current security approaches. A key target will be the manipulation of AI decisions in the real world—the so-called kinetic prompt hack."
This refers to attacks in which manipulated inputs cause AI systems to make incorrect decisions—for example, in autonomous machines, robots, or industrial control systems.
Supply chains are becoming a security issue
Another weak point lies in the supply chains. One in two companies already reports attacks on its suppliers.
Nevertheless, 75 percent of companies do not conduct regular security checks on their partners. At the same time, only about one-third know exactly which service providers or software suppliers they actually depend on.
Europe's digital dependence remains high
The issue of digital sovereignty is also increasingly being discussed. According to the report, only 10 of the 27 enterprise products examined meet the minimum requirements of a European cloud sovereignty model.
Nevertheless, 80 percent of software spending in the EU goes to US providers. Dependence on foreign platforms therefore remains a structural risk.
Rolf Schumann, Co-CEO of Schwarz Digits, sees this as a strategic challenge:
"Digital sovereignty has matured into a strategic necessity."
Comment
What is less surprising is that cyberattacks are becoming increasingly professional. That was to be expected. What is truly remarkable is something else: many companies only address IT security when it is required by law—and sometimes not even then.
NIS2 is not a theoretical regulation, but a direct response to real economic damage amounting to billions. Nevertheless, part of the business community still seems to perceive the rules as distant bureaucracy.
The real risk therefore lies not only in hacker groups or AI-based attacks. The bigger problem is often a combination of overconfidence, a lack of information, and a deceptive sense of calm in everyday life.
Those who only take action when an incident occurs or an authority inquires have failed to understand the most important lesson of recent years: digital security has long been part of corporate management—it is not just an IT issue in the basement.
Source: heise.de