Germany’s Cybersecurity is an Illusion – Why BSI Reports and NIS2 Lull Us into a False Sense of Security
Germany positions itself as a cybersecurity leader – with BSI situation reports, NIS2 implementation, and KRITIS regulation. Yet the reality in companies and authorities paints a different picture: most measures are paperwork without operational impact. An uncomfortable assessment.
TL;DR
- BSI situation reports accurately describe the threat landscape – but operational protection in authorities and SMEs lags years behind
- NIS2 obliges around 30,000 companies, but many lack the budget or personnel for implementation
- The digitalization of public administration fails at the basics: outdated software, missing patches, no incident response
- The shortage of IT security professionals in Germany is more severe than in comparable EU countries
The Potemkin Village of German Cybersecurity
Every year, the BSI publishes its situation report. Every year, the threat level rises. Every year, new regulation follows. And every year, too little changes operationally.
The problem is not the analysis. BSI reports are among the best in the world. The problem is the gap between insight and action. One example: in July 2021 the district of Anhalt-Bitterfeld was paralyzed by ransomware and became the first German district to declare a disaster over a cyberattack. The administration was unable to operate normally for months. Four years later, hundreds of German municipalities still run comparable infrastructures (flat networks, shared administrative accounts, no offline backups) without significant hardening.
NIS2 was supposed to change this. On paper, it sounds ambitious: an early warning to the authorities within 24 hours of becoming aware of a significant incident, personal accountability of management bodies, fines of up to 10 million Euro or 2 percent of global annual turnover for essential entities. In practice? Germany missed the EU transposition deadline of 17 October 2024, and national implementation has lagged ever since. Many of the roughly 30,000 affected companies do not even know that they fall under NIS2.
Where the Gaps Lie
Public Administration: Thousands of authorities run Windows systems that are past end of support and no longer receive security updates. Patch management often exists only as a concept on paper. IT departments consist of one or two people who repair printers and administer Active Directory at the same time, with no one left to monitor for intrusions.
SMEs: Companies with 200 to 500 employees often have no dedicated security officer. IT is co-managed by the managing director or outsourced to an external service provider that primarily ensures availability, not security.
Critical Infrastructures: Hospitals, water suppliers, energy grids, all theoretically protected by KRITIS regulation. In practice, audits repeatedly show the same findings: network segmentation is missing, OT networks are reachable from the internet, and backups are not kept offline, so a single ransomware incident can encrypt production systems and their backups together.
The Self-Deception of Compliance
The real problem is structural: Germany confuses compliance with security. An ISO/IEC 27001 certificate proves that processes are documented, not that they work. A penetration test every two years is a snapshot of one moment, while attackers probe the same systems daily.
Regulatory density is increasing, but operational resilience is not keeping pace. Companies invest in audit reports and compliance tooling instead of detection and response. The result: perfect documentation, but an incident response plan that has never been exercised under realistic pressure.
What Really Needs to Change
1. Operational Audits Instead of Paper Audits: Regulators should not just check documentation but conduct unannounced red-team exercises. Those who fail the test do not get a grace period but must improve immediately.
2. Central Security Services for SMEs: The SME sector cannot operate its own SOCs. The state must – as in Israel or Estonia – provide central services: threat intelligence, incident response, vulnerability scanning as public infrastructure.
3. Skilled Worker Offensive Instead of Lip Service: Germany trains fewer than 5,000 IT security professionals per year. The demand is over 100,000. Without a radical realignment of training – including lateral entry programs and attractive compensation in the public sector – every regulation remains ineffective.
Conclusion: Honesty as the First Step
Germany does not have a knowledge problem but an implementation problem. The situation reports are correct, the regulations are ambitious – but there is a dangerous gap between the law and lived practice. The first step would be to honestly name this gap instead of deluding ourselves with compliance illusions.
Key Facts
BSI Staff: The BSI has around 1,700 employees. Israel's comparable authority, the Israel National Cyber Directorate (INCD), operates at similar strength for a population roughly one-tenth the size.
KRITIS Outages: According to the BSI, there were over 670 reportable IT security incidents in critical infrastructures in 2024 – an increase of 28 percent.
Frequently Asked Questions
Is NIS2 Ineffective?
NIS2 is not ineffective, but its implementation in Germany is too slow. The directive sets the right impulses – personal liability, short reporting deadlines, high fines. The problem lies in the delayed national legislation and lack of audit capacities.
What Can SMEs Do If Budget and Personnel Are Limited?
Three immediate measures: First, buy Managed Detection and Response (MDR) as an external service; it costs a fraction of an in-house SOC. Second, set up offline or immutable backups and test a full restore monthly, because a backup that has never been restored is not a backup. Third, implement the foundational CIS Controls (Implementation Group 1, basic cyber hygiene); CIS itself has long claimed that the first five controls alone mitigate around 85 percent of common attacks.
How Does Germany Compare in the EU?
In the ENISA Maturity Report, Germany is in the upper midfield – behind Estonia, the Netherlands, and France. There is significant catch-up needed, especially in the implementation in SMEs and public administration.