Security Operations Center: Made in Germany

8 min Reading Time

The Deutsche Telekom’s Master SOC in Bonn processes 95 million attack attempts per day. 250 cybersecurity experts work around the clock, networked with centers in 13 countries. The DCSO, founded by Allianz, BASF, Bayer, and Volkswagen, shares threat intelligence between companies and the BSI. And G DATA operates its Managed SOC exclusively in Germany – deliberately positioning itself as an alternative to U.S. providers. Security Operations Centers Made in Germany are not a niche product. They are the response to a threat landscape that produces 309,000 new malware variants every day.

TL;DR

• Telekom SOC: 95 million attack attempts per day, 250 experts in Bonn, one billion data points analyzed daily from 3,000 sources
• GDPR Advantage: German SOC providers are not subject to the U.S. CLOUD Act – security data remains under German jurisdiction and is protected from extraterritorial access
• Market: 970 million Euro in managed security services in Germany in 2024, projected growth to over 1 billion Euro by 2028
• NIS2 Driver: 30,000 companies affected by NIS2, 24-hour incident reporting requirement forces adoption of professional detection infrastructure
• Cost Comparison: In-house SOC from 1 million Euro per year, managed SOC from 60,000 Euro – cost factor of 15 to 20

95 Million Attacks Per Day: The Telekom Master SOC

In September 2024, Deutsche Telekom opened its new AI-powered Master SOC in Bonn, one of Europe’s largest integrated cyber defense centers. The numbers reveal the scale: 30,000 to 40,000 attack attempts per minute, up to 95 million per day. Seventy million attacks daily hit Telekom’s honeypot systems – deliberately placed traps that identify attackers before they reach real infrastructure.

More than 250 cybersecurity experts work around the clock in Bonn, connected to SOC centers in 13 other countries. Roughly one billion security-relevant data points from around 3,000 sources are analyzed daily with AI support. Telekom’s Security Dashboard (sicherheitstacho.eu) visualizes cyberattacks in real time and is publicly accessible – an unprecedented transparency signal that no U.S. provider offers.

Thomas Tschersich, Head of Telekom Security, described the motivation behind the new SOC: Today’s cyberattacks require responses within hours or minutes, not days. AI in the SOC is not a replacement for human analysts but the scaling lever that makes processing 95 million events per day even possible. No human team could review that volume – AI handles pre-selection and correlation, allowing analysts to focus on critical cases.

Sources: Telekom press release September 2024, Statista MSS 2024, BSI Threat Report 2024

DCSO: Intelligence-Sharing as a Business Model

The German Cyber Security Organisation (DCSO) follows a different model than traditional SOC providers. Founded in 2015 with equal shares by Allianz, BASF, Bayer, and Volkswagen, DCSO operates on a non-profit logic: profits are reinvested, not distributed. All products are in-house developed – no dependency on third-party technology.

The key differentiator is its community approach: members share threat intelligence with each other and with authorities, including the BSI (Federal Office for Information Security). This combines intelligence-sharing with operational security services – Managed Detection and Response, Incident Response, Internet Exposure Monitoring, and Threat Intelligence. The mission: “Protect Europe as an economic space and societal model from digital attacks.”

DCSO holds the TeleTrusT quality seal “IT Security Made in Germany” and is ISO 27001 certified. For industrial companies unable to handle their threat landscape alone – but unwilling to trust a commercial U.S. provider – DCSO offers a structurally unique alternative: collectively owned, non-profit oriented, and anchored in German jurisdiction.

G DATA and Eviden: SOC Operations Exclusively in Germany

G DATA Advanced Analytics from Bochum launched its Managed SOC in February 2026 with a clear promise: SOC operations and service delivery exclusively in Germany. Data stored on servers in Bochum, Frankfurt, and Berlin. Direct 24/7 support at the headquarters. G DATA is a qualified APT-Response service provider according to BSI standards – a qualification held by only a select few providers.

This location commitment is not a marketing gimmick but a regulatory differentiator. For companies subject to NIS2 or KRITIS regulations and required to prove their security data is not processed in jurisdictions with extraterritorial access rights, a German-based SOC simplifies compliance. The U.S. CLOUD Act of 2018 allows U.S. authorities to access data held by U.S. companies – even if that data is physically located in Europe. A SOC operated by a German company in Germany is not subject to this access.

Eviden (the security brand of Atos) complements the German SOC ecosystem with global reach: 6,500 dedicated security experts, 16 next-generation SOCs worldwide, and its own AI platform AIsaac for threat detection. According to ISG Provider Lens 2025, Eviden is a leader in all three cybersecurity categories in Germany: Strategic Security Services, Next-Generation SOC/MDR, and Technical Security Services. Eviden also leads the EU research project CYDERCO for the European Cybersecurity Competence Center.

GDPR as a Competitive Advantage for SOCs

The central conflict between European data protection and U.S. law directly impacts SOC operations: A Security Operations Center processes the most sensitive corporate data – network traffic, log data, incident reports, and often personal data. If a U.S. company operates this SOC, such data may fall under the CLOUD Act, regardless of where servers are physically located.

For European companies under GDPR, this creates a permanent gray zone between European data protection laws and U.S. access legislation. Standard contractual clauses and the EU-U.S. Data Privacy Framework mitigate but do not fully resolve the issue. A SOC with a German provider eliminates this gray zone: German jurisdiction, no exposure to the CLOUD Act, and no use of customer data for internal purposes (e.g., AI training) without explicit consent.

This advantage becomes even more critical under NIS2: The 30,000 regulated companies must document their supply chain security – including their SOC provider. If the SOC provider operates under a jurisdiction conflicting with European data protection, this becomes an audit risk. A German SOC provider with BSI recognition and the TeleTrusT seal significantly simplifies compliance verification.

NIS2 as a Driver of SOC Demand

The NIS2 Implementation Act has been in force since December 2025. Approximately 30,000 companies in Germany are affected – those with at least 50 employees and 10 million Euro in annual revenue across 18 defined sectors. The 24-hour incident reporting deadline is the requirement with the most significant operational impact: without technical detection and response systems, this deadline is practically unachievable.

For most of the 30,000 affected companies, this means they need a SOC. But building an internal SOC is neither financially feasible nor personnel-wise viable for the average mid-sized company. An internal SOC for a company with 1,000 employees costs between 1.0 and 1.6 million Euro per year and requires at least five to eight specialists for 24/7 operations. Setup takes 12 to 24 months. A managed SOC starts at around 60,000 Euro per year and becomes operational in two to four months. The cost factor is 15 to 20.

The NIS2 audit checks whether a company operates a functional detection infrastructure. A managed SOC with documented SLAs (Service Level Agreements) and regular reports fulfills this requirement. An Excel spreadsheet with manual log entries does not. Thus, NIS2 directly drives demand for professional SOC services – and German providers are the natural beneficiaries, as they deliver compliance proof by default.

Build vs. Buy: When Does a Managed SOC Make Sense?

The cost calculation is clear for most companies. An internal SOC requires not only infrastructure (SIEM, SOAR, Endpoint Detection, Log Management) but above all personnel – and skilled professionals are scarce in Germany. There are currently 149,000 open IT positions, with Cloud Security (52 percent) and Cyber Threat Intelligence (40 percent) being the most urgently needed skills. Even if a company has the budget, it often cannot find the right people.

The managed SOC market in Germany totaled 970 million Euro in 2024 (Statista) and is projected to grow beyond one billion Euro by 2028. Average spending per employee is 22.60 Euro. The ISG Provider Lens 2024 evaluated 109 providers across eight quadrants – a market density indicating real demand and growing supply.

For companies with more than 5,000 employees and critical infrastructure, an internal SOC may make sense – provided they can recruit and retain skilled staff. For the typical mid-sized company with 200 to 2,000 employees, a managed SOC from a German provider with BSI recognition is the most pragmatic solution: faster deployment, lower operating costs, and compliance-ready out of the box.

What Makes SOC Made in Germany Unique

Four factors combined make the German SOC market unique internationally. First: regulatory density (GDPR, NIS2, BSI Basic Protection, KRITIS Ordinance) enforces a security standard that in many other markets remains voluntary. Second: BSI recognition as an APT-Response provider and the TeleTrusT seal “IT Security Made in Germany” establish quality standards exceeding ISO 27001. Third: freedom from the CLOUD Act gives German providers a structural advantage with any customer needing to prove European data sovereignty. Fourth: DCSO’s intelligence-sharing model (companies share threat data among themselves and with the BSI) represents a cooperative approach unmatched in any other European market.

The threat landscape underscores the urgency: The BSI Threat Report 2024 documents 309,000 new malware variants per day (up 26 percent), 726 KRITIS notifications (a significant increase from 490 the previous year), and 22 active APT groups operating in Germany. Global ransomware payments exceeded 1.1 billion USD. DDoS attacks doubled in the first half of 2024. These figures make one thing clear: a SOC is no longer optional – it’s essential. And a German SOC offers the added benefit of combined compliance and security in a single solution.

The maturity of German SOCs can be measured using the SOC-CMM (Security Operations Center Capability Maturity Model) – the global de facto standard for SOC assessments. The model evaluates five domains (Business, People, Process, Technology, Services) on a scale from 0 to 5. The 2025 SOC Maturity Report by the SOC-CMM Institute shows that 49 percent of surveyed SOCs are interested in formal CMM certification, driven by internal quality goals and NIS2 compliance pressure in the EU. German SOCs like the Telekom Master SOC or DCSO demonstrably operate at higher maturity levels (Level 3 to 4), evident in automated detection, structured intelligence sharing, and systematic incident response processes. For KRITIS operators, this maturity level is not optional – it must be audited and proven to the BSI every two years.

The secunet model completes the picture: With revenue of 406.4 million Euro in 2024 (an eleventh consecutive record) and its role as the federal government’s IT security partner, secunet demonstrates that Cybersecurity Made in Germany is a scalable business model – not only in the SOC space but also in post-quantum cryptography, SINA Cloud, and e-government. The German SOC ecosystem is broader than any other in Europe, combining commercial providers (Telekom, G DATA, Eviden), community-driven organizations (DCSO), and state infrastructure (BSI, CERT-Bund).

For CEOs and CISOs, the action recommendation is clear: If you fall under NIS2 and don’t yet have a SOC, you must act now. The 24-hour reporting requirement is already in effect. The BSI is actively auditing. And a managed SOC from a German provider is not the most expensive solution – it’s the most efficient. Made in Germany in the SOC context means regulatory certainty, verifiable data sovereignty, and a quality promise that isn’t just found in marketing brochures but in BSI attestations and TeleTrusT seals.

Frequently Asked Questions

How much does a SOC in Germany cost?

An internal SOC for a company with 1,000 employees costs 1.0 to 1.6 million Euro per year and requires 12 to 24 months to build. A managed SOC starts at approximately 60,000 Euro per year and becomes operational in 2 to 4 months.

Why is a German SOC better than a U.S. provider?

German SOC providers are not subject to the U.S. CLOUD Act, which allows U.S. authorities access to data held by U.S. companies – even if the data is stored in Europe. For companies subject to GDPR and NIS2, a German SOC significantly simplifies compliance.

What is the DCSO?

The German Cyber Security Organisation (DCSO) was founded in 2015 by Allianz, BASF, Bayer, and Volkswagen. It provides Managed Detection and Response, Threat Intelligence, and Incident Response using a community model: members share threat information with each other and with the BSI.

Does my company need a SOC for NIS2?

If your company falls under NIS2 (at least 50 employees and 10 million Euro revenue in 18 sectors), a detection infrastructure is mandatory. The 24-hour incident reporting deadline is practically impossible to meet without technical detection systems. For most mid-sized companies, a managed SOC is the most cost-effective solution.

How large is the SOC market in Germany?

The managed security services market in Germany is valued at 970 million Euro in 2024 (Statista), with projected growth to over 1 billion Euro by 2028. The ISG Provider Lens 2024 evaluated 109 providers across eight quadrants.

Header Image Source: Pexels / Tima Miroshnichenko (px:5380655)

About the author: Tobias Massow

More articles by Tobias Massow