Commentary by Ari Albertini, CEO of FTAPI

The attack on Rheinmetall is not a technical problem. It shows how vulnerable our country is in the digital space: economically, militarily, politically. Such attacks have long been a reality. But are we consistent in our approach to cybersecurity? Not at all.

The biggest weakness is not in technology, but in everyday life. In the supply chain, in project communication, in collaboration with changing partners. Every day, sensitive information is forwarded, shared and copied – often unprotected, under time pressure and with a focus on speed rather than security. Everyone protects themselves, but hardly anyone looks left or right. Yet security does not end at the edge of your own network. It must be considered throughout the entire value chain.

An example: A supplier reports a material delay by email. The project manager forwards the message – along with confidential plans, deadlines and prices. Sometimes via Outlook, sometimes via a cloud link, sometimes via private devices. The more external contacts are involved, the greater the risk. This is exactly where many attacks start: in the operational hustle and bustle.

What is often underestimated is that it is not the individual document that is the problem. It is the sum total. The mass of seemingly harmless data reveals more about a company than any single piece of information on its own. That is precisely what makes it so dangerous.

Secure communication should not be an IT special case. It must work as easily as a file attachment – while also taking encryption, access and traceability into account. Automation is key here: only when protection processes work reliably in the background can errors be avoided before they become vulnerabilities. Platforms are needed, not patchwork. Otherwise, security remains a concept rather than a practice.

And that is precisely why it is good that NIS 2 is gaining momentum again. The directive not only creates new obligations, but also finally establishes a common framework. Binding standards, clear responsibilities, comprehensive security. Because anyone who works with critical information today bears responsibility – for themselves and for the entire network.

Cyber security is a matter of national sovereignty. Anyone who operates critical infrastructure or processes sensitive data needs full control: over systems, over information, over communication channels. Those who bear responsibility must also retain it. And that is only possible if security is taken into account in everyday work.

Germany needs a new understanding of digital defence. No ‘we should’, but clear rules. Clear standards. Clear responsibilities. And the courage to leave responsibility where it belongs.