When it comes to IT and physical security, companies across Germany consider themselves well positioned: in recent surveys, specialists and managers alike rate the protection of their technical infrastructure as solid. That confidence is subjective. Cyber attacks and terrorist attacks remain a constant, and therefore serious, risk, and operators of critical infrastructure should counter it with objective, established security measures, all the more so in times of high regulatory pressure.
The figures are striking: around 47 percent of German employees feel well protected by their employer's IT security measures, and close to a third (around 32 percent) even rate the mechanisms as very good. The data collected by Statista reflects a pattern that is also evident elsewhere: the largest group of respondents (46.9 percent) considers the risk of becoming a victim of cybercrime or data theft to be low.
The objective reality looks different. For the period from 2015 to 2023, the industry association Bitkom recorded a sharp rise in the total damage attributable to data theft, industrial espionage and sabotage: from 51.5 billion euros in the reference year 2015 to 205.9 billion euros in 2023, an increase of roughly 300 percent, i.e. a fourfold rise.
Given these developments, it would be a serious mistake for companies of any size to rely solely on gut feeling: attacks on cyber and physical infrastructure put revenue, innovative capacity and the ability to do business at risk. Surveys conducted by the BKA and Deutsche Telekom in 2023 show how real the threat is. Among German companies with at least ten employees and an annual turnover of one million euros or more, 41 percent had fallen victim to data theft, 35 percent to hardware theft and 30 percent to spying by digital means. In each category, almost as many organisations again suspected, without being certain, that they had been affected.
The EU is pushing the prevention of such cases with ambitious directives, notably NIS-2 and CER. The NIS-2 cybersecurity directive, for example, requires an all-hazards approach: the risk management measures it prescribes cover not only digital security but also the physical protection of infrastructure.
Companies within the scope of NIS-2 will have to implement cyber security risk management measures (including risk analysis, incident handling, business continuity and supply chain security) and report significant incidents to the competent authority, with an early warning within 24 hours and an incident notification within 72 hours. According to estimates by the Federal Statistical Office, this affects almost 30,000 companies in Germany alone.
CER, on the other hand, targets the physical resilience of critical facilities. Among other things, it requires member states to systematically identify critical entities and the infrastructure they operate, and to set up central reporting channels for incidents that significantly disrupt essential services.
Both directives set deadlines for transposition into national law, and the European Commission can open infringement proceedings against member states that miss them. So far the record is mixed: the transposition deadline for both was 17 October 2024, but with the collapse of Germany's governing coalition in November 2024 the German bills implementing NIS-2 and CER did not pass before the end of the legislative term. To avert infringement proceedings, implementation must regain momentum under the new government.
Companies should not sit idly by until then: the economic pressure alone is too high, whatever the political timetable. Organisations therefore have a duty to secure themselves against attacks along the lines of both directives, for example with an information security management system (ISMS) according to ISO/IEC 27001. Its risk-based approach and Annex A controls, which include physical and environmental security, supplier relationships and incident management, map closely onto the NIS-2 risk management measures; certification alone, however, does not discharge the registration and incident-reporting duties that national law will define. The responsibility thus lies at both the political and the corporate level, and organisations that act in good time on established standards rather than gut feeling will have a clear advantage.