Every Second German Company Doesn't Know Its Cyber Obligations - and Pays the Price
Summary
The Cyber Security Report 2026 by Schwarz Digits reveals a stark reality: cyberattacks cause more than 202 billion euros in damage to the German economy every year. Around 48% of affected businesses are unaware that they fall under the NIS2 directive, which has been binding law in Germany since December 2025. Meanwhile, 75% never audit their suppliers for security gaps - even though one in two companies has already experienced attacks targeting their own supply chain. Businesses that ignore NIS2 face fines of up to 10 million euros and personal liability for management. This article explains what is at stake and what companies should do right now.
202 billion euros. Every single year. That is the price Germany pays for cyberattacks - and the number keeps growing. It makes no difference whether a company is a listed corporation or a ten-person operation. Attackers look for the weakest points in the system, and they find them far too often. The Cyber Security Report 2026, published by Schwarz Digits at the Cyber Security Conference in Heilbronn in March 2026, is a wake-up call that was long overdue. Most German companies are dramatically underestimating their own exposure to cyber threats.
The study is based on a representative survey of 1,001 German businesses. The findings are clear - and deeply concerning.
Germany's Blind Spots
The biggest problem here is not technical. It is a knowledge problem. Around 48% of companies that fall under the NIS2 directive according to current law simply believe they are not affected. The situation is most striking among smaller businesses with high revenues: among companies with 10 to 49 employees and annual revenues above 10 million euros, a staggering 92% wrongly assume they are outside the scope of NIS2 - even though they clearly are not.
This is not a harmless misunderstanding. Germany's NIS2 Implementation Act (NIS2UmsuCG) has been in force since 6 December 2025 - with no transition period whatsoever. Around 29,500 businesses across 18 sectors are affected, ranging from energy suppliers and IT service providers to mechanical engineering and logistics companies. The registration deadline with Germany's Federal Office for Information Security (BSI) passed on 6 March 2026. Any company that has not yet registered is already in breach of current law.
The consequences are serious. Violations can result in fines of up to 10 million euros or 2% of global annual turnover, whichever is higher. What is particularly new - and particularly serious - is the introduction of personal liability: managers and directors can be held directly responsible for security failures, and in severe cases may even face a temporary ban from exercising their professional duties.
The supply chain represents another major blind spot. Every second company has already recorded attacks targeting its own suppliers - yet 75% still do not conduct regular security audits of their partners. This is the digital equivalent of locking the front door while leaving the basement window open. Attackers know this pattern and exploit it deliberately.
The picture around artificial intelligence is equally troubling. A full 54% of surveyed businesses consider the cyber risk posed by AI to be minimal or non-existent - despite months of warnings from security experts that AI-powered attacks will outpace traditional defences.
What Companies Should Do Now
The figures are alarming, but the constructive message is this: companies that act now can protect themselves. Here are the most important steps:
First, check whether your company falls under NIS2. The BSI provides a registration portal at muk.bsi.bund.de. A late registration carries some risk, but it is far better than no registration at all. When in doubt, consult a specialist.
Second, bring the supply chain actively into your security strategy. This means regular security questionnaires for suppliers, clear contractual clauses regarding cybersecurity standards, and ideally independent audits of key partners.
Third, employee awareness training is not optional - it is essential. The most common entry point for attackers remains the human element: phishing emails, fake links, and social engineering calls. Regular training significantly reduces this risk.
Finally, cybersecurity must be placed on the management agenda - not buried in an IT ticket system. NIS2 makes this legally binding: leadership bears personal responsibility, and rightly so. Digital security has long since become a core business function, not an IT detail.
As Christian Müller, Co-CEO of Schwarz Digits, put it: those who misread NIS2 as a bureaucratic burden are risking not just financial penalties, but the operational substance of their entire business.
The 202-billion-euro figure is alarming. More alarming still is the fact that a large share of this damage is preventable - if companies understood what is heading their way and took action accordingly.
Quellen
Schwarz Digits, Cyber Security Report 2026, veröffentlicht auf der Cyber Security Conference Heilbronn, 5. März 2026 - schwarz-digits.de
heise online: Deutsche Unternehmen ignorieren NIS2-Pflichten massiv, 5. März 2026 - heise.de
Presseportal / Schwarz Digits: Weckruf für die deutsche Wirtschaft - Cyber Security Report 2026, 5. März 2026 - presseportal.de
OpenKRITIS: NIS2-Umsetzungsgesetz in Deutschland 2025/2026 - openkritis.de
SECJUR: NIS2 Umsetzung Deutschland - Gesetz, Fristen & Schritte 2026 - secjur.com
mybusinessfuture.com: NIS2-Umsetzung Checkliste für den Mittelstand, April 2026 - mybusinessfuture.com
Quick links
Follow us
-
Twitter
-
Linkedin
Get in touch with us
Email us
info (a) CyberSchild (.) com
Call us
+423 793 7175
