What is Cyber Resilience? A Definition

In exactly two years, the Cyber Resilience Act will come into force. But what cyber resilience means and how to achieve it is still unclear to many.

[Image: a finger on a keyboard with a digital exclamation mark in the foreground (janews/Shutterstock.com)]

The term cyber resilience is increasingly coming into focus in current IT security projects. For example, the Network and Information Security Directive NIS-2, which came into force on December 6, 2025, explicitly aims to increase the resilience of critical infrastructure. The Cyber Resilience Act (CRA), which will become fully mandatory in exactly two years on December 11, 2027, even has resilience in its name. The actual goal is to make products in the IT environment secure in the broadest sense. Security and resilience are already getting mixed up here.

In IT, the terms security and resilience are often used in parallel or even interchangeably. However, there is actually a clear distinction. IT security primarily relates to the period before possible attacks. It is mainly about preventing attacks or at least making them significantly more difficult. Resilience, on the other hand, comes into play when an attack has already occurred and operations must continue or at least resume as quickly as possible. This includes, in particular, the ability to adapt to attacks – or also to accidents or natural disasters.

"Cyber resilience means remaining operational despite attacks," explains Samira Taaibi from Fraunhofer IEM. Taaibi is leading a study on a deeper understanding of resilience and how to achieve it. One of her first findings is that there is still no uniform understanding of what cyber resilience actually means and how to actively improve it. There is the NIST definition, which Fraunhofer IEM also uses as a basis:

The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources

However, this does not help companies or, more specifically, software developers who want to make their products more resilient. In more concise terms, cyber resilience can be defined as follows:

The ability of an IT infrastructure unit to continue to perform its task despite disruptions and attacks


The implementation of resilience can be divided into four fundamental areas.

  1. Anticipate: Recognize risks and possible attack vectors early, prepare for disruptions, and plan appropriate measures.
  2. Withstand: Absorb attacks or disruptions so that operations are not affected or only partially impaired.
  3. Recover: Quickly and in a controlled manner restore services to a functional state after a successful attack.
  4. Adapt: Learn from incidents and further develop systems so that similar attacks are less successful in the future.

It is already clear that this is not a static property that can be secured once and then forgotten. While a product can be equipped with resilience as part of "Secure by Design," responding to acute incidents will, at the latest, usually require measures after commissioning. This in turn requires regular mitigations or patches for newly discovered security problems. And adaptation requires a mechanism for reacting to the environment and its changes in such a way that the system becomes more resistant overall.

However, there is no consensus on how resilience actually works in IT and, above all, how to improve it in a targeted manner. Research is still needed at this point to improve understanding – as in Taaibi's current study within the framework of the research project CyberResilience.nrw. This project is about the state of cyber resilience in German organizations; interested parties can also participate until December 31, 2025.

(ju)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.