German companies massively ignoring NIS2 obligations

Schwarz Digits warns: Almost half of all companies do not know their obligations under NIS2. Small businesses in particular face high penalties.

[Image: magazine titled "Cyber Security Report 2026" (Image: Schwarz Digits)]

German companies are lulling themselves into a dangerous sense of security: According to the Cyber Security Report 2026 by Schwarz Digits, 48 percent of the surveyed companies massively underestimate their obligations under the NIS2 directive. Among small businesses with 10 to 49 employees and more than 10 million euros in annual turnover, as many as 92 percent wrongly assume they are not affected, even though they fall within the directive's scope.

The representative survey of 1,001 German companies reveals a dramatic information deficit. While cyberattacks cost the German economy over 202 billion euros annually and account for 70 percent of all economic damage, many businesses lack awareness of their legal obligations. The NIS2 directive has been in force in Germany since December 6, 2025, and provides for severe sanctions: Particularly important entities face fines of up to 10 million euros or 2 percent of their global annual turnover, while important entities face fines of up to 7 million euros or 1.4 percent.

“In 2026, cybersecurity is no longer an IT task, but an existential question for every management board,” warns Christian Müller, Co-CEO of Schwarz Digits. “Anyone who misunderstands NIS2 as a bureaucratic burden risks not only painful sanctions but the operational substance of their company.”


Particularly critical: 62 percent of companies feel insufficiently supported by the authorities in implementing NIS2. Only 21 percent say that political and administrative measures provide sufficient protection. The federal states perform worst with a 7 percent positive rating, followed by municipalities with 12 percent and the federal government with 15 percent.

While 73 percent of large companies have implemented clear rules for AI use, 54 percent of all respondents see no cyber risk at all in AI usage. Dr. Alexander Schellong, Managing Director Institutes, Accelerators & Cybersecurity at Schwarz Digits, paints a grim picture: “In the next twelve months, autonomous AI attacks will overrun our current security approaches. A central goal will be the manipulation of AI decisions in the real world – the so-called kinetic prompt hack.”

With this term, Schellong describes attacks in which manipulated inputs cause AI systems to make decisions that have physical consequences – for example, in autonomous systems, robotics, or control systems. The danger: Such attacks require no human interaction and are difficult to prevent.

Every second company registers attacks on suppliers, yet 75 percent refrain from regular security audits of their partners. Only a third have an overview of the actual dependencies in the supply chain. Particularly devastating: IT service providers and compromised software updates are among the most damaging threats. After supply chain attacks, full operational recovery can take up to 30 days.

Cybersecurity budgets, while averaging 17 percent of the IT budget, remain reactive and regulatory-driven. Despite the massive threat landscape, only 13 percent of companies invest specifically in dedicated resources to reduce technological dependencies – even though 42 percent would be willing to pay more for sovereign solutions.

With the EU Cloud Sovereignty Framework, the report introduces a new assessment model for digital sovereignty. Of 27 analyzed enterprise products, only 10 meet the EU minimum requirements. EU-based open-source solutions lead the ranking, while non-European proprietary platforms often fail due to jurisdictional dependencies such as the US CLOUD Act. Nevertheless, 80 percent of EU software spending currently goes to US providers.

“Digital sovereignty has matured into a strategic necessity,” emphasizes Rolf Schumann, Co-CEO of Schwarz Digits. “Anyone who enters into one-sided dependencies on non-European platforms loses control over their data and their ability to act in the long term.”

The frustration with purely defensive strategies is clearly evident: 79 percent of companies advocate for state-sponsored hackbacks, and over 50 percent even wish for hackback powers for private actors. The report interprets this as a sign of growing frustration with the defensive positioning against professionalized attackers.

The complete Cyber Security Report 2026 was published on March 5, 2026, at the Cyber Security Conference in Heilbronn.

(fo)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.