BSI warns: Companies are deceiving themselves about their cybersecurity!

Current survey shows low cybersecurity knowledge in companies. NIS 2 directive increases requirements – our overview.

On June 22, 2025, the Federal Office for Information Security (BSI) and the TÜV Association will present alarming results of a representative survey on cybersecurity in companies. This study not only shows a worrying increase in the threat level, but also reveals that many companies massively underestimate the risks and overestimate their own resilience. The BSI urgently warns against “deceptive security” and is calling on companies to take a critical look at their own cybersecurity.

A key finding of the survey is that only around half of the companies surveyed are aware of the new EU directive on network and information security (NIS 2). This directive, which came into force in January 2023, will be implemented into national law, and the BSI will become the supervisory authority for around 29,000 companies that will be legally obliged to comply with the NIS 2 Directive for the first time. This implementation is required by October 17, 2024.

Worrying company self-assessment

Although 91% of companies rate their cybersecurity as “good” or “very good,” the survey shows that 27% of businesses treat IT security as a “small” priority or “not at all” a priority. In addition, 56% of those surveyed are in favor of legal requirements to increase the level of protection. Dr. Michael Fübi, President of the TÜV Association, emphasizes the urgency of implementing the NIS 2 Directive in order to adequately prepare companies for the challenges of the digital world.

The NIS 2 Directive introduces new reporting requirements and sanctions. Affected companies, many of which come from important sectors such as energy, transport and healthcare, must deal with the new requirements at an early stage and increasingly implement cyber risk assessment and management measures. A coordinated and proactive approach to cyber hygiene and training is essential.

Regulatory challenges and support

BSI President Claudia Plattner underlines the need to implement this directive and highlights the challenges associated with regulatory requirements. She points out that the BSI provides information and advice to support companies in order to sustainably improve their cybersecurity. This also includes the Cyber Resilience Act (CRA), which defines minimum cybersecurity requirements for connected products and refers to “Technical Guideline TR-03183”, which describes requirements for manufacturers and products.

To implement the NIS 2 Directive, companies must register on business service portals. It is advisable to plan both budget and resources for the requirements. Management is bound by stricter liability rules, while the NIS authority in the Ministry of the Interior has the authority to issue instructions to correct security deficiencies. Violations can result in penalties of up to 10 million euros or 2% of global annual turnover, which underlines the importance of a comprehensive risk analysis.

The NIS 2-compliant measures now required could significantly increase protection against cyberattacks and minimize the risk of data loss or operational failures. Companies are therefore faced with the urgent need to face the new challenges in order to ensure a secure digital future.

For a more in-depth look at the survey results, the BSI provides detailed information on its website, while the Online Security website provides specific information on the NIS 2 directive.

Further information on the current situation in cybersecurity is available via datensicherheit.de and onlinesicherheit.gv.at.