One in seven companies victims of hacker attacks
TÜV warns of growing cyber threat - companies should implement NIS2 directive and invest in IT security
12.06.2025
Source: E & M powernews
In its latest cyber security report, TÜV records IT security incidents in 15 percent of companies and calls for the German government to implement the NIS-2 directive quickly.
The cyber security situation in the German economy remains tense. According to a representative study by the Berlin-based TÜV association, 15 percent of companies reported at least one successful IT security attack in the past twelve months. The study is based on a survey conducted by the market research institute Ipsos among 506 companies with at least ten employees. Compared to the previous study two years ago, the proportion of hacked companies has thus risen by four percentage points.
"The German economy is in the crosshairs of state and criminal hackers who want to capture sensitive data, extort money or sabotage important supply structures," said Michael Fübi, President of the TÜV Association, at the presentation of the "TÜV Cybersecurity Study 2025" in Berlin. The increasing use of artificial intelligence (AI) by attackers is particularly worrying.
The energy industry in particular, with its closely linked grids and control systems in control centers and data centers, is part of the critical infrastructure in terms of cybersecurity. With the smart meter rollout and the remote controllability of generators and consumers, high security standards must also be ensured here. Fübi reported that TÜV itself relies not on one but on several cloud solutions from different providers in order to have backups of data and processes.
Investing more money in security
Despite the growing threat situation, companies consider themselves to be in a good position: 91% rate their cyber security as good or very good. At the same time, 27% stated that IT security only plays a subordinate role for them. Fübi warned against underestimating the risks: "Companies should take cyber security seriously and provide the necessary resources for it."
The President of the Federal Office for Information Security (BSI), Claudia Plattner, supported the appeal. "A successful attack is always more expensive than the precautionary measures," she said. In addition, all those affected must learn from each other. Concealing incidents out of shame only plays into the hands of the attackers, said Plattner. Therefore, companies should definitely report incidents. She hopes that the Network and Information Security Directive (EU-NIS-2), which introduces uniform requirements, will be implemented quickly.
Legal regulations are important
The TÜV association is also calling for clear legal regulation in view of the threat situation. The NIS2 Directive stipulates minimum cyber security requirements for around 30,000 companies from security-critical sectors. "The federal government should pass the law quickly," demanded Fübi. It is a cause for concern that only half of companies say they are even aware of the directive. Plattner promised that the BSI would support companies with information and consulting services in order to strengthen economic resilience.
In addition to the NIS2 directive, the TÜV association also refers to the planned Cyber Resilience Act (CRA), which is to regulate security requirements for digital products from 2027. The BSI is aiming to take over market surveillance as part of the CRA. 70% of companies consider norms and standards to be important or very important. However, only 22% fully implement the relevant requirements, while a further 53% implement them at least partially.
Artificial intelligence on the rise
AI is increasingly playing a role on the attacker side: one in two IT security managers reported AI-based attacks on their own company. In larger companies with over 250 employees, this figure is 81 percent. "Despite this, only 10 percent of companies use AI for their own defense, and another 10 percent are planning to use it," said Fübi. The focus here is on the early detection of threats, the analysis of vulnerabilities and automated responses.
Companies rely on various measures to defend themselves: 65% have invested in secure hardware, 59% have sought external advice and 53% have trained their employees. Emergency drills and penetration tests, on the other hand, were only carried out in 22% of companies. Spending on IT security is declining: only 27% increased their budget recently, compared to 52% two years ago.
The TÜV Cybersecurity 2025 report is available to download as a PDF.
Author: Susanne Harmsen