Cyberattacks on Germany: Are we already in a cyberwar, and what does that mean for SMEs?
- 32% of SMEs in Germany were victims of at least one cyberattack in the last 12 months.
- Germany is in a permanent hybrid cyber conflict with state-sponsored actors from Russia, China, and other countries.
- SMEs are strategic targets and serve as gateways into the supply chains of critical infrastructures.
- NIS2 makes cybersecurity a legal obligation for many mid-sized companies.
- Those who invest in cyber resilience now not only protect their own company but also strengthen Germany's overall digital security.
- Item A
- Item B
- Item C
Hybrid Conflict instead of 'Classic' Warfare
The attacks are subtle. Instead of air raid sirens, fake emails, crippled IT systems, and encrypted data indicate that cyber conflicts are escalating. German companies are increasingly affected by this: According to a recent Cyber Resilience Study by Proliance 32 percent of SMEs experienced at least one cyberattack in the last twelve months.
What at first glance appears to be isolated security incidents has long followed a larger logic: The attackers are testing how resilient Germany and its companies are. To do this, they use a mix of drone espionage, sabotage of critical infrastructures, and cyberattacks.
Experts refer to the combination of various means as a 'hybrid conflict'. This is precisely what the German government is observing. In the O-Plan, a new defense plan for crises and defense scenarios, the Ministry of Defense explicitly warns for the first time that acts of sabotage, cyberattacks, and disinformation campaigns could be the potential precursor to a digital war.
Attackers' Goals: Weaken the State, Divide Society
Security agencies such as the Federal Office for the Protection of the Constitution (Verfassungsschutz) and the Federal Criminal Police Office (BKA) have reported a significant increase in hybrid activities, particularly with Russian backgrounds, since the beginning of the war in Ukraine. These are many small attacks that may seem manageable individually, but they pursue a common goal: to gradually weaken the state, economy, and society.
Disinformation campaigns using fake videos about Chancellor Merz, or manipulated election information for the federal election, are intended to discredit top politicians and further erode trust in the state and democracy. Highly networked industrial nations like Germany are, according to the BSI, not only targeted by state-sponsored groups from Russia, but also from China, North Korea, or Iran.
Striking in this context is the increasing use of so-called low-level agents: petty criminal helpers who are recruited via online channels and often don't even know who they are working for. This 'policy of many small pinpricks,' which also targets small businesses, is intended to show that the state cannot protect its citizens – a narrative that, in case of doubt, also turns against companies and their supply chains.
Government Response: Security Offensive and 'Cyber Dome'
To protect citizens and businesses, the federal government is responding with a security offensive that expands both surveillance and cyber defense powers. Federal Minister of the Interior Alexander Dobrindt announced a series of defense measures for 2026:
- Source telecommunications surveillance (TKÜ) capability for the Federal Police ("state trojan")
- Increased powers for security authorities to disable digital systems of attackers abroad during digital attacks
- Planned establishment of a "Cyber Dome" for automated defense against cyberattacks
These measures are intended to protect state and critical systems, but they do not replace the responsibility of companies to strengthen their cyber resilience.
What does the cyber crisis mean for SMEs?
Small and medium-sized enterprises have long become part of the attack surface in cyber warfare, serving attackers either as a direct gateway or being affected as part of supply chains. The BSI classifies SMEs explicitly as particularly vulnerable to cyberattacks because resources, expertise, and clear responsibilities for information security are often lacking.
According to cybersecurity specialist Acronis, the situation could worsen further in 2026: Attacks are becoming more automated, more scalable, and often barely visible. This pushes traditional protection mechanisms to their limits.
A successful attack can cripple production, logistics, or customer portals for days, resulting in direct revenue losses, contractual penalties, and reputational damage. In a situation where state entities themselves become targets of hybrid attacks, SMEs must understand their role as part of overall societal resilience.
Find out where your company stands in terms of information security and which cyber risks you should be prepared for.
How well is Germany prepared for cyber warfare?
Fear of cyber warfare is widespread in Germany: 61 percent of citizens fear such a scenario. However, two-thirds believe the country is not adequately prepared for it. While a clear majority generally believes Germany is technically capable of participating in cyber warfare, in practice, the Federal Republic is considered only conditionally prepared for defense in cyberspace. According to the BSI situation report, the widespread resilience of SMEs in Germany remains a particular challenge.
Another hurdle is that many decision-makers believe their company would not be a worthwhile target for cyberattacks. However, for cybercriminal attackers, target selection is less about revenue or industry and more about a favorable cost-benefit ratio for the attack. If the effort is low, as with poorly protected SMEs, attacks are particularly worthwhile.
NIS2: Framework for Greater Cyber Resilience and Improved Defenses
The NIS2 Implementation Act significantly tightens the requirements for cyber and information security and extends them to more companies than NIS1 envisioned. Affected companies also include SMEs that are considered "important" or "particularly important" under the new directive and therefore must demonstrate comprehensive technical and organizational measures (TOM) must.
Among the key obligations are:
- Implementation of an Information Security Management System (ISMS)
- structured risk management for cyber and information security
- Business Continuity Management (BCM) including emergency and recovery plans
Even companies not directly covered by NIS2 are increasingly being held accountable through supply chain requirements and contractual security standards. While this might seem like unnecessary bureaucratic overhead, it helps prepare Germany for future cyberattacks.
"For many SMEs, cyber incidents are now among the biggest business risks. Unfortunately, decision-makers often only address threats when it's too late. NIS2 makes cybersecurity a mandatory requirement and a strategic advantage for many smaller businesses. Those who implement the requirements can contain attacks, reduce downtime, and manage legal risks," says Stefan Rühl, Head of Information Security at Proliance.
Five quick levers for SMEs
You can significantly reduce key risks for your company with manageable effort.
1. Clarify responsibilities
- Appoint a person responsible for information security (internal or external)
- Establish information security as a management task rather than purely an IT issue
2. Consistently implement basic protection
- Keep systems up to date with regular patches and updates
- Ensure antivirus protection and secure firewalls
- Regularly test backups of business-critical data
3. Strengthen teams
- Offer awareness training on phishing, social engineering, and password security
- Implement clear guidelines for mobile working, private devices, and cloud services
- Create low-threshold options for reporting suspicious emails or incidents
4. Think emergency-oriented
- Define and document early on who does what if systems fail or data is encrypted
- Practice for emergencies with typical scenarios such as ransomware, core system failure, or data exfiltration
5. Assess NIS2 Maturity
- determine if your company is subject to NIS2
- utilize a gap analysis to assess processes, technology, and organization for NIS2 readiness
Conclusion: Time to Strengthen Digital Security
Security experts warn that Germany remains too passive in the face of hybrid attacks, instead of actively challenging attackers. This is a risky stance, especially for SMEs. Because whether directly impacted or through supply chains, they have long been targets of hybrid attacks.
Anyone who takes responsibility now, leverages NIS2 as an opportunity for greater clarity, and systematically invests in cyber resilience, not only reduces their own risk. They also make a measurable contribution to ensuring that Germany is less vulnerable in cyberspace and maintains its ability to act in hybrid conflicts.
Still have questions? We have the answers.
According to the Proliance Cyber Resilience Study 2025, 67% of SMEs in Germany experienced at least one cyberattack within twelve months. Germany is in a permanent hybrid cyber conflict with state-sponsored actors from Russia, China, North Korea, and Iran. SMEs are strategic targets, serving as gateways into the supply chains of critical infrastructures. The BSI classifies SMEs as particularly vulnerable due to a lack of resources, expertise, and clear responsibilities for information security. Successful attacks cause production outages, revenue losses, and reputational damage. Proliance strengthens cyber resilience with tailored security concepts.
Five quick, immediate measures offer effective protection: Appoint an internal or external Information Security Officer; implement baseline security with regular patches, updates, antivirus protection, and tested backups; conduct awareness training on phishing and social engineering, along with clear guidelines for mobile working; establish incident response processes for system failure and ransomware scenarios; and assess NIS2 maturity through a gap analysis. Even a manageable effort significantly reduces major risks. Proliance offers a non-binding NIS2 check in just ten minutes to determine your current status and provide recommendations for SMEs.
The NIS2 Implementation Act has been in force since December 2025 without a transition period and affects approximately 29,500 companies in Germany. Affected SMEs must immediately demonstrate comprehensive technical and organizational measures (TOMs): implement an Information Security Management System (ISMS), establish structured risk management for cyber information security, and implement Business Continuity Management (BCM) with emergency recovery plans. Even companies not directly affected are effectively obligated through supply chain requirements. NIS2 makes cybersecurity a legal obligation. Proliance supports with professional NIS2 consulting and ISMS implementation.
Do you have further questions on this topic? Our experts will be happy to advise you free of charge.
