Digitalization and cybersecurity: The Cyber Security Report 2026 by Schwarz Digits – A rude awakening for SMEs
Published on: March 8, 2026 / Updated on: March 8, 2026 – Author: Konrad Wolfenstein

Digitalization and cybersecurity: The Cyber Security Report 2026 by Schwarz Digits – A rude awakening for SMEs – Image: Xpert.Digital
Cybercrime trap worth billions: Why Germany's SMEs are flying blind when it comes to NIS2
Cybersecurity is a top priority: Will the NIS2 law be the death knell or the savior for companies?
The digitalization of the German economy has a dangerous downside: cybercrime has long since become a highly professional, multi-billion-euro business and increasingly threatens the existence of medium-sized companies. While attackers are constantly refining their methods through the use of artificial intelligence, almost half of all businesses are lulled into a false sense of security. The current "Cyber Security Report 2026" reveals a shocking self-deception – particularly with regard to the new European NIS2 directive. Many CEOs are unaware that new revenue and employee thresholds have already brought them under the strict regulations. Those who ignore the warning signs now risk not only devastating production losses, reputational damage, and high ransom demands, but also personal liability for their management. The following article examines why cybersecurity has definitively transformed from an IT detail problem into a macroeconomic governance issue, what the new laws actually require, and how companies can turn this apparent bureaucratic obligation into a genuine competitive advantage.
While cyberattacks are becoming a billion-dollar business, almost half of companies consider themselves unaffected – and underestimate the implications of NIS2
The most dangerous security vulnerability: self-deception
In the midst of a global trend toward the professionalization and industrialization of cyberattacks, the Schwarz Digits Cyber Security Report 2026 reveals an uncomfortable truth: a large portion of German businesses fundamentally misjudges their own risk. Around 48 percent of the surveyed companies assume they are not subject to the NIS2 directive, even though they could objectively fall within its scope. The situation is particularly precarious for high-revenue small businesses that meet the thresholds but simultaneously exhibit the weakest internal security expertise and the lowest awareness of regulatory obligations.
The study also reveals the vast gap between aspiration and reality. While Europe aims to create a unified, significantly stricter framework for cyber and operational resilience with NIS2, many companies still view the issue as a minor IT detail and a mere footnote to compliance. In reality, cybersecurity has long been a macroeconomic risk factor: According to one analysis, cyberattacks now account for approximately 70 percent of economic damage in Germany – from production outages to extortion. It is within this tension between regulatory pressure, real threats, and organizational overload that the decision will be made whether NIS2 becomes a competitive disadvantage or a catalyst for modernization.
What NIS2 really requires – and who it affects
The NIS2 Directive pursues a clear objective: to improve the resilience of the European economy against cyber incidents by establishing minimum standards for security, governance, and reporting obligations. It expands the scope of affected companies far beyond traditional critical infrastructures. In addition to energy, transport, and healthcare, sectors such as mechanical engineering, food production, digital services, waste management, postal and courier services, electronics manufacturing, and numerous industrial suppliers are now particularly in focus.
Two categories are practically relevant: "important entities" and "particularly important entities," each subject to different requirements and sanction frameworks. What decides the matter is the sector classification together with the thresholds, which are typically based on headcount (around 50 employees or more) and revenue (around €10 million or more). This is precisely where the misunderstanding lies: many medium-sized businesses that never considered themselves critical infrastructure are now unknowingly slipping into the scope of application because of these revenue and employee thresholds.
At its core, NIS2 requires three things: risk-based information security management, clear processes for detecting and reporting incidents, and measures to secure the supply chain. In addition, it includes requirements for business continuity, backup strategies, physical security, cryptography, access control, and regular training. The explicit responsibility of senior management is particularly significant: according to several analyses, managers can be held personally liable if they fail to fulfill their duties to manage cybersecurity. This makes NIS2 a top priority – whether management likes it or not.
The Cyber Security Report 2026: A reflection of resilience gaps
The Cyber Security Report 2026 by Schwarz Digits paints a picture that must be interpreted, without exaggeration, as a wake-up call. In addition to the misjudgment described above of whether a company falls under NIS2 at all, the data reveals further worrying patterns. More than half of the companies surveyed assume that AI applications will not significantly alter the threat landscape, even though attackers are now specifically using artificial intelligence to automate phishing, recognize patterns in defense mechanisms, and adapt their attacks.
At the same time, the report identifies the supply chain as one of the biggest risk factors. One in two companies registers attacks on suppliers or partners, yet around three-quarters forgo regular security audits of their service providers. In a networked economy where production chains, cloud services, and digital platforms are closely intertwined, internal IT hardening is insufficient if the weakest link in the chain remains open.
Furthermore, there is a massive distrust of government support. Only about one-fifth of companies feel adequately protected by political measures; many criticize the lack of clarity, the fragmentation of responsibilities, and the insufficient operational support. At the same time, almost 80 percent of those surveyed support so-called "hackback" measures by the government – an indication that expectations for a more active, proactive state are growing, while companies' own risk management often remains underdeveloped.
NIS2 is coming: Why CEOs are now personally liable for cyber vulnerabilities
Cyber risks as a macroeconomic burden
From an economic perspective, cyberattacks are far more than a fringe issue in IT. Studies and industry analyses estimate the annual damage caused by cybercrime in Germany at over €200 billion. This includes production losses, lost value creation, ransom payments, reputational damage, and long-term competitive disadvantages due to the loss of know-how. When Schwarz Digits points out that around 70 percent of registered economic damage is now attributable to cyberattacks, it demonstrates that cybersecurity has become just as crucial a factor for business location as energy prices or the availability of skilled workers.
At the corporate level, this has a direct impact on cash flow and investment capacity. A successful ransomware attack can bring production to a standstill for days or weeks, jeopardize supply contracts, and strain credit lines. Particularly problematic is the fact that such incidents often extend beyond one-off costs: customer relationships can be permanently damaged, insurers adjust premiums and terms, and the implementation of stricter regulations following a serious incident ties up resources that would otherwise have been invested in growth or innovation.
Economic logic clearly favors a preventative approach. Investments in security architectures, monitoring, training, and crisis plans are rational from a business perspective if they reduce massive risks of failure. NIS2 strengthens this incentive by introducing sanction mechanisms and personal liability – but the most effective lever remains the understanding that cyber resilience is a prerequisite for stable business models, not their enemy.
Small and medium-sized enterprises (SMEs) flying blind: skills shortage, IT debt and shadow IT
The particular vulnerability of German SMEs can be explained by a combination of structural factors. Many companies have a historical strength in product development and manufacturing, but are comparatively weak in IT governance and security architecture. Legacy systems, organically grown network structures, and individually tailored specialized solutions coexist, often without a consistent patching and authorization concept.
The shortage of skilled workers exacerbates the problem. Small and medium-sized enterprises, especially in rural areas, struggle to attract specialized security experts. As a result, their limited IT teams are overloaded with operational tasks, while strategic security and governance issues are neglected. Shadow IT—self-implemented tools and cloud services without central control—continues to grow in the background, creating additional attack vectors.
While NIS2 formally shifts the focus to strategic governance and management responsibility, without sufficient resources there is a risk that companies will resort to symbolic politics: policies are formulated, audits are announced, but the actual vulnerabilities remain unchanged. This would mean the directive would miss precisely what it is intended to achieve: a real, demonstrable increase in resilience.
AI as an amplifier: both a risk and an opportunity
A key misconception among many companies is the assumption that AI, while a trending topic, does not fundamentally change the actual threat landscape. In reality, modern models enable extensive automation and personalization of attacks. Phishing emails can be generated in perfect German, incorporating industry-specific references and corporate jargon; scripts for exploiting known vulnerabilities can be assembled without requiring in-depth expert knowledge.
At the same time, AI opens up enormous potential on the defense side. Anomaly detection systems can identify unusual patterns in network traffic, login behavior, or data access that would escape human analysts. User and Entity Behavior Analytics (UEBA) makes it possible to identify deviations from typical user behavior and react early. Automated playbooks in security orchestration platforms can react within seconds in an emergency, isolate systems, and protect backups.
Economically, AI reduces marginal costs on both the attack and defense sides. Whether it ultimately becomes a disadvantage or an advantage for a company depends on governance, architecture, and management. Those who treat AI merely as a marketing buzzword or use it only in sales and marketing but not in the security stack are missing a crucial opportunity.
From IT project to governance issue: A roadmap for NIS2
Given the complexity, it's clear that NIS2 compliance cannot be managed as a purely IT project. A sensible approach begins with a sober assessment: In which sector is the company positioned, which thresholds are being met, and into which category does it fall? Based on this, an Information Security Management System (ISMS) should be established or expanded, defining roles, processes, and responsibilities.
Key steps include: systematic risk analysis of critical business processes, definition of protection requirements, a clear authorization concept, backup and recovery strategies, a reporting and incident response process, and regular training. The supply chain must be explicitly included: contractual clauses on security standards, segmented networks, clear rules for remote access, and regular audits.
At the management level, it is crucial that cybersecurity is placed on the agenda as an ongoing management issue, similar to financial risks or occupational safety. Reports on threat landscape, incidents, audits, and improvement measures should be integrated into the normal management cycle. External service providers can help bridge the skills gap – but only if they are not used as a dumping ground for responsibility, but rather are integrated into a clear governance structure.
NIS2: A burden or an opportunity?
The crucial question is how German businesses interpret NIS2. If the directive is primarily seen as a bureaucratic burden, there is a risk of a minimal compliance approach: companies fulfill just the bare minimum, diligently document their actions, but only marginally alter the actual security situation. In this scenario, cyberattacks would continue to cause significant economic damage, while companies invest additional time and money in formal reporting.
In an alternative scenario, NIS2 is used as an opportunity to consolidate outdated IT structures, digitize processes, and modernize security architectures. Companies that invest early can position themselves as reliable, resilient players to customers and partners. In a world where supply chain risks are increasingly relevant to decision-making, demonstrable cyber resilience can become a key differentiator.
The economic assessment is therefore clear: The question is not whether companies should address cybersecurity and NIS2 – they must. The real management decision is whether they perceive this obligation merely as a cost factor or as a strategic investment in competitiveness and trustworthiness.