German Company Law 2025: Key Obligations

by Archynetys Economy Desk

Cyber Attacks Shake German Economy: New Legal Obligations Emerge

In June 2025, a wave of cyber attacks on critical infrastructure – including energy suppliers, hospitals and transport networks – shook the German economy. These attacks, which are considered one of the greatest threats of the digital era, have brought new legal obligations for companies, in particular through the NIS2 Directive. This article examines the current situation, highlights the legal and operational risks and offers thorough strategies for cyber security and compliance in an increasingly insecure digital environment.

Legal Framework: NIS2 Directive, BSI Act and Criminal Law

The NIS2 Directive, which was fully transposed into German law in June 2025, expands the obligations for operators of critical infrastructure (KRITIS) and other companies. The central requirements include:

  1. Duty to report: cyber incidents must be reported to the Federal Office for Information Security (BSI) within 24 hours (Art. 23 NIS2).
  2. Risk management: comprehensive security measures, e.g. regular penetration tests and training, are mandatory (Art. 21 NIS2).
  3. Fines: violations can result in penalties of up to 10 million euros or 2 % of global annual turnover.

The BSI Act, which regulates national implementation, complements this with specific requirements for German companies. In addition, the Criminal Code (StGB) can apply if data leaks lead to serious damage – e.g. § 202a StGB (spying on data) in the event of negligent behavior. The latest attacks, including an incident at a North Rhine-Westphalian energy supplier in June 2025, underline the urgency of these regulations.

Challenges: Quick Reaction, Data Loss and Coordination

The new obligations bring considerable challenges. First, the quick response to cyber attacks requires immediate notification of the BSI, which is difficult for complex attacks – e.g. ransomware. Companies have to submit an initial assessment within 24 hours, which is often not feasible if the necessary IT infrastructure is lacking. Second, data loss threatens: in June 2025, attacks on hospitals showed that sensitive patient data can be compromised, which results in liability claims and reputational damage.

Third, coordination with authorities is a problem. The BSI demands detailed reports, but many companies have no processes to deliver this data quickly. Practical observations show that companies without emergency plans risk not only penalties but also business failures. In addition, insurance costs are rising: cyber insurance policies that cover such risks have become more expensive as the number of attacks increases.

Another risk is the dependence on suppliers. Many companies use cloud services or IT service providers that can themselves be exposed to attacks. A failure of these service providers could endanger a company's own security, which extends the obligations placed on companies.

Current Developments: Attacks, BSI Measures and Political Reactions

In June 2025, a massive cyber attack on a large energy company in North Rhine-Westphalia illustrated the gravity of the situation: hackers paralyzed the network for hours, which led to power failures. The BSI then initiated increased surveillance and imposed initial fines, including against a hospital that did not report an attack in time. In June 2025, the Federal Government announced an action package that promotes the financing of security measures, but its implementation is still pending.

International reactions are growing. The United States has imposed sanctions against alleged Russian hackers associated with the attacks while China has tightened its own security regulations. This could burden the supply chains of German companies that rely on Asian hardware.

Sectoral Effects: Energy, Healthcare and Transport

The effects of the cyber attacks vary depending on the industry. In the energy industry, network operators are particularly affected. The attack in North Rhine-Westphalia has shown that a failure endangers security of supply, which results in strict security requirements. In the healthcare industry, attacks on hospitals have compromised patient data, which results not only in fines but also in liability claims. In the transport sector, for example in the case of rail networks, attacks could cause operational disruptions that increase economic damage.

Global Perspective: International Cooperation and Sanctions

The global context shows that cyber attacks are an international problem. In June 2025, the United States imposed sanctions against cyber groups related to Russia or North Korea, which increases tensions. China, on the other hand, has tightened its security laws, which influences the export of IT hardware. German companies that use global supply chains must adapt to geopolitical risks that place an additional burden on their cybersecurity.

Practical Solutions: Securing Cyber Security and Compliance

In order to fulfill the legal obligations and minimize cyber risks, German companies should implement the following measures:

  1. Perform security audits: carry out regular penetration tests and vulnerability analyses to identify attack vectors, especially in critical systems such as energy networks.
  2. Develop emergency plans: create protocols for the event of a cyber attack, e.g. backup systems and communication strategies with the BSI, to comply with the 24-hour reporting period.
  3. Cooperate with the BSI: work with the BSI early to obtain support during incidents and to document compliance.
  4. Employee training: train teams on phishing, social engineering and safe IT practices to minimize the human mistakes that make up 80 % of attacks.
  5. Check insurance: take out or update cyber insurance covering data losses, business interruptions and legal costs; the policy should be tailored to NIS2 requirements.
  6. Secure the supply chains: check IT service providers and cloud providers against security standards, for example through contractual obligations on data protection and emergency plans.
  7. Technological investments: implement security solutions such as firewalls, intrusion detection systems and encryption to ward off attacks.
  8. Crisis communication: develop guidelines for communication with customers and authorities in the event of an attack to preserve transparency and trust.
  9. Monitor regulatory developments: keep an eye on changes in the NIS2 implementation or new BSI guidelines, e.g. by subscribing to security updates.

Long-Term Perspective: Resilience and Trust

Strengthening cyber security through proactivity can increase the resilience of German companies and promote the trust of customers and partners. Companies that secure their infrastructure are better prepared for future attacks and can minimize business failures. At the same time, the risk of new waves of attack remains, especially if geopolitical tensions escalate.

Your Path to Security

Cyber attacks on critical infrastructure require increased legal care in 2025, but with the right measures, German companies can avoid fines, data losses and business failures. Please contact me to develop tailor-made solutions for your cyber security and protect your company!

Frequently Asked Questions

What is the NIS2 Directive?
The NIS2 Directive is a European Union law aimed at strengthening cybersecurity across member states by setting out obligations for organizations to improve their cybersecurity and report incidents.
What are the key requirements of the NIS2 Directive?
Key requirements include the duty to report cyber incidents within 24 hours, implementing comprehensive risk management measures, and potential fines for violations.
How does the BSI act relate to the NIS2 Directive?
The BSI Act is the German law that implements the NIS2 Directive at the national level, outlining specific requirements for German companies and organizations.
What sectors are most affected by the recent cyber attacks?
The energy, healthcare, and transport sectors have been particularly affected by the recent cyber attacks, leading to security of supply concerns, compromised patient data, and operational disorders.
What measures can German companies take to improve their cybersecurity?
German companies should perform security audits, develop emergency plans, cooperate with the BSI, train employees, check insurance coverage, secure supply chains, invest in technology, and develop crisis communication guidelines.