Wake-up call for the German economy: Cyber Security Report 2026 reveals resilience gaps


Heilbronn, 05.03.2026

  • Massive knowledge gap regarding NIS-2: Around 48% of the companies surveyed underestimate their regulatory impact.
  • Underestimated danger: 54% of companies assume that AI applications do not influence the cyber threat situation.
  • Supply chain risk: Half of the companies report attacks on suppliers, but 75% do not conduct regular audits of their partners.

Heilbronn, March 5, 2026 – The "Cyber Security Report 2026" published today by Schwarz Digits at the Cyber Security Conference (CSC) reveals an alarming picture of the German economy. Despite estimated economic losses of over €202 billion annually due to cyberattacks, the representative survey of 1,001 German companies shows a deep discrepancy between perceived preparedness and structural resilience. Although cybersecurity budgets rose to 17% of IT budgets, they remained reactive and regulatory-driven. Almost every second company massively underestimates its regulatory impact under NIS-2. The report proves that while attackers are becoming more professional with the help of AI, many companies are indulging in a dangerous security illusion.

NIS-2 knowledge gap and government resilience

The report reveals a critical information deficit: 48% of the companies surveyed mistakenly assume that they are not affected by the NIS-2 directive. The situation is particularly dangerous for small businesses with high revenues: although they have a small workforce of 10 to 49 employees, they exceed the revenue threshold of €10 million and are therefore subject to regulation. In this segment, up to 92% have a false sense of security and wrongly rule out being affected.

"In 2026, cybersecurity will no longer be an IT task, but a matter of survival for every management team," says Christian Müller, Co-CEO of Schwarz Digits. "Those who misunderstand NIS-2 as a bureaucratic burden risk not only painful sanctions but also the operational substance of their company."

Criticism of the public sector is also growing: 62% of companies feel that they are not receiving sufficient support from the authorities in the introduction of NIS-2. The state's general digital capacity to act is also rated poorly: only 21% of companies feel sufficiently protected by political and administrative measures.

The grassroots level is viewed particularly critically: only 7% believe that German federal states are well positioned to defend against cyberattacks – putting them even lower than local authorities (12%) and the federal government (15%). In this context, 79% of respondents are in favor of state hackbacks, and more than half would like to see such powers granted to private actors – a clear sign of growing frustration with purely defensive strategies to date.

AI as a double-edged sword

Artificial intelligence is shaping the current and future threat landscape in 2026 by massively accelerating and scaling existing threats. Nevertheless, more than half of the companies (54%) rate the cyber risk posed by the use of AI as non-existent or negligible. While large companies (73%) have clear rules on the use of AI, at least 23% of SMEs need to catch up.

"In the next twelve months, autonomous AI attacks will overwhelm our current security approaches," warns Dr. Alexander Schellong, Managing Director Institutes, Accelerators & Cybersecurity at Schwarz Digits. "A key target will be the manipulation of AI decisions in the real world – the so-called 'kinetic prompt hack'. We urgently need to close the gap between perceived security and actual vulnerability."

Digital sovereignty between desire and reality

When it comes to digital sovereignty, there is a huge gap between aspiration and reality. While its strategic relevance is recognized, there is a massive lack of operational implementation. Only 19% of the companies have a strategy for digital sovereignty, with regulated industries such as finance and insurance leading the way. Although 42% of the companies surveyed would be willing to dig deeper into their pockets for sovereign solutions, and half of them see the establishment of European data rooms as a decisive step toward digital sovereignty, reality lags behind expectations. Only 13% are investing specifically in dedicated resources to actively reduce technological dependencies. The report underpins this data with the newly developed Software Sovereignty Framework (EU SSF). The model certifies EU-based open-source solutions as having significantly higher sovereignty than proprietary platforms from non-EU countries.

"Digital sovereignty has matured into a strategic necessity," emphasizes Rolf Schumann, Co-CEO of Schwarz Digits. "Those who enter into unilateral dependencies on non-European platforms will lose control over their data and their ability to act in the long term." 

Supply chain risk: the open door

The interconnection of the economy is becoming a central weakness. Although every second company has already recorded attacks on its suppliers, 75% still do not conduct regular audits of their partners. This lack of control is risky, as only a third of the organizations have a complete overview of their actual dependencies within the supply chain. Attacks via IT service providers (managed service providers) or compromised software updates are particularly devastating. Such incidents are among the most damaging threats: in serious cases, it often takes up to 30 days for operations to be fully restored.

The Cyber Security Report 2026 is available for download (German version). We will provide the report in English in April.