'TÜV Cybersecurity Study 2025'
Number of successful attacks increases significantly
The cyber security situation in the German economy is coming to a head: according to the new 'TÜV Cybersecurity Study 2025', 15% of companies reported at least one IT security incident in the last twelve months.
This means that these companies were the target of successful cyberattacks and had to respond actively. The results are based on a representative survey conducted by the Ipsos Institute among 506 companies with at least ten employees in Germany. IT security managers were surveyed, including senior specialists, IT managers and members of management.
Compared to the previous study from 2023, the proportion of hacked companies has increased by four percentage points. Dr. Michael Fübi, President of the TÜV Association, warned at the study presentation in Berlin: "The German economy is in the crosshairs of state and criminal hackers who are specifically targeting sensitive data, ransom payments or the sabotage of critical infrastructures." It is worrying that cyber criminals are increasingly relying on modern technologies such as AI - and that many companies are apparently underestimating the associated risks.
Self-perception and reality diverge
Despite the growing threat, 91% of the companies surveyed rate their own cyber security as "good" or "very good". At the same time, one in four companies (27%) admits that IT security plays little or no role in their operations. Fübi warns: "Cybersecurity must be a top priority. Companies have a duty to invest appropriately and provide the necessary resources."
A majority of respondents favor government action: 56% support legally binding cybersecurity measures. Fübi is therefore calling on the German government to "swiftly adopt the overdue national implementation of the NIS2 Directive."
This European directive defines binding security requirements for around 30,000 companies in critical sectors such as energy, healthcare and digital services. Nevertheless, only around half of the companies surveyed are even aware of the NIS2 directive.
BSI President Plattner: "Cybernation Germany is just at the beginning"
Claudia Plattner, President of the Federal Office for Information Security (BSI), also sees an urgent need for action: "The low level of awareness of the NIS2 directive is alarming. Clear guidelines are needed for Germany to become a cyber nation - if implemented correctly, they can significantly increase digital resilience." She emphasizes that the BSI focuses on cooperation and support, not bureaucracy. Under the motto "Cybersecurity before bureaucracy", the authority already provides companies with extensive information and advice. As part of the Cyber Resilience Act (CRA), the BSI is planning to take over market surveillance for networked products in future.
Phishing dominates the attack methods
Phishing remains by far the most common form of attack: 84% of affected companies report this - an increase of 12 percentage points compared to 2023. The attack is usually carried out via deceptively genuine-looking emails with links to malware. Fübi explains: "Artificial intelligence makes phishing more dangerous. It helps attackers to create personalized emails, write deceptively real texts or even imitate voices." Although ransomware attacks (12%) are on the decline, the risk remains high. Attackers encrypt data and demand a ransom. On the positive side, more and more companies have established backup strategies. Further threats mentioned are other malware attacks (26%) and password attacks (12%).
Artificial intelligence as a double-edged sword
According to the study, 51% of companies report attacks in which AI was used. In larger companies (250 employees or more), the figure is as high as 81%. The threat posed by AI is real: 82% see AI as a tool for exploiting specific vulnerabilities. 89% say that AI makes attacks more efficient and harder to detect. Nevertheless, only 10% actively use AI for cyber defense - another 10% plan to use it. The aim is to detect threats at an early stage, identify data anomalies, analyze vulnerabilities or fend off attacks automatically.
How companies are arming themselves against cyber threats
Many companies have already taken measures to strengthen their digital security. The following are particularly common:
- Secure hardware (65%)
- External consulting (59%)
- Cybersecurity software (48%)
- Employee training (53%)
However, only 22% rely on regular emergency drills or penetration tests, which can be crucial in an emergency. Also critical: only 27% have increased their IT security budget - two years ago, the figure was 52%. Fübi emphasizes: "Investments must keep pace with the increasing threats."
Standards and regulation as the key to resilience
Binding norms and standards are an important building block. 70% of respondents rate these as important or very important for improving cyber security. Currently, 22% fully comply with the relevant standards, while 53% are guided by them but only partially implement them. "Standards help to permanently anchor cyber security in the company," explains Fübi.
Appeal to politics and business
In view of growing threats, the TÜV association is calling for clearer legal requirements. 55% of respondents support stricter security requirements for companies - also to make the internet more secure. NIS2 and the upcoming Cyber Resilience Act (CRA) are key levers here. The latter provides for mandatory security requirements for all products with digital components from 2027. "Companies can only strengthen their resilience in the long term if they deal with the new requirements at an early stage," says Fübi.











