BSI Reports Persistent Cybersecurity Gaps in Federal IT Systems

Tue 11th Nov, 2025

The latest assessment from the Federal Office for Information Security (BSI) reveals substantial and ongoing vulnerabilities in Germany's government IT infrastructure, underscoring the need for comprehensive cybersecurity enhancements. The BSI, responsible for overseeing national IT security, has highlighted that although incremental improvements have been made, significant risks remain due to outdated software and insufficient protective measures across multiple federal agencies.

The BSI's annual security review has become a cornerstone in Berlin's digital policy calendar, both providing a current overview of IT security and outlining new policies intended to address these concerns. A major development in the coming year is the planned 65% increase in the BSI's budget. This expansion is linked to newly assigned responsibilities, including its role as a market surveillance authority under the new Cyber Resilience Act. The BSI will now oversee the security standards of a wide array of networked products, from consumer devices to critical infrastructure components.

With the implementation of the NIS2 Directive, the agency's remit will broaden further. Around 30,000 organizations will be subject to stricter IT security requirements, with the BSI tasked with audits, advisories, and incident response duties. Additionally, the BSI will take charge of cybersecurity leadership within the federal administration, acting as the central coordination office for government digital security.

Persistent Issues in Federal IT Security

The report identifies ongoing security lapses within the federal administration. According to the BSI, close to 10% of government IP addresses are still running unsupported, end-of-life software, which presents a significant attack surface for cybercriminals. The agency has also flagged approximately 30,000 vulnerable Microsoft Exchange servers, up from the 17,000 reported earlier, indicating a worrying trend of slow patching. Each day, the BSI discovers an average of 119 new vulnerabilities, emphasizing the evolving threat landscape.

Despite these challenges, the BSI notes gradual progress in the resilience of critical infrastructure. The agency is focused on closing identified gaps, particularly as attackers increasingly exploit unpatched systems, including software designed to enhance security, such as VPN solutions.

Proactive Measures and Legislative Changes

To counter these challenges, the federal government is planning to equip security agencies with new powers aimed at disrupting and neutralizing the infrastructure used by attackers, even when that infrastructure is located outside Germany. While this approach stops short of direct counter-hacking, it is designed to strengthen preventive defenses and ensure a rapid response to active threats.

The geopolitical context is also influencing cybersecurity policy. The BSI report stresses the importance of developing secure frameworks and standards for interconnected sectors, such as energy, transportation, and digital infrastructure. This is particularly relevant as the proliferation of cloud-connected devices and decentralized networks increases the complexity of determining what constitutes critical infrastructure.

Regulatory Focus and Product Security

Another significant challenge highlighted is the security of products associated with critical sectors, such as automotive technology and surveillance systems. The BSI stresses that certification alone is insufficient; continuous updates and strict controls over data flow are necessary. There is heightened scrutiny on products manufactured abroad, especially from China, due to concerns about unauthorized data access and potential vulnerabilities. Authorities emphasize the need for layered security controls to ensure operational integrity, even in the event of supplier issues or geopolitical tensions.

Future Outlook and Policy Implications

The upcoming NIS2 regulations, expected to be passed by the Bundestag soon, will address these issues in more detail, particularly for critical infrastructure sectors. However, the new rules will not extend to all industries. While some political voices have called for greater independence for the BSI to avoid conflicts of interest, the current focus remains on tightening security standards and expanding the agency's mandate.

The BSI's latest findings make it clear that Germany's cybersecurity environment, though showing some improvement, still faces considerable risks. The ongoing efforts to modernize and secure government IT systems will require sustained investment, rigorous oversight, and close coordination between government agencies and industry stakeholders.