Cyberattacks cost the German economy €267 billion in 2024. Why DACH companies — especially the Mittelstand — are prime targets, and what they must do now to defend themselves.
The DACH region — Germany, Austria, and Switzerland — is one of the most targeted areas in the world for cyberattacks. Home to Europe's largest economy, a dense network of high-value manufacturers, and thousands of innovative mid-market companies, DACH presents an irresistible target for cybercriminals and state-sponsored attackers alike.
In 2024 alone, cyberattacks cost the German economy an estimated €267 billion, according to the Bitkom industry association — nearly double the figure from just three years earlier. And the threat is accelerating.
The statistics paint a stark picture:
Germany's Mittelstand — the backbone of approximately 3.5 million small and medium-sized enterprises — is uniquely vulnerable. These companies are often:
This creates a devastating asymmetry: high-value targets with startup-level security budgets.
The DACH region is Europe's manufacturing powerhouse. Germany alone accounts for over 25% of EU manufacturing output. This industrial concentration means:
The DACH region's political and economic significance makes it a priority for state-sponsored cyber espionage:
The German Federal Office for the Protection of the Constitution (BfV) has warned that cyber espionage is the biggest threat to Germany's economic security, with estimated losses exceeding €50 billion annually from IP theft alone.
DACH companies navigate a web of overlapping regulations:
The complexity itself becomes a vulnerability. Companies spend so much time understanding which regulations apply that they struggle to actually implement the required security measures.
The past two years have seen a relentless wave of attacks against DACH organizations:
The LockBit ransomware group stole approximately 40 terabytes of data from Continental, one of the world's largest automotive suppliers. The attackers had access to the network for over a month before detection. Continental refused to pay the ransom, and sensitive data including employee information, customer contracts, and technical documents was published on the dark web.
Germany's largest defense contractor was hit by a targeted cyberattack that disrupted civilian business operations. While military systems were reportedly unaffected, the attack highlighted the vulnerability of even security-conscious organizations.
A ransomware attack on Südwestfalen-IT, a municipal IT service provider, crippled government services across 72 municipalities in North Rhine-Westphalia. Citizens couldn't register vehicles, apply for passports, or access essential government services for weeks. The attack demonstrated how a single point of failure in shared IT infrastructure can paralyze an entire region.
Battery manufacturer Varta AG suffered a cyberattack that forced the company to shut down all IT systems and production lines. The attack contributed to significant financial losses and was a factor in the company's subsequent insolvency proceedings — a stark example of how cyberattacks can be existential threats to mid-market companies.
While not recent, this attack remains a landmark case: a ransomware attack on a German hospital led to the diversion of emergency patients and the death of a patient who couldn't receive timely care. It was the first known case of a fatality directly linked to a cyberattack.
In February 2026, Germany's national railway operator was hit by a massive DDoS attack that disrupted online services and digital infrastructure, highlighting the continued vulnerability of critical transportation systems.
Ransomware has become the dominant cyber threat in the DACH region. Key trends include:
The average ransomware demand for DACH companies has risen to approximately €1.2 million, with large enterprises facing demands of €5-20 million. Some attackers now research their victims' cyber insurance policies and calibrate demands accordingly.
Modern ransomware attacks don't just encrypt data — they: 1. Exfiltrate data before encrypting it 2. Threaten to publish stolen data if the ransom isn't paid 3. Contact customers and partners directly to pressure the victim 4. Launch DDoS attacks against the victim's remaining infrastructure
Sophisticated ransomware groups now specifically target backup systems first, destroying an organization's ability to recover without paying. Attacks on backup infrastructure increased by 94% in 2024.
Ransomware-as-a-Service platforms have lowered the barrier to entry. Groups like LockBit, ALPHV/BlackCat, and Clop provide ready-made attack tools to affiliates, enabling even low-skill attackers to launch devastating campaigns against DACH companies.
There's a dangerous misconception that cyberattacks primarily target large enterprises. The data tells a different story:
Attackers target SMBs because they offer maximum return for minimum effort: - Fewer security controls and monitoring capabilities - Less likely to have incident response plans - More likely to pay ransoms to resume operations quickly - Serve as entry points into larger supply chains
A common attack pattern: compromise a small supplier, use their trusted access to reach the larger target. The SolarWinds and Kaseya attacks demonstrated this at global scale, but it happens daily at regional scale throughout DACH.
You can't defend what you can't see. Many DACH companies have shadow IT, forgotten subdomains, exposed development environments, and legacy applications that they've lost track of. The first step is a comprehensive attack surface assessment.
Annual penetration tests are insufficient against threats that evolve weekly. Implement continuous automated security testing that covers your web applications, APIs, and external infrastructure.
The NIS2 directive will affect an estimated 29,000 organizations in Germany alone. If you're in a covered sector with 50+ employees, start your compliance preparation now. The requirements include mandatory incident reporting within 24 hours, supply chain security assessments, and management accountability.
Have a plan before you need it. This means: - Documented incident response procedures - Identified external forensics and legal partners - Regular tabletop exercises - Offline backups tested for actual recovery
Phishing remains the #1 initial access vector in DACH. Regular security awareness training, phishing simulations, and strong authentication (MFA everywhere) are essential.
Assess the security posture of your critical suppliers. Under NIS2, you'll be required to do this anyway — but smart organizations are getting ahead of the regulation.
The math is simple: - Average cost of a breach in Germany: €4.9 million - Average cost of proactive security measures: A fraction of that
Every week without adequate security testing is a week where vulnerabilities go undetected, where attackers have free access, and where the next headline-grabbing breach inches closer.
The DACH region's economic strength is built on engineering excellence, precision, and foresight. It's time to apply those same principles to cybersecurity.
KENSAI gives DACH companies the continuous, AI-powered security testing they need — without the enterprise price tag. See your vulnerabilities before attackers do.
👉 Get your free security scan at kensai.app/free-scan — takes 2 minutes, covers your entire attack surface.
Scan your infrastructure for vulnerabilities in minutes — no credit card required.
Start Free Scan →Published by KENSAI Security Research — AI-Powered Cybersecurity Platform