Attackers often go after outdated and unused test accounts, or stumble upon publicly accessible cloud storage containing critical data that’s a bit dusty. Sometimes an attack exploits a vulnerability in an app component that was actually patched, say, two years ago. As you read these breach reports, a common theme emerges: the attacks leveraged something outdated: a service, a server, a user account… Pieces of corporate IT infrastructure that sometimes fall off the radar of IT and security teams. They become, in essence, unmanaged, useless, and simply forgotten. These IT zombies create risks for information security, regulatory compliance, and lead to unnecessary operational costs. This is generally an element of shadow IT — with one key difference: nobody wants, knows about, or benefits from these assets.

In this post, we try to identify which assets demand immediate attention, how to identify them, and what a response should look like.

Physical and virtual servers

Priority: high. Vulnerable servers are entry points for cyberattacks, and they continue consuming resources while creating regulatory compliance risks.

Prevalence: high. Physical and virtual servers are commonly orphaned in large infrastructures following migration projects, or after mergers and acquisitions. Test servers no longer used after IT projects go live, as well as web servers for outdated projects running without a domain, are also frequently forgotten. The scale of the problem is illustrated by Lets Encrypt statistics: in 2024, half of domain renewal requests came from devices no longer associated with the requested domain. And there are roughly a million of these devices in the world.

Detection: the IT department needs to implement an Automated Discovery and Reconciliation (AD&R) process that combines the results of network scanning and cloud inventory with data from the Configuration Management Database (CMDB). It enables the timely identification of outdated or conflicting information about IT assets, and helps locate the forgotten assets themselves.

This data should be supplemented by external vulnerability scans that cover all of the organization’s public IPs.

Response: establish a formal, documented process for decommissioning/retiring servers. This process needs to include verification of complete data migration, and verified subsequent destruction of data on the server. Following these steps, the server can be powered down, recycled, or repurposed. Until all procedures are complete, the server needs to be moved to a quarantined, isolated subnet.

To mitigate this issue for test environments, implement an automated process for their creation and decommission. A test environment should be created at the start of a project, and dismantled after a set period or following a certain duration of inactivity. Strengthen the security of test environments by enforcing their strict isolation from the primary (production) environment, and by prohibiting the use of real, non-anonymized business data in testing.

Forgotten user, service, and device accounts

Priority: critical. Inactive and privileged accounts are prime targets for attackers seeking to establish network persistence or expand their access within the infrastructure.

Prevalence: very high. Technical service accounts, contractor accounts, and non-personalized accounts are among the most commonly forgotten.

Detection: conduct regular analysis of the user directory (Active Directory in most organizations) to identify all types of accounts that have seen no activity over a defined period (a month, quarter, or year). Concurrently, it’s advisable to review the permissions assigned to each account, and remove any that are excessive or unnecessary.

Response: after checking with the relevant service owner on the business side or employee supervisor, outdated accounts should be simply deactivated or deleted. A comprehensive Identity and Access Management system (IAM) offers a scalable solution to this problem. In this system, the creation, deletion, and permission assignment for accounts are tightly integrated with HR processes.

For service accounts, it’s also essential to routinely review both the strength of passwords, and the expiration dates for access tokens — rotating them as necessary.

Forgotten data stores

Priority: critical. Poorly controlled data in externally accessible databases, cloud storage and recycle bins, and corporate file-sharing services — even “secure” ones — has been a key source of major breaches in 2024–2025. The data exposed in these leaks often includes document scans, medical records, and personal information. Consequently, these security incidents also lead to penalties for non-compliance with regulations such as HIPAA, GDPR, and other data-protection frameworks governing the handling of personal and confidential data.

Prevalence: high. Archive data, data copies held by contractors, legacy database versions from previous system migrations — all of these often remain unaccounted for and accessible for years (even decades) in many organizations.

Detection: given the vast variety of data types and storage methods, a combination of tools is essential for discovery:

• Native audit subsystems within major vendor platforms, such as AWS Macie, and Microsoft Purview
• Specialized Data Discovery and Data Security Posture Management solutions
• Automated analysis of inventory logs, such as S3 Inventory

Unfortunately, these tools are of limited use if a contractor creates a data store within its own infrastructure. Controlling that situation requires contractual stipulations granting the organization’s security team access to the relevant contractor storage, supplemented by threat intelligence services capable of detecting any publicly exposed or stolen datasets associated with the company’s brand.

Response: analyze access logs and integrate the discovered storage into your DLP and CASB tools to monitor its usage — or to confirm it’s truly abandoned. Use available tools to securely isolate access to the storage. If necessary, create a secure backup, then delete the data. At the organizational policy level, it’s crucial to establish retention periods for different data types, mandating their automatic archiving and deletion upon expiry. Policies must also define procedures for registering new storage systems, and explicitly prohibit the existence of ownerless data that’s accessible without restrictions, passwords, or encryption.

Unused applications and services on servers

Priority: medium. Vulnerabilities in these services increase the risk of successful cyberattacks, complicate patching efforts, and waste resources.

Prevalence: very high. services are often enabled by default during server installation, remain after testing and configuration work, and continue to run long after the business process they supported has become obsolete.

Detection: through regular audits of software configurations. For effective auditing, servers should adhere to a role-based access model, with each server role having a corresponding list of required software. In addition to the CMDB, a broad spectrum of tools helps with this audit: tools like OpenSCAP and Lynis — focused on policy compliance and system hardening; multi-purpose tools like OSQuery; vulnerability scanners such as OpenVAS; and network traffic analyzers.

Response: conduct a scheduled review of server functions with their business owners. Any unnecessary applications or services found running should be disabled. To minimize such occurrences, implement the principle of least privilege organization-wide and deploy hardened base images or server templates for standard server builds. This ensures no superfluous software is installed or enabled by default.

Outdated APIs

Priority: high. APIs are frequently exploited by attackers to exfiltrate large volumes of sensitive data, and to gain initial access into the organization. In 2024, the number of API-related attacks increased by 41%, with attackers specifically targeting outdated APIs, as these often provide data with fewer checks and restrictions. This was exemplified by the leak of 200 million records from X/Twitter.

Prevalence: high. When a service transitions to a new API version, the old one often remains operational for an extended period, particularly if it’s still used by customers or partners. These deprecated versions are typically no longer maintained, so security flaws and vulnerabilities in their components go unpatched.

Detection: at the WAF or NGFW level, it’s essential to monitor traffic to specific APIs. This helps detect anomalies that may indicate exploitation or data exfiltration, and also identify APIs that get minimal traffic.

Response: for the identified low-activity APIs, collaborate with business stakeholders to develop a decommissioning plan, and migrate any remaining users to newer versions.

For organizations with a large pool of services, this challenge is best addressed with an API management platform in conjunction with a formally approved API lifecycle policy. This policy should include well-defined criteria for deprecating and retiring outdated software interfaces.

Software with outdated dependencies and libraries

Priority: high. This is where large-scale, critical vulnerabilities like Log4Shell hide, leading to organizational compromise and regulatory compliance issues.

Prevalence: Very high, especially in large-scale enterprise management systems, industrial automation systems, and custom-built software.

Detection: use a combination of vulnerability management (VM/CTEM) systems and software composition analysis (SCA) tools. For in-house development, it’s mandatory to use scanners and comprehensive security systems integrated into the CI/CD pipeline to prevent software from being built with outdated components.

Response: company policies must require IT and development teams to systematically update software dependencies. When building internal software, dependency analysis should be part of the code review process. For third-party software, it’s crucial to regularly audit the status and age of dependencies.

For external software vendors, updating dependencies should be a contractual requirement affecting support timelines and project budgets. To make these requirements feasible, it’s essential to maintain an up-to-date software bill of materials (SBOM).

You can read more about timely and effective vulnerability remediation in a separate blog post.

Forgotten websites

Priority: medium. Forgotten web assets can be exploited by attackers for phishing, hosting malware, or running scams under the organization’s brand, damaging its reputation. In more serious cases, they can lead to data breaches, or serve as a launchpad for attacks against the given company. A specific subset of this problem involves forgotten domains that were used for one-time activities, expired, and weren’t renewed — making them available for purchase by anyone.

Prevalence: high — especially for sites launched for short-term campaigns or one-off internal activities.

Detection: the IT department must maintain a central registry of all public websites and domains, and verify the status of each with its owners on a monthly or quarterly basis. Additionally, scanners or DNS monitoring can be utilized to track domains associated with the company’s IT infrastructure. Another layer of protection is provided by threat intelligence services, which can independently detect any websites associated with the organization’s brand.

Response: establish a policy for scheduled website shutdown after a fixed period following the end of its active use. Implement an automated DNS registration and renewal system to prevent the loss of control over the company’s domains.

Unused network devices

Priority: high. Routers, firewalls, surveillance cameras, and network storage devices that are connected but left unmanaged and unpatched make for the perfect attack launchpad. These forgotten devices often harbor vulnerabilities, and almost never have proper monitoring — no EDR or SIEM integration — yet they hold a privileged position in the network, giving hackers an easy gateway to escalate attacks on servers and workstations.

Prevalence: medium. Devices get left behind during office moves, network infrastructure upgrades, or temporary workspace setups.

Detection: use the same network inventory tools mentioned in the forgotten servers section, as well as regular physical audits to compare network scans against what’s actually plugged in. Active network scanning can uncover entire untracked network segments and unexpected external connections.

Response: ownerless devices can usually be pulled offline immediately. But beware: cleaning them up requires the same care as scrubbing servers — to prevent leaks of network settings, passwords, office video footage, and so on.

Kaspersky official blog – ​Read More

Imagine: a user lands on a scam site, decides to make a purchase, and enters their bank card details, name, and address. Guess what happens next? If you think the attackers simply grab the cash and disappear — think again. Unfortunately, it’s much more complicated. In reality, the information enters a massive shadow-market pipeline, where victims’ data circulates for years, changing hands and being reused in new attacks.

At Kaspersky, we’ve studied the journey data takes after a phishing attack: who gets it, how it’s sorted, resold, and used on the shadow market. In this article, we map the route of stolen data, and explain how to protect yourself if you’ve already encountered phishing, or if you want to avoid it in the future. You can read the detailed report complete with technical insights on Securelist.

Harvesting data

Phishing sites are carefully disguised to look legitimate — sometimes the visual design, user interface, and even the domain name are almost indistinguishable from the real thing. To steal data, attackers typically employ HTML forms prompting users to enter their login credentials, payment card details, or other sensitive information.

As soon as the user hits Sign In or Pay, the information is instantly dispatched to the cybercrooks. Some malicious campaigns don’t harvest data directly through a phishing site but instead abuse legitimate services like Google Forms to hide the final destination server.

The stolen data is typically transmitted in one of three ways — or a combination of them:

• Email. This method is less common today due to possible delays or bans.
• Telegram bots. The attackers receive the information instantly. Most of these bots are disposable, which makes them hard to track.
• Admin panels. Cybercriminals can use specialized software to harvest and sort data, view statistics, and even automatically verify the stolen information.

What kind of data are phishers after?

The range of data sought by cybercriminals is quite extensive.

• Personal data: phone numbers, full names, email, registration and residential addresses. This information can be used to craft targeted attacks. People often fall for scams precisely because the attackers possess a large amount of personal information — addressing them by name, knowing where they live, and which services they use.
• Documents: data and scans of social security cards, driver licenses, insurance and tax IDs, and so on. Criminals use these for identity theft, applying for loans, and verifying identity when logging into banks or e-government portals.
• Credentials: logins, passwords, and one-time 2FA codes.
• Biometrics: face scans, fingerprints, and voice samples used to generate deepfakes or bypass two-factor authentication.
• Payment details: bank card and cryptocurrency wallet details.
• And much more.

According to our research, the vast majority (88.5%) of phishing attacks conducted from January through September 2025 targeted online account credentials, and 9.5% were attempts to obtain users’ personal data, such as names, addresses, and dates. Finally, 2% of phishing attacks were focused on stealing bank card details.

What happens to the stolen data next?

Not all stolen data is directly used by the attackers to transfer money to their own accounts. In fact, the data is seldom used instantly; more commonly, it finds its way onto the shadow market, reaching analysts and data brokers. A typical journey looks something like this.

1. Bulk sale of data

Raw data sets are bundled into massive archives and offered in bulk on dark web forums. These dumps often contain junk or outdated information, which is why they’re relatively cheap — starting at around US$50.

2. Data sorting and verification

These archives are purchased by hackers who act as analysts. They categorize datasets and verify the validity of the data by checking if the login credentials work for the specified services, if they are reused on other sites, and if they match any data from past breaches. For targeted attacks, cybercriminals compile a digital dossier. It stores information gathered from both recent and older attacks — essentially a spreadsheet of data ready to be used in hacks.

3. Resale of verified data

The sorted datasets are offered for sale again, now at a higher price — and not only on the dark web but also on the more familiar Telegram.

According to Kaspersky Digital Footprint Intelligence, account prices are driven by a large number of factors: account age, 2FA authentication, linked bank cards, and service userbase. It’s no surprise that the most expensive and in-demand commodity on this market is access to bank accounts and crypto wallets.

Category	Price, US$	Average price, US$
Crypto platforms	60–400	105
Banks	70–2000	350
E-government portals	15–2000	82.5
Social media	0.4–279	3
Messaging apps	0.065–150	2.5
Online stores	10–50	20
Games and gaming platforms	1–50	6
Global internet portals	0.2–2	0.9
Personal documents	0.5–125	15

4. Repeat attacks

Once a cybercriminal purchases a victim’s digital dossier, they can plan their next attack. They might use open-source intelligence to find out where the person works, and then craft a convincing email impersonating their boss. Alternatively, they could hack a social media profile, extract compromising photos, and demand a ransom for their return. However, rest assured that nearly all threatening or extortion emails are just a scare tactic by scammers.

Cybercriminals also use compromised accounts to send further phishing emails and malicious links to the victim’s contacts. So, if you receive a message asking you to vote for a niece in a contest, lend money, or click on a suspicious link, you have every reason to be wary.

What to do if your data has been stolen

1. First, recall what information you entered on the phishing site. If you provided payment card details, call your bank immediately and have the cards blocked. If you entered a login and password that you use for other accounts, change those passwords right away. A password manager can help you create and store strong, unique passwords.
2. Enable two-factor authentication (2FA) wherever possible. For more details on what 2FA is and how to use it, read our guide. When choosing a 2FA method, it’s best to avoid SMS, as one-time codes sent via a text can be intercepted. Ideally, use an authenticator app, such as Kaspersky Password Manager, to generate one-time codes.
3. Check the active sessions (the list of logged-in devices) in your important accounts. If you see a device or IP address you don’t recognize, terminate that session immediately. Then change your password and set up two-factor authentication.

How to guard against phishing

• Don’t click on links in emails or messages without first scanning them with a security solution.
• If you receive a suspicious email, always check the sender’s address to see if you’ve had any contact with that person before. If someone claims to represent a government authority or company, be sure to compare the domain the email was sent from with the domain of the organization’s official website. No official correspondence should ever come from a free email service.
• Use an authenticator app for two-factor authentication.
• Create hack-resistant passwords. Our research shows that hackers can crack almost 60% of all passwords in the world in less than an hour. Alternatively, consider switching to passkeys, which offer much stronger account protection, but keep in mind that they come with their own caveats.
• Remember: using the same password for multiple services is a critical mistake. This is exactly what malicious actors exploit. Even if you’ve never fallen for a phishing scam, your passwords and data can still end up in data breaches, as cyberattackers target not just individuals but entire companies. This year, the Identity Theft Resource Center has already recorded over two thousand data breaches. To minimize the risks, create a unique and strong password for every account. You don’t have to — and actually can’t — memorize them all. It’s better to use a password manager, which generates and securely stores complex passwords, syncs them across all your devices, auto-fills them on websites and in apps, and alerts you if any of your credentials appear in a known data breach.

More on phishing and scams:

• How phishers and scammers use AI
• Phishing 101: what to do if you get a phishing email
• Email extortion: how scammers use blackmail
• Telegram scams with bots, gifts, and crypto
• Et cetera

Kaspersky official blog – ​Read More

Welcome to this week’s edition of the Threat Source newsletter.  

“It’s a dangerous business, going out your door. You step onto the road, and if you don’t keep your feet, there’s no knowing where you might be swept off to.” — Bilbo Baggins 

It’s almost the end of the year, which feels like the perfect time to start an epic quest. 

So, Middle-earth. I’m walking across it. Not with the intention of destroying the One Ring, but to increase my daily step count in the nerdiest way possible. 

As I suspect is the origin story for most quests these days, my journey began by downloading an app.

It’s called “The Conqueror.” There are many different distances you can choose from, but I chose Middle-earth because I’m that person who watched all the behind-the-scenes footage from Peter Jackson’s Lord of the Rings extended edition box set and physically shed tears because I wasn’t there. 

Heeding Bilbo’s warnings about roads, I’m using a treadmill. After receiving my official race bib (#199574), I hopped on and muttered under my breath, “So it begins.”

So far, I’ve passed Bag End, South Farthing, Woody End, Maggot’s Farm, and I’m currently doing a stopover at Buckleberry Ferry. That’s 130km (55% of the Shire) done. Only 120km until Bree, where I can rest up with a pint at The Prancing Pony. And a mere 2,787km to go until I get to Mount Doom. If only Frodo hadn’t taken so many detours… 

I’ve been rewarded at each milestone with postcards full of extremely nerdy facts about the landscape. And because of The Conqueror’s partnership with an ocean clean-up charity, I’ve also “saved” 20 plastic bottles from entering the sea, which feels very cool to have accomplished while never leaving the house.

It’s a strange, delightful journey: half fitness plan, half fantasy pilgrimage. And it got me thinking about the value of knowing your destination.

Oftentimes when I’m speaking to defenders, one of their main challenges is “I’m struggling to do all the things, all the time.” When everything gets a bit overwhelming, and threats either shift unpredictably or circle back to tactics we thought we’d left behind, it’s easy to lose your sense of direction and say, “What are we doing this for again?”

That’s what I’ve come to like about this quest across Middle-earth: there’s a destination, and there are milestones. Mount Doom is a f*****g long way from Buckleberry Ferry. But I like just knowing the next marker even if I can’t yet see the (Bag)end.

As you’re making plans for next year, it might be worth using that idea: Where are you heading? What are the things you’re doing right now are actually helping you get there? Which detours/madness will lead you into Fangorn Forest? 

If in doubt, follow your nose.

The one big thing 

While tracking ransomware activities, Cisco Talos uncovered new tactics, techniques, and procedures (TTPs) linked to a financially motivated threat actor targeting victims with DeadLock ransomware. The DeadLock ransomware targets Windows machines with a custom stream cipher encryption algorithm that uses time-based cryptographic keys to encrypt files.  

Why do I care? 

There’s a few things that the threat actor does as part of this campaign to make recovery for victims more complicated. First, they use the Bring Your Own Vulnerable Driver (BYOVD) technique with a previously unknown loader to exploit the Baidu Antivirus driver vulnerability (CVE-2024-51324), enabling the termination of endpoint detection and response (EDR) processes. Also, the custom encryption method allows DeadLock ransomware to effectively encrypt different file types in enterprise environments while preventing system corruption through selective targeting and anti-forensics techniques. 

So now what? 

The Talos blog has a full breakdown of the attack, including the new TTPs, attempts at lateral movement, the ways the actor attempts to impair defenses, and the encryption process. Snort SIDs for the threats are: 65576, 65575 and 301358. ClamAV detections are also available for this threat:

• Win.Tool.EDRKiller-10058432-0  
• Win.Tool.VulnBaiduDriver-10058431-1  
• Ps.Tool.DeleteShadowCopies-10058429-0  
• Win.Ransomware.Deadlock-10058428-0

Top security headlines of the week  

Chinese hackers are using “stealthy and resilient” Brickstorm malware to target VMware servers 
The Cybersecurity and Infrastructure Security Agency (CISA) is warning that China-sponsored threat actors are using Brickstorm malware to achieve long-term persistence in critical infrastructure networks. (ITPro) 

Critical Apache Tika vulnerability leads to XXE injection 
A critical-severity vulnerability in the Apache Tika open source analysis toolkit could allow attackers to perform XML External Entity (XXE) injection attacks. (Security Week) 

Zero-click agentic browser attack can delete entire Google Drive using crafted emails 
A new agentic browser attack targeting Perplexity’s Comet browser that’s capable of turning a seemingly innocuous email into a destructive action that wipes a user’s entire Google Drive contents. (The Hacker News) 

Can’t get enough Talos? 

Spy vs. spy: How GenAI is powering defenders and attackers 
Nick Biasini provides an update on how Talos is seeing threat actors currently use genAI, and how defenders can use it as a force multiplier. 

Microsoft Patch Tuesday for December 2025 
The Patch Tuesday for December of 2025 includes 57 vulnerabilities, including two that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”

Most prevalent malware files from Talos telemetry over the past week 

SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a 
MD5: 1f7e01a3355b52cbc92c908a61abf643 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a 
Example Filename: cleanup.bat 
Detection Name: W32.D933EC4AAF-90.SBX.TG 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Example Filename: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507.exe 
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 1ec34305e593c27bb95d538d45b6a17433e71fa1c1877ce78bf2dbda6839f218 
MD5: a1f4931992bf05e9bff4b173c15cab15 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=1ec34305e593c27bb95d538d45b6a17433e71fa1c1877ce78bf2dbda6839f218 
Example Filename: a1f4931992bf05e9bff4b173c15cab15.exe 
Detection Name: Auto.1EC343.272247.in02

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
MD5: aac3165ece2959f39ff98334618d10d9 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe 
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
Example Filename: ck8yh2og.dll 
Detection Name: Auto.90B145.282358.in02 

Cisco Talos Blog – ​Read More

Germany is taking decisive steps to strengthen its cybersecurity framework following the rise of digital threats. Last month, the Bundestag adopted the NIS-2 Implementation Act, translating the EU NIS-2 Directive (Directive (EU) 2022/2555) into national law. Published in the Federal Law Gazette on 5 December 2025 and in force since 6 December 2025, the Act modernizes the country’s IT security legislation and broadens the range of entities subject to regulatory oversight. 

The Federal Office for Information Security (BSI) is tasked with supervision and enforcement under the Act, coordinating cybersecurity across federal agencies in its role as the CISO Bund. The law applies to industrial production, including electronics, machinery, vehicles, and other transport systems. Obligations generally target companies with at least 50 employees or that meet specific revenue and balance sheet thresholds. 

Certain sensitive sectors, such as telecommunications and digital services, are covered regardless of size. As a result, the number of regulated entities in Germany rises dramatically, from around 4,500 under previous frameworks to roughly 30,000, including many mid-sized companies that were previously outside critical infrastructure regulations. 

Registration and Reporting Requirements 

Entities within scope must register within three months with the BSI and the Federal Office for Civil Protection and Disaster Assistance (BBK). Registration requires providing company master data, designated contact points, and internal reporting structures.  

The law establishes a three-step incident reporting process: an initial notification within 24 hours of becoming aware of a cybersecurity incident, an update within 72 hours, and a final report within 30 days, with additional interim reports if requested. 

The NIS-2 Implementation Act sets binding, verifiable minimum requirements, including risk management, vulnerability and patch management, incident response planning, end-to-end logging, multi-factor authentication, and supply chain security. Industrial operators must secure control systems, manage distributed device fleets, and document supplier components.  

Management is explicitly responsible for oversight, decision-making, and training, embedding cybersecurity accountability at the executive level. 

Violations carry severe penalties. “Particularly important entities” can face fines of up to €10 million or 2% of global annual turnover, while “important entities” may incur fines up to €7 million or 1.4% of turnover. The BSI is empowered to issue binding orders, and management members may be held personally liable for failures to implement or supervise required measures. 

 Section 38 of the Act effectively obliges management to implement cybersecurity measures, not just approve them. Section 2(13) defines “members of management bodies” as executives appointed by law, articles of association, or partnership agreements, covering executive functions but excluding supervisory board roles in two-tier structures. 

Integration with EU Cybersecurity Legislation 

The NIS-2 Directive establishes EU-wide requirements for risk management, incident reporting, and operational resilience. It applies to essential entities and mandates an “all-hazards” approach to protect against cyberattacks, technical failures, sabotage, and natural disasters.  

Germany’s NIS-2 Implementation Act integrates these obligations with sector-specific legislation, including the Digital Operational Resilience Act (DORA) for financial services, the Cyber Resilience Act for digital products, and the Critical Entities Resilience Directive (CER). Sector-specific laws generally take precedence where requirements overlap, ensuring legal clarity under the lex specialis principle. 

The EU Cyber Solidarity Act complements NIS-2 by providing operational frameworks for cross-border emergency response, including the Cybersecurity Emergency Mechanism and the European Cybersecurity Alert System. Coordination through the NIS Cooperation Group and networks such as EU-CyCLONe supports strategic and operational collaboration for large-scale incidents. 

Next Steps for Organizations 

With the NIS-2 Implementation Act now active, organizations have until April 2026 to register with the BSI and establish governance, risk-management, and reporting structures. The law raises accountability to both operational teams and executive leadership, creating a more unified, EU-aligned cybersecurity framework across Germany. 

As regulatory expectations tighten, organizations will need faster threat visibility and stronger security operations. Cyble, ranked the #1 Cyber Threat Intelligence Technology by Gartner Peer Insights, offers AI-native tools that help companies identify vulnerabilities, monitor new cyber threats, and strengthen resilience, critical capabilities under NIS-2. 

Organizations preparing for NIS-2 compliance can benefit from Cyble’s AI-powered security ecosystem and are encouraged to explore its free external threat assessment and personalized demo to understand how these capabilities support stronger, regulation-ready defenses. 

References: 

• https://www.recht.bund.de/bgbl/1/2025/301/VO.html?utm_source=chatgpt.com 

• https://www.gesetze-im-internet.de/bsig_2025/BJNR12D0B0025.html?utm_source=chatgpt.com 

• https://digital-strategy.ec.europa.eu/en/policies/cyber-solidarity?utm_source=chatgpt.com 

The post New NIS-2 Law in Germany Expands Cybersecurity Oversight and Introduces Heavy Fines  appeared first on Cyble.

Cyble – ​Read More