Companies Suffered Damage from Cyberattacks and Are Sceptical About NIS-2

Information Economy

ZEW Survey on Damage Caused by Cyberattacks and on the Implementation of the New EU Directive

Approximately one in seven companies in the information economy and one in eight companies in the manufacturing sector suffered damage from cyberattacks over the past year, a representative survey by ZEW Mannheim finds. The survey questioned close to 1,100 companies in December 2025 and January 2026. The EU Directive on Network and Information Security (NIS-2) is intended to strengthen cybersecurity. However, its implementation is viewed critically by the majority of the German companies affected by the new regulation.

“Smoothly functioning IT systems are essential for the business operations of most companies. The recent hacker attack on Deutsche Bahn highlights the cyber threats companies are exposed to daily,” explains Dr. Daniel Erdsiek, director of the study and member of the ZEW “Digital Economy” Research Unit. “In the information economy, which includes IT service providers, nine per cent of companies report having suffered downtime due to cyberattacks in the past year. In the manufacturing sector, seven per cent of companies experienced such business disruptions.” 

Around four to five per cent of companies report having suffered financial losses, with direct ransom payments occurring somewhat less frequently (around one to two per cent). Around three per cent of businesses had to cope with the loss or leakage of sensitive data. 

Larger firms are affected more frequently

“The frequency of harmful cyberattacks reported by companies is related to their size. Especially larger firms with 100 employees or more report that they suffered damage from cyberattacks in the past year: 20 per cent of companies in the information economy and 17 per cent in the manufacturing sector,” says Erdsiek.

NIS-2 Directive aims to improve cybersecurity

In view of this situation, the EU’s NIS-2 Directive tightens cybersecurity requirements for companies. While the first NIS Directive mainly covered operators of critical infrastructures in areas such as energy and health care, NIS-2 includes significantly more, and also smaller, companies from additional sectors. Among these are digital service providers and companies in the chemical and food industries. The directive defines minimum standards, introduces reporting obligations for security incidents and strengthens sanctioning regulations. The corresponding German implementation law came into force on 6 December 2025. Affected companies and organisations are required to register with the Federal Office for Information Security (BSI) by 6 March 2026. 

“Approximately 57 per cent of the companies in the information economy and manufacturing sector that consider themselves affected by NIS-2 state that they already comply with most of the new rules,” says Dr. Eliza Stenzhorn from ZEW’s “Digital Economy” Unit. At the same time, however, 17 per cent say that, at this point, they tend not to fully comply with the requirements or fail to meet them altogether.

Around half of the companies expected to be affected believe that the directive will strengthen cybersecurity among companies in Germany. “Many firms recognise the benefits of the NIS-2 Directive but believe its practical implementation within companies will be a challenge. Around 60 per cent of companies consider the administrative burden to be too high and the reporting requirements too extensive. A similar number of companies also believe that the potential sanctions are too severe,” says Stenzhorn.

1,100 companies surveyed on cyber risks

The data from December 2025 and January 2026 were collected as part of the ZEW Information Economy Report. For this purpose, the researchers surveyed around 1,100 companies in Germany. The participants are companies from the manufacturing sector and the information economy, which comprises the ICT sector as well as media service providers and knowledge-intensive service providers. Around 200 of the surveyed companies indicated that they are likely to be affected by the NIS-2 Directive.
