February 6, 2026 | 14:05
Reading-Time: ca. 6 Min

The BSI Report 2025

The BSI report for 2025 (as of October 2025) is out.1 There is not much fundamentally new. Here are the key points, with some context:

  • The threat level remains high and stable.2
  • Misconfiguration of systems and software jumped from 28% in the previous period to 44%.3
  • Web-facing attack surfaces are in a “concerning state”.4 The scope includes all reachable IPs under .de domains.
  • EDR and similar security tools do not provide sufficient protection. They remain ineffective against common attack patterns and can be bypassed with so-called EDR killers, according to Heise.5
  • Small and medium-sized businesses are increasingly targeted by ransomware groups. The report calls this a “fundamental misjudgment” of risk by those in charge.6

Questionable self-praise

This is also typical for the BSI: Self-praise about supposed wins against international cybercrime and improved protection of critical infrastructure. That sounds odd when the same report states:7

In almost all sectors, more incidents were reported during the reporting period than in the previous one.

This does not point to better protection or higher resilience. It reflects better visibility due to stricter reporting requirements, both nationally (KRITIS) and at the EU level (e.g. NIS2, DORA).

At a smaller scale, this reminds me of a typical SME. One of my first steps there is often to walk through the IT landscape with a label printer and build a proper inventory.8 Then comes monitoring and reporting. That is where the BSI seems to be right now, yet it already calls this progress and claims it as a victory.

Despite the increasing number, every reported incident is a success: in every managed and reported disruption we see the operators’ effort to deal with a potentially increased threat level and to address the consequences of outages as effectively and quickly as possible.

Add to that the fact that the BSI now runs its reporting platform on AWS,9 and it looks like a strategic and political failure, especially when, in the meantime, both the EU and the German government have been pushing for open source and digital sovereignty.10

A more realistic assessment would be more useful:11

  • Fewer than half (49%) of regulated KRITIS operators have an adequate level of maturity in their ISMS and BCM.

  • Fewer than half (47.5%) of all reachable .de IP addresses have no security issues. Many expose sensitive metadata or known vulnerabilities.

  • And it remains unclear why the BSI suggests that IPv4 hosts are less secure than IPv6. Ports and software vulnerabilities do not care about the IP version. Most systems, including this blog, support both.

Figures from the BSI report

It is frustrating that the full report is not available as a complete PDF for download. Only the first eight pages and a context-free dashboard are provided. You need to navigate through their pages.

Public sector and administration

Given the BSI’s own numbers, the draft version of the updated KRITIS law feels like a step in the wrong direction. The AG KRITIS response puts it bluntly:12

Excluding large parts of the federal administration and the entire state-level administration from the KRITIS framework is irresponsible.

States and municipalities will be allowed to decide for themselves what is critical and what is not. We have already seen where this ends, for example for 45,000 affected households in Berlin.13 And it seems no lessons were learned from the largest IT infrastructure failure in Germany, which affected 1.4 million people in NRW.14

SMEs: everyone is a target, many do not realize it

The report says it clearly:15

Many lack not only the knowledge and skills for IT security, but even the basic understanding that they are attractive targets for cyberattacks. This is likely due to a fundamental misjudgment of the threat situation. (…) For cybercriminals, neither revenue nor industry are decisive factors. What matters is that the effort of the attack is justified by the expected return.

This “low-hanging fruit” has been the same for decades: Windows, Office, and Active Directory, often configured the same old-fashioned way, and poorly, by admins and service providers. Small changes to infrastructure or software choices can already lead to major security improvements.16 The BSI should make this point much more clearly, but it fails to do so.

Increasing politicization

The report also shows growing politicization. It highlights efforts to strengthen right-wing narratives and spread fear about the future, driven by Russian and now also US actors. That is not controversial. We have been in a hybrid information war for years, not just since Russia’s invasion of Ukraine in 2014.17

Still, parts of the report read as if they were written through a political lens. You can see it in throwaway lines like “…including the online presence of Bavarian authorities”.18 This reference adds nothing to the context, yet it is included anyway. If you can read between the lines which party and region the current interior minister comes from, that is not a good sign.

Official ransomware numbers for 2025

The report lists 950 reported ransomware incidents in Germany in 2025.19 The real number is likely higher. Even the official figure averages to about 2.6 compromised Windows AD environments per day. These environments are the primary target of modern ransomware and the main attack vector across German IT landscapes.

Four years ago, I argued that one company per day in Germany effectively gets taken offline.20 Looking at the trend, that estimate still holds:

Data leaks

When I read about cases where three quarters of a country’s population have their personal data exposed on the dark web, I usually think of developing countries. The BSI report shows that 72% of German citizens are already affected by data leaks. The following chart breaks this down further:21

Categories of data leaks

Email accounts as a risk

According to the BSI, the number of compromised email accounts has increased by 72%.22 While looking for possible correlations, I found a similar trend: the share of companies in Germany using paid cloud services grew from 51% in 2021 to 65% in 2025. This mainly refers to Microsoft Azure and Office 365.23

Growth of companies in Germany using paid cloud services

Correlation is not causation. Still, I do not see many other metrics with a similar increase in that range. If there are better explanations, feel free to correct me.

Overall, there is little reason for optimism. The problems are not just technical. They are rooted in governance failures and how organizations approach risk, ISMS, and security in general.

The positive takeaway for today: it’s the weekend!

Best regards,
Tomas Jakobs


  1. https://medien.bsi.bund.de/lagebericht/de/

  2. https://medien.bsi.bund.de/lagebericht/de/zusammenfassung-und-bewertung/

  3. https://medien.bsi.bund.de/lagebericht/de/gemeldete-schwachstellen-in-softwareprodukten/

  4. https://medien.bsi.bund.de/lagebericht/de/vorworte-und-fazit/

  5. https://heise.de/hintergrund/bla-11139712.html

  6. https://medien.bsi.bund.de/lagebericht/de/gefaehrdungslage-der-kleinen-und-mittleren-unternehmen/

  7. https://medien.bsi.bund.de/lagebericht/de/gefaehrdungslage-der-kritischen-infrastrukturen/

  8. https://blog.jakobs.systems/micro/20210817-asset-management/

  9. https://heise.de/news/bla-11130478.html

  10. https://golem.de/news/bla-2602-205092.html

  11. https://medien.bsi.bund.de/lagebericht/de/systematik-der-lagebewertung/

  12. https://ag.kritis.info/2025/11/27/stellungnahme-zum-referentenentwurf-des-kritis-dachgesetz-mit-stand-03-11-2025/

  13. https://en.wikipedia.org/wiki/2026_arson_attack_on_the_Berlin_power_grid

  14. https://blog.jakobs.systems/blog/20240926-sit-desaster-nrw/

  15. https://medien.bsi.bund.de/lagebericht/de/zusammenfassung-und-bewertung/

  16. https://blog.jakobs.systems/blog/20240506-service-tips-windows/

  17. https://bpb.de/kurz-knapp/hintergrund-aktuell/287565/bla/

  18. https://medien.bsi.bund.de/lagebericht/de/ddos-angriffe/

  19. https://medien.bsi.bund.de/lagebericht/de/cybercrime/

  20. https://blog.jakobs.systems/micro/20221025-geplatzte-ads/

  21. https://medien.bsi.bund.de/lagebericht/de/datenleaks/

  22. https://surfshark.com/research/data-breach-monitoring/quarterly-analysis

  23. https://ec.europa.eu/eurostat/databrowser/view/isoc_cicce_use/default/table?lang=en

© 2026 Tomas Jakobs - Imprint and Legal Notice
