“CYBERSECURITY AND RESILIENCE 2026 – NIS2 AND KRITISDACHG IN PRACTICE”: FOLLOW-UP REPORT ON THE 2ND BBH CYBERSECURITY CONFERENCE

Critical infrastructures are under threat. This is the bitter reality. Cyberattacks, system failures and physical threats to critical infrastructure are no longer abstract scenarios. Germany, in particular, is in the focus of hybrid attacks. This January, a targeted attack on a network node led to a power outage in south-west Berlin that lasted several days. This perfectly illustrates just how vulnerable the energy infrastructure is. Incidents such as this one make it to the front pages. Many threats, however, remain hidden from the public eye. In particular energy suppliers, grid operators and infrastructure service providers know this all too well. The 2nd cybersecurity conference that took place in the Berlin offices of the BBH group addressed these issues and was very well attended. Lawyer and BBH partner Prof. Dr. Ines Zenke welcomed the guests with the following words: “Cyberattacks, physical threats to critical infrastructure and system failures are no longer abstract scenarios. They are reality. Today, we will be speaking with practitioners who deal with these issues in their day-to-day business, who bear the responsibility, make decisions and must take action in case of an emergency.”

Lawyer and BBH partner Thomas Schmeding currently focuses on providing legal advice in times of crisis and carrying out NIS2 training courses. In his opening speech, he points out that “hacker attacks” now cost German companies more than €202 billion per year (Bitkom Study on Economic Security 2025). The frequency of such attacks is reaching alarming levels. One of the reasons for this increase is artificial intelligence. “AI-based systems/models are becoming increasingly efficient at identifying vulnerabilities.” As regards the possibility of German and European companies to gain access to such AI solutions themselves for their own protection, he used Anthropic’s Mythos model as an example and stated: “We are entering a new phase of using AI. This is a phase in which systems can no longer be assessed only on the basis of criteria such as data protection, licences or tokens; they must also be viewed in terms of power and control.”

PANEL 1: HOW CAN COMPANIES ENSURE THAT THEY ARE PREPARED FOR CYBERATTACKS AND PHYSICAL ATTACKS – NIS2 IMPLEMENTATION AND PHYSICAL RESILIENCE THROUGH THE LENS OF COMPANIES

The first panel discussion explored how companies get ready for cyberattacks and physical attacks, focusing on the practical implementation of the NIS2 Directive.

Sylvia Borcherding, CCO and CHRO at the electricity transmission system operator 50Hertz Transmission GmbH, emphasised: “In future, we must give resilience even more careful consideration when designing and planning our grid infrastructure. Today, the security architecture for operating the transmission system is based on the n-1 principle. Given the current threats, however, this will not be sufficient in the future. In the framework of business continuity management, we check interfaces with service providers right from the outset of the commissioning to ensure they meet, for example, the requirements of the NIS2 Directive.”

Claudia Rathfux, managing director of NBB Netzgesellschaft Berlin-Brandenburg mbH & Co. KG, which operates one of Germany’s largest gas distribution systems, stated: “In the event of an attack, we and our business partners are dependent on one another. This dependence offers an opportunity that we must exploit to a greater extent than before in order to ensure a more consistent and confidential exchange of information relevant to our security and critical incidents. At the end of the day, we are all in this together.”

Dr. Gerhard Holtmeier, chairman of the management board of DEW21, Dortmunder Energie- und Wasserversorgung GmbH, stressed: “We must consistently prioritise IT as costs will otherwise get out of hand. We need an integrated approach here. Ultimately, the costs of physical security and cybersecurity are part of the overall costs.”

Fachvorträge: Technische Lösungen und rechtliche Rahmenbedingungen

Lars von Thienen, managing director of business process solutions GmbH / Aequitas Group, spoke about the rapid recovery following an AI-based cyberattack. His company supports clients in digitalising and optimising their business processes in times of crisis. He, too, stressed: “We are operating a system the complexity of which we no longer understand. There are vulnerabilities that we do not even know of but which AI can detect within a few minutes.”

Thomas Königstein, strategic sales development manager at the IT security provider genua GmbH, presented practical solutions for secure remote maintenance in the energy sector, where any access can pose a risk. He stated: “There is an urgent need for action both regarding systems directly connected to the internet and those that can be indirectly targeted by cyberattacks.”

Lawyer Alexander Bartsch, partner counsel at BBH, subsequently spoke of the need to rethink the disclosure requirements for energy and infrastructure companies and to reassess the approach: “A new balance must be struck between the interest in the disclosure of data on critical infrastructure and its protection from cyberattacks and acts of sabotage. This is also a matter to be addressed by the Federal Network Agency and the legislator.”

PANEL 2: IN CASE OF AN EMERGENCY – LESSONS LEARNED AND POTENTIAL SOLUTIONS

The early afternoon was dedicated to specific reports on emergencies, the detection of attacks, resilient approaches and requirements for crisis communication. The panel was hosted by Thomas Schmeding and BBH Consulting board member as well as BBH partner Dr. Andreas Jankiewicz.

Dr.-Ing. Frederik Giessing, member of the management team of 450connect GmbH, which builds and operates the 450 MHz radio network that is highly available, remains reliable even during major disruptions and the goal of which is to digitalise Germany’s critical infrastructure operators, talked about “secure communication as the backbone” and emphasised: “It is precisely in a crisis that communication is the key to bringing the situation under control. We need to dispel the myth that communication is always readily available – instead, we have to ensure that a backup system is in place in case the public mobile network is disrupted.”

Stephan Ilaender, CTO of Stackit GmbH, represented an exclusively European cloud provider certified according to the BSI’s Cloud Computing Compliance Criteria Catalogue (C5) that demonstrates how critical data feeds can be protected through confidential computing without the risk of access from third countries. He stressed: “We should perceive digital sovereignty as a strategic competitive advantage.” We must not blindly outsource control over sensitive data and critical IT infrastructures to non-European corporations. A digital arms race is already underway, and our goal is to establish a sovereign hyperscaler in Europe.”

Klaus Mochalski, managing director of Rhebo GmbH, a company offering industrial network monitoring and anomaly detection for an early-stage reporting of attacks on control systems of energy suppliers, shared the lessons learned in his more than 10 years of work in detecting attacks on critical infrastructures. He explained: “We are lured to believe that the OT environment is secure since we happen to see only a few attacks. However, based on our observations, state actors are getting their attack tools ready to go.”

Prof. Dr. Christian Haas, director of the Institute for Complex Systems Research in Frankfurt am Main, which focuses, among other things, on resilience strategies in socio-technical infrastructures, shed light on assimilative versus accommodative resilience strategies: “People are the greatest vulnerability, but also the greatest asset when it comes to security. That is because we are capable of recognising threats. Neurobiology calls this “error-related negativity,” employees can sense when something is amiss. The important thing is that they feel integrated into the organisation.”

In his presentation titled “Where the systems fall silent, leaders must speak out”, Christoph Hausel, crisis communication specialist and managing director at element C, urged that “with regard to internal and external communication, organisations should know how to respond to a crisis: at least once a year, they should simulate scenarios, get ready and clarify who is authorised to which piece of information. This ensures that organisations are very well equipped in case of an emergency.”

BBH partner and lawyer Thomas Schmeding recapped the day and invited the participants to attend the subsequent NIS2 training course mandatory for members of management bodies. How do companies ensure that they meet the rising cybersecurity and resilience requirements? Why is the implementation of the NIS2 Directive stalling? How can companies protect themselves effectively against attacks? What is to be done in case of an attack? How do companies collaborate productively with public authorities? When it comes to information and disclosure requirements, is “less more”? How do we safeguard digital sovereignty in the face of rapid technological change and an evolving threat landscape? These are the hot topics we discussed and which we need to keep on the agenda.