17 December 2025
Article Series – 2 of 17 Publications
Cybersecurity is a key task for the high-tech industry – and the defense sector is no exception. The focus is not only on defending against attacks on know-how or theft of intellectual property, but also on the security and resilience of weapon systems and components. Cybersecurity must be embedded in processes and exist as a capability of the respective product. To put it bluntly, firewalls and encryption protocols will determine security and sovereignty in the future. Cybersecurity is a basic prerequisite for ensuring innovation and defense capabilities.
The threat situation in cyberspace is tense and dynamic. State and non-state actors are specifically targeting companies in the defense industry – whether for espionage, sabotage, or to prepare hybrid attacks. Due to its strategic importance, the defense industry is a particularly attractive target for cyberattacks: digital technologies, networked systems, and software-based components have long since become the backbone of modern armaments and military services. And it is not only the companies themselves that are the focus of attention, but above all their products and services, which they provide to the German Armed Forces and friendly armed forces of other nations. The industry is the target of a steadily growing number of cyberattacks that aim not only to cause economic damage but also to weaken the national and European security architecture.
The protection of IT systems and processes, networks, and programs against cyberattacks—in short, cybersecurity—is primarily dictated by business sense. Attacks against a company's own IT infrastructure have a direct impact on the availability of systems and processes. In the worst case, the company's productivity can be completely paralyzed or know-how can be leaked in an uncontrolled manner.
The obligation to ensure cybersecurity is increasingly being imposed by law, either directly as a specific obligation or indirectly as best practice or as an obligation via supply chains. Companies – especially those with security-relevant significance – are obliged to implement appropriate technical and organizational measures for IT security.
At the heart of this is the European NIS 2 Directive (Directive (EU) 2022/2555), which, with its implementation into German law through the "Act Implementing the NIS 2 Directive and Regulating Essential Features of Information Security Management in the Federal Administration" (NIS 2 Implementation Act), sets a new standard for cybersecurity. In the future, not only operators of critical infrastructures but also "important" and "essential" entities will be subject to the extended cybersecurity obligations.
Companies that are obligated parties or suppliers to these entities are subject to comprehensive requirements. They must establish risk management, take technical and organizational measures to defend against cyberattacks, report security incidents, and actively manage their supply chains. The defense industry is particularly affected by this, as its products and services are often classified as security-critical and generally exceed the thresholds for classification as an "essential" or "important" entity.
With the European Union's Cyber Resilience Act (Regulation (EU) 2024/2847, CRA), the cybersecurity of products with digital elements is becoming the focus of regulation for the first time. Manufacturers, importers, and distributors must ensure that their products meet basic cybersecurity requirements throughout their entire life cycle. This applies not only to traditional IT products, but also to embedded systems, software, and networked components used in modern weapon systems, communication platforms, and sensor technology. The CRA requires manufacturers to manage vulnerabilities, provide regular security updates, and prove the integrity of their products. Although there is an exemption for the defense industry in Article 2(7) CRA, this does not apply to dual-use goods.
Companies must also identify and minimize risks in their supply chain, including cyber risks. Anyone who purchases intermediate products, software, or services from third parties must ensure that these do not provide any gateways for attackers. Responsibility for cybersecurity cannot be outsourced; it remains with the client.
The legal obligations can be divided into two main areas: the obligations of companies as organizations and the requirements for the products and services they manufacture.
As a result of legal obligations—both direct and indirect—companies in the defense industry must take various measures. These include establishing and operating a comprehensive information security management system (ISMS) and identifying, assessing, and addressing cyber risks, for example through regular penetration tests, vulnerability management, and red teaming.
Technical and organizational measures such as access controls, network segmentation, encryption, and monitoring are just as mandatory as the establishment of an incident response process. Employees must be regularly trained and made aware of the risks, because the human factor remains one of the biggest vulnerabilities. If a serious security incident occurs, it must be reported to the relevant authorities – in Germany, this is usually the BSI. Anyone who violates this obligation risks fines and exclusion from procurement procedures.
Another key aspect is supply chain management. Companies must select their suppliers and service providers according to cybersecurity criteria, contractually oblige them to comply with minimum standards, and conduct regular audits. Responsibility for security does not end at the factory gate, but extends across the entire value chain. In practice, this means, for example, that a medium-sized manufacturer of defense electronics should ideally not only have its own development and production environment certified to industry standards, but must also require corresponding evidence from its suppliers.
Security management must also cover the handling of security-related information. In particular, employees who perform security-sensitive activities (for example, all employees who have access to classified information at the VS-Confidential level or higher) are subject to increased requirements, such as, as a rule, undergoing a security clearance check.
The requirements for products and services are at least as high. Products must increasingly be developed according to the principle of "security by design." This means that security aspects must be incorporated into the design and development from the outset. Products must not contain avoidable vulnerabilities, must be regularly checked for weaknesses, and must be supplied with security updates throughout their entire life cycle. Even though the CRA does not apply to pure defense equipment, as with NIS 2, there are indications that clients and major players are adopting certain principles as "industry best practice" and simply treating legal requirements as contractual obligations.
The requirements of clients – above all the German Armed Forces, but also other government and industrial partners – often go beyond the minimum legal standards. Additional standards are required in tender documents, contracts, and technical specifications.
Obligations to ensure cybersecurity are part of management's general duty to ensure legal compliance (Section 93 (1) AktG, Section 43 GmbHG) and are specified in industry-specific standards.
The obligation to defend against cyberattacks is therefore unavoidable for companies in the defense industry. It arises not only from their own interest in protecting their know-how and reputation, but is also enshrined in a multitude of laws and standards. The requirements apply to companies as organizations as well as to their products and services. Clients and partners demand evidence, audits, and continuous improvement. Those who neglect cybersecurity not only jeopardize their own existence, but also national security.
The NIS 2 Implementation Act explicitly places responsibility on management: delegating responsibility or simply ignoring cybersecurity requirements leads to personal liability (Section 38 NIS 2 Implementation Act). Cybersecurity has become a strategic management task.