IT Security Regulatory Update | November 2023

Focus: IT security situation in Germany, risk management in the cloud context, Cyber Resilience Act

Highlight from November 2023

Cyber threat level higher than ever

In its report on the state of IT security in Germany in 2023, the Federal Office for Information Security (BSI) summarizes the threat situation and assesses it as higher than ever before.

Pia Streicher

“Stay up to date with our monthly regulatory update on IT Security Management!”

The increasing threat situation in cyberspace

Every year, the BSI publishes its report on the state of IT security in Germany. The need for greater security has already become apparent in recent years. In line with this, cyber extortion, already the biggest threat, has now developed further into “cybercrime as a service”. The BSI considers the situation in 2023 to be more serious than ever before.

The top 3 threats in the economy are:

  1. Ransomware,
  2. Dependencies in the IT supply chain, and
  3. Vulnerabilities and open or incorrectly configured online servers.

The BSI assumes that around 70 new vulnerabilities are discovered in software products every day. Compared to the previous reporting period, this represents an increase of around 25%.


The BSI is particularly concerned about the increasing professionalization of attackers. Offers in the form of “cybercrime as a service” call for a corresponding response on the defending side. In concrete terms, this means above all an increase in resilience and the active shaping of cyber security by all those involved.

Nevertheless, the BSI believes that it makes sense to continue driving forward digitalization in order to ensure a high level of IT security in the long term and maintain Germany’s competitiveness as a business location.

You can find the BSI status report here on its website. The BSI has also published a two-page summary of the key findings, which you can find here.

Source: Federal Office for Information Security – BSI, bsi.bund.de

Risks in the cloud – BIS’s supervisory perspective

The Bank for International Settlements (BIS) has published a paper on dealing with risks in the context of cloud services. The authors take the supervisory perspective and examine in particular the supervision and monitoring of critical cloud service providers (CSPs) in the financial sector.

The occasion for the paper is the increasing use of cloud services by financial companies, especially for critical services, and it can be assumed that this use will continue to grow. The main danger of this growing dependence is that a major operational disruption at a CSP can interrupt critical services of financial companies. If a CSP is used extensively by several institutions, this can have systemic consequences. The situation is intensified by the dominance of a few CSPs in various sectors.

The prevailing approach to regulating CSPs does not adequately address these risks, but instead places the responsibility on individual financial companies to manage their risks appropriately. The BIS points out that this lacks a systemic perspective capable of recognizing and managing concentration risks at the level of the sector as a whole. The paper therefore discusses various possible supervisory frameworks.

You can find the paper here on the BIS website.

Source: Bank for International Settlements – bis.org

EU Parliament and Council negotiate final version of the Cyber Resilience Act

Due to the increasing impact of cyber attacks on digital products, the EU considers it important to ensure the security of digital products. As a result, the Cyber Resilience Act (CRA) was drafted, which imposes cyber security obligations on all products with digital elements. The proposal introduces the principles of cybersecurity by design and by default and imposes a duty of care for the entire life cycle of products.

The Council and Parliament are currently negotiating the final version of the text.

The EU Parliament’s briefing on the legislative act and the current status of the legislative process can be found here on its website.

Source: © European Union, 2022 – EP

The BSI’s assessment of the threat situation in IT underlines the importance of regulatory requirements for IT. Be it BAIT, VAIT and sister regulations or DORA, the topic of cyber security and dealing with cyber risks in general is an ongoing trend.

We at ADWEKO are happy to assist you with the implementation of DORA and other requirements.

Talk to Pia Streicher!
