Secure Software: The Cornerstone of Effective Cybersecurity


Key Takeaways

  • Cyberattacks cost German firms over €200 billion in 2025 (≈4.5 % of GDP), illustrating the massive economic toll of insecure software.
  • Many breaches succeed because known vulnerabilities remain unpatched, reflecting a market failure where vendors lack sufficient incentive to invest in security.
  • Current cybersecurity policy mainly treats symptoms (incident response, defenses) rather than the root cause—software insecurity itself.
  • Effective mitigation requires a regulatory mix: product‑safety standards, liability rules for known flaws, and cybersecurity obligations for software‑service providers.
  • The EU has introduced initial rules, but enforcement is patchy and substantive gaps remain, especially concerning manufacturer liability.
  • Germany should push for a comprehensive EU product‑liability directive for software and empower the BSI to sanction non‑compliant firms.

The Escalating Threat Landscape
Cybersecurity incidents have evolved from isolated annoyances to systemic threats capable of destabilizing nations. Adversarial states routinely deploy cyber operations to cripple critical infrastructure, exfiltrate state secrets, and undermine military logistics. Simultaneously, cybercriminal groups target businesses of all sizes, extracting ransomware payments and stealing personal data. The rising frequency and sophistication of these campaigns mirror society’s growing dependence on digital networks, making cyberspace protection a prerequisite for national security, economic stability, and democratic freedoms.

Quantifying the Economic Impact
In 2025 German companies suffered cyber‑related losses exceeding €200 billion, roughly 4.5 % of the nation’s gross domestic product. This figure dwarfs many traditional risk categories and shows how deeply cyber risk is woven into the economy. Notable incidents include a Russian operation in December 2025 that came within a hair’s breadth of disabling parts of Poland’s power grid, and later discoveries that Iranian actors were preparing assaults on U.S. water‑treatment facilities following similar Chinese incursions against American targets in 2024. Such examples demonstrate that cyber threats can cross borders and jeopardize essential services and public safety.

Known Vulnerabilities as the Core Enabler
A significant share of damaging incidents succeeds only because software products contain known, unpatched vulnerabilities. Vendors often ship code with flaws that appear in public vulnerability databases, yet many customers fail to apply available patches. The persistence of these weaknesses is not accidental; it reflects a structural mismatch between the incentives of software producers and the security needs of their users. When a flaw remains unaddressed, attackers can exploit it to gain footholds, move laterally, and execute the high‑impact operations described above. Thus, insecure software lies at the root of many cybersecurity crises.

Market Failure and Vendor Incentives
The reluctance of vendors to invest in robust security constitutes a classic market failure. Developing secure software entails higher upfront costs—rigorous code reviews, extensive testing, and ongoing patch management—while the benefits are often externalized. Customers may not be willing to pay a premium for security, especially when the perceived risk of attack feels uncertain or when competitors offer cheaper, less‑secure alternatives. Consequently, firms prioritize short‑term profitability and feature speed over long‑term resilience, leaving known flaws uncorrected. Without external pressure, the private sector lacks sufficient motivation to internalize the societal costs of insecure code.

Why Current Policies Fall Short
To date, cybersecurity strategy has focused on defending against incidents after they occur: firewalls, intrusion‑detection systems, incident‑response teams, and information‑sharing platforms. While valuable, these measures treat symptoms rather than the disease. They do not alter the underlying incentives that allow vulnerable software to proliferate in the first place. As a result, the cycle repeats: new flaws are discovered, exploited, and patched only after damage has been done. Breaking this pattern requires shifting focus upstream to the software development lifecycle and holding producers accountable for the security of their products.

The Regulatory Toolkit Needed
A comprehensive policy response should combine three complementary strands. First, product‑safety law can impose baseline security requirements that software must meet before market entry, similar to standards for automobiles or medical devices. Second, product‑liability regulations would make vendors legally responsible for damages arising from known vulnerabilities they fail to remedy, creating a financial incentive to invest in secure coding. Third, cybersecurity obligations for providers of software‑as‑a‑service (SaaS) and cloud platforms would mandate continuous monitoring, timely patching, and transparent reporting of security incidents. Together, these measures align private incentives with public safety and close the gap that attackers currently exploit.

EU Initiatives and Remaining Gaps
The European Union has already taken steps in this direction. The Cybersecurity Act, the proposed AI Act’s security provisions, and sector‑specific rules (e.g., for financial services and critical infrastructure) introduce baseline security expectations and conformity‑assessment procedures. However, implementation varies across member states, and many regulations target operators of essential services rather than the software manufacturers themselves. Moreover, liability regimes remain fragmented, and enforcement mechanisms lack harmonized sanctions. Consequently, significant regulatory gaps persist, leaving room for vendors to evade responsibility and for insecure software to circulate freely within the single market.

German Leadership and BSI Enforcement
Germany, as Europe’s largest economy and a hub for software innovation, is well positioned to champion a stronger EU framework. The federal government should actively advocate for a comprehensive product‑liability directive that covers software, ensuring that victims of cyber‑induced harm can claim compensation directly from negligent vendors. Simultaneously, the Federal Office for Information Security (BSI) must be equipped with the authority and resources to impose meaningful fines on companies that violate existing cybersecurity rules, such as those outlined in the IT‑Security Act. By coupling legislative pressure at the EU level with rigorous domestic enforcement, Germany can create a deterrent effect that encourages vendors to prioritize security throughout the product lifecycle.

Toward a Secure Digital Future
Ultimately, the security of software is inseparable from the broader goals of security, freedom, and prosperity that guide Germany’s national strategy. Resilient code keeps critical infrastructure operational, protects personal data, and allows businesses to innovate without fear of disruptive cyber shocks. Regulating software safety and liability does not stifle innovation; rather, it raises the baseline of trust necessary for a thriving digital economy. By addressing the root cause—insecure software—through coordinated European regulation and decisive national action, Germany can help safeguard its citizens, its enterprises, and the democratic values that underpin its society.
