TL;DR

  • 70% of economic damage in German businesses now comes from cyberattacks — over €200 billion annually
  • 50%+ of companies believe AI won't significantly change the threat landscape — they're wrong. Attackers are already using AI to automate phishing and exploit scripts
  • NIS2 compliance isn't just IT's problem — it requires governance-level commitment, with personal liability for management
  • SMEs face a perfect storm: legacy systems, skills shortages, and shadow IT creating hidden vulnerabilities

The €200 Billion Wake-Up Call

Cyberattacks aren't an IT nuisance anymore. They're a macroeconomic burden. According to Schwarz Digits' Cyber Security Report 2026, cybercrime costs the German economy over €200 billion annually [1]. That's production losses, ransoms paid, reputational damage, and long-term competitive disadvantages from lost know-how.

For a small or medium business, the math is brutal. A ransomware attack doesn't just mean a cleanup cost — it can halt production for weeks, jeopardize supply contracts, strain credit lines, and permanently damage customer relationships. Insurers adjust premiums. Regulators impose stricter oversight. Resources you'd invest in growth get tied up in crisis response instead.

The 70% figure is the alarm bell: seven out of every ten euros of registered economic damage in Germany now trace back to cyberattacks [1]. Cybersecurity has become as critical to business survival as energy costs and skilled labor availability.

Related: Cyberattacks Are Now the #1 Threat to Your Business

The AI Misconception Gap

Here's the most dangerous finding from the report: more than half of companies surveyed assume AI applications won't significantly alter the threat landscape [1].

This is a strategic blind spot.

Attackers are already using AI to automate and personalize attacks at scale. Phishing emails can now be generated in perfect business language, incorporating industry-specific references and corporate jargon that bypass traditional spam filters. Exploit scripts can be assembled without requiring deep technical expertise. The barrier to entry for sophisticated attacks has collapsed.

Economically, AI reduces marginal costs on both the attack and defense sides [1]. Whether it becomes an advantage or a disadvantage depends entirely on governance, architecture, and management decisions. Companies treating AI as a marketing buzzword rather than a core security capability are missing the defensive window.

The same AI tools threatening your business also offer protection:

  • Anomaly detection systems can identify unusual patterns in network traffic, login behavior, or data access that human analysts miss
  • User and Entity Behavior Analytics (UEBA) flags deviations from typical user behavior for early intervention
  • Automated playbooks in security orchestration platforms can isolate systems and protect backups within seconds of detecting a threat

The question isn't whether AI changes your threat landscape. It's whether you're using it on defense before attackers use it against you.

Related: AI Isn't Building New Attack Playbooks — It's Running Old Ones 44% Faster

Why SMEs Are Flying Blind

Small and medium enterprises face structural vulnerabilities that larger organizations have already addressed. The report identifies three compounding factors [1]:

1. Legacy systems and organic growth
Many SMEs built their IT incrementally — specialized solutions, custom integrations, and network structures that evolved without a consistent security architecture. Patching is sporadic. Authorization concepts are patchy. The result is a Swiss cheese of hidden vulnerabilities.

2. The skills shortage
SMEs, especially in regional areas, struggle to attract specialized security expertise. Limited IT teams are overloaded with operational tasks, leaving strategic security and governance issues neglected. Shadow IT — self-implemented tools and cloud services without central control — proliferates in the gaps, creating undocumented attack vectors.

3. Underestimating NIS2
There's a risk that businesses treat NIS2 compliance as a checkbox exercise: policies written, audits scheduled, but actual vulnerabilities left unaddressed. The directive explicitly targets governance-level responsibility, with personal liability for management — not just the IT team [1].

Without sufficient resources and commitment, companies resort to "symbolic politics": formal documentation without meaningful security improvement. This is the worst of both worlds — compliance costs without resilience benefits.

NIS2: Burden or Strategic Investment?

The crucial question is how your business interprets NIS2. The report outlines two scenarios [1]:

Scenario 1: Minimal compliance
You treat the directive as a bureaucratic burden. You fulfill the bare minimum and document everything diligently, but barely change your actual security posture. Cyberattacks continue to cause significant damage while you invest time and money in reporting instead of hardening.

Scenario 2: Strategic opportunity
You use NIS2 as a catalyst to modernize outdated IT structures, digitize processes, and upgrade security architectures. Early investment positions you as a reliable, resilient partner to customers and suppliers. In a world where supply chain risks increasingly influence procurement decisions, demonstrable cyber resilience becomes a competitive differentiator.

The economic logic favors Scenario 2. The question isn't whether you should address cybersecurity and NIS2 — you must. The real management decision is whether you treat it as a cost center or a strategic investment in competitiveness and trustworthiness.

What Your Business Can Do Today

The Schwarz Digits report emphasizes that NIS2 compliance cannot be managed as a purely IT project. It requires governance-level commitment [1]. Here's where to start:

1. Assess your position
Which sector are you in? What NIS2 thresholds apply? Which category do you fall into? This determines your specific obligations.

2. Build or expand your Information Security Management System (ISMS)
Define roles, processes, and responsibilities. Systematic risk analysis of critical business processes, protection requirements, authorization concepts, backup strategies, and incident response processes all need documentation.

3. Include your supply chain
Contractual clauses on security standards with vendors. Segmented networks. Clear rules for remote access. Regular audits. Your vendors' vulnerabilities are now your vulnerabilities.

4. Make cybersecurity a standing management agenda item
Threat landscape updates, incident reports, audit results, and improvement measures should be part of your regular management cycle — not an annual PowerPoint.

5. Bridge the skills gap strategically
External service providers can help, but only if integrated into a clear governance structure. Responsibility can't be outsourced — only execution.

The Bottom Line

Cybersecurity is no longer an IT project. It's a business resilience prerequisite. The €200 billion annual cost to the German economy proves that cyberattacks are now a systemic risk to business operations [1].

Your competitors will face the same NIS2 obligations. The ones who treat compliance as a strategic upgrade rather than a bureaucratic burden will gain a dual advantage: actual resilience and a market signal of reliability. In supply chains increasingly shaped by cyber risk, that signal matters.


Your business deserves security that works as hard as you do. Book a free consultation to build a resilience strategy that protects what you've built. consult.lil.business

FAQ

NIS2 applies to specific sectors and thresholds based on company size and industry. Many SMEs fall under the directive, especially if they operate in critical infrastructure sectors or supply chains. Check your country's NIS2 implementation to determine your obligations. The penalties for non-compliance include significant fines and personal liability for management.

Costs vary based on business size, sector, and current maturity. The Schwarz Digits report emphasizes viewing security as an investment, not a cost — the €200 billion annual economic damage from cyberattacks in Germany alone shows that the cost of inaction far exceeds the cost of prevention [1]. A phased approach starting with critical assets and governance is typically most cost-effective.

AI is changing cybersecurity roles, not eliminating them. Automated systems handle routine tasks like log analysis and threat detection, allowing human experts to focus on strategic governance, incident response, and architecture. The skills shortage means businesses need more security professionals, not fewer — but the required skill set is evolving toward AI-assisted security operations.

The Schwarz Digits report identifies three compounding risks: legacy systems with inconsistent patching, shadow IT from unauthorized cloud services, and the cybersecurity skills shortage [1]. Together, these create hidden vulnerabilities that attackers exploit. Governance-level commitment and a systematic ISMS are the most effective defenses.

NIS2 doesn't explicitly require ISO 27001 certification, but the standard provides a proven framework for building the Information Security Management System (ISMS) that NIS2 demands. Many businesses find ISO 27001 certification a practical pathway to NIS2 compliance while gaining a market-recognized security credential.

References

[1] Schwarz Digits, "The Cyber Security Report 2026 — A rude awakening for SMEs," Schwarz Digits, 2026. [Online]. Available: https://xpert.digital/en/cyber-security-report

[2] NIS2 Directive, "Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union," Official Journal of the European Union, 2022.

[3] Bitkom, "Digitalisierung und Cybersecurity," Bitkom Research, 2025.

[4] German Federal Office for Information Security (BSI), "State of IT Security in Germany," BSI, 2025.

[5] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[6] ENISA, "Threat Landscape 2025," European Union Agency for Cybersecurity, 2025.

[7] World Economic Forum, "Global Cybersecurity Outlook 2025," WEF, 2025.

[8] McKinsey & Company, "Cybersecurity in the age of AI," McKinsey Digital, 2025.

[9] Gartner, "Top Security and Risk Management Trends for 2026," Gartner, 2026.

TL;DR

  • Cyberattacks cost businesses over €200 billion every year — that's like losing a whole country's worth of money
  • More than half of businesses think AI won't change anything — but bad guys are already using AI to trick people
  • Your business needs a security plan, not just security software
  • New rules called NIS2 mean business owners are personally responsible for security

What Is This Report About?

Imagine someone broke into your store and stole everything. Now imagine that happening to thousands of businesses, every single day. That's what cyberattacks do.

A new report from Schwarz Digits (a big German tech company) found that cyberattacks now cause 70% of all money problems for businesses [1]. In Germany alone, that's over €200 billion every year — more than many countries make in a year.

This isn't just about big companies. Small businesses get hit too. And when they do, it can shut them down for weeks. They lose customers. They lose money. Sometimes they never reopen.

The Big Mistake Everyone's Making

Here's the scary part: more than half of businesses think AI (artificial intelligence) won't change anything for security [1].

They're wrong.

Think of AI like this: imagine a burglar who could break into 1,000 houses at the same time, instead of just one. That's what AI lets bad guys do in computers.

They use AI to:

  • Write fake emails that look exactly like real ones from your bank or boss
  • Create computer programs that break into systems automatically
  • Figure out your passwords by trying thousands of combinations per second

These aren't genius hackers. They're regular people using AI tools to do things that used to take experts years to learn.

The Good News: AI Protects You Too

The same AI that bad guys use? You can use it to protect yourself.

Think of it like hiring a security guard who never sleeps, can watch 1,000 security cameras at once, and notices when something looks weird — like someone trying a door at 3am.

AI security tools can:

  • Watch your business computers 24/7 for suspicious activity
  • Spot fake emails that look real
  • Lock down your systems automatically if something bad happens
  • Back up your files so you can't lose them

The question isn't whether AI will change security. It already has. The question is: will you use AI to protect yourself before bad guys use it against you?

Related: AI Attacks Now Steal Your Data in 72 Minutes

Why Small Businesses Are in Danger

You might think: "I'm too small to be a target."

Here's why that's wrong:

1. You have old computers and systems
Big companies update their security all the time. Small businesses often use old software because it works and they don't want to change. But old software has holes — like leaving your back door unlocked because "it's always been unlocked."

2. You don't have a computer security expert
Big companies have teams of people whose whole job is security. Small businesses might have one IT person who's also fixing printers and setting up WiFi. They're too busy to think about security plans.

3. Your employees use tools you don't know about
This is called "shadow IT." Someone signs up for a free cloud storage service to share files. Another person downloads a free app for their phone. Nobody told the IT person. Nobody checked if it's safe. Now bad guys have a way in that nobody's watching.

What Is NIS2? (And Why You Should Care)

There's a new law in Europe called NIS2. It stands for "Network and Information Systems."

Here's what it means for you:

Business owners are personally responsible.

Not the IT person. Not the tech company you hired. You. The business owner.

If your business gets hacked and you didn't follow the rules, you can be fined. A lot. And in some cases, you can be personally sued.

The good news: NIS2 isn't as scary as it sounds. It's basically asking you to:

  • Have a security plan (like having a fire safety plan)
  • Know what important data you have and where it is
  • Have backups in case something goes wrong
  • Check your security regularly
  • Make sure your vendors and suppliers are secure too

Think of it like health inspections for restaurants. Annoying? Sometimes. Necessary? Absolutely.

What You Can Do Right Now

You don't need to spend millions. You don't need to be a computer genius. Here's how to start:

1. Make a list of what matters most
What data would destroy your business if you lost it? Customer information? Financial records? Product designs? Write it down. That's your "protect at all costs" list.

2. Back it up
If you have backups, hackers can't hold your data hostage. Use the 3-2-1 rule: 3 copies, 2 different types of storage (like a hard drive AND the cloud), 1 copy offsite.

3. Use strong passwords (and a password manager)
Every account needs a unique password. Use a password manager so you don't have to remember them all. Turn on two-factor authentication (where it sends a code to your phone) everywhere you can.

4. Train your people
Your employees are your first line of defense. Teach them to spot fake emails. Tell them to ask if something seems weird. Make it OK to say "I think this might be a scam."

5. Get help if you need it
If you don't have a security expert, hire one. Even for a few hours to review your setup and make a plan. It's cheaper than recovering from a hack.

The Most Important Thing

Security isn't a product you buy. It's a habit you build.

Lock your doors. Back up your files. Think before you click. Teach your people to do the same.

Do these things consistently, and you'll be ahead of most businesses — including big ones with huge security budgets.


Need help building a security plan that fits your business and budget? Book a free consultation. We make security simple. consult.lil.business

FAQ

Yes. Hackers use automated tools to attack thousands of small businesses at once. They're not targeting you specifically — they're casting a wide net. Small businesses are actually easier targets because they often have weaker security.

Backups. If you have good backups, ransomware can't hurt you. Use the 3-2-1 rule: 3 copies, 2 types of storage, 1 offsite. Test your backups regularly to make sure they actually work.

It depends on your size and industry, but basic security (passwords, backups, training, antivirus) costs very little. The report shows that cyberattacks cost €200 billion annually — spending a few hundred dollars on security is like buying insurance for your house [1].

It happens. That's why you need: (1) backups so you can recover, (2) antivirus to catch threats, and (3) incident response so you know what to do. Training reduces clicks, but nobody's perfect.

No. AI is a tool, not a replacement. Think of it like a power drill — it makes the work faster, but you still need someone to use it. AI handles the boring stuff so human experts can focus on the important decisions.

References

[1] Schwarz Digits, "The Cyber Security Report 2026 — A rude awakening for SMEs," Schwarz Digits, 2026. [Online]. Available: https://xpert.digital/en/cyber-security-report

[2] National Cyber Security Centre (NCSC), "Small Business Guide," UK Government, 2025.

[3] CISA, "Cybersecurity for Small Business," Cybersecurity & Infrastructure Security Agency, 2025.

[4] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025.

[5] Australian Cyber Security Centre, "Essential Eight Maturity Model," ACSC, 2025.

[6] Google, "Working Securely," Google Workspace, 2025.

[7] Microsoft, "Security Baseline," Microsoft Learn, 2025.

[8] Small Business Administration (SBA), "Cybersecurity Resources," SBA, 2025.

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation