Germany’s Federal Office for Information Security (BSI) reported on February 29, 2026, that data pertaining to critical infrastructure operators was compromised following a cyberattack targeting a software component used for vulnerability reporting.
The BSI confirmed the incident involved a breach of data related to companies designated as operators of essential services, known as KRITIS – a German acronym for “Kritische Infrastrukturen” (Critical Infrastructures). The compromised data included names, contact details, and information about the types of infrastructure operated by these entities. The BSI stated that no operational systems were directly affected by the attack.
The vulnerability reporting software, developed by a third-party provider, is used by KRITIS operators to submit information about security incidents and vulnerabilities to the BSI. The BSI is responsible for overseeing the cybersecurity of critical infrastructure in Germany, a mandate reinforced by the updated BSI Act, which came into effect on December 6, 2025, implementing the EU’s NIS2 Directive.
The incident has prompted scrutiny of the security measures surrounding the collection and storage of sensitive data related to critical infrastructure. The Wirtschaftsrat der CDU, a business association affiliated with the Christian Democratic Union, issued a statement on April 3, 2025, emphasizing the increasing pressure on Germany’s KRITIS and the need for a comprehensive crisis protection plan. The association called for both financial investment and structural improvements to bolster digital resilience.
The NIS2 Directive, which aims to strengthen cybersecurity across the European Union, was enacted EU-wide in October 2022, giving member states until October 17, 2024, to transpose its provisions into national law. The BSI acknowledged that the data used in its latest assessment, published January 30, 2026, largely reflects the previous legal framework, with future reports to be aligned with the updated regulations.
According to data released by the BSI, the sectors represented among KRITIS operators include energy, transport, health, water, and information technology. The agency’s “KRITIS in Zahlen” report provides statistics on the distribution of critical infrastructure across these sectors, as well as data on the level of security measures in place and incident reporting rates.
Fraunhofer EMI, a research institute focused on cybersecurity, is coordinating the DYNAMO project, a Horizon Europe initiative aimed at improving the resilience of critical infrastructure to cyberattacks. The project focuses on developing and integrating tools for business continuity management and cyber threat intelligence, leveraging artificial intelligence to accelerate recovery processes and enable self-healing systems.
The BSI has not publicly identified the perpetrator of the cyberattack, and an investigation is ongoing. The agency has advised KRITIS operators to review their security protocols and remain vigilant for any suspicious activity. As of March 1, 2026, the BSI has not issued further public statements regarding the incident.