The escalating threat landscape is driving a significant shift in how businesses approach cybersecurity. A recent study reveals that a substantial majority – 77 percent – of executives in Germany now feel personally responsible for the IT security of their organizations. This heightened sense of accountability comes as new regulations, like the EU’s NIS2 Directive, place greater emphasis on leadership oversight of cybersecurity measures.
Although top-level management is increasingly aware of their role, a gap exists in understanding responsibility throughout the broader workforce. The study, conducted by G Data CyberDefense, Statista, and brand eins, highlights that many employees are unclear about their individual contributions to a company’s overall security posture. This disconnect underscores the need for comprehensive cybersecurity awareness programs that extend beyond the executive suite.
The findings coincide with the implementation of the NIS2 Directive, a European Union regulation designed to strengthen cybersecurity standards across critical sectors. The directive, which came into effect on December 27, 2022, and requires member states to implement it into national law, explicitly positions strategic cybersecurity responsibility at the leadership level. Germany enacted the law on December 6, 2025, according to the Federal Government.
The study demonstrates a clear correlation between hierarchical position and perceived responsibility for IT security. 77 percent of CEOs feel strongly accountable, followed by three out of five department heads, nearly half of division managers, and 41 percent of team leaders. This suggests that the intensity of responsibility diminishes as you move down the organizational chart. Andreas Lüning, board member at G DATA CyberDefense AG, commented, “The NIS-2 Directive is having an effect: cybersecurity is now clearly a leadership task in the executive suites. Now we must consistently convey this sense of responsibility throughout the entire company – because true cyber resilience only arises when everyone understands IT security as part of their own task.”
Bridging the Cybersecurity Awareness Gap
While awareness of the importance of IT security is generally present, the study reveals a fragmented understanding of individual roles. One-third of employees feel only partially responsible, while 34 percent feel strongly responsible. However, a significant one-third feel little to no responsibility. This disparity highlights a critical opportunity for organizations to leverage the strong sense of accountability among management to foster a more robust cybersecurity culture.
The research indicates that building a strong cybersecurity culture isn’t solely about technical measures or policies. It requires empowering employees to recognize their own effectiveness in mitigating threats – whether it’s identifying phishing emails, using strong passwords, or reporting suspicious activity. The European Commission emphasizes that the NIS2 Directive aims to create a unified legal framework for maintaining cybersecurity across 18 critical sectors within the EU.
The study’s methodology involved a representative online survey of over 5,000 employees in Germany, conducted by G Data CyberDefense, Statista, and brand eins. Statista’s involvement ensured the reliability and validity of the results, drawing on a sample size significantly larger than the industry standard. The research also incorporated data from over 300 statistics to create a comprehensive reference work on IT security.
77 percent of the surveyed managing directors in Germany feel personally very strongly responsible for their company's IT security. (Image: G Data CyberDefense)
Looking Ahead: Strengthening Cyber Resilience
The increasing focus on cybersecurity at the executive level, driven by regulations like NIS2 and the forthcoming Cyber Resilience Act (CRA), is a positive step. However, sustained effort is needed to translate this awareness into tangible improvements in security practices across all levels of an organization. The German Federal Office for Information Security (BSI) is actively working to strengthen cooperation between the state and the private sector to address the significant challenges in IT security.
As organizations navigate the evolving threat landscape, prioritizing cybersecurity awareness training and fostering a culture of shared responsibility will be crucial. The next phase will likely involve a greater emphasis on implementing robust risk management measures and establishing clear reporting procedures for security incidents, as mandated by the NIS2 Directive. Continued investment in cybersecurity expertise and technology will also be essential to protect against increasingly sophisticated attacks.