Massive Weaknesses in Government Data Centers, Says Bundesrechnungshof
Germany’s Bundesrechnungshof has sharply criticized the current state of cybersecurity in the federal administration. Der Spiegel quotes a document classified as confidential, which concludes that significant parts of the government’s IT infrastructure have serious security flaws and do not meet the minimum requirements of the Federal Office for Information Security (BSI).
The Bundesrechnungshof (BRH) is Germany’s supreme audit institution responsible for the federal government’s budgetary and economic oversight. It examines whether federal authorities, ministries, federal enterprises, and other public institutions are using taxpayers’ money properly, economically, and efficiently. It is independent of both the federal government and the Bundestag.
The report criticizes the lack of a central, cross-departmental information security control system. It also states that the existing security architecture must become more efficient.
Inadequate Governance and NIS2 Preparation
Another point of criticism concerns the requirements of the NIS 2 Directive [1] [2] [3]. This introduces significant new obligations for federal authorities and KRITIS-related organizations – particularly with regard to prevention, documentation requirements, and BSI oversight. Many institutions are neither technically nor organizationally prepared for this.
The Court of Auditors welcomes the fact that the adjustment of Germany’s debt limit will allow targeted investment in cybersecurity. However, the investments are tied to the demonstrable effectiveness of the measures. In practice, this means only those who can prove their security measures lead to concrete improvements will receive future funding.
Increasing Pressure to Act
The report highlights growing pressure on public administration. The threat landscape continues to worsen, with annual damages in the hundreds of billions. The BRH is calling for a shift toward structured, data-driven, and sustainable security management.
The widespread failure is alarming. Serious weaknesses have been found in almost all data centers of German public authorities – with dramatic consequences for the security, resilience, and trustworthiness of the government’s IT infrastructure. Public authorities and KRITIS operators must take action now and introduce modern vulnerability management.
In many cases, there is not even an emergency power supply, and fewer than one in ten examined data centers meet the BSI’s minimum standards for high availability. According to the investigation, this is concerning: lack of redundancy, outdated systems, and insufficient reliability all jeopardize the functionality of critical infrastructure in the event of a crisis.
Over 180 Billion Euros in Damage Every Year
The damage is already being done: according to current figures, cyberattacks cause over 180 billion euros in damage every year in Germany. Acts of sabotage, hybrid attacks, and blackout scenarios have long been a reality – and the trend is rising.
However, the German BRH identifies many shortcomings: a lack of structured information security, cross-departmental and data-based IT risk management, and appropriate governance. Reliable information is lacking – without which it is impossible to realistically assess risk levels or progress in individual cases, let alone provide evidence.
Greenbone’s Vulnerability Management Helps
When it comes to implementing the right measures and proving their effectiveness, solutions like those offered by Greenbone come into play. Modern vulnerability management provides a decisive strategic advantage. Among other things, it provides a reliable, robust basis to support data-driven decision-making for administrators and management.
Greenbone’s OPENVAS automatically, continuously, and objectively detects, evaluates, and prioritizes vulnerabilities. This creates a reliable foundation for IT governance structures – even in ministries, government agencies, and other public-sector enterprises. Vulnerability management also ensures the essential transparency in times of growing accountability – thus becoming a mandatory component rather than a “nice-to-have.”
Greenbone Vulnerability Management reports contain CVSS ratings, trend analyses, and progress indicators. Authorities can use these not only for internal documentation but also to demonstrate measurable improvements to audit offices and ministries.
Equipped for NIS2
The new NIS2 directive tightens requirements for operators of critical infrastructure. It defines new responsibilities, expands BSI controls and reporting obligations, and specifies the software components to be used. As a result, more companies are dealing with the upcoming German version of the regulation.
Greenbone’s solutions actively support public authorities and KRITIS-related organizations in preparing for regulatory audits. Features such as automated vulnerability management, audit-proof reporting, and audit trails provide security, even under increasing regulatory control.
Webinars Help with Prevention – Now Is the Time to Act!
Greenbone customers receive concrete help when it comes to meeting BSI requirements in the data center, preparing for audits, and viewing vulnerability management as part of emergency preparedness. After all, prevention is always cheaper and more effective than crisis management.
The report by the German BRH is a wake-up call – and an opportunity. And because cybersecurity begins with visibility, Greenbone is the right choice. Contact us or attend our webinars – like the latest series for public authorities and KRITIS, offering in-depth information on implementing the NIS 2 Directive, data center hardening, and georedundancy, as well as on the basic structure of vulnerability control. Dates, content, and registration can be found on the website.

Markus Feilner is a consultant for IT security, digital sovereignty and open source strategies from Regensburg. He has been working with Linux since 1994. He has been writing studies, articles and blog posts for Greenbone since 2021.