CDN (Content Delivery Network)
03
Rule of thumb: As soon as performance, availability, or compliance go beyond simply “it has to work,” a CDN is worth considering. The following signs are clear indicators:
International or nationwide target audience – even within Germany, additional latency of 50–150 ms is possible without a CDN, depending on the routing path.
Peak loads are expected or have already occurred – campaigns, product launches, viral content, Black Friday, government deadlines.
High proportion of media files – videos, images, large PDFs.
SEO-relevant domain – Core Web Vitals (LCP, INP) affect Google rankings.
Regulated industry – KRITIS sectors, banks, insurance companies, public administration.
Existing DDoS or bot risks – CDNs absorb volume attacks at the edge.
When is a CDN generally not worth it?
For purely regional intranets with no internet traffic, for purely dynamic, personalized APIs with no caching potential, and for single-page apps with a very small asset footprint that are already served via high-performance hosting.
04
In typical B2C and B2B setups, a well-configured CDN improves Time to First Byte (TTFB) by 30–70% for users outside the origin region. The Largest Contentful Paint (LCP)—one of the three Core Web Vitals—often improves by 20–40%, primarily due to the accelerated delivery of large images and fonts.
For static content, CDNs typically reduce origin traffic by 70–95%. Sample calculation for a medium-sized website with 50 TB of monthly traffic: With a 90% cache hit ratio, only 5 TB flows through your own hosting. This lowers both bandwidth costs and CPU load and reduces the required server capacity.
Sudden traffic spikes—such as those following a TV mention, a government deadline, or a DDoS attack—are handled at the edge rather than overwhelming the origin server. Premium CDNs achieve SLAs of up to 99.999% availability (≈ 5 minutes of downtime per year).
Google has confirmed for years that page experience is a ranking factor. Studies such as Deloitte’s “Milliseconds Make Millions” report (2020) show that even a 0.1-second improvement in load time can increase the mobile conversion rate in retail by an average of 8.4%.
Anyone looking to build their own global network would have to invest in hardware, peering agreements, and site operations. A CDN service provides this capacity as an OPEX—flexible, immediately available, and without CAPEX risk.
Modern CDNs automatically deliver compressed content (Brotli, gzip) and, when necessary, convert images to modern formats such as WebP or AVIF. This saves additional bandwidth and speeds up delivery—especially on mobile devices with weak connections.
05
Today, a CDN is rarely just a performance tool—it is the first line of defense for web infrastructure. The most important security-related features:
5.1 DDoS Mitigation
Distributed denial-of-service attacks are absorbed at the edge before they reach the origin. The global capacity of modern CDNs is in the multi-Tbit/s range and exceeds any attack measured to date.
5.2 Web Application Firewall (WAF)
A WAF integrated into the CDN layer blocks OWASP Top 10 attacks (SQL injection, XSS, RCE) right at the edge. The advantage over an on-premises WAF is that it protects the origin even if it is no longer directly accessible.
5.3 Bot Management
CDN-integrated bot management distinguishes between good bots (search engines, monitoring) and malicious bots (credential stuffing, content scraping, inventory hoarding). Modern solutions combine behavioral analysis, device fingerprinting, and ML-based risk scores.
5.4 TLS Termination, Origin Security, and Zero Trust
TLS termination at the edge is a key security and trust point. Best practices include: end-to-end HTTPS, including between the CDN and the origin (with strict validation of the origin certificate, often called “Full Strict”, or with mutual authentication, mTLS), short certificate validity periods, automatic rotation, and HSTS preloading.
5.5 Rate Limiting and Geo-IP Blocking
TLS termination at the edge is a critical security point. Both client-to-edge and edge-to-origin connections should therefore be protected with TLS, with strict certificate validation to the origin and mTLS where appropriate. Short certificate lifetimes, automated rotation, hardened TLS settings, and HSTS further strengthen security.
06
For companies in the DACH region—and particularly for banks, insurance companies, operators of critical infrastructure, and public administration agencies—compliance is often the deciding factor when selecting a CDN.
As soon as personal data (including IP addresses) flows through CDN servers, the GDPR applies. Three aspects are relevant:
Data Processing (Art. 28 GDPR): A data processing agreement must be concluded with the CDN provider.
Transfers to third countries (Art. 44 et seq. GDPR): If data is transferred to countries outside the EU/EEA, additional safeguards are required following the Schrems II ruling (ECJ C-311/18) and supplemented by the EU-US Data Privacy Framework (2023). Providers that process data exclusively within the EU or in Germany completely avoid this complexity.
TLS termination: The CDN provider sees the plain text of the delivered content. Confidentiality, integrity, and client segregation must be ensured both contractually and technically.
The EU NIS-2 Directive (Directive (EU) 2022/2555) significantly expands the scope of organizations subject to its requirements—to approximately 30,000 additional organizations in Germany alone, including small and medium-sized enterprises across 18 sectors. Implementation in Germany is carried out through the NIS-2 Implementation Act (NIS2UmsuCG). Requirements include risk management, supply chain security, and incident reporting obligations—a CDN with a verifiable security architecture makes compliance significantly easier.
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) has been in effect since January 17, 2025, and applies to virtually all financial firms as well as their critical third-party ICT service providers—explicitly including CDN and cloud providers. Banks and insurance companies must register their ICT service providers, comply with contractually defined minimum standards, and avoid concentration risks. Practical consequence: The CDN provider becomes a negotiating partner on equal footing—with audit rights, defined SLAs, and exit strategies.
Operators of critical infrastructure are subject to the BSI Act and must demonstrate compliance with state-of-the-art standards (BSI Act § 8a). The federal administration is also subject to the requirement for German or European cloud sovereignty. In this context, CDN providers based in Germany that process data exclusively in Germany and provide the necessary certifications have a clear advantage.
Standard | Scope | Relevant for |
BSI C5 | Catalog of Cloud Computing Compliance Criteria | Standard for the federal administration and KRITIS |
ISO 27001 | Information Security Management System | Across all industries |
PCI DSS | Payment card information | E-commerce, banking |
IDW PS 951 | Internal Control System (ICS) | Banks, insurance companies, mutual funds |
07
For readers who want to gain a deeper understanding of the technical details—for example, to evaluate architecture or select a provider—this section explains the key concepts.
CDNs use two common methods to route a user’s request to the correct edge server:
Anycast: All edge locations advertise the same IP address via BGP. Internet routing automatically selects the topologically—not necessarily geographically—nearest node. Advantages: fast failover in case of individual site failures, no dependence on DNS TTLs.
Geo-DNS: The DNS server responds to requests with different edge IPs depending on the IP geolocation of the resolver. Easier to operate, but less precise—especially if the DNS resolver is not located near the actual user.
Modern premium CDNs typically rely on Anycast, often combined with additional control mechanisms such as real-user measurement data.
High-performance CDNs do not operate on a single caching tier but in a hierarchy. With a well-configured hierarchy, CDNs achieve origin offload rates of 80–95%—only 5–20% of all requests ever reach the origin server. This reduces bandwidth costs and protects the origin server even during peak loads.
Tier | Role | Share of requests served |
Edge | Direct delivery to the user | 70–90% |
Mid-tier / Regional Cache | Aggregates requests from multiple edges | an additional 5–15% |
Origin Shield | Last cache layer before the origin | an additional 1–5% |
Origin | Authoritative source of the content | – |
An HTTP request via a CDN passes through several stages:
DNS resolution: The browser queries the domain name and receives the IP address of the nearest edge server (via Anycast or Geo-DNS).
TCP/TLS handshake: Established with the edge server instead of the distant origin—this alone often saves 100 ms or more.
Cache lookup: The edge server checks whether the requested content is fresh in the cache.
Cache hit: Immediate delivery from the edge. The origin is not contacted.
Cache miss: The edge queries the mid-tier or the origin directly, stores the result, and delivers it.
Response to the user: In Europe, response times under 50 ms are realistic with well-placed CDNs.
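The cache hierarchy and request flow above, as an added toy model that is not part of the original article: three edges in two regions share regional mid-tier caches and one origin shield, every tier honours the same max-age, and the model reports which layer served each request and the resulting origin offload. Edge names, URLs and timings are constructed.

```python
# Toy model of a tiered CDN cache (constructed example, not the article's or
# any provider's code): edge -> regional mid-tier -> origin shield -> origin.
from dataclasses import dataclass, field

@dataclass
class Stats:
    hits: dict = field(default_factory=lambda: {"edge": 0, "mid": 0, "shield": 0})
    origin: int = 0
    total: int = 0

class TieredCDN:
    def __init__(self, max_age: float, edge_region: dict) -> None:
        self.max_age = max_age          # freshness lifetime (Cache-Control max-age), seconds
        self.edge_region = edge_region  # edge id -> region whose mid-tier it uses
        self.cache = {}                 # (tier, scope, url) -> time the copy was fetched
        self.stats = Stats()

    def _fresh(self, key, now: float) -> bool:
        fetched = self.cache.get(key)
        return fetched is not None and now - fetched < self.max_age

    def get(self, edge: str, url: str, now: float) -> str:
        """Walk edge -> mid-tier -> shield -> origin; return the layer that served."""
        self.stats.total += 1
        path = [("edge", edge), ("mid", self.edge_region[edge]), ("shield", "global")]
        served = "origin"
        for depth, (tier, scope) in enumerate(path):
            if self._fresh((tier, scope, url), now):
                self.stats.hits[tier] += 1
                served = tier
                break
        else:                           # stale or absent on every tier
            self.stats.origin += 1
            depth = len(path)
        for tier, scope in path[:depth]:  # fill every cache that missed on the way back
            self.cache[(tier, scope, url)] = now
        return served

    def origin_offload(self) -> float:
        return 1.0 - self.stats.origin / self.stats.total

def simulate() -> TieredCDN:
    """Constructed stream: 4 objects, 3 edges in 2 regions, then one expired re-fetch."""
    cdn = TieredCDN(max_age=60, edge_region={"fra": "de", "muc": "de", "ams": "nl"})
    for i, url in enumerate(["/a.css", "/b.js", "/hero.webp", "/doc.pdf"]):
        for t, edge in enumerate(["fra", "muc", "ams", "fra"]):
            cdn.get(edge, url, now=10 * i + t)   # origin, mid hit, shield hit, edge hit
    cdn.get("fra", "/a.css", now=100)            # max-age expired everywhere -> origin
    return cdn
```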
Premium CDNs rely exclusively on RAM caching: Hot content is delivered directly from main memory, with latencies in the microsecond range. SSD-based caches are more cost-effective but noticeably slower. When selecting a provider, it’s worth specifically asking about this difference—it’s particularly noticeable with highly active caches and during peak loads.
For a CDN to cache and deliver HTTPS content, it must terminate TLS encryption at the edge. This is a security consideration with compliance implications. Best Practices:
Full Strict or mTLS between the CDN and the origin – the connection is encrypted on every hop with the origin certificate strictly validated, and with mTLS it is additionally authenticated on both sides.
Short certificate validity periods and automatic rotation.
HSTS preloading to prevent downgrade attacks.
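Added example, not the article's or any CDN provider's code, of what the TLS best practices in 5.4 and above look like in code: an edge-side TLS client context towards the origin in strict mode (chain and hostname verified, TLS 1.2 minimum) with optional mTLS, plus a check of a Strict-Transport-Security header against the published preload-list requirements. File paths are placeholders.

```python
# Constructed example of edge-to-origin TLS settings and an HSTS preload check;
# not the article's or any provider's code. Paths are placeholders.
import ssl
from typing import Optional

def origin_context(ca_file: Optional[str] = None,
                   client_cert: Optional[str] = None,
                   client_key: Optional[str] = None) -> ssl.SSLContext:
    """TLS client context an edge uses towards the origin.
    Strict mode: chain validated against ca_file (or system roots) and hostname
    checked, so the edge-to-origin hop cannot be silently intercepted.
    mTLS: the edge also presents its own certificate, letting the origin reject
    clients that are not the CDN (e.g. direct hits that bypass the WAF)."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # hardened settings: no TLS 1.0/1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:                                # mTLS: edge authenticates itself
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx

ONE_YEAR = 31_536_000   # seconds; minimum max-age for the preload list

def parse_hsts(header: str) -> dict:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    out = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            out[name.strip().lower()] = value.strip().strip('"') or True
    return out

def hsts_preload_problems(header: str) -> list:
    """Return what keeps a header off the browser preload list (empty = eligible):
    max-age of at least one year, includeSubDomains and preload are required."""
    d = parse_hsts(header)
    problems = []
    try:
        max_age = int(d.get("max-age", -1))
    except ValueError:
        max_age = -1
    if max_age < ONE_YEAR:
        problems.append("max-age must be at least 31536000 (one year)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems
```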
09
Online banking, claims portals, and application processes must be available 24/7, fast, and DORA-compliant. A CDN with integrated DDoS protection and WAF safeguards the applications, while data residency in Germany minimizes regulatory risks.
Government agencies must fulfill their obligation to provide information even during periods of extreme traffic spikes—such as elections, tax filing deadlines, or crisis communications. A CDN alleviates the strain on backend infrastructure, which is often undersized.
Patient portals, online appointment scheduling systems, and telemedicine platforms process particularly sensitive health data as defined in Article 9 of the GDPR and are often subject to KRITIS requirements. A CDN with German data residency, integrated security, and verifiable compliance protects these applications from attacks and ensures availability even during peak loads—such as during vaccination campaigns, crisis communication, or application periods with deadlines.
Conversion rates are highly sensitive to page load times. In addition, protection is needed against scraper bots that harvest product data, as well as against inventory-hoarding bots during limited-edition drops.
Here, the CDN isn't just an add-on—it's the foundation of the business. Adaptive bitrates, fast manifest routing, and low end-to-end latency define the user experience.
Patches, installers, and major updates must be delivered reliably worldwide. A CDN reduces the load on build servers and ensures predictable rollouts.
10
A CDN delivers pre-generated content. Edge computing executes application logic close to the user—such as authentication, A/B testing, and geo-based personalization. Most modern CDNs offer both; today, the term “edge” describes a spectrum, not an either/or choice.
A reverse proxy is a single server in front of the origin—usually in the same data center. A CDN is a globally distributed network of reverse-proxy-like edges. Architecturally related, but fundamentally different in terms of scalability and geography.
Cloud hosting provides servers and platforms (IaaS/PaaS) on which the origin runs. A CDN sits in front of these and offloads traffic from them. The two complement each other—they do not replace one another.
Web Application and API Protection (WAAP) is the term commonly used by Gartner to describe the combination of WAF, bot management, DDoS protection, and API security. Many CDN providers are also WAAP providers today—the distinction is more historical than technical.
Multi-CDN refers to the parallel use of multiple CDN providers with dynamic traffic steering. Advantages: redundancy, regional optimization, and greater negotiating leverage. Disadvantages: significantly higher complexity, increased contractual and compliance overhead, and more challenging cache consistency. Multi-CDN is typically only worthwhile for petabyte-scale volumes or when very high availability requirements are in place.
A content delivery network (CDN) is a network of geographically distributed servers that are connected to each other via the internet. This shortens the distance between the user and the content to be delivered, so a website can be delivered faster, for example with the help of caching.
Stefan Bordel
Senior Editor
Stefan Bordel has been working as Editor and Technical Writer at Myra Security since 2020. He is responsible for the strategic development and editorial management of all content formats – from website content and specialist publications to whitepapers, social media communication, and technical documentation. In this role, he combines solid expertise from IT journalism with in-depth technical understanding in the field of cybersecurity. As a long-time Linux enthusiast, he closely follows developments in the IT industry both professionally and personally.