“Data Control and Availability Are Imperatives, Not Just Recommendations.”

The threat of overload attacks has been steadily increasing for years. Since the start of the war in Ukraine, the risk of attacks by politically motivated actors has risen dramatically. According to the European Union Agency for Cybersecurity (ENISA), four out of ten cyber incidents in Europe are now attributable to DDoS attacks. In 41 percent of these attacks, a political or activist motive is suspected. Myra's Security Operations Center (SOC) recorded a 25 percent increase in malicious requests last year alone.

In an interview with cybersecurity expert Prof. Dr. Dennis-Kenji Kipker, we discuss the challenges and areas of action this presents for companies and what needs to be considered from a compliance perspective in particular.

Prof. Dr. Kipker, the DDoS attacks of recent weeks have once again demonstrated how vulnerable digital infrastructures in Germany are. In your opinion, what are the biggest challenges for companies in defending against such attacks?

Dennis Kipker: From the attacker's point of view, DDoS attacks are a simple and effective method of targeting online processes and websites and causing social unrest. The widespread availability of cybercrime-as-a-service offerings, where attacks can be booked for little money, further exacerbates the situation.

On the other hand, defending against DDoS attacks is extremely complex. Especially at the application level, malicious data streams cannot be easily distinguished from valid data streams. For this reason, specialized service providers are typically used for defense.

And this is where the challenge begins. We must bear in mind that DDoS protection is no longer a purely technical issue – it is about supply chains, compliance, liability, and digital sovereignty. This is because, in order to defend against overload attacks – for example, through traffic analysis and filtering – service providers must look deep into the data traffic and intervene. This entails not only technical risks, but also significant compliance risks. This is particularly true when personal or business-critical data is involved. As a company, I have to ensure that the service providers I use are trustworthy and comply with all regulatory requirements in order to minimize liability risks and guarantee system availability. The basis for this is sound risk management, on the basis of which the service provider is thoroughly checked through due diligence.

Working with international service providers often raises questions for German and European companies. This is especially true when the providers are based in the US, as different legal systems and understandings of data protection and national security collide here. What compliance risks does this create?

In practice, working with US providers carries significant risks, as these companies are primarily subject to US jurisdiction. Even if servers are located in the EU, US authorities can access data, or rather, order access to it – consider the CLOUD Act, FISA 702, or Patriot Act. The political developments in the US, which we are now seeing in Donald Trump's second term, are further exacerbating this problem.

At the same time, the legal basis for GDPR-compliant transatlantic data transfers is extremely fragile. The existing adequacy decision between the EU and the US is based solely on an executive order by Joe Biden, which can be revoked at any time by his successor. And Trump has already announced in his Agenda 47, his US presidential agenda, that he wants to essentially reverse everything Biden has done.

This process has already begun with the dismissal of the Democratic members of the Privacy Oversight Board, a central component of the EU-US Data Privacy Framework that serves as the basis for the current adequacy decision. Companies that rely on US service providers are therefore exposing themselves to significant compliance and liability risks.

Against this backdrop of compliance uncertainty, how should EU companies select their service providers with regard to availability and digital sovereignty in order to minimize regulatory and operational risks?

Companies should critically review their digital supply chain and specifically choose European providers that are both legally and technically aligned with the requirements of the European market. It is not enough to simply look at server locations in the EU; it is crucial that the operating company is also subject to European law.

This is the only way to ensure that data does not flow out of control and that the availability of business-critical systems remains guaranteed even in a crisis. Digital sovereignty means retaining control over your own data and processes – this is increasingly becoming an imperative, not just a recommendation. This year, we have seen how surprising changes in US customs policy can present companies and countries with unexpected challenges. The same unpredictability is something no organization can afford in its digital supply chain: When essential services threaten to disappear overnight, it's no basis for trusting collaboration.

What strategic advice would you give compliance managers and security officers to position themselves for the future in light of the current threat situation and regulatory developments?

My advice is clear: companies must reduce their dependence on non-European providers and consistently rely on European solutions. This applies not only to DDoS protection, but to the entire digital supply chain. Regulatory requirements – such as those imposed by the NIS 2 Directive or the Cyber Resilience Act – will continue to increase. Those who switch to European providers now will not only minimize compliance risks, but also promote the digital sovereignty and resilience of their own companies. This is no longer an optional step, but a necessity.