Trending Topics Cybersecurity – March 2026
SECURITY INSIGHTS | April 1, 2026
Myra’s monthly security highlights provide IT leaders and security professionals with the most relevant topics from the world of cybersecurity. Here you’ll find the latest trends, defense strategies, and news about cyberattacks, attack campaigns, and more, all presented in a clear and concise format.


March demonstrates once again that companies are grappling with growing dependence on service providers, regulatory pressure, and a persistently high volume of cyberattacks, particularly in the healthcare and social services sectors. According to a study by Lünendonk & Hossenfelder, the vast majority of companies consider it realistic that their cloud provider could unilaterally terminate their service, while nearly half still lack a robust exit strategy. Digital sovereignty is increasingly shifting from an abstract debate to a concrete, operational prerequisite for resilience, compliance, and business continuity.
At the same time, regulatory pressure is mounting: By the official deadline, approximately 11,500 critical facilities had registered with the BSI under NIS-2, but an estimated 20,000 affected organizations remain unregistered. For many companies, this means that not only technical safeguards but also governance, reporting channels, and responsibilities have not yet been sufficiently implemented. The gap between formal obligations and actual readiness for implementation remains a key challenge for many organizations.
The situation is particularly stark in the healthcare sector. During penetration tests of practice management systems, the BSI found exploitable vulnerabilities in three out of four products examined and criticized, among other things, the lack of encryption during data transmission as well as outdated cryptographic methods. The cyberattack on ASB Saarland demonstrates just how quickly this can lead to real-world damage: There, attackers gained access to a server containing personal data of employees, applicants, and customers, including some particularly sensitive information. Added to this is the alleged AstraZeneca leak, a case that goes beyond traditional data protection issues. The group Lapsus$ claims to have compromised internal systems, source code, and cloud infrastructure.
IT security trends
Bitkom: Companies Poorly Prepared for Hybrid Attacks and Prolonged Internet Outages
A Bitkom survey of 604 companies shows that business operations can be maintained for only about 20 hours on average during internet outages. Many companies expect future hybrid attacks combining physical sabotage and cyberattacks, but consider their own contingency planning to be inadequate. Greater resilience is required, for example through redundancies, business continuity management, and crisis drills.
Cloud dependency: Nearly half of companies lack a robust exit strategy
According to a study by Lünendonk & Hossenfelder, 83 percent of companies consider a unilateral shutdown by their cloud provider to be realistic, yet just under half have no Plan B. Multicloud or exit strategies are often only rudimentarily developed. This increases the risk of prolonged outages and compliance violations if services are unexpectedly lost.
Eon reports tenfold increase in cyberattacks on power grids
Energy provider Eon reports that it records hundreds of cyberattacks on its power grids every day. Over the past five years, the number has increased tenfold. This drastic rise underscores how significantly the threat landscape for utility infrastructures has worsened and how crucial digital security is.
BSI: Only 11,500 critical facilities registered under NIS-2 by the deadline
By the end of the registration period, approximately 11,500 facilities classified as critical had completed their NIS-2 registration with the BSI; an estimated 20,000 are still pending. This increases the pressure on remaining organizations to establish NIS-2-compliant governance, reporting channels, and risk management. Particularly critical utilities and larger mid-sized companies should close gaps in the short term.
Practice management systems exhibit weaknesses in some cases
The BSI tested four practice management systems in medical practices and care facilities using penetration tests – a successful attack was possible in three of the products. Among other things, the tests revealed a lack of encryption procedures during data transmission as well as the use of outdated and therefore insecure encryption algorithms. The agency provides specific recommendations on architecture, authentication, and hardening to protect health data more robustly.
Cybercrime
Dutch Ministry of Finance confirms cyberattack on internal systems
The Dutch Ministry of Finance has acknowledged an IT security incident. Several internal services for employees were affected; services provided by the Tax and Customs Administration and the Social Affairs Agency remained unaffected. The investigation is currently ongoing. The incident follows earlier attacks on Dutch government agencies attributed to state actors.
ASB Saarland after cyberattack: Employee and customer data leaked
The Arbeiter-Samariter-Bund Saarland was the target of a cyberattack in which attackers were able to access a server containing personal data of employees, applicants, and customers. According to the organization, data was likely downloaded, but operational services continued.
Suspected leak at AstraZeneca: Access to source code
The Lapsus$ group claims to have compromised AstraZeneca’s internal systems, source code, and cloud resources. Initial analyses suggest that at least some of the published data may be authentic; technical project information and employee data may also be affected. Even without evidence of patient data, a source code theft would be highly critical for the supply chain, IP protection, and follow-up attacks.
GVV Insurance: Cyberattack puts data of 2,600 customers at risk
GVV Insurance experienced unauthorized access to parts of its IT systems. Specifically, cached information was compromised; up to 2,600 customers may be affected. As a result, GVV’s online services were temporarily shut down and the relevant authorities were notified.
Cyberattack paralyzes medical technology company Stryker’s systems worldwide
Medical technology company Stryker reported a global disruption at locations in 79 countries following a cyberattack. Network systems and business-critical applications were affected. The hacker group Handala claimed responsibility for the attack and stated that it had stolen 50 TB of data and deleted more than 200,000 systems. Stryker stated that the incident had been contained. There were reportedly no indications of ransomware or impacts on medical devices.
FBI warns of state-sponsored phishing attacks on Signal and WhatsApp accounts
The FBI and CISA are warning of an ongoing phishing campaign targeting Signal and WhatsApp users, allegedly orchestrated by actors operating from Russia. The attackers pose as “Signal Support,” among other identities, request verification codes, and thereby take over accounts. Companies should enable security features in messaging apps, raise awareness, and establish reporting channels for suspicious support requests.
Best Practice, Defense & Mitigation
Federal Intelligence Service Plans New Cyber Center
The German Federal Intelligence Service (BND) plans to expand its branch office in Bonn into a crypto-cyber technology center. Among other things, the center will conduct research on artificial intelligence and quantum computing. The goal is to strengthen the BND’s capabilities in the areas of cyber espionage and the decryption of complex encryption.
CCC uncovers data leak on legal platform
The Chaos Computer Club has identified a vulnerability on the legal platform Advocado that allowed unauthorized users to access copies of IDs, collection letters, and other documents. This affects particularly sensitive personal and financial data. The breach underscores that legal tech providers need strict access controls, penetration tests, and secure client portals.
Global botnets taken down: Investigators cripple Aisuru and Kimwolf
Law enforcement agencies from several countries have taken down two global botnets, Aisuru and Kimwolf, which consisted of millions of hijacked IoT devices and Android TV boxes. Among other things, the networks were used to launch DDoS attacks and disguise criminal traffic; seizures and arrests are intended to disrupt the operators’ structures in the long term. Companies benefit from reduced attack traffic but should continue to consistently harden their IoT systems.
Interpol operation shuts down 45,000 malicious IP addresses and servers
In a global operation, Interpol shut down 45,000 IP addresses and servers used for phishing, malware, and ransomware. Authorities from 72 countries participated in the operation, and 94 suspects were arrested.
Things to know
Zero-Day Vulnerability: Police Visit Companies in the Middle of the Night
Due to a critical vulnerability in the Windchill and ZeroPLM systems, several state criminal investigation offices dispatched police officers to affected companies. While the surprise visits caused some confusion, they were intended to ensure that companies took immediate countermeasures. The case demonstrates how seriously authorities now take zero-day vulnerabilities in industry-critical software.
Stefan Bordel
Senior Editor
Stefan Bordel has been working as Editor and Technical Writer at Myra Security since 2020. He is responsible for the strategic development and editorial management of all content formats – from website content and specialist publications to whitepapers, social media communication, and technical documentation. In this role, he combines solid expertise from IT journalism with in-depth technical understanding in the field of cybersecurity. As a long-time Linux enthusiast, he closely follows developments in the IT industry both professionally and personally.