German Businesses Face Rising Fraud Threats and Stricter Cybersecurity Laws in 2026

German companies in 2026 grapple with fraud via fake tax emails and must meet stringent new EU cybersecurity laws imposing personal liability and heavy penalties.

Key details

  • IHK warns businesses about realistic tax fraud emails demanding fines linked to alleged disclosure breaches.
  • New NIS-2 law requires 30,000+ German firms to implement advanced IT security measures and risk management.
  • Personal liability for company executives is introduced under NIS-2, emphasizing management oversight of cybersecurity.
  • Strict deadlines and severe penalties, including fines up to 10 million euros, apply for non-compliance and incident reporting.

German companies are confronting significant cybersecurity and fraud challenges in 2026, driven by a surge in fraudulent activities and the implementation of strict new EU regulations. The Chamber of Industry and Commerce (IHK) for the Middle Lower Rhine recently warned local businesses about highly convincing scam emails appearing to come from the Federal Central Tax Office (Bundeszentralamt für Steuern, BZSt). These emails, sent from the address '[email protected]', demand payment of fines for alleged disclosure violations and include attachments to increase their authenticity, posing a serious fraud risk to recipients.

At the same time, thousands of German companies face the mammoth task of complying with the new NIS-2 cybersecurity law that took effect at the end of 2025. The legislation extends stringent IT security responsibilities to around 30,000 businesses, including medium-sized enterprises with at least 50 employees or annual revenues of 10 million euros. Under the law, cybersecurity is no longer merely a technical issue but a matter of top management accountability, with personal liability imposed on executives.

Companies are required to implement comprehensive risk management systems aligned with cutting-edge standards, conduct regular security assessments, establish emergency response plans, and secure their supply chains. Crucially, the leadership must personally oversee these measures rather than delegating them entirely to IT departments. Registration with the Federal Office for Information Security (BSI) and timely reporting of security incidents—within 24 hours for major players—are obligatory, with tight deadlines to meet.

Violations of the new rules carry steep penalties, including fines up to 10 million euros and personal liability. Additional EU regulations such as DORA, targeting the financial sector since January 2025, and the Cyber Resilience Act, which stipulates security requirements for digital products, further amplify the regulatory landscape.

The combined pressure of sophisticated fraud attempts and the demanding NIS-2 compliance framework marks 2026 as a pivotal year. German businesses must enhance their cybersecurity postures and maintain heightened vigilance against scams to protect themselves from financial loss and regulatory sanctions. The IHK's recent alert serves as a critical reminder of the evolving threat environment and the expanded responsibilities companies face under the new EU cybersecurity regime.

This article was synthesized and translated from native language sources to provide English-speaking readers with local perspectives.
