German Companies Face IT Modernization Challenges Amid EU Cyber Resilience Act Deadline

German firms struggle with costly IT modernization amid looming EU Cyber Resilience Act compliance requiring rapid vulnerability reporting.

    Key details

  • • 80% of German companies see legacy systems as an economic barrier, but 86% believe their core apps remain viable for five years.
  • • 73% of companies are modernizing IT systems; cost and expertise barriers slow progress for others.
  • • Agentic AI can reduce modernization costs by 30-60% and accelerate processes.
  • • The EU Cyber Resilience Act enforcement begins September 11, 2026, with strict incident reporting and heavy fines for non-compliance.
  • • Many companies currently lack adequate preparation for CRA requirements, risking penalties without improved monitoring and reporting systems.

German companies are grappling with significant IT modernization hurdles just as the EU Cyber Resilience Act (CRA) enforcement approaches in September 2026. A recent study by adesso SE reveals that 80% of firms acknowledge legacy systems impede their economic success, yet 86% believe their core applications will remain adequate for the next five years. This contrast highlights a reluctance to modernize, primarily due to high costs (53%), lack of internal expertise (35%), and fears of operational disruptions (31%). Currently, 73% of companies are actively modernizing their IT, with another 24% planning to start, driven in part by difficulties integrating new technologies like artificial intelligence (AI). The retirement of experienced staff exacerbates the pressure as crucial legacy system knowledge disappears. Oliver Kowalke of adesso emphasizes the transformative potential of "Agentic AI," which can accelerate modernization processes and lower costs by 30-60%, making urgent updates more feasible.

Simultaneously, the CRA mandates the first reporting obligations to start on September 11, 2026. Under this regulation, companies must report active vulnerabilities and serious security incidents to the European Union Agency for Cybersecurity (ENISA) and national Computer Emergency Response Teams within tight deadlines: an initial warning within 24 hours, detailed reporting within 72 hours, and a final remediation report within 14 days. Failure to comply risks fines up to €15 million or 2.5% of global annual revenue, whichever is greater. However, analysis by cyber security firm Cycode shows many German companies are ill-prepared due to unclear incident-reporting responsibilities, unrealistic response time estimates, fragmented monitoring systems, and insufficient inventories of digital products.

Jochen Koehler, Vice President of EMEA Sales at Cycode, stresses the importance of comprehensive monitoring, structured reporting, and regular crisis drills to comply effectively with the CRA and avoid punitive measures. As companies face these dual pressures—overhauling costly and complex legacy IT systems, while meeting stringent cyber security compliance—they must accelerate modernization efforts aided by new AI technologies and establish robust vulnerability management frameworks.

This convergence of IT modernization challenges and urgent regulatory compliance underscores a critical period for German businesses to enhance both technological agility and cyber resilience before the September deadline.

This article was translated and synthesized from German sources, providing English-speaking readers with local perspectives.

Source comparison

The key details of this story are consistent across the source articles

The top news stories in Germany

Delivered straight to your inbox each morning.