Cross-section “cyber security” for the first third of 2025

Let’s take a look at what has happened in the field of information security in the first third of 2025, as seen through the publications of a number of organizations, both national and international.
A few selected organizations
First, we look at the publications of several organizations from the beginning of the year to around the end of April 2025. We would like to point out that this is not a complete or comprehensive survey of all publications; we simply want to give a brief overview of what we found interesting. Press releases on organizational changes and announcements of an “open day” were excluded from this article.
BSI
The Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security) is a German federal authority that deals with information security and digitalization issues for public institutions, commercial enterprises and private individuals.
Some of you may be familiar with its annual report on the state of IT security in Germany. We ourselves look at BSI publications and press releases at irregular intervals throughout the year. One reason is that the KRITIS (critical infrastructure) responsibilities sit within the BSI; another is the still ongoing NIS2 topic, which affects many national organizations and companies - i.e. customers or potential customers of ours.
At the Munich Security Conference, the BSI contributed to the topic of AI and its potential influence on democracy. In the wake of the CrowdStrike incident affecting Microsoft Windows systems, the BSI took action and investigated the incident. Drones have come under scrutiny as a cyber threat; at the same time, research and development in this area is being stepped up to make these technologies usable in a wide variety of forms. A fairly central technical guideline on cryptographic procedures was updated with regard to post-quantum cryptography. In addition to the reminder to make regular data backups on the occasion of “World Backup Day”, offers on cyber security topics tailored to the target group were made as part of the German Senior Citizens’ Day (Deutscher Seniorentag).
No issue of the biannual BSI magazine has been published yet in 2025. This year’s Cyber Security Day will take place in mid-May; an agenda is to be provided. We are particularly looking forward to news on NIS2. Together with ZenDiS (the Center for Digital Sovereignty in Public Administration), the BSI has published a strategy paper on “Secure Software Supply Chains”, which refers to software supply chains in public administration. A new version of the guidance on the “KRITIS verification procedure” (essentially the rules for auditing KRITIS compliance) was published, as was a working aid on the “Secure software lifecycle”. In addition, IT-Grundschutz (basic protection) profiles for small and medium-sized airports and for public road passenger transport (subways, streetcars, buses, etc.) were published. A document on the opportunities and risks of generative AI models was also updated. The final documentation of the SIKIS project (“Security features of hospital information systems”) has been made available. In the context of (KRITIS) verifications, a document on assessing maturity and implementation levels was also published.
NCSC
The National Cyber Security Centre is the United Kingdom’s technical authority for cyber security. Its purpose is to advise and support the public and private sector in order to help prevent and respond to cyber security threats.
The NCSC published a research paper on reducing so-called “unforgivable” vulnerabilities, presented strategies for migrating to post-quantum cryptography, announced new regulation for critical sectors, published new guidelines for securing edge devices, compiled information for high-risk groups at risk of digital surveillance, and outlined the risks to critical systems from emerging AI threats.
ENISA
ENISA, the European Union Agency for Cybersecurity (the acronym stems from its former name, European Network and Information Security Agency), works towards a high common level of cyber security across the EU. Its purpose is to strengthen the ability to defend against cyber-attacks and to increase trust in cyber security, with the aim of ensuring the smooth functioning of the internal market.
At the beginning of the year, ENISA published its work program for 2025-2027. Prominent topics in this document are the Cybersecurity Act and the NIS2 directive. The threat landscape in the financial sector, the maturity assessment of critical sectors and the threat landscape in space (satellites in particular) were also addressed.
CISA
The American Cybersecurity and Infrastructure Security Agency is the US federal agency responsible for the cyber security of federal civilian networks and for supporting the protection of critical infrastructure across the various levels of government.
CISA started the year with a report on a cyber security incident at the Treasury Department. It also published material on the security posture of schools. Reports on meetings of SAFECOM (a body of emergency responders and elected representatives from various levels of government) and NCSWIC (the National Council of Statewide Interoperability Coordinators, which coordinates cooperation between the individual states) were published. A press release on CISA’s own Red Team was issued. Awareness was raised regarding the resilience of information and communications technology (ICT) supply chains. A joint warning with the NSA regarding the use of “fast flux” networks by attackers was published, and various clarifying information relating to the CVE (Common Vulnerabilities and Exposures) program was provided.
NIST
The American National Institute of Standards and Technology deals, among other things, with standardization. In this context, NIST publishes many of the cyber security standards that are relevant in the USA.
A reference profile for consumer IoT products has been published (it is also available in German). Supply chain security was addressed here too at the start of the year. Other topics included the future security of the Web3 paradigm and establishing a stronger link between business impact analysis and the prioritization of and response to risks. A status report on the fourth round of the post-quantum cryptography standardization process is also available (in it, HQC was selected as an additional key encapsulation mechanism alongside ML-KEM). Work on CSF 2.0 (the Cybersecurity Framework) continues, in particular on translations and on incident response recommendations in the context of cyber security risk management. In addition, the annual report for fiscal year 2024 of the NIST Cybersecurity and Privacy Program is available.
Considerations / Conclusion
In our view, the topics considered by the various organizations overlap. Post-quantum cryptography, the protection of (critical) infrastructure and the securing of supply chains are current topics in national and supranational publications alike. At the same time, the focus differs from country to country.
Our analysis shows that Germany is focusing on catching up on the delayed implementation of content for regulated companies (updates to the KRITIS documents and pushing ahead with the implementation of the European NIS2 requirements at national level). In America, perhaps due to the current political situation, the focus was on continuing the CVE program and on commenting on CISA’s own resource situation (using the example of the CISA Red Team, among others).
Reading between the lines, one repeatedly finds efforts to improve the links and interaction between the various stakeholders, both nationally and internationally. The EU spans an umbrella over the member states of the economic area. But even within individual states, the aim is to achieve the smoothest possible coordination between regional (state-level) and national authorities in order to drive cyber security issues forward.
At the end of the day, we believe it is worth reading the publications of the organizations that directly affect you. But it also makes sense to think outside the box, as the standards and norms used centrally in the individual economic areas inform each other. In the past, anyone who wanted to get to grips with the “Zero Trust” paradigm at an early stage could read up extensively in the American standards (NIST SP 800-207 in particular). Many contents of the relevant NIST publications are nowadays also referenced in BSI publications on this topic.
07.05.2025 09:14