Jochen Michels, Director Public Affairs, Europe, Kaspersky
Following the end of the ruling coalition in Berlin, German voters are expected to head to the polls on 23 February 2025. The German federal elections will determine the direction of the EU's largest economy and most populous state. Like other highly industrialized nations with advanced infrastructure and a strong digital sector, Germany faces significant cybersecurity threats from ransomware, cybercrime, sabotage, and espionage. Kaspersky believes that strengthening cybersecurity and resilience is a shared responsibility among policymakers, public administration, businesses, academia, and civil society. A cooperative approach is essential for developing and implementing effective cybersecurity policies. In this context, increasing cybersecurity and resilience must be a political priority.
For over 25 years, Kaspersky has contributed its expertise to combating cyber threats in Germany, Europe, and worldwide. Ahead of the upcoming federal elections, the company has prepared an Impulse Paper with the following recommendations for cybersecurity policy in the next legislative period:
1. Human-Centered Approach: Sustainably Increasing Cybersecurity Awareness and Expertise
Strengthening resilience begins with a focus on people. As cyber threats grow increasingly complex, companies face the challenge of creating efficient and well-structured cybersecurity teams. Improving the quality of essential skills demands a coordinated and sustained effort. Broad awareness of cyber threats must be fostered, and targeted development of cybersecurity knowledge and expertise should be prioritized. At the same time, improved cooperation between educational institutions, industry, and the public sector is essential. This should be complemented by targeted promotion of cybersecurity training measures, particularly tailored to the needs of SMEs. Women should also be encouraged to take on roles and responsibilities in cybersecurity.
2. Cooperative and Coordinated Implementation of EU Cybersecurity Regulation
Achieving a robust and consistent level of cybersecurity across the EU requires a harmonized approach to implementing EU digital legislation, such as the NIS2 Directive. Germany should actively champion this effort to ensure a unified framework that benefits all Member States. Nationally, a clear regulatory structure is necessary to support businesses, particularly those with international operations, enabling consistent and effective cybersecurity practices across Europe.
3. Promoting Transparency and Trust in Cybersecurity Solutions
To enhance security, policymakers should introduce stronger transparency requirements for cybersecurity solution providers to demonstrate their trustworthiness. This could include independent audits of source code, assessments of software and hardware development processes, coordinated vulnerability management, and certifications in line with international standards. Kaspersky has developed and implemented numerous measures within the framework of its Global Transparency Initiative and is willing to share its experience with interested stakeholders.
4. Enhancing Collaboration in Cybersecurity
Collaboration between all stakeholders, including public and private sectors as well as cross-border initiatives, is key to strengthening cybersecurity. Trust-based and coordinated disclosure of vulnerabilities should be encouraged beyond existing European cybersecurity regulations. National initiatives should be internationalized and consolidated at the European level to leverage synergies. Public-private partnerships (PPPs) should be supported to develop effective defenses against cyber threats and improve awareness.
5. Development of Cybersecurity, Competition and Procurement Policies
Germany and Europe must foster robust cybersecurity ecosystems that involve all relevant stakeholders. Kaspersky recommends a balanced policy approach that includes (i) evidence-based technical regulation of the ICT supply chain, with a focus on security and resilience, (ii) the establishment of attractive investment frameworks, and (iii) prioritizing security-by-design principles. The German Federal Office for Information Security (BSI) should expand its role beyond advising federal ministries to actively support all affected institutions with scientific and technical expertise.
6. Promoting Standards and Ethical Principles for the Use of AI in Cybersecurity
In line with Kaspersky’s ethical principles on the use of AI, the company emphasizes the need for ethical standards and guidelines for AI usage in cybersecurity. These should focus on transparency, security, and human oversight to ensure the responsible implementation of AI in cybersecurity practices.
7. Promoting Responsible Cybersecurity Research
To strengthen cybersecurity, Kaspersky supports promoting responsible research while protecting researchers from legal risks associated with identifying vulnerabilities. German laws related to cybercrime should be structured to encourage ethical IT security research. Researchers who report vulnerabilities to manufacturers or the BSI in good faith should be shielded from criminal prosecution, civil claims, or legal threats, recognizing their contributions to improving cybersecurity.