Growing Cyber Threats for Municipal Companies
The digital threat landscape for municipal companies has intensified significantly in recent years, making municipal cybersecurity a critical priority. Despite rising risks, major security gaps remain — as cybersecurity expert Chris Kubecka emphasized in a recent interview with “Die Zeit”. Utilities, municipal IT providers, and public service operators are increasingly targeted by professional threat actors, including cybercriminals and nation-state actors involved in hybrid warfare.
The ransomware attack on Colonial Pipeline in the United States demonstrated the vulnerability of the infrastructure and the severe impact cyber attacks can have on municipal systems. The incident halted a major fuel supplier and resulted in a ransom payment of 4.4 million dollars. Such cases reveal how attractive municipal infrastructure is to cybercriminals and highlight the urgent need for comprehensive cybersecurity strategies to ultimately protect municipal infrastructure and maintain public services.
Germany ranks among the four most attacked countries worldwide, according to the Microsoft Digital Defense Report. The critical infrastructure sector, which includes many state and local governments, is especially affected. Attacks increasingly target systems with outdated or incomplete IT security measures, and they are becoming more complex and professional every year. This underscores the importance of implementing regular cybersecurity training, adopting a custom cybersecurity plan, and leveraging cybersecurity toolkit resources to assess cybersecurity preparedness and minimize risks.
Rising IT Security Requirements Under the NIS2 Directive
Alongside the expanding threat, regulatory requirements are also increasing. The NIS2 Directive, which introduces new cybersecurity requirements for municipal companies and local administrations, is currently making its way through German legislation (NIS2UmsuCG); final adoption is expected by the end of 2025 or early 2026.
For municipal enterprises, this means reassessing their security structures and modernizing them where necessary to meet the stringent demands of cybersecurity and infrastructure security standards. Many organizations will need to introduce or upgrade their Information Security Management Systems (ISMS) and demonstrate, with verified documentation, that they meet the expected standards for cybersecurity and NIS2 compliance. Certificates and security evidence are becoming an essential part of this process, not only to satisfy internal needs but also to meet the expectations of authorities and auditors. Well-known standards such as ISO/IEC 27001 help reduce risk, provided they are genuine, validated, and current. Past incidents have shown repeatedly that supposed security can be deceptive when documentation is incomplete or falsified, exposing potential vulnerabilities and increasing the risk of attacks.
Suppliers: The Underestimated Cybersecurity Risk
One of the most vulnerable points regarding cybersecurity in municipalities lies with external partners. Weaknesses frequently occur not in an organization's own systems but at the interfaces to external service providers. This was evident in the cyberattack on Stadtwerke Bruck in Austria, where an insecure connection to third-party software was exploited.
Even more concerning are incidents where partners intentionally deceive their clients. Hidden communication modules have been discovered in Chinese solar inverters, allowing unauthorized access and bypassing firewalls. In another case in the financial sector, a partner organization supplied forged ISO certificates, creating a false sense of security that ultimately led to severe data loss and reputational damage. Such examples underscore how crucial trust, transparency and verified security documentation are across the supply chain.
The Problem: Lack of Oversight Weakens IT Security in Municipal Infrastructure
Many municipal organizations still lack a systematic overview of their certificates and security documentation. Files are often scattered across email inboxes or stored in unstructured folder systems, resulting in incomplete visibility over versions, validity periods and intended usage. As a consequence, certificates may expire unnoticed, may not apply to specific use cases or may have been replaced without the knowledge of key stakeholders.
These issues extend beyond cybersecurity and affect other areas such as quality and sustainability management as well. A tragic example is the cable car accident in Lisbon in 2025, where an unsuitable cable was used. The certification did not cover funiculars or passenger transport. In addition, the maintenance documentation was incomplete and faulty.
The Solution: Digital Platforms as the Key to Municipal Cybersecurity
To regain control over documentation and simultaneously meet the requirements of NIS2, BSI specifications, and relevant ISO standards, municipal organizations increasingly rely on digital platform solutions. These platforms provide a secure and centralized way to manage certificates, exchange documentation, and ensure that only verified, accurate, and up-to-date information is used, supporting municipal cyber resiliency.
For such systems to be effective, documents must be uploaded directly by accredited auditors or certified testing authorities, ensuring their authenticity and compliance with infrastructure security agency standards. They also need to be stored in an audit-proof manner to prevent undetected manipulation. Validity periods and scopes must be monitored automatically, allowing organizations to respond proactively before certificates expire, thereby minimizing cybersecurity risks. Access to documents should be regulated individually so that sensitive information can be shared securely across the supply chain, while all partners must undergo verification such as KYC (know your customer) checks to confirm their integrity. Automated notifications ensure that every relevant stakeholder is informed when trust documents are updated. Additionally, the platform should integrate seamlessly into existing training, reporting, and analysis tools to avoid creating isolated processes and to align with regular cybersecurity training.
Kevla TrustDocS is an example of a platform that incorporates exactly these capabilities and supports municipal companies in strengthening their cybersecurity documentation and compliance work, ensuring adherence to information technology standards and legal liabilities related to data breaches.
Conclusion: Why Municipal Companies Must Act on Cybersecurity Now
The threat is real and continues to grow. Municipal companies must act now to protect their infrastructure, their data and the trust of their communities. Digital platforms like Kevla provide the transparency, efficiency and robust cybersecurity standards that modern protection mechanisms require.
By investing in digital documentation management today, organizations not only safeguard themselves but also strengthen the resilience of their partners and the citizens who depend on reliable public services.
