The federal audit office finds that the Autobahn GmbH is not adequately prepared against cyberattacks. In a confidential report, the auditors state that the company has failed to consider essential aspects of related decisions, such as information and cyber security, sovereignty, and long‑term economic viability, as strategic goals. They add that, given the heightened security situation since Russia’s attack on Ukraine, the company has not investigated whether these heightened IT security requirements have affected its IT strategy.
The state‑owned company manages traffic across more than 13,000 kilometres of highway-including control centres and tunnel command centres-using digital systems. A successful cyberattack could manipulate traffic signs, incapacitate tunnels and disrupt supply chains. In a military crisis, functioning highways would also be crucial for the transport of troops and material through Germany.
According to the report, the company still lacks a clear overall IT responsibility. The auditors criticize that the Autobahn GmbH has not assigned a single organisational unit the central, overarching responsibility for IT. Instead, “three different executive teams” have been responsible. External auditors and internal reviewers’ recommendations have not been consistently implemented; the company has left it to individual branches to resolve the issues.
