Cybersecurity needs secure software – PubAffairs Bruxelles


https://www.pubaffairsbruxelles.eu/opinion-analysis/cybersecurity-needs-secure-software/

Publish Date: 2026-06-12 09:18:00

Source Domain: www.pubaffairsbruxelles.eu

Cybersecurity incidents cause harm – for example, when adversarial states paralyse critical infrastructure or steal sensitive data. Many such incidents are only possible because many software products have known vulnerabilities. Software vendors could fix these, but they have little incentive to invest in the security of their products. To date, cybersecurity policy and protective measures have primarily addressed the symptoms of insecure software, rather than the root cause, namely software insecurity itself. This calls for regulation, specifically in the areas of product safety law, product liability regulations, and cybersecurity requirements for providers of software services. The European Union (EU) has already adopted initial rules, but regulatory gaps remain, and it is unclear whether member states will strictly enforce them. The German government should therefore now advocate for comprehensive European product liability regulations for software, and the Federal Office for Information Security (BSI) should impose fines on companies that violate existing rules.
Cybersecurity incidents cause significant damage. In 2025, cyberattacks cost German companies more than 200 billion euros, equivalent to 4.5 per cent of gross domestic product. Particularly serious are attacks on critical infrastructure: In December 2025, a Russian cyber operation came close to paralysing parts of Poland’s energy infrastructure. In the spring of 2026, it became known that Iranian actors were preparing attacks on the water sector and other critical infrastructure in the United States, after the People’s Republic of China had carried out similar operations against US targets in 2024. Furthermore, Chinese and Russian actors have used cyber operations to spy on and sabotage Western armed forces and their suppliers and service providers, or to restrict the availability of services. Russian intelligence services also regularly use cyber operations to obtain sensitive information from civilian targets. Last but not least, cybercriminals pose a threat to the German economy, particularly small and medium-sized enterprises (SMEs), as well as to public administration. In short: in digitalised societies, cybersecurity is a necessary prerequisite for “security, freedom, and prosperity”, the current German government’s guiding principle.
Many cybersecurity incidents are only possible in the first place because software products contain known vulnerabilities. A key reason for this is that software vendors currently have little incentive to invest the time and money needed to make their products secure. This is a market failure.
About the author
Dr Alexandra Paulus is an Associate in the International Security Research Division and Head of the Cybersecurity and Digital Policy Research Cluster at SWP.