Public administrations and KRITIS (Kritische Infrastrukturen) operators face constant digital stress. Every new interface boosts efficiency while enlarging the attack surface. Attacks on transport, energy, or public authorities prove that cyber resilience is a prerequisite for the ability to act. Complex infrastructures need an integrated approach with AI-enabled threat detection, security operations, zero trust, and secure cloud architecture.
Sabotage of critical infrastructure, targeted cyber attacks on transport and energy companies, and coordinated campaigns against public institutions—the security situation in Europe has changed significantly. Digital systems are often subjected to geopolitical tensions. Attacks are no longer used solely to gather information, but also to destabilize.
Every day, millions of citizens rely on functioning local and long-distance transport systems, stable energy and water supplies, digital administrative services, and medical infrastructure. If these systems fail or are manipulated, the result is not just technical damage, but a loss of trust in the government's ability to act.
At the same time, digital transformation is accelerating the expansion of networked infrastructures. Cloud services, on-premises systems, external service providers, specialist procedures, and industrial control systems exist in parallel. The public sector operates in federal, historically evolved structures with different responsibilities, budgets, and levels of security maturity.
The attack surface grows with every new interface. Complexity increases with every additional integration. And with every successful attack, adversaries take up more sophisticated approaches. The crucial question is therefore no longer whether an attack will occur, but when and with what impact.
How can the state's ability to act be ensured when threats are automated, scalable, and increasingly supported by artificial intelligence (AI)?
Many security architectures in the public sector were designed for a different threat situation. They are perimeter-oriented, reactive, and strongly rule-based. Individual protection mechanisms—firewalls, signature recognition, and selective audits—have long been sufficient to ward off known attack patterns.
But today's threats are more dynamic. Attackers are distributed, automated, and often supported by AI. They combine technical vulnerabilities with social engineering, use legitimate access, and move laterally through complex system landscapes.
At the same time, modern infrastructures generate enormous amounts of data—log files, network flows, identity movements, cloud activities. This wealth of information overwhelms manual evaluation processes. Security managers are faced with a flood of alerts, combined with a shortage of specialists and increasing expectations of fast response times.
As a result, not every threat is immediately visible. Not every alert is prioritized. And not every measure is effective across organizations. Resilience therefore requires a paradigm shift—away from isolated protection mechanisms and towards continuous, intelligent monitoring and integrated response processes.
The EU cybersecurity agency ENISA [1] reports that 4,875 security incidents were reported between July 2024 and June 2025—affecting public administration, transport, energy, digital infrastructure, financial service providers, and industry. This analysis shows the growing attack surface of critical digital systems.
In the same ENISA report, 77% of reported incidents are DDoS attacks—where public services and infrastructures are temporarily paralyzed. Ransomware incidents are less frequent, but often have a greater economic and operational impact.
The BSI Situation Report 2025 [2] shows that Germany records an average of 119 new IT security vulnerabilities every day—an indication of how quickly attack surfaces are growing and traditional defense models can be overwhelmed.
Parallel to technical incidents, the EU Threat Landscape Report 2025 warns: “Geopolitical tensions and complex threat patterns dominate the cyber environment. Both state-sponsored and criminal actors are increasingly using automated and AI-supported methods, which further exacerbate the challenges for public institutions and KRITIS.”
AI alone does not ensure resilience. It only becomes effective when it is embedded in an integrated security architecture. This is because AI is data-driven, and today, data is generated in distributed, hybrid infrastructures.
Public administrations and KRITIS operators are increasingly working with cloud services, federated data centers, industry-specific applications, and external service providers. Security-relevant information is generated simultaneously across networks, identity management systems, endpoints, operational technology (OT) environments, and cloud platforms.
For AI to reliably detect threats, these data sources must be consolidated, structured, and analyzable in real time. Secure cloud architectures enable this scalability by bundling security data, standardizing policies, and creating uniform visibility across organizational boundaries.
Only this combination of cloud infrastructure, continuous monitoring, managed detection and response, and AI-supported analysis creates a security model that can keep pace with the speed of modern attacks.
Resilience, therefore, not only means recognizing attacks, but also integrating security processes in such a way that prevention, detection, and response are seamlessly interconnected.
In many cases, AI is regarded as a key technology for modern security architectures. However, AI does not operate in isolation. It is only as strong as the structures in which it is embedded.
If data sources are fragmented, interfaces are inconsistent, and responsibilities are unclear, even the most advanced analytical systems remain blind to correlations. AI can only detect anomalies if it has access to consolidated, high-quality, and continuously available data.
This is particularly relevant for the public sector and KRITIS operators: security processes must be standardized, identities clearly managed, network flows centrally monitored, and cloud environments consistently integrated.
Resilient security architectures therefore combine:
Only on this basis can AI recognize patterns, prioritize threats, and derive actionable recommendations.
Resilience is therefore not created by a single tool, but by the interplay of architecture, automation, and human expertise.
The T-Systems Cyber Defense Center shows how an integrated resilience approach can be implemented in the public sector. More than one billion security-relevant events from over 3,000 data sources are analyzed there every day—from government networks and KRITIS environments to cloud infrastructures and networked system landscapes.
This data originates from firewalls, identity systems, endpoints, network segments, cloud platforms, and industrial control environments. Together, they create a continuous, cross-organizational view of the situation—a prerequisite for identifying complex attack patterns at an early stage.
At this scale, purely manual evaluation is no longer feasible. AI-supported analysis mechanisms take over pre-structuring: they correlate events, detect deviations from normal behavior, and prioritize potentially critical activities.
For example, several seemingly inconspicuous login attempts from different regions, combined with unusual data queries and parallel network movements, may appear harmless when viewed in isolation. However, when analyzed as a whole, a pattern emerges—such as an incipient lateral attack or a targeted preparation for data exfiltration.
This is precisely where AI-supported pattern recognition comes into play. It reduces false positives, consolidates information, and provides a reliable basis for real-time decision-making.
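A minimal illustration of the cross-source correlation described above, added here as an example and not code from T-Systems or its Cyber Defense Center: the event records, user names, thresholds and the 30-minute window are constructed assumptions. Each signal (logins from several regions, an unusually large data query, connections to several internal hosts) is weak on its own; the correlator groups events per identity, slides a time window over them, and raises the priority only when several signals coincide, which is the pattern an analyst in the SOC would then review.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # telemetry that produced it: identity provider, database audit, netflow
    user: str
    kind: str     # "login", "data_query" or "net_conn"
    detail: str   # region for logins, "rows=N" for queries, destination host for connections


# Constructed sample events (not real logs). One account shows three weak signals
# within 30 minutes; a second account shows only a single large query.
SAMPLE_EVENTS = [
    Event(datetime(2025, 3, 1, 8, 0), "idp", "u.mueller", "login", "DE"),
    Event(datetime(2025, 3, 1, 8, 7), "idp", "u.mueller", "login", "BR"),
    Event(datetime(2025, 3, 1, 8, 9), "idp", "u.mueller", "login", "SG"),
    Event(datetime(2025, 3, 1, 8, 15), "db", "u.mueller", "data_query", "rows=250000"),
    Event(datetime(2025, 3, 1, 8, 20), "netflow", "u.mueller", "net_conn", "fileserver-07"),
    Event(datetime(2025, 3, 1, 8, 21), "netflow", "u.mueller", "net_conn", "hr-db-02"),
    Event(datetime(2025, 3, 1, 8, 22), "netflow", "u.mueller", "net_conn", "backup-01"),
    Event(datetime(2025, 3, 1, 9, 0), "idp", "a.schmidt", "login", "DE"),
    Event(datetime(2025, 3, 1, 9, 5), "db", "a.schmidt", "data_query", "rows=400000"),
]

# Assumed tuning values; a real deployment would derive these from baselines.
WINDOW = timedelta(minutes=30)
LOGIN_REGION_THRESHOLD = 2     # distinct login regions inside one window
QUERY_ROWS_THRESHOLD = 100_000  # rows returned by a single query
NEW_HOST_THRESHOLD = 3          # distinct internal destinations inside one window


def _query_rows(detail: str) -> int:
    return int(detail.split("=", 1)[1]) if detail.startswith("rows=") else 0


def _signals(window: list[Event]) -> dict:
    regions = {e.detail for e in window if e.kind == "login"}
    hosts = {e.detail for e in window if e.kind == "net_conn"}
    big_query = any(e.kind == "data_query" and _query_rows(e.detail) >= QUERY_ROWS_THRESHOLD
                    for e in window)
    return {
        "multi_region_login": len(regions) >= LOGIN_REGION_THRESHOLD,
        "unusual_data_query": big_query,
        "lateral_movement": len(hosts) >= NEW_HOST_THRESHOLD,
        "regions": sorted(regions),
        "hosts": sorted(hosts),
    }


def score_user(events: list[Event]) -> dict:
    """Slide WINDOW over one user's events and keep the window with the most signals."""
    events = sorted(events, key=lambda e: e.ts)
    best = None
    for i, start in enumerate(events):
        window = [e for e in events[i:] if e.ts - start.ts <= WINDOW]
        found = _signals(window)
        hits = sum(found[k] for k in ("multi_region_login", "unusual_data_query", "lateral_movement"))
        if best is None or hits > best["hits"]:
            best = {"hits": hits, **found}
    return best


def correlate(events: list[Event]) -> list[dict]:
    """Group events by identity, score each, and return alerts ordered by severity."""
    by_user: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        result = score_user(evs)
        if result["hits"] == 0:
            continue  # no signal at all: nothing for an analyst to look at
        priority = {3: "high", 2: "medium"}.get(result["hits"], "low")
        alerts.append({"user": user, "priority": priority, **result})
    return sorted(alerts, key=lambda a: a["hits"], reverse=True)


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["priority"], alert["user"], alert["regions"], alert["hosts"])
```

Run stand-alone, it prints one high-priority alert for the account whose three signals line up inside the window and a low-priority one for the account with a single large query; the isolated signal is not discarded, only ranked below the combined pattern, which is the prioritization step the text describes.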
Another component is the continuous monitoring of the external layer of public networks—comparable to a digital “smoke detector”. Suspicious downloads, known malicious code signatures, or unusual communication patterns are identified at an early stage. Automated processes can isolate affected segments or temporarily restrict access before an incident spreads.
At the same time, humans remain an integral part of the process. Security experts in the security operations center (SOC) evaluate AI-supported analyses, make prioritization decisions, and implement coordinated countermeasures.
The result is not an isolated defense system, but a continuous security architecture with:
This creates operational resilience—not as a single measure, but as a continuously evolving security ecosystem.
Technology alone is not enough. The interplay of clear responsibilities, standardized processes, and a security culture that sees resilience as an ongoing task matters just as much.
In this context, digital sovereignty means more than just data sovereignty. It describes the ability to operate one's own infrastructure in a controlled manner, make security decisions independently, and keep critical systems functioning even under stress.
For authorities, federal states, municipalities, and KRITIS operators, resilience thus becomes a strategic management tool. It creates trust among citizens, strengthens economic stability, and increases resilience against geopolitical tensions.
The central perspective for the coming years is therefore not just “How do we respond to attacks?”, but rather: “How do we design security architectures so that they keep pace with the speed of digital transformation?”
Resilience is not a final state. It is an ongoing process—supported by technology, expertise, and the clear aspiration to operate digital infrastructures confidently and responsibly.
Effective cyber resilience in the public sector is not achieved through individual measures, but through integrated security architectures. T-Systems combines technological platforms with operational security expertise.
Zero trust and identity management: End-to-end identity verification, role-based access concepts and consistent segmentation of sensitive administrative and KRITIS systems.
Cyber defense center and integrated SOC services: Centralized situational awareness, analysis of billions of security-relevant events per day, and coordinated response processes for authorities and KRITIS.
[1] ENISA Threat Landscape 2025, ENISA, 2025.
[2] The State of IT Security in Germany in 2025, BSI, 2025.