The Federal Court of Auditors says that the Autobahn GmbH is not adequately prepared to defend against cyberattacks. In a confidential report, auditors note that the company failed to treat key elements of relevant decisions-such as information and cyber security, sovereignty, and long‑term economic viability-as strategic objectives.
With the heightened security environment that has followed Russia’s invasion of Ukraine, the firm has not examined whether the increased IT security requirements affect its overall strategy. The state‑owned company manages traffic on more than 13,000 kilometres of highway through digital systems, including control centres and tunnel management centres. A successful cyberattack could manipulate traffic signs, shut down tunnels, and severely disrupt supply chains. In a military crisis, functional motorways would also be critical for moving troops and materiel across Germany.
The auditors point out that the company still lacks a clear overall responsibility for IT. No single organisational unit has been given the central responsibility for IT matters. Instead, three separate management teams have been involved, and external auditors and internal audit findings have not been consistently acted upon. The company has left it to the individual branches to address these issues.