Cyberattacks on universities have increased significantly in recent years, ranging from phishing attempts to state-sponsored operations. A new study by the HIS Institute for Higher Education Development (HIS-HE) systematically examines for the first time how the German federal states support their universities and universities of applied sciences. Based on document analyses and surveys of ministries of science and Computer Emergency Response Teams (CERTs) from the summer of 2024, a non-uniform picture emerges: While some states have established central strategies and contact points, others rely on the initiative of the universities themselves.
The study, published in HIS-HE Forum 3|2025, highlights that although CERTs are often responsible for universities, they are rarely used. Differences are apparent in the definition of responsibilities, the design of support services, and cooperation between institutions and state authorities. Legal requirements such as the EU NIS 2 Directive and state-specific IT laws frame the measures.
Threat Landscape and Legal Framework
Universities are considered attractive targets for attackers because they hold sensitive research data and often serve as testing grounds for attack methods. Cases are documented worldwide and in Germany, including 45 known incidents at German universities by March 2025. The Federal Criminal Police Office reports around 42 attacks on educational and research institutions from 2022 to 2024. The study emphasizes that a uniform recording is lacking: Without standardized definitions and reporting systems, threats, motives, and damages can only be assessed inaccurately.
Information security encompasses the protection of data regardless of the medium and integrates technical, organizational, and personnel measures. IT security focuses on digital systems, while cybersecurity focuses on threats from networked spaces. In Germany, BSI standards are considered the basis, assuming confidentiality, integrity, and availability.
Federal Diversity: From Central Models to Networks
The analysis of the 16 federal states reveals six typical forms of support that differ in scope and implementation. Individual models, in which universities act autonomously, as well as central state offerings or networks, often dominate. In Bavaria, the state promotes HITS IS as a comprehensive service center, while Lower Saxony is building a cooperative network. North Rhine-Westphalia combines elements of all approaches. The willingness to provide funding often depends on past attacks; in states without known incidents, such as Thuringia or Mecklenburg-Western Pomerania, measures are more reserved.
Examples: In Schleswig-Holstein, 3.4 million euros were invested in IT security projects for universities, coordinated by the ITSH-edu working group. Thuringia relies on the IT Center for Universities (HS-ITZ) with a new central office for information security, which implements BSI standards and covers crisis situations. Many states use supra-regional CERTs like CERT-Nord or ThüringenCERT, but their use remains low.
Strategic Recommendations for Resilience
Cybersecurity is not an isolated IT problem, but a strategic field that concerns university management and ministries alike. Universities should establish crisis processes and clarify responsibilities, while ministries should provide central structures and funding. The study advocates for cross-state cooperation and knowledge transfer to build resilient systems. The HRK calls on the federal government to network, as threats are international.
Authors Mathias Stein, Maren Lübcke, and Harald Gilch from the HIS-HE University Management division see potential for learning processes in this diversity. The study aims to stimulate discussions at the university and state levels and provides state overviews for guidance. It is available as a PDF at www.his-he.de.
