CEO Warns of Cyber Attack Surge as EU Mandates Digital Invoices

Jane Enny van Lambalgen, CEO of an unnamed organization, has raised alarm about the potential surge in cyber attacks as companies shift towards digitally processable invoices, a change mandated by EU directive 2014/55/EU and German e-invoicing law from 2027. She warns that this shift could open a 'floodgate' for new cyber threats.

The Federal Office for Information Security (BSI) has reported a 28% increase in cyber attacks on German companies in 2024 compared to the previous year, underscoring the growing concern. Van Lambalgen criticizes the legislator for not adequately addressing the heightened cybersecurity risks associated with this regulatory change.

Currently, 78% of companies, predominantly in the SME sector, send invoices in PDF format. However, they will need to adapt to the new, digitally processable formats by the end of 2026. Over 90% of medium-sized industrial companies rely on Enterprise Resource Planning (ERP) systems as their digitalization backbone, making these systems a prime target for cybercriminals.

To mitigate these risks, van Lambalgen recommends employee training, secure ERP integration, closer collaboration between ERP and cybersecurity providers, and the implementation of a zero-trust architecture. She fears a 'flood of digital death invoices' from 2027, with computer viruses, ransomware, and other malicious software targeting invoice intake systems. Small and medium-sized enterprises, with 53% having inadequate security measures, are particularly vulnerable to these threats.

As companies prepare for the mandatory shift to digitally processable invoices, the cybersecurity landscape is expected to evolve significantly. With the potential for a surge in cyber attacks, businesses are urged to bolster their cybersecurity measures and adapt their strategies to protect against these emerging threats.