WOODLANDS ADVISORY
All articles
Strategy· 7 min

At the table with 1&1 — why the cyber market is tipping now, not in five years

On 30 June, Woodlands Advisory sat down with Robert Henninger, Head of Information Security at 1&1 — a group with roughly 16 million customer contracts and responsibility for meaningful parts of Germany's critical telecommunications infrastructure. Why the conversation was less a meeting than a confirmation. And what the IBM 2025 figures, NIS2, the EU AI Act, the CRA and DORA mean for the next few quarters.

Glass façade with a blue 1&1 logo — a 1&1 site in Germany, seen from the street.

On 30 June, Woodlands Advisory, a young boutique in the cyber space, sat down with Robert Henninger, Head of Information Security at 1&1.

A company with roughly 16 million customer contracts and responsibility for meaningful parts of Germany's critical telecommunications infrastructure, in open dialogue with a team that is still writing its story in the market.

For us this wasn't so much a "meeting" as a confirmation. The questions on the table at group level inside 1&1 are exactly the questions we work on every day with institutional investors, M&A advisors and growing portfolio companies. And those questions are becoming more urgent right now, for everyone.

Why now: the cyber market is tipping. Not in five years. Now.

The IBM Cost of a Data Breach Report 2025 marks a watershed moment:

  • Of the companies that experienced an AI-related security incident, 97% had no proper access controls in place for their AI systems.
  • 63% of affected organizations lack a mature AI governance policy — it is either missing entirely or still under development.
  • Companies that let Shadow AI run unchecked pay an average of USD 670,000 in additional breach cost — on top of the USD 4.44 million that a data breach already costs globally on average (IBM 2025, down modestly from USD 4.88M in 2024).

At the same time, the regulatory landscape is tightening from several directions:

  • Germany's NIS2 implementation law (NIS2UmsuCG) has been in force since 6 December 2025. No transition period; BSI registration in principle required by 6 March 2026 (BSI has granted a grace period until 31 July 2026). The regulated perimeter expands from roughly 4,500 to around 29,500 entities. Personal, non-delegable responsibility of management via §38 BSIG.
  • The EU AI Act was set to enter its sharp enforcement phase on 2 August 2026; the Digital Omnibus package currently in trilogue signals a deferral of the Annex-III high-risk obligations to 2 December 2027. Even with the deferral, the penalty structure remains tougher than GDPR ever was.
  • The reporting obligations under the Cyber Resilience Act begin on 11 September 2026; full compliance including CE marking and conformity assessment by 11 December 2027. It covers every product with digital elements placed on the EU market. Enforcement includes product recalls and EU market bans.
  • DORA has applied since 17 January 2025 — 2026 marks the shift to active supervision: BaFin follow-up audits, the first wave of TLPT designations, and the first concrete sanction proceedings. Industry surveys continue to place fewer than half of financial institutions in the fully-compliant camp. Sanctions can include temporary bans on senior managers and prohibition of specific ICT services.
  • Gartner forecasts that by the end of 2026, around 40% of enterprise applications will feature task-specific AI agents — up from under 5% today. An attack surface most security architectures were never built for.

And in the transaction market? Kroll, surveying 325 PE executives, measured an average financial impact of USD 2.1 million per cyber incident in portfolio companies; 26% of respondents reported reduced valuations or exit prices as a consequence. In prominent individual cases, valuations were cut by double-digit percentages practically overnight — Verizon–Yahoo 2017 at 7.25% of enterprise value as the cleanest reference; Uber–SoftBank 2018 at roughly 30% as the sharper extreme.

Anyone who does not start translating technical risk into robust business and financial impact today will lose access. Access to capital, to customers, and in some deals to the entry ticket itself.

Which is why the conversation with Robert happened

That is why we sat down with Robert. And why the conversation happened at eye level:

  • How do you translate technical risk into robust business impact?
  • How does AI-driven security hold up under a reality check — technically, economically, and in regulatory terms?
  • How do you prepare organizations for the coming wave of requirements without falling into compliance activism?

The difference between a listed group and a portfolio company approaching closing does not lie in the "what". It lies in the context, the speed, and the consequence of the decision.

This is the intersection where Woodlands works

Cyber Due Diligence for institutional capital in the DACH region. Private Equity, Venture Capital, Family Offices and M&A advisors who want to know what they are buying before a transaction — and how to protect it afterwards. Backed by a curated team of senior practitioners with cloud, identity, AppSec and compliance depth, and a structured partner network (including Vanta, Kertos, Aikido) — not outsourcing, not junior substitution.

If you have a concrete transaction in view, or a portfolio mandate where the cyber workstream doesn't get the depth it needs in the standard DD setup: book a 20-minute discovery call. Confidential, at eye level.

For readers who prefer the argument in more analytical form, we go into the mechanics in The €4 million question — how cyber due diligence moves the purchase price and in the Cyber Due Diligence in M&A webinar.


Thank you, Robert, for the open exchange. And for the confirmation: the right questions know no size class.

Share this article

LinkedInX · Twitter
Woodlands Advisory

Let us discuss your specific situation.

20 minutes. Confidential. Non-binding.

Schedule initial consultation →← Back to all articles