The service offerings of some RWTÜV subsidiaries require special expertise in cybersecurity. In conversation with the managing directors Torsten Brinker of CONSULECTRA, Andreas Ehre of cetecom advanced, and Tobias Apel of apro.gmbh, it becomes clear that different customer structures lead to contrasting assessments, but also that different perspectives, working methods, and approaches can offer inspiration and enable synergies.
Cyber risks are on everyone's lips. It seems clear to everyone by now that everyone, from private individuals to companies to state institutions, must protect themselves from attacks. But is cybersecurity now truly understood as a strategic management issue, or is it delegated more as an IT task?
Torsten Brinker, CONSULECTRA: With our clients in the energy sector, we are already seeing that cybersecurity is increasingly being understood as a management responsibility. Accordingly, positions are being created internally to deal with this topic. Our experts are then brought in as a supplement when, for example, additional capacity is needed for projects or special questions need to be addressed.
Tobias Apel, apro.gmbh: I perceive this completely differently; the understanding is not yet there. From my perspective, companies and especially management continue to see cybersecurity as a customer or legal requirement, rather than a strategic goal. This can be seen primarily in the budgetary allocation for projects: they are usually calculated very low and are often only sufficient to ensure a basic level, but not to build cybersecurity as added value for the institution and thus as a strategic and customer-oriented goal.
Andreas Ehre, cetecom advanced: Technically sophisticated attacks conducted via the networked world are often discussed. In such cases, the primary responsibility lies with IT management – and rightly so. IT must constantly adapt to new attack scenarios that may not even exist today but are already being further developed in hacker circles.
This is challenging for companies that do not research attack scenarios themselves. However, it underscores the importance of business leadership, IT management, and all employees familiarizing themselves with the risks. This protects both the company and every individual.
However, discussions about cybersecurity are often too narrowly focused on internet attacks. In reality, any interface to a system is a potential entry point – even the remote control of a smart TV. Therefore, security in networked systems is a pervasive issue and is neither solely a management nor an IT challenge, but must be understood as a cross-functional task.
What specific services or products does your company provide regarding cybersecurity? Consulting? Audits? Technical security solutions? For example, besides technical security, do you also offer strategic support, such as in the implementation of Information Security Management Systems (ISMS) or ISO 27001 certifications? To what extent do current security standards like NIS2 or BSI IT-Grundschutz flow into your work?
Tobias Apel, apro.gmbh: Institutions receive comprehensive IT security services from apro.gmbh. We design both organizational and technical IT security. This means in detail that apro.gmbh can support you from planning and implementation to operation. We specialize in BSI IT-Grundschutz, BSI standards, and NIS2, primarily serving the healthcare and public administration sectors. Furthermore, we advise on digital sovereignty and the secure development of AI infrastructures.
Torsten Brinker, CONSULECTRA: CONSULECTRA advises and supports its clients in the establishment and operation of management systems for information security, business continuity management, and data protection. We also offer internal audits and comprehensive technical examinations such as vulnerability scans and penetration tests. This portfolio is rounded off by our expertise in creating security concepts and conducting risk assessments.
Of course, current developments such as NIS2 or the so-called KRITIS umbrella law also flow into our project work. The legal and regulatory requirements overall, especially for our core market of energy supply, the lifelines of our society, are continuously increasing, and with them the demand for competent advice and practical solutions.
Andreas Ehre, cetecom advanced: At cetecom advanced, we approach the topic from a completely different direction: I deliberately pointed out vulnerabilities in my answer to the first question that can occur in almost all networked devices and apps. A sensor in a vehicle is also a networked component and a potential entry point. This is precisely where our cybersecurity services come in – embedded in our core business of testing and certifying innovative products.
As a company, we are taking on the requirements of NIS2 and BSI IT-Grundschutz. In our services, however, we focus particularly on the regulatory requirements for products. Relevant regulations here are especially the Radio Equipment Directive (RED) and the upcoming Cyber Resilience Act. We check whether our customers' products meet the requirements defined therein – through measurements in the laboratory, inspection of documentation, and, where necessary, also through evaluation of software code.
These guidelines increasingly also include requirements for processes and management systems within the developing companies. We also support our clients in fulfilling these requirements. We work with partner companies to ensure the separation of consulting and final certification.
The standards relevant to our services are therefore predominantly product-related, for example EN 18031 and EN 62443.
Cybersecurity and AI as Drivers of Change
How have your company's service offerings changed in recent years, particularly considering the increasing digital connectivity and threat landscape?
Tobias Apel, apro.gmbh: IT security is fundamentally the cornerstone of digital networking and must therefore always react to new threat situations. This systematic approach has not changed for apro.gmbh.
Andreas Ehre, cetecom advanced: At cetecom advanced, on the other hand, a completely new service package has emerged in recent years. Initially, we offered seminars in which we explained the legal background of cybersecurity requirements.
Intensive engagement followed in the development and transfer of requirements from precursor standards, such as the IoT standard EN 303 645, in which the first security-relevant performance characteristics were defined. These experiences have been incorporated in an improved form into the currently applicable standards.
Today, we are one of the first Notified Bodies authorized to officially examine and confirm the cybersecurity of RED (Radio Equipment Directive) products as part of the CE conformity assessment. We accompany our customers from the very beginning: from the structured documentation of their products' cybersecurity, through testing in our ISO 17025 accredited test laboratory, to the conformity assessment.
Torsten Brinker, CONSULECTRA: In 2021, CONSULECTRA established its own "Information and IT Security" business unit. Together with the other business units, we combine many years of industry experience in the energy sector with comprehensive knowledge of current security threats and appropriate protective measures. This exact combination is rare in the market and is increasingly appreciated by our customers.
What role does AI play in your work? Do you use AI-powered systems for attack detection or prevention? Or do you analyze customer needs, inquiries, or regulatory requirements using AI?
Andreas Ehre, cetecom advanced: No one will be able to avoid modern technologies in the future. Large Language Models (LLMs) today support many employees in their daily work, for example, in analyzing and categorizing standards. However, the critical eye of the expert remains indispensable.
In cetecom advanced's software development processes, AI-powered solutions are particularly helpful in creating test sequences, thereby accelerating quality assurance. There are also very practical applications: In our biometrics labs, we generate AI-based fingerprints for testing. This allows us to create realistic test scenarios while ensuring we handle personal data confidentially, as we are no longer reliant on real fingerprints.
To prevent cyberattacks, we rely on the analysis tools of established specialists. Developing our own solutions in this area would be too ambitious from our perspective. We want to excel at what we do best. This clear focus strengthens our customers' trust in our services.
Tobias Apel, apro.gmbh: At apro.gmbh, we are currently working on building our own AI infrastructure to speed up the creation of policies, concepts, and support documentation. This LLM will be built on an open-source LLM within our open-source cloud. This solution is being developed and implemented as part of a bachelor's thesis by our working student.
Torsten Brinker, CONSULECTRA: The energy industry is of particular, critical importance, so I must answer in a bit more detail: Of course, a new technology like AI will change our working world and business life, just as new technologies have done in the past; there is no doubt about that. The question, however, is where, when, and to what extent these changes will occur. Our current analysis of customer needs in the energy industry shows that while AI is recognized and cautiously observed by our customers, and there are initial project ideas, we do not yet see any significant developments or project needs, and we have not yet received any project inquiries.
This certainly has to do with the still widespread lack of knowledge about AI applications, on the one hand, and the obligation to data sovereignty, for example, of a network operator, on the other. The latter is a fundamental prerequisite for the stability of our networks and energy supply, purely from a physical standpoint.
Crucially, CONSULECTRA is not an IT systems house, IT implementer, AI solution developer, or provider itself, as Andreas also explained for cetecom advanced. And as a consulting firm, we have no direct influence on technological advancements at our clients. Our competencies lie rather in indirectly developing solution concepts through our very technically oriented, specialized consulting services, which are then, if they are convincing, commissioned and implemented by our clients. We therefore identify the need, often from a regulatory perspective, and assess the current situation and weaknesses, for example, in the IT landscape and processes. Subsequently, we search for the best available answer, service, or solution concept on the market for the client. Depending on the depth of the engagement, our support can extend to implementation.
Following this methodology, for which we are renowned in the energy market, we naturally also observe the needs for possible AI application use cases. This is a given and we must be capable of it! However, interest is currently rather reserved, presumably also because the energy industry's focus is currently on other major challenges, such as grid expansion, intelligent grid management, and the further integration of renewable energies. This can, of course, change – our competitors and we are observing the developments here with great interest.
In our own company, however, we began using AI in 2025 to gain experience. But here too, as a KRITIS company, our customers restrict us with security limitations and very narrow margins for AI use, and in some cases, it is even forbidden. This also reflects the caution of energy providers regarding AI use.
Therefore, our experience to date has been limited to areas of our own value enhancement, such as researching publicly available data, which in most cases already represents a time saving for us. The conclusion remains: Due to the very understandable security concerns of our customers mentioned above, we unfortunately cannot use AI for customer-specific projects with customer-specific information at this time.
The Path to the Future
What approaches does your company take to keep pace with the rapid development in the field of generative AI? Do you think that in the future your services, such as security architectures, KRITIS training and support, or certification services, will still be competitive without AI components?
Torsten Brinker, CONSULECTRA: In our assessment, AI will not lead to the displacement of our specific consulting and project management services within our client environment.
It is clear that AI will also provide support in our current complex services. However, in our opinion, the core benefit of AI models lies in the ultra-fast processing of mass data and their processing. Here, AI capabilities will quickly lead to cost savings, and this will soon be realized in the energy industry, for example, in customer service. Here, AI can quickly create added value and benefit.
In contrast, our very specific customer projects, which rely on the individual experiences of our consultants and planners and relate to custom individual tasks, require competencies that are currently anchored within individuals. Nevertheless, we are seeing developments here as well, because against the backdrop of demographic change, our specific knowledge will also need to be made available to a wider customer base more quickly and broadly in the future.
Andreas Ehre, cetecom advanced: I also think generative AI will find its way into almost all processes – including inspection and certification services. But like Torsten, I say: certification will remain an expert decision based on deep technical knowledge and experience. However, the wealth of experience can be specifically utilized by analyzing existing data and certification databases.
AI systems can recognize patterns in a variety of historical certification cases and provide informed suggestions to the expert. This accelerates decision-making processes and filters out irrelevant decision paths early. The final decision and responsibility remain with the certification expert.
Companies that do not use such tools will find it difficult to offer their services with the quality and speed that the market expects in the future. AI components will therefore become an essential competitive factor.
Tobias Apel, apro.gmbh: Clearly, none of us will get around the "AI hype." Especially because this path also means a reduction in workload for our employees. However, as my colleagues have explained, where and in which areas the use of AI is truly sensible must be carefully examined and considered. I also don't believe that artificial intelligence will make security decisions for an institution in the future; however, it seems quite realistic to me that it will provide support in decision-making.
Where do you see Germany in international comparison – are we technologically well-positioned? How would you assess the current state of cybersecurity in German companies in general or with your clients specifically?
Tobias Apel, apro.gmbh: From my perspective, Germany is far from having an acceptable technical setup. The entire infrastructure across the country must primarily focus on processes for digitalization, which need to be simplified. We see with our clients that they are generally aware of cybersecurity, but from a professional standpoint, they need to allocate higher budgets against the backdrop of the increasing threat landscape. However, we are observing instead that some clients who were affected by a threat situation have forgotten about this incident relatively quickly.
Andreas Ehre, cetecom advanced: I would like to refrain from making general statements here, as I am not as deeply involved in all areas of cybersecurity as Tobias is.
However, we clearly see with cetecom advanced's customers – they primarily come from Germany and Europe – that cybersecurity is constantly gaining in importance. The demand for our related services is continuously increasing. Of course, current regulations contribute to this, but even the announcement of the Cyber Resilience Act has triggered a significant shift in thinking in many companies.
When it comes to securing one's own IT infrastructure, it's unlikely anyone today seriously believes they will be spared from cyberattacks. I actually assume that IT experts in companies are aware of their challenges and master them as far as possible - even if Tobias observes otherwise here. Our parent company RWTÜV can be cited as an example: In recent years, it has increasingly invested in companies for which cybersecurity or AI are part of their daily business. This creates a foundation from which other companies in the RWTÜV Group - and thus also cetecom advanced - can benefit.
Torsten Brinker, CONSULECTRA: An objective comparison is of course difficult, but significant investments have been made in recent years, particularly in our core industry, the energy sector, to improve cybersecurity. Nevertheless, failures of critical infrastructure, even in Germany, demonstrate how vulnerable these systems continue to be. One hundred percent protection will not be possible. Therefore, it is all the more important that, in addition to all technical protection measures, we also develop emergency plans to remain operational in the event of a failure. It is secondary whether the failure is caused by a cyberattack, a technical defect, or a natural event.
The RWTÜV Group – Role Model and Pioneer
How can the RWTÜV Group contribute to improving cybersecurity in Germany? Do you see potential for synergy within your companies and also the other subsidiaries?
Tobias Apel, apro.gmbh: I believe that the RWTÜV Group can make a valuable and sustainable contribution to improving and shaping cybersecurity and strengthening digital resilience solely through participation in relevant committees (Bitkom, TeleTrusT, etc.).
Torsten Brinker, CONSULECTRA: CONSULECTRA has particular experience with cybersecurity consulting regarding specific aspects of the energy industry, such as risk management in grid control, secondary technology, or power plant technology.
However, since cyber risks are not limited to individual sectors of our society in principle but exist universally, our services can also be offered to other parts of the economy to a certain extent. I do believe that in the medium term, we could also leverage a more holistic sales approach within the RWTÜV Group for the cross-sector marketing of individual group services.
In the short term, from CONSULECTRA's perspective, we can of course contribute our aforementioned services and experience in cybersecurity throughout the entire RWTÜV Group to enable the group's resilience.
Andreas Ehre, cetecom advanced: I also believe that the RWTÜV Group bundles a number of companies for whom safety, quality, and reliability are the core business – increasingly also in the digital space. Many subsidiaries are directly involved in cybersecurity, critical infrastructures, or the secure use of AI. This expertise is available to the entire group and could also become a lever for strengthening cybersecurity in Germany.
For cetecom advanced, the exchange with these specialized cybersecurity and AI companies within the RWTÜV Group is particularly valuable. We draw on their expertise when it comes to specific questions about IT infrastructure, attack detection, or the secure design of processes. Conversely, we contribute our experience from product testing, standardization, and certification.
This is how synergies are created: We can offer our customers a broader, coordinated portfolio of services – from a secure IT environment to a certified, compliant product. Bundling these competencies within a group builds trust in the market and helps companies think about cybersecurity holistically.
And finally, a recommendation: What is the most important step any company should take immediately towards greater cyber resilience?
Torsten Brinker, CONSULECTRA: Clearly: Updates and security patches must be installed immediately after they are released!
Andreas Ehre, cetecom advanced: The most important step, in my view, is to create transparency about one's own risks, and not just in IT, but along the entire value chain. This includes an honest assessment: Which systems are networked? Where are there external interfaces? Which data is particularly sensitive and requires protection?
On this basis, prioritized measures can be derived – from simple organizational steps such as awareness-raising and clear responsibilities to technical security mechanisms and tested, secure products. A company that knows its critical assets and vulnerabilities can invest strategically and remains capable of action even in an emergency.
Cybersecurity is not a one-time project, but an ongoing process. Therefore, the first concrete step is to anchor this topic as a fixed component of corporate governance – with clear responsibilities, regular reviews, and the willingness to learn from incidents.
Tobias Apel, apro.gmbh: Exactly. The comprehensive inventory, assessment, and ultimate establishment of a Business Continuity Management System (BCMS) should be the highest priority in any institution's cyber resilience strategy. The reason for this is obvious: Many institutions do not adequately understand their own business processes and therefore cannot assess which of their business processes are actually critical. Consequently, they can neither be adequately protected nor secured with appropriate measures to ensure a rapid restoration of equivalent operations in the event of a threat. For me, this would be the most important step!
7 Facts …

… about CONSULECTRA
- CONSULECTRA is a consulting and planning company in the utility and energy industry and has been part of the RWTÜV Group since 2005. The company, managed by CEO Torsten Brinker, is headquartered in Hamburg, with another branch in Düsseldorf.
- Its areas of expertise include the planning and design of energy plants and grids, consulting services in grid operations and grid and system management for utility companies, consulting in the area of information and IT security for KRITIS companies, and energy industry strategy consulting.
- CONSULECTRA's clients include municipal utilities, regional suppliers, industrial and research companies, traffic network operators, transmission and distribution network operators, and power plant operators.
- In the business area of Planning & Project Engineering for Energy Facilities & Grids, CONSULECTRA provides planning, project engineering, and construction supervision for the erection of cable and overhead line routes, switchgear, and the planning of charging infrastructure in energy grids.
- In the area of consulting services for network and operational management, CONSULECTRA handles the conception, implementation, and modification of network control systems in network and system management, as well as other IT systems in the energy industry.
- In the field of information and IT security, CONSULECTRA offers critical infrastructure companies management consulting services for the implementation of ISMS standards, BCMS standards, including security analyses or penetration tests to increase robustness and resilience.
- In the field of Energy Industry Strategy Consulting, the focus is on business segment development for utility companies, digitalization support, cooperation management, change management within companies, and consulting on process and organizational optimization.

… about apro.gmbh
- Tobias Apel is the Managing Director of apro.gmbh, an IT consulting firm that has been part of the RWTÜV Group since 2022.
- The colleagues from Erfurt specialize in technical and organizational IT security and are active in, among others, the KRITIS sectors of public administration, defense, and healthcare.
- apro.gmbh supports compliance with national and international security standards. Additionally, the company plans, configures, and establishes high-security and high-availability infrastructures.
- The portfolio includes specialized security products from the areas of managed services and digital sovereignty.
- The security experts at apro.gmbh also offer individual services for data centers.
- To maintain business operations and IT processes in special (crisis) situations, BCM (Business Continuity Management) professionals advise clients primarily from the healthcare sector.
- In addition to consulting, apro.gmbh offers vulnerability management and Extended Detection and Response (XDR) services.

… about cetecom advanced
- cetecom advanced has locations in Essen and Saarbrücken and is the testing and certification company of the RWTÜV Group.
- Customers are manufacturers of technology products with and without radio technologies, who are supported from the initial idea to market launch.
- The company ensures that products can be approved worldwide, meaning they receive all necessary tests and certifications. This involves checking whether devices comply with all important standards and regulations, for example, regarding safety, radio technology, or quality.
- cetecom advanced specializes in modern technologies such as radio technologies (including radar, UWB), automotive emergency call systems (eCall), smart cards, and contactless payment. The security of networked devices is also tested to protect them from hacker attacks.
- The company, led by Managing Director Andreas Ehre, also supports the development of new testing rules as a member of international expert committees.
- The testing laboratories are certified to the highest quality standards and enjoy the utmost trust from customers and authorities.
- Overall, cetecom advanced is an important partner for technology companies looking to bring their products to market safely, reliably, and quickly.
