Patch wave: what the NCSC warning means for German mid-market businesses

The UK's NCSC has warned of an incoming wave of security-critical patches. What does that mean for mid-market IT teams — and for the upcoming compliance pressure of the EU Cyber Resilience Act?

Summary in 90 seconds

The UK National Cyber Security Centre (NCSC) is warning of a 'patch wave' — an influx of security-critical software updates that organisations will have to deploy across their stacks in the coming months. Three concrete actions: minimise your attack surface now, get your patch pipeline up to speed (critical patches within seven days, actively exploited within 24–48 hours), enable automation where possible. For German mid-market businesses, a second layer applies: from 11 September 2026, the EU Cyber Resilience Act turns patch speed into a compliance obligation. Anyone not testing today whether their pipeline can deliver risks having two problems instead of one in four and a half months.

What the warning means in practice — and what we're doing about it

What the NCSC warning says

The UK National Cyber Security Centre has published a blog post that's unusually direct in tone. In essence: a 'patch wave' is coming — a clustering of security-critical software updates that organisations will need to deliver and roll out over the coming months. The NCSC names three concrete preparation measures, applicable regardless of organisation size:

  • Attack surface management. Identify and reduce internet-facing and other externally-exposed systems now — starting at the perimeter, then working inwards, including cloud instances and on-premises environments.
  • Upgrade your patching strategy. Patch fast, frequently, and at scale — including across your supply chain. The NCSC expects an influx of updates across all severities, with a significant share critical.
  • Automation, where available. Prioritise hot patching without service disruption. Enable automatic updates for embedded devices to reduce the load on support teams.

What the NCSC doesn't spell out: anyone who doesn't have these three points under control today is in for a very uncomfortable summer.

Why this affects German mid-market businesses

A UK authority primarily addresses British organisations. But the underlying technical realities cross borders. Linux kernel vulnerabilities, OpenSSL patches, container base image updates, browser vulnerabilities — they affect stacks regardless of national authority structures.

For German mid-market businesses, a second layer applies. Under the Cyber Resilience Act (Regulation 2024/2847), an EU-wide obligation kicks in on 11 September 2026 to report actively exploited vulnerabilities to the EU Single Reporting Platform within 24 hours. So anyone who doesn't know today how fast their stack can react to a critical CVE has a compliance problem on top of the technical one in four and a half months.

Three measures we recommend to mid-market customers

1. Maintain an attack surface inventory — not just servers

Most mid-market organisations underestimate their attack surface. 'We have three servers' — but on top of that come 14 SaaS accounts with administrative access, 22 container images from three registries, 47 browser extensions across the workforce, and a VPN gateway that hasn't seen a major upgrade in 18 months. The NCSC recommendation 'internet-facing first, then inwards' only works if the inventory is complete in the first place.

Concrete steps: an automated asset inventory (CMDB module or a dedicated tool) drawing from Active Directory, the hypervisor registry, cloud console APIs and container registries. Plus a quarterly manual review against the shadow-IT reality that lives outside those sources.
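As an added illustration of the inventory step above (example code written for this article, not a product or the consultancy's own tooling), the script below merges records from several sources into one inventory, deduplicates assets that appear in more than one source, and orders the result perimeter-first. The four exports and the common record schema (name, kind, exposure, last_patched) are constructed assumptions; a real inventory would map each source's own fields onto them.

```python
"""Consolidate asset records from several sources into one perimeter-first inventory.

Added example, not the article's or any vendor's code. The four exports below are
constructed samples standing in for what an Active Directory export, a hypervisor
API, a cloud console API and a container registry would return; the record fields
(name, kind, exposure, last_patched) are an assumed common schema, not any
product's format.
"""
from datetime import date

TODAY = date(2026, 4, 27)  # constructed reference date for the staleness checks

SOURCES = {
    "active_directory": [
        {"name": "dc01.corp.example", "kind": "server", "exposure": "internal", "last_patched": "2026-04-10"},
        {"name": "vpn01.corp.example", "kind": "vpn-gateway", "exposure": "internet", "last_patched": "2024-10-02"},
    ],
    "hypervisor": [
        {"name": "dc01.corp.example", "kind": "server", "exposure": "internal", "last_patched": "2026-04-12"},
        {"name": "web01.corp.example", "kind": "server", "exposure": "internal", "last_patched": "2026-03-28"},
    ],
    "cloud_api": [
        # The load balancer in front of web01 makes it internet-facing even though the VM looks internal.
        {"name": "web01.corp.example", "kind": "server", "exposure": "internet", "last_patched": "2026-04-01"},
        {"name": "analytics.saas.example", "kind": "saas", "exposure": "internet", "last_patched": "2026-04-20"},
    ],
    "container_registry": [
        {"name": "registry.example/app:1.4", "kind": "container-image", "exposure": "internal", "last_patched": "2025-11-15"},
        {"name": "registry.example/edge-proxy:2.1", "kind": "container-image", "exposure": "internet", "last_patched": "2026-02-03"},
    ],
}


def merge_sources(sources):
    """Merge per-source record lists into one list of unique assets keyed by name."""
    merged = {}
    for source_name, records in sources.items():
        for rec in records:
            name = rec["name"].lower()
            patched = date.fromisoformat(rec["last_patched"])
            if name not in merged:
                merged[name] = {"name": name, "kind": rec["kind"], "exposure": rec["exposure"],
                                "last_patched": patched, "sources": {source_name}}
                continue
            cur = merged[name]
            # Seen before: union the sources, keep the most recent patch date, and treat the
            # asset as internet-facing if any source says so (the most exposed view wins).
            cur["sources"].add(source_name)
            cur["last_patched"] = max(cur["last_patched"], patched)
            if "internet" in (cur["exposure"], rec["exposure"]):
                cur["exposure"] = "internet"
    return list(merged.values())


def days_since_patch(asset, today):
    return (today - asset["last_patched"]).days


def perimeter_first(inventory, today):
    """Order assets the way the NCSC suggests working: internet-facing first, oldest patch level first."""
    return sorted(inventory, key=lambda a: (a["exposure"] != "internet", -days_since_patch(a, today)))


def stale(inventory, today, max_days):
    """Assets whose last recorded patch is older than max_days."""
    return [a for a in inventory if days_since_patch(a, today) > max_days]


if __name__ == "__main__":
    inventory = merge_sources(SOURCES)
    for asset in perimeter_first(inventory, TODAY):
        flag = "STALE" if days_since_patch(asset, TODAY) > 90 else "ok"
        print(f"{asset['exposure']:8} {days_since_patch(asset, TODAY):4}d {flag:5} {asset['name']} "
              f"({', '.join(sorted(asset['sources']))})")
```

The merge deliberately resolves conflicts towards the more exposed and more recently patched view; if two sources disagree about exposure, the inventory should err on the side of treating the asset as internet-facing until someone verifies otherwise.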

2. Test the speed of your patch pipeline

The more important question than 'can we patch?' is: 'Can we deliver critical patches within seven days, without hero mode?' Most mid-market pipelines can't — not from technical inability, but because they've never been tested under realistic load.

Test exercise: Take a 12-month-old major version of one of your products and try to ship a synthetic critical CVE patch in 10 days. If the pipeline for the old version is no longer working because two maintainers have left and the CI config got lost in Confluence — you know the problem. Fix it before the patch wave hits.

3. Automation, where it pays off

Hot patching doesn't work everywhere, but where it does (Linux kernel with live patching, browser auto-updates, container rolling restarts), it should be enabled. For embedded devices: whatever update mechanism was designed in needs to be active today, not when the first CVE shows up in the field.

Plus: SBOM monitoring against the relevant databases, dependency update bots like Renovate with auto-merge for non-critical patch bumps, CVSS-score-based triage instead of hand sorting, cosign-signed releases as standard. These aren't exotic tools any more — they're industry standards every serious stack in 2026 has set up.

How we handle this ourselves

A recommendation without your own practical experience is hollow consultancy. We use what we build.

Concretely: we generate CycloneDX SBOMs per build, sign our container images with cosign, run vulnerability scans automatically against current databases, prioritise patches by CVSS score without manual triage, keep our patch pipeline up to speed with Renovate, and have our 24-hour vulnerability reporting procedure documented and rehearsed. The pipeline isn't spectacular — it's reliable.

For the recently discussed CVE-2026-31431 ('Copy Fail') in the Linux kernel crypto API, we rebuilt and rolled out the affected container images within one working day — not because we're heroes, but because the pipeline is built for exactly that.

Frequently asked questions on patch wave preparation

Do we really have to react to every CVE?

No. You have to assess every CVE — and within a defined timeframe. A vulnerability in a component you don't use isn't your problem; one in a component without public exposure is a different problem from an internet-facing one. Without an SBOM and without automated monitoring, this assessment isn't systematically possible — then every CVE becomes a hero action. With the right tools, the assessment is done in minutes.
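To make the assessment in the answer above concrete, and as an added example of the SBOM monitoring and CVSS-based triage mentioned under measure 3 (example code written for this article, not the consultancy's pipeline or any scanner's implementation), the script below reads a minimal CycloneDX SBOM, matches its components against a vulnerability feed by package URL and version, discards entries for components you don't run or versions you don't use, and assigns a deadline from exploitation status, CVSS and exposure. The SBOM, the feed, the placeholder vulnerability IDs and the exposure map are all constructed; the 48-hour and seven-day limits follow the article's rule of thumb, the lower tiers are assumed policy values.

```python
"""Match a CycloneDX SBOM against a vulnerability feed and triage findings by CVSS and exposure.

Added example, not the article's or any tool's code. The SBOM and the feed are constructed
minimal samples (real feeds such as OSV or NVD carry far richer records); vulnerability IDs
are placeholders, not real CVEs. The exposure map is an assumption standing in for data
that would normally come from the asset inventory.
"""
import json

# Constructed CycloneDX-style SBOM: only the fields this example reads.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.2.1", "purl": "pkg:generic/openssl@3.2.1"},
    {"type": "library", "name": "libxml2", "version": "2.12.5", "purl": "pkg:generic/libxml2@2.12.5"},
    {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"}
  ]
}"""

# Constructed vulnerability feed keyed by package URL without the version part.
VULN_FEED = [
    {"id": "EXAMPLE-VULN-0001", "purl": "pkg:generic/openssl", "affected_versions": ["3.2.0", "3.2.1"], "cvss": 9.8, "exploited": True},
    {"id": "EXAMPLE-VULN-0002", "purl": "pkg:generic/libxml2", "affected_versions": ["2.12.5"], "cvss": 6.5, "exploited": False},
    {"id": "EXAMPLE-VULN-0003", "purl": "pkg:npm/lodash", "affected_versions": ["4.17.20"], "cvss": 7.5, "exploited": False},  # not our version
    {"id": "EXAMPLE-VULN-0004", "purl": "pkg:pypi/requests", "affected_versions": ["2.31.0"], "cvss": 8.1, "exploited": False},  # not in our SBOM
]

# Assumed exposure per component; in practice this comes from the asset inventory.
EXPOSURE = {"openssl": "internet", "libxml2": "internal", "lodash": "internet"}


def split_purl(purl):
    """'pkg:generic/openssl@3.2.1' -> ('pkg:generic/openssl', '3.2.1')."""
    base, _, version = purl.partition("@")
    return base, version


def match_sbom(sbom_json, feed):
    """Return feed entries that hit a component *and* a version actually present in the SBOM."""
    sbom = json.loads(sbom_json)
    index = {}
    for comp in sbom["components"]:
        base, version = split_purl(comp["purl"])
        index[base] = (comp["name"], version)
    findings = []
    for vuln in feed:
        hit = index.get(vuln["purl"])
        if hit is None:
            continue  # component we don't ship: not our problem
        name, version = hit
        if version not in vuln["affected_versions"]:
            continue  # we run an unaffected version
        findings.append({"id": vuln["id"], "component": name, "version": version,
                         "cvss": vuln["cvss"], "exploited": vuln["exploited"]})
    return findings


def deadline_hours(cvss, exploited, internet_facing):
    """Time-to-patch budget. First two tiers follow the article's rule of thumb; the rest are assumed."""
    if exploited:
        return 48
    if cvss >= 9.0 and internet_facing:
        return 7 * 24
    if cvss >= 7.0:
        return 30 * 24   # assumed tier for high severity without the critical/internet combination
    return 90 * 24       # assumed tier for everything else: next regular maintenance cycle


def triage(findings, exposure):
    """Attach exposure and deadline to each finding; most urgent first, then highest CVSS."""
    out = []
    for f in findings:
        internet = exposure.get(f["component"], "internal") == "internet"
        out.append({**f, "internet_facing": internet,
                    "deadline_hours": deadline_hours(f["cvss"], f["exploited"], internet)})
    return sorted(out, key=lambda f: (f["deadline_hours"], -f["cvss"]))


if __name__ == "__main__":
    for f in triage(match_sbom(SBOM_JSON, VULN_FEED), EXPOSURE):
        print(f"{f['id']}: {f['component']} {f['version']} cvss={f['cvss']} "
              f"exploited={f['exploited']} internet={f['internet_facing']} -> {f['deadline_hours']}h")
```

Two of the four feed entries never become findings: one hits a component that isn't in the SBOM, the other a version that isn't deployed. That filtering is exactly the "component you don't use isn't your problem" step, and it only works if the SBOM is generated per build rather than maintained by hand.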

How fast is 'fast enough' for a patch pipeline?

It depends on severity and exposure. Rule of thumb for internet-facing critical vulnerabilities: maximum seven days from CVE publication to delivered patch. For actively exploited vulnerabilities: significantly less, ideally 24–48 hours. If your pipeline doesn't deliver these speeds today, the patch wave is the worst time to find that out.
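The test exercise under measure 2 and the thresholds above only help if you actually measure the result. The script below, an added example written for this article rather than code from the consultancy's pipeline, takes a log of when each (synthetic) CVE became public and when the rebuilt artifact was delivered, and reports per CVE whether the seven-day or 48-hour budget was met, breached, or is still open. The log entries, their timestamps and IDs are constructed; the two SLA values are the article's rule of thumb.

```python
"""Check time-to-patch per CVE against the seven-day / 48-hour targets.

Added example, not the article's or any tool's code. PIPELINE_LOG is a constructed record
of a test exercise: timestamps are UTC, IDs are placeholders for synthetic CVEs. SLA_HOURS
carries the article's rule of thumb; a real policy would add tiers for lower severities.
"""
from datetime import datetime

SLA_HOURS = {"exploited": 48, "critical": 7 * 24}

PIPELINE_LOG = [
    # critical, not exploited: delivered after ~4.3 days -> inside the seven-day window
    {"id": "EXAMPLE-CVE-A", "published": "2026-04-01T09:00:00", "exploited": False, "delivered": "2026-04-05T16:30:00"},
    # actively exploited: delivered after 68 hours -> 48-hour window missed
    {"id": "EXAMPLE-CVE-B", "published": "2026-04-03T12:00:00", "exploited": True, "delivered": "2026-04-06T08:00:00"},
    # critical, no delivery yet: ten days old at evaluation time -> overdue
    {"id": "EXAMPLE-CVE-C", "published": "2026-04-10T00:00:00", "exploited": False, "delivered": None},
]
NOW = datetime(2026, 4, 20, 0, 0, 0)  # constructed evaluation time


def sla_hours(record):
    """Exploited vulnerabilities get the short budget; everything else in this log is critical."""
    return SLA_HOURS["exploited"] if record["exploited"] else SLA_HOURS["critical"]


def evaluate(log, now):
    """Per CVE: elapsed hours (to delivery, or to `now` if still open), the budget, and a status."""
    results = []
    for rec in log:
        published = datetime.fromisoformat(rec["published"])
        delivered = datetime.fromisoformat(rec["delivered"]) if rec["delivered"] else None
        elapsed = ((delivered or now) - published).total_seconds() / 3600
        limit = sla_hours(rec)
        if elapsed > limit:
            status = "breached"   # delivered late, or still open past the deadline
        elif delivered is None:
            status = "open"       # not delivered yet, but still inside the window
        else:
            status = "met"
        results.append({"id": rec["id"], "hours": round(elapsed, 1), "limit_hours": limit, "status": status})
    return results


def pipeline_ready(results):
    """The exercise passes only if nothing in the log breached its budget."""
    return not any(r["status"] == "breached" for r in results)


if __name__ == "__main__":
    outcome = evaluate(PIPELINE_LOG, NOW)
    for r in outcome:
        print(f"{r['id']}: {r['hours']:6.1f}h of {r['limit_hours']}h -> {r['status']}")
    print("pipeline ready:", pipeline_ready(outcome))
```

Feed it the real timestamps from your CI system and the NVD or vendor publication time, and the number that matters is the worst case over the last twelve months, not the average: a pipeline that usually delivers in two days but took three weeks once because a maintainer was on leave is the pipeline the patch wave will find.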

What if our software suppliers are slower than us?

That's the more uncomfortable question. You can trim your own pipeline for speed, but if a critical supplier (CMS, ERP, payment provider, analytics) only patches after weeks, you're exposed via the supply chain. Measures: documented SLAs for security patches in supplier contracts, alternative providers identified per critical component, documented mitigation options (WAF rules, feature flags) for worst-case scenarios.

Is auto-update enough for our compliance obligations?

Auto-update is a tool, not a compliance proof. You need verifiable control: which versions ran when, which patches were applied when, who verified that. In principle this is feasible with any decent asset management tool — but auto-update alone without logging and without reporting isn't sufficient for CRA, NIS2 and ISO 27001.

When does external help pay off?

When you find while reading this that your pipeline doesn't cover several of the three measures above, and your team has no bandwidth alongside day-to-day work to go through the CRA's detailed requirements. A three-week audit (see CI/CD Security Audit) gives you an honest diagnosis with a concrete catalogue of actions. After that, you decide whether to implement it yourself or with our support.

If the patch wave catches you by surprise

The next few months will be uncomfortable for many mid-market IT teams. If you find while reading this that your pipeline doesn't cover the three measures above, a 30-minute first call is the lowest-threshold next step. No pitch, no follow-up email sequence, no standard sales route.

30-minute slot, available online.