The European Union is strengthening the cyber security of its member states. The NIS-2 (Network and Information Security) Directive was published by the EU on 27 December 2022 and entered into force on 16 January 2023. As a directive on measures for a high common level of cyber security in the Union, the NIS-2 Directive aims to create a uniform level of protection for critical infrastructure network and information systems. With expanded and clearly defined critical sectors compared to the previous NIS Directive of 2016, NIS-2 must be transposed into national law by 17 October 2024. 17 October 2024 is thus also the deadline for implementation in the company, as NIS-2 provides for significantly fewer degrees of freedom for implementation in the member states.
With the extension of the scope to additional sectors, the cybersecurity level of the affected institutions will be put to the test. Companies are urged to take action now and assess their affectedness as well as their preparations for NIS-2 against this directive. Additional regulations for individual sectors (including DORA for financial service providers as well as the directive on the resilience of critical facilities (CER)) are being prepared in parallel and are to interact coherently in the future.
KPMG approach
Companies must take appropriate and proportionate measures based on comprehensible risk management. These measures should be based on a holistic and threat-oriented management approach aimed at preventing security incidents or minimising their impact.
Chart (in German only)
Dr. Michael Falk
Partner, Consulting, Cyber Security
KPMG AG Wirtschaftsprüfungsgesellschaft
Wilhelm Dolle
Partner, Consulting, Head of Cyber Security
KPMG AG Wirtschaftsprüfungsgesellschaft
Our approach begins with an analysis phase in which we examine the impact of the guidelines on your company. We then conduct a readiness assessment in the identified affected areas of the company. On this basis, we define the necessary measures to successfully meet the requirements.
Our defined individual packages of measures cover important areas such as governance, cooperation with authorities including notification and reporting obligations and regulatory monitoring during implementation. In addition, we offer workshops and training on NIS-2 and other related EU directives in the field of cyber security. So that we ensure that your implementation meets the requirements and synergies are used.
Furthermore, we offer you the possibility to take advantage of individual service packages as required. You have the option of selecting those that best fit the specific requirements of your company.
Your advantages
- Identification of the degree of impact in various business areas as well as concrete recording of direct and indirect effects in regulated sectors.
- Insights into the current status and necessary steps to improve cyber security as well as the implementation of NIS-2 requirements.
- Building a robust cyber security framework and best possible outcomes in terms of implementation of NIS-2 measures.
- Meeting regulatory obligations and responding effectively to incidents and crises to ensure network and information security
- Integration of specific national regulatory requirements and government practices
Impact analysis & scoping
The Affectedness Analysis allows companies to determine the level of NIS-2 affectedness. Product features, services and customers are assessed to determine levels of concern and to create a cluster of concerns.
Based on the results of the analysis, a concrete NIS-2 scoping is then carried out.
Welcome to KPMG's NIS-2 analysis
This impact analysis analyses whether and to what extent your company is affected by the NIS2 Directive. It is possible to be either directly affected or not affected. This analysis only relates to the NIS2 Directive and is aimed at companies.
A company is any business entity that carries out an economic activity, regardless of its legal form. This includes, in particular, self-employed persons and family businesses that carry out craft or other activities, as well as partnerships or associations that regularly carry out an economic activity.
Click here for the impact assessment under the NIS2 Directive. This impact assessment serves to estimate the extent of the impact on your organisation as a potentially essential or significant organisation. This analysis is limited to the NIS2 Directive and its requirements for affectedness.
Disclaimer: This is not a final assessment, but a non-binding initial assessment. It should be noted that the regulations of the Member States may provide for a different scope of application.
KPMG NIS-2 Readiness Assessment
In our NIS-2 Readiness Assessment, we evaluate the current status of the regulatory security measures and develop a prioritised roadmap for more security in your company.
In doing so, we take into account the individual cyber risk of your company, current better practices for implementation and the sustainability of the measures introduced. We are guided by the state of the art and adapt the implementation recommendations to the strategic goals of the company.
Cyber Governance
In cyber governance, KPMG focuses on supporting companies in actively mitigating risks and implementing appropriate security measures. This includes the entirety of structural and procedural organisation, clearly defined responsibilities and thus a framework in which responsibilities for decision-making are comprehensibly anchored in the organisation. The appropriate involvement of the bodies at management level must be taken into account as well as responsibilities in operational security processes.
Regulatory monitoring for implementation
We help you prepare for the different regulatory requirements. To do this, we identify the countries relevant to the company, analyse national regulations, regulatory practice and use this to create a regulatory inventory.
Reporting to the authorities
Our offer includes the identification and assessment of existing security incident processes as well as the involvement of relevant stakeholders in security incident management. We analyse and evaluate existing processes and develop a customised reporting process. In doing so, we define criteria for the assessment of incidents and create a concept for reporting information security incidents to authorities.
Workshops and trainings
With our customised workshops and trainings, specifically tailored to your needs and for different target groups, we ensure that participants receive the knowledge they need to effectively implement NIS-2 in their respective areas.
In these trainings, we provide general recommendations for optimising internal processes and increasing efficiency and synergy. Our experts conduct the workshops and trainings to provide you with practical insights and valuable knowledge.