The European Union is strengthening the cyber security of its member states. The NIS-2 Directive (Directive (EU) 2022/2555 on network and information security) was published in the Official Journal of the EU on December 27, 2022 and entered into force on January 16, 2023. As a directive on measures for a high common level of cybersecurity across the Union, NIS-2 aims to establish a uniform level of protection for the network and information systems of essential and important entities. Compared with the first NIS Directive of 2016, it covers more sectors and defines them more clearly. Member states must transpose NIS-2 into national law by October 17, 2024. Because NIS-2 leaves the member states significantly less room for deviation than its predecessor, companies should treat October 17, 2024 as their own implementation deadline as well, even though the obligations that actually bind them are those of the national transposition law. 

With the extension of the scope to additional sectors, the cybersecurity level of the newly affected entities will be put to the test. Companies should act now, determine whether and how they are affected, and assess their preparations against the directive. Further regulations for individual sectors, including DORA for the financial sector and the Directive on the resilience of critical entities (CER), were adopted in parallel with NIS-2 and are intended to interlock coherently with it. 

Chart (in German only)

KPMG approach

Companies must take appropriate and proportionate measures on the basis of a traceable, documented risk management process. These measures should follow a holistic, threat-oriented management approach aimed at preventing security incidents or minimizing their impact.

Our approach begins with an analysis phase in which we examine the impact of the directive on your company. We then carry out a readiness assessment in the areas of the company identified as affected. On this basis, we determine the measures required to meet the requirements.

Our individual packages of measures cover key areas such as governance, cooperation with the authorities (including notification and reporting obligations) and regulatory monitoring during implementation. In addition, we offer workshops and training on NIS-2 and related EU cybersecurity legislation. This ensures that your implementation meets the requirements and that synergies between the regulations are exploited.

You can also take up individual service packages as required, selecting those that best fit the specific requirements of your company.

Impact analysis & Scoping

The impact analysis enables companies to determine the degree to which they are affected by NIS-2. Whether an entity falls within scope depends primarily on the sector in which it operates (Annexes I and II of the directive) and on its size under the medium-enterprise thresholds, with certain entities covered regardless of size. Product features, services and customers are evaluated to determine the degree of impact and to form an impact cluster. 

Based on the results of the analysis, a concrete NIS-2 scoping is then carried out. 

KPMG NIS-2 Readiness Assessment

In our NIS-2 Readiness Assessment, we evaluate the current status of the security measures required by the regulation and develop a prioritized roadmap for closing the gaps identified in your company. 

We take into account the individual cyber risk of your company, current good practices for implementation and the sustainability of the measures introduced. We are guided by the state of the art and adapt the implementation recommendations to the company's strategic goals.

Cyber governance

In cyber governance, KPMG focuses on supporting companies in actively mitigating risk and implementing suitable security measures. This covers the entire structural and procedural organization, clearly defined responsibilities and thus a framework in which decision-making responsibilities are comprehensibly anchored in the organization. NIS-2 explicitly requires the management bodies of affected entities to approve the cybersecurity risk-management measures, to oversee their implementation and to undergo training; they can be held accountable for infringements. The appropriate involvement of management-level bodies must therefore be taken into account, as must responsibilities in operational security processes.

Regulatory monitoring for implementation

We help you to prepare for the various regulatory requirements. To do this, we identify the countries relevant to the company, analyze national regulations and official practice and use this to create a regulatory inventory.

Reporting to the authorities

Our services include the identification and evaluation of existing security incident processes and the involvement of relevant stakeholders in security incident management. We analyze and evaluate existing processes and develop a tailor-made reporting process. In doing so, we define criteria for assessing incidents and create a concept for reporting information security incidents to the authorities. NIS-2 prescribes a staged reporting procedure for significant incidents: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours and a final report within one month, which the internal assessment and escalation criteria must be able to support.

Workshops and training

With our workshops and training courses, which are tailored to your needs and to different target groups, we ensure that participants receive the knowledge they need to implement NIS-2 effectively in their respective areas.

In these training courses, we provide general recommendations for optimizing internal processes and increasing efficiency and synergy. Our experts conduct the workshops and training sessions and share practical insights from implementation projects.

Your benefits

  • Identification of the degree of impact in the various areas of the company and concrete recording of direct and indirect effects in regulated sectors.
  • Information on the current status and the steps necessary to improve cybersecurity and implement the NIS-2 requirements.
  • Building a robust cybersecurity framework and achieving the best possible results in implementing NIS-2 measures.
  • Compliance with legal obligations and effective incident and crisis response to ensure network and information security.
  • Integration of specific national regulatory requirements and supervisory practice.