
The European Union is strengthening the cyber security of its member states. The NIS 2 Directive - NIS stands for Network and Information Security - was published by the EU on 27 December 2022 and came into force on 16 January 2023. It replaces the previous NIS Directive from 2016.

NIS-2 changes the information security requirements for companies and critical infrastructure facilities. Considerably more companies now fall within the scope of the directive, and the framework for fines has been raised substantially - to the level of the European data protection regulation, the EU GDPR. Fines amount to up to 10 million euros or 2 per cent of global annual turnover.

NIS-2: List of particularly critical sectors published

With NIS-2, the EU is making a further attempt to raise the level of cyber security across the Union. While Germany had already formulated national requirements for critical infrastructures with the IT Security Act in 2015 - and therefore before the first NIS Directive - implementation in other member states has progressed more slowly. The EU wants to avoid such divergences as implementation continues. In particular, the scope of application is now defined much more specifically.

For the first time, a distinction is made between entities in the categories "essential" and "important", which are subsequently subject to different requirements in some cases. The distinction is primarily based on newly defined thresholds - details are set out in Art. 3 of the directive.

The sectors affected are listed in Annex 1. The sectors of high criticality include energy, transport, banking, financial market infrastructures and digital infrastructure. Public administration is also explicitly named here. The category of other critical sectors includes postal and courier services and providers of digital services, as well as manufacturers of medical devices, machinery and vehicles. The scope of application of NIS-2 will therefore differ from the KRITIS sectors known in Germany under the IT Security Act.

NIS-2 will apply in Germany from autumn 2024

NIS-2 must now be transposed into national law by 17 October 2024 and will apply from 18 October 2024. In Germany, the IT Security Act 2.0 and the KRITIS ordinances are expected to be revised. An initial draft bill for a KRITIS umbrella law and the IT Security Act is expected before the parliamentary summer break in 2023.

Companies should act now and assess, on the basis of the directive as it stands, how they are affected and where implementation gaps exist. KPMG provides support in analysing the impact and in planning and implementing the NIS-2 requirements.
