
In 2026, NIS-2 crossed the threshold from a compliance requirement to a management responsibility: with the new BSI Act, the European framework has been transposed into German law since December 2025, and responsibility for cyber risks now lies directly with senior management. Establishing reporting channels, securing supply chains and demonstrating the management of cyber risks, along with maintaining evidence of this, become short-term obligations, while at the same time presenting an opportunity to structurally realign governance, risk and technology.

      It is precisely this dual perspective that our experts analyse in the white paper ‘NIS-2 as a European resilience framework’: They contextualise the paradigm shift, highlight the national divergences between Member States, analyse the typical gaps in existing security programmes and derive a practical governance model.

      Download the report now (in German only)

Study

      NIS-2 as a European resilience framework


      NIS-2 at a glance: Key insights for decision-makers

      The white paper demonstrates that the regulatory transformation is already having a significant impact on governance. The NIS 2 Directive explicitly makes cyber security a management responsibility and establishes uniform minimum standards to ensure a common level of security for medium-sized and large enterprises in the EU. At the same time, national variations are emerging that pose particular challenges for companies operating internationally.

      Facts, figures and data that businesses should be aware of

      • With the NIS 2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), the revised BSI Act (BSIG) came into force on 6 December 2025, making the NIS 2 requirements directly binding in Germany – without a transition period.
      • The scope covers organisations from 18 sectors which, based on defined thresholds, are classified as particularly important or important organisations (Section 28 BSIG).
      • Section 30 BSIG defines ten mandatory risk management measures – ranging from risk analysis and supply chain security to encryption.
      • The reporting system under Section 32 of the BSIG follows a three-stage process: early warning within 24 hours, notification within 72 hours, and a final report after one month.
      • Of particular relevance are Section 38 BSIG (duties and personal liability of senior management), Section 30 BSIG (risk management) and Section 32 BSIG (reporting obligations), supplemented by the obligation to register with the BSI under Section 33 BSIG.

      How organisations can manage their NIS 2 implementation

      Practical experience shows that transparency is the first step: only once it is clear which entities in which country fall under NIS-2 can priorities and responsibilities be reliably defined. This forms the basis for a modular model comprising a European baseline framework and country-specific overlays, underpinned by a three-tiered collaboration between senior management, the group level and local implementation.

      Our authors demonstrate how senior management can actively fulfil their responsibilities and make management training a mandatory requirement, how incident processes can be coordinated, and how records can be maintained in a manner that is auditable across the EU. The key here is not maximum centralisation, but consistency where NIS-2 requires it – because those who proactively utilise the framework gain not only compliance, but also lasting resilience and strategic agility.
