The NIS2 Directive has been approved in the EU and must be transposed into national legislation no later than October 2024. It will require affected companies to place a much stronger focus on risk management towards the surrounding society, to involve top management directly, and to be aware that non-compliance can result in large fines and personal accountability.
Failing to comply with the upcoming NIS2 requirements can lead to fines of up to 10 million EUR or 2% of global annual turnover (whichever is higher), and regulators may also have the power to hold top management accountable for compliance breaches.
As some of these requirements relate to the impact that a potential breach, and the resulting disruption of services, would have on the surrounding society, the risk management focus is bound to shift towards this aspect rather than aiming only at internal goals such as growth, revenue, market share and the like.
Many organisations are looking at how they can be best prepared for the local legislation of the NIS2 Directive coming into force in 2024. There will be requirements both in terms of the level of cyber and information security as well as regarding supervision and reporting.
Among these requirements, top management will have a more specific responsibility for maintaining and approving governance structures, risk assessments, etc., and can also face personal sanctions for lack of compliance.
A more comprehensive list of requirements can be supplied, but some of the more common issues organisations face are:
Governance structures:
- Reporting.
- Compliance & policies.
- Decision making.
Top management involvement:
- Knowledge.
- Accountability.
- Risk control.
Coordination:
- Risk management.
- Knowledge sharing.
- Reporting.
- Assessments/tests.
Supply chain risk management:
- Legal conditions.
- Scoping.
- Cross-border organisations.
- M&As.
How we can help you with NIS2:
We assist organisations in assessing their current status and preparedness for NIS2, creating guidelines and roadmaps to close the gaps towards NIS2, improving their management of cybersecurity risks, etc. We can assist in identifying, assessing and improving the business processes that are vital to business continuity and thus to business operations and, in some cases, to the smooth operation of important societal functions.
We can also identify considerable synergies and vantage points between NIS2 and other regulations, such as GDPR and DORA.
Contact us and read more here
Martin Povelsen
Partner, Digital Risk
KPMG in Denmark