In connection with the transposition of the CER directive, i.e. the Directive on the Resilience of Critical Entities, the Emergency Act has been amended, as a result of which the range of essential services, their providers, and the authorities responsible for ensuring the continuity of essential services is being expanded.


      Deadline: Essential service providers must prepare a risk analysis and plan by 31 December 2026.


      Why is it important to think about resilience more broadly?


      Threats to society

Both the private and public sectors are vulnerable to a range of external threats arising from the military and non-military activities of hostile states. In recent years the use of non-military methods in particular has come to the fore. Society as a whole must take account of its surrounding environment and continually adapt to new potential threats in order to keep normal conditions running.


      Information influence

      Dissemination of misinformation and shaping public opinion


      Risk mitigation:
      We map information flows and create a plan to prevent misinformation


      Psychological operations

      Psychological pressure and destabilisation of society

      Risk mitigation:
      We raise employee awareness and draw up a crisis communication plan to reduce the impact of influence activities


      Non-military measures

      Measures that use diplomatic, economic and social pressure

      Risk mitigation:
      We analyse vulnerabilities and create a resilience plan


      Military measures

      Direct military force and armed conflict

      Risk mitigation:
      We prepare risk scenarios and a crisis management framework

If your institution has been designated as an essential service provider, KPMG can help with the following:

      We offer comprehensive support to meet the requirements for essential service providers and to ensure continuity.

      Mapping regulatory obligations

      Mapping regulatory obligations and deadlines in accordance with the new legislation.


      Assessment of investment needs

      Assessing the expected investment needs for meeting the requirements and preparing a timetable.


      Mapping support schemes

      Mapping state support or incentives in this area.


      Risk analysis and plan preparation

      Preparing a risk analysis and plan, involving the key stakeholders.

      Risk analysis and plan for essential service providers

The risk analysis of an essential service provider must describe the resources on which its critical activities depend, the threats to those resources, and the measures that address them. The plan must set out the conditions for implementing those measures and the recovery plan.

      Risk analysis for essential service providers

      A comprehensive risk analysis in accordance with the National Risk Assessment (NRA).

      1. Description of the resources of critical activities
      2. Identification of the threats associated with them
      3. Description of preventive measures

      Resilience plan

A structured plan that sets out recovery arrangements for high-risk scenarios.

      1. Preparing a recovery plan
      2. Conditions for implementing the measures and putting the plan into use
      3. Compliance with regulatory requirements

      Broad-based assessment

      Preparing the risk analysis and plan provides an opportunity to assess the provision of the service more broadly.

      1. Assessment of the risks affecting service provision
      2. Mapping the necessary resources
      3. Ensuring data security

      Additional services to improve continuity

      Preparing the risk analysis and plan gives the institution the opportunity to take a broader look at the risks affecting service provision and the resources and know-how needed to mitigate them. In addition to regulatory requirements, other stakeholders, including customers and partners, also expect the services provided by the institution to be resilient and the parties’ data to be secure.

      • Crisis specialist (PCEB) training

        Professional training for managing crisis situations

      • Independent audit

        As an independent auditor, KPMG assesses organisations’ compliance with the E-ITS or ISO 27001 standard.

      • External crisis manager service

        Suitable where the institution itself lacks a role responsible for crisis tasks.

      • Technical testing

        Carrying out testing services to identify system weaknesses and map areas that need improvement.

      • Implementation of E-ITS or ISO 27001

        Implementing the requirements of the Estonian information security standard or the ISO 27001 standard.

      • Non-cyber incident management

        A comprehensive approach to preventing and managing physical and operational incidents.

      KPMG has experience in improving continuity.

      For the past three years, KPMG has been helping essential service providers in various EU countries implement the Directive on the Resilience of Critical Entities. As a result, we have both local and international experience, as well as best practices drawn from critical sectors.