Christophe Buschmann, Director

The implementation of the second Network and Information Security (NIS2) Directive marks a pivotal moment in cybersecurity regulation, underscoring the management body’s critical role in enhancing organizations’ cyber threat resilience. By mandating a comprehensive framework for digital infrastructure protection, the NIS2 Directive places significant responsibility on the shoulders of top executives and board members.

The management body must not only ensure compliance but also foster a culture of proactive cyber risk management. This strategic emphasis aims to strengthen and protect the digital landscape against evolving cyber challenges.

Policy objective: cybersecurity and top management

The NIS2 Directive’s primary goal is to firmly embed cybersecurity in the responsibilities of top management. Although many regulations have emphasized executive accountability in recent years, organizations still struggle to fully integrate cybersecurity into their core management practices.

It’s essential that organizations approach the NIS2 Directive as a strategic organizational priority and not just an IT project. Senior management must actively drive effective cybersecurity governance alongside the necessary cultural and procedural changes to enhance overall cyber resilience.

Navigating new digital regulations

Organizations currently face a myriad of new digital regulations stemming from the European Commission’s Digital Decade policy program. The aim is to ensure the digital infrastructure underpinning the new economy is built robustly and securely, with the associated risks mitigated.

Instead of perceiving each new regulation as a burden, we must recognize the strategic importance of the common thread that runs through these regulations: effective governance for data management and how data supports the business. Investing in strong governance frameworks not only ensures compliance but also enhances business operations and security overall.

The crucial role of risk assessments

Risk assessments form the bedrock of a comprehensive cybersecurity strategy by identifying, evaluating, and prioritizing the risks that could affect an organization's network and information systems. Under the NIS2 Directive, organizations must perform risk assessments to understand their vulnerabilities and develop targeted measures to mitigate them.

Rather than a one-time task, risk assessment is an ongoing process that requires regular updates and reviews. This sustained approach ensures emerging threats are promptly identified and addressed, keeping the organization's cybersecurity posture strong and resilient.

Introducing MONARC: a tool for effective risk assessments

To support the risk assessment process, the Luxembourg Ministry of Economy has developed MONARC, a powerful tool to help organizations identify and manage their cybersecurity risks. MONARC is part of a broader framework to ensure compatibility with future reporting requirements and aligns with SERIMA, a regulatory platform and reporting tool for security risks.

By leveraging MONARC, organizations can streamline their risk assessment processes and ensure their reports meet regulatory expectations. This can enhance the efficiency and effectiveness of their compliance efforts and reduce their administrative burden.

How KPMG can help

KPMG has amassed years of expertise in governance, regulations and risk management, which are key ingredients for solving the complex equation of cybersecurity compliance. Extensive hands-on experience spanning multiple business sectors allows us to perform meaningful risk assessments that effectively bridge the gap between IT and the business.

We offer a range of services to help organizations navigate the NIS2 Directive’s requirements, including:

  • performing thorough gap assessments to identify areas where your current cybersecurity posture does not meet the NIS2 Directive’s requirements
  • developing meaningful and practical roadmaps to achieve compliance and highlighting areas where projects can add value beyond regulatory adherence
  • helping implement recommended measures to ensure the identified risks are mitigated effectively.

With our colleagues in KPMG Belgium, we can help organizations run assessments using the CyberFundamentals certification scheme, implement projects aligned with these measures, or both.

KPMG’s MONARC expertise

Our team of 10 MONARC-trained consultants is ready to guide organizations through every step of the risk assessment process. Whether an organization is performing its first risk assessment or updating an existing one, our team can provide the expertise and support needed to achieve comprehensive and accurate results.

KPMG's NIS2 webinars

In May 2024, KPMG Belgium held a NIS2 Directive webinar (PDF, 5.9MB) providing valuable insights and guidance. Building on this success, a Luxembourg webinar is planned to help our local stakeholders tackle the NIS2 Directive’s challenges and enhance their security posture through practical advice and solutions.

Conclusion

The NIS2 Directive significantly advances the European Union's cybersecurity framework. By strongly emphasizing risk assessments and the proactive management of cyber risks, it aims to create a more resilient digital environment.

Tools like MONARC, combined with expert guidance from firms like KPMG, can help organizations tackle the Directive’s challenges and build robust cybersecurity strategies.

As Luxembourg continues to advance its digital infrastructure, the NIS2 Directive will be a cornerstone to ensuring this progress is secure and sustainable.