
      The European Union is strengthening the cybersecurity of its member states. The NIS-2 Directive (Network and Information Security) was published by the EU on 27 December 2022 and came into force on 16 January 2023. As a directive on measures for a high common level of cybersecurity in the Union, the NIS-2 Directive aims to create a uniform level of protection for the network and information systems of critical infrastructures.

      The NIS-2 Directive expands and defines critical sectors more clearly than the previous NIS Directive from 2016. It had to be transposed into national law by October 2024, which also marks the deadline for implementation in organisations. However, due to the new elections in Germany, the transposition law has not yet been published, so the exact national date is still pending; until then, the European directive applies.

      Evaluate impact and own preparations for NIS-2

      Extending the scope of application to additional sectors will put the cybersecurity level of the organisations concerned to the test. Organisations are encouraged to act now and assess both the impact of NIS-2 on them and their own preparations against this directive. Additional regulations for individual sectors (including DORA for financial service providers and the Directive on the Resilience of Critical Entities (CER)) are being prepared in parallel and are intended to work together coherently in the future.

      Affected organisations will be supported in taking appropriate and proportionate measures based on transparent risk management. These measures follow a holistic, threat-oriented management approach that aims to prevent security incidents or minimise their impact.

      Assessment

      Do our free quick check and find out.

      KPMG approach

      Our approach begins with an analysis phase in which we examine which regulatory guidelines are relevant for your organisation. Based on this, a readiness assessment is carried out in the identified affected areas of your organisation. On this basis, the necessary measures are defined in order to successfully meet the requirements placed on your organisation.


      Our defined individual packages of measures cover important areas such as the implementation and governance of measures, cooperation with authorities (including notification and reporting obligations), and regulatory monitoring. We also offer workshops and training on NIS-2 and other related EU directives in the area of cyber security. This ensures that your implementation meets the requirements and that synergies are utilised.

      You also have the option of using individual service packages as required, selecting those that best suit the specific requirements of your organisation.

      Your advantages

      • Identification of the degree of impact in various business areas and concrete recording of direct and indirect effects in regulated sectors.

      • Insights into the current status and the necessary steps to improve cyber security and implement the NIS-2 requirements.

      • Building a robust cybersecurity framework and achieving the best possible outcomes in the implementation of NIS-2 measures.

      • Fulfilment of legal obligations and effective response to incidents and crises to ensure network and information security.

      • Integration of specific national regulatory requirements and official practices.

      The NIS-2 analysis by KPMG

      The NIS-2 impact analysis enables organisations to determine how NIS-2 affects them. Product features, services and customers are assessed in order to determine the impact. A specific NIS-2 scoping is then carried out based on the results of the analysis.

      You can obtain an initial assessment of whether and to what extent your organisation could be affected by the NIS-2 Directive by clicking on the following link. This analysis serves as a starting point to understand the potential impact on your organisation and to plan initial steps to adapt to the requirements of the directive.

      Disclaimer: This analysis is not a final assessment, but a non-binding initial assessment. It should be noted that Member State regulations may provide for a different scope of application.

      Download: NIS-2: For a higher level of security in Germany



      Our range of services

      • NIS-2 Readiness Assessment

        The NIS-2 Readiness Assessment evaluates the current status of the security measures required by the regulation and develops a prioritised roadmap for greater security in your organisation. It takes into account the individual cyber risk of your organisation, current best practices for implementation and the sustainability of the measures introduced. The assessment is based on the state of the art, and the implementation recommendations are adapted to the strategic goals of the organisation.

      • Implementation of NIS-2 measures

        Based on the results of the readiness assessment, it is crucial to implement all necessary measures to achieve compliance with NIS-2. This includes the implementation of specific processes and technical measures (including asset management, supply chain management and network security) that meet the requirements of the directive. The integration of a GRC tool such as ServiceNow is ideal for sustainable and efficient implementation, as it allows NIS-2 requirements to be systematically embedded in your organisation's existing processes. Implementation ensures that your organisation not only meets the legal requirements, but also improves its security standards and becomes more resilient to cyber attacks.

      • NIS-2 Regulatory Monitoring

        We help you prepare for the various regulatory requirements. To this end, the countries relevant to your organisation are identified, national regulations relating to NIS-2 and official practice are analysed, and a regulatory inventory is created on this basis. The national implementation requirements of the NIS-2 Directive are continuously monitored for regulatory changes. Monitoring of other cyber security regulations is also offered, including the CRA, DORA and the AI Act.

      • NIS-2 Governance

        Governance includes the management and monitoring of NIS-2 measures as well as the continuous monitoring and evaluation of the ISMS. The aim is to ensure that the existing security controls and measures are working as intended and provide the desired level of protection. Various methods, such as KPIs, internal audits and benchmarking based on best practices, are set up for your organisation.

      • Reporting to the authorities

        Our services include the identification and evaluation of existing security incident processes and the involvement of relevant stakeholders in security incident management. You will receive an analysis and evaluation of existing processes and a customised reporting process. Criteria for evaluating incidents are defined and a concept for reporting information security incidents to the relevant authorities is drawn up.

      • Workshops and training courses for NIS-2

        Our customised workshops and training courses, which are specifically tailored to your needs and different target groups (e.g. supervisory boards), ensure that participants receive the knowledge they need to effectively implement NIS-2 in their respective areas.

        These training courses will give you a general understanding of the NIS-2 Directive, the principles of risk management in the context of the NIS-2 Directive, and practical tips as well as the duties and responsibilities of your organisation.
