Technology now plays a key role in customer relations and workflows in retail. This is why retail is increasingly becoming a target for cyberattacks and cybercriminals. According to a KPMG study from 2023, 78% of retailers have registered a rise in cyberattacks, which illustrates the high level of risk.
The good news is that many retailers have responded to this and started with one of the most effective measures – raising awareness among their employees and holding IT security training.
No retailer, regardless of size or segment, should ignore the issue of cyber security. The need for comprehensive cyber security measures is as urgent as ever – be it for protecting payment data at the self-checkout, safeguarding the integrity of online transactions or protecting customer data across the entire retail chain. Retailers have to constantly develop and improve their security concepts by investing in strategies and technologies that can effectively counter these digital threats.
The NIS 2 Directive takes cyber security in the European Union (EU) to the next level. It aims to create a consistent level of protection for network and information security. Compared to the NIS Directive adopted in 2016, which focused on the cyber security of critical infrastructures (KRITIS), the NIS 2 Directive has a wider scope. It covers not only operators of critical systems but also “particularly important facilities” (major companies in specific sectors, some companies regardless of their size, and operators of critical facilities) and “important facilities” (major and medium-sized companies in many sectors). The NIS 2 Directive has been in force since 16 January 2023 and has to be transposed into German national law by March 2025. Facilities that do not comply with these requirements face fines of up to EUR 10 million or 2% of their global annual sales, whichever is higher. For retail executives this is not only about compliance – it is about avoiding financial and legal consequences. Which raises the key question: how can you as a retailer find out whether the NIS 2 Directive applies to you?
First consider whether your company operates in the EU and which sector it works in. For retailers, sectors such as “Digital Service Provider”, “Food Production, Processing and Distribution”, “Digital Infrastructure” and “Finance” can be relevant. Assess whether your company is classified as “particularly important” or “important”, based on the role it plays within the critical infrastructure and the potential impact of its shutdown. Check whether your company meets the headcount and turnover thresholds set for that category. Finally, consider any exceptions, such as classification as a small or medium-sized company, which could exempt your company from the NIS 2 requirements.
NIS 2 ready: how your company can get ready now
Do not wait for the national law to enter into force – start implementing the NIS 2 requirements today. It is crucial to implement suitable measures on the basis of a comprehensive risk assessment. Rely on a holistic, threat-oriented strategy to avoid security incidents or mitigate their impact.
How to get started:
Assess your current IT security measures and identify weak spots to ensure NIS 2 compliance. Depending on your business model, you should focus on the following key areas:
Carry out a comprehensive risk analysis, implement backups, test your systems on a regular basis and use state-of-the-art encryption technologies to effectively protect your customer and transaction data. Establish protocols for reporting security incidents to the responsible body and immediately inform partners and stakeholders about serious failures. Also ensure you comply with all registration requirements to avoid potential fines.
Management has to actively monitor the implementation of these measures. Train your management and staff in data protection, cyber security and technology.
Implementing these measures will not only ensure compliance but also strengthen your line of defence against emerging cyber risks. Given the digitalisation trends, especially in payment systems, strong cyber security measures are of paramount importance. For retailers the following cyber trends are particularly relevant:
- Protecting payment data
- Securing online marketplaces and transactions
- Protecting customer data across the complete retail chain
The NIS 2 Directive calls for a high degree of cyber security in the EU. Verify whether NIS 2 applies to you by analysing your operational scope, your sector-specific classification and the possible impact on critical infrastructure. A pro-active approach to the NIS 2 requirements will enable you to effectively minimise cyber risks, protect sensitive customer data and strengthen your customers’ confidence in you in an increasingly digital market landscape. Act now to make sure your company is NIS 2 compliant and stays ahead in the digital era.
At the end of the day, no retailer can afford to neglect cyber security issues. By complying with the NIS 2 requirements early on you not only secure your systems but above all the foundation of your success: the trust of your customers and your business partners.
The Cybersecurity Hub at EuroCIS:
EuroCIS 2025, Europe's leading trade fair for retail technology, will feature a Cybersecurity Hub in Hall 9 for the first time, showcasing innovative solutions and technologies to tackle the growing challenges in the field of cybersecurity. The Cybersecurity Hub offers retailers the opportunity to learn about the latest developments in IT security and find solutions to effectively protect their systems and customer data. The Cybersecurity Hub is organised in partnership with KPMG. Exhibitors include KPMG, XM Cyber (Schwarz Group), ServiceNow and Saviynt.
About the author
Markus Limbach is a partner for Cyber Security & Resilience at KPMG AG and advises national and international organisations on Cyber Security, Information Security and Business Continuity & Resilience Management. With his comprehensive expertise he helps his clients guard against cyber threats and build strong resilience against digital attacks.