How EU cyber security directive impacts UK firms

By: Ankur Aeran
The EU's most recent cyber security framework has implications for UK financial services firms that fall under its scope. Ankur Aeran explains what the NIS2 Directive means, who it affects, and what to consider to ensure compliance and cyber security resilience.

The Network and Information Systems Directive 2 (NIS2) is the European Union's framework for enhancing cyber security across a number of critical sectors. It brings significant implications for the financial industry, demanding higher standards for managing cyber security risks.

What is NIS2?

NIS2 is the updated version of the original NIS Directive, introduced in 2016 to improve the cyber security of critical infrastructure across the EU. It sets out legal measures to raise the level of security of the network and information systems that underpin key sectors. The update was prompted by the evolving cyber threat landscape and the increasing digitalisation of critical sectors, including financial services. NIS2 was adopted in December 2022, and Member States were required to transpose it into national law by October 2024.

Key differences between the original NIS Directive and NIS2:

  • Broader scope – NIS2 now covers more sectors and entities, including financial services, digital infrastructure, and healthcare
  • Harmonised security standards – NIS2 seeks to harmonise cyber security practices across Member States, addressing inconsistencies in the original directive
  • Stricter enforcement – NIS2 introduces stricter penalties and reporting obligations, ensuring organisations maintain robust cyber security measures

What does NIS2 mean for financial services?

The financial sector has always been a prime target for cyber-attacks because of the valuable assets and sensitive data it handles, and its growing reliance on digital technologies increases that risk. NIS2 directly impacts the financial services industry by introducing stringent cyber security requirements, stricter oversight, and more robust incident reporting and response.

Financial institutions, including banks, payment service providers, and insurance companies, must implement more stringent security measures under NIS2. This involves not only protecting their internal systems but also ensuring the security of third-party vendors and service providers, as supply chain attacks are a growing concern.

Under NIS2, organisations are required to report significant cyber security incidents within 24 hours of becoming aware of them. Financial institutions must have mechanisms in place to detect and report such incidents promptly, as failure to comply could result in fines or other penalties.

NIS2 requires national authorities to monitor compliance and enforce the rules through audits, inspections, and penalties. Financial services organisations must therefore be prepared for regular scrutiny of their cyber security practices. The directive also empowers regulators to impose sanctions, including fines of up to 2% of global turnover.

Given the global nature of financial services, NIS2's emphasis on cross-border coordination between national authorities is intended to streamline incident response to cyber threats across the EU. Financial institutions operating in multiple Member States need to be prepared to align with these cross-border frameworks.


Who does NIS2 apply to?

NIS2 applies to two categories of entities. Both categories must meet cyber security and reporting requirements, although the level of scrutiny may differ slightly. Given the significant interconnectedness in the financial sector, many players will find themselves covered under one of these categories:

Essential entities: These include sectors deemed critical to the economy and society. In financial services, this includes banks, insurance companies, payment service providers, and investment firms.

Important entities: These include sectors that, while not essential, are still important to the functioning of the economy. In financial services, this can apply to financial technology (fintech) firms, third-party service providers, and other ancillary players.

Six areas for financial services firms to consider

Now that the directive has been incorporated into national law, firms must act quickly to ensure compliance and strengthen their cyber security posture. Six areas deserve attention:

  • Gap assessment – Financial institutions should assess their current cyber security practices against the requirements set out in NIS2, identifying gaps in governance, incident detection, and response capabilities. A robust cyber security framework should cover data protection, network security, system resilience, and incident management.
  • Supply chain security – Financial institutions rely heavily on third-party service providers, such as cloud providers and IT vendors. Under NIS2, organisations are responsible for the cyber security of their supply chains. This means conducting thorough due diligence on all vendors, setting clear security expectations, and regularly auditing their compliance with agreed security requirements.
  • Incident detection and reporting – One of the major challenges posed by NIS2 is its strict incident reporting timelines. Financial institutions must implement systems that detect incidents promptly, assess their significance, and report them to the relevant authorities within the required timeframes. This involves enhancing monitoring capabilities, streamlining communication channels, and establishing clear reporting protocols.
  • Cross-border consistency – For financial institutions operating across multiple EU Member States, harmonising incident response and cyber security practices across jurisdictions will be critical. NIS2's focus on cross-border cooperation means firms need consistent cyber security policies and incident response strategies across the whole organisation.
  • Governance and accountability – NIS2 requires senior management to take a more active role in cyber security governance. Financial services firms should ensure that their board and executives understand the cyber security risks the firm faces and are involved in the related decision-making. Assigning accountability at executive level is essential to comply with the directive.
  • Regulatory engagement – Financial institutions should actively engage with regulators to understand their expectations under NIS2 and any specific national requirements that apply now that the directive has been transposed into law. Proactive communication with national authorities can help firms anticipate regulatory changes and adjust their strategies accordingly.


Next steps

The NIS2 Directive is set to reshape the cyber security landscape for the financial services sector in the EU. With increased regulatory scrutiny, stricter incident reporting obligations, and higher standards for cyber security practices, financial institutions must take immediate steps to assess and enhance their cyber security frameworks. By focusing on supply chain security, incident reporting, and governance, the financial sector can not only ensure compliance with NIS2 but also strengthen its overall resilience against the growing threat of cyber-attacks.

Organisations that approach NIS2 as an opportunity to improve their cyber security practices will not only mitigate risks but also gain a competitive advantage in a market that increasingly values security and trust.

For more insight and guidance, contact Ankur Aeran.