NIS2 Directive: Impact on the financial sector and new regulations

The NIS2 Directive introduces a new regulatory framework aimed at protecting critical infrastructure within the financial sector and strengthening cybersecurity across the European Union. As cyber threats continue to evolve, banks, insurance companies, and financial institutions must adapt to stricter security requirements, enhanced risk management, and mandatory incident reporting. This article explores how NIS2 will reshape the financial industry, who is affected, and what steps organizations should take to ensure compliance and resilience in the face of growing cyber risks.

Introduction to the NIS2 Directive

Digital transformation and increasing reliance on technology have introduced new challenges for the financial sector, particularly in cybersecurity. The NIS2 Directive addresses this issue and is now being implemented across the European Union. The directive requires EU Member States to establish national cybersecurity strategies to enhance their cybersecurity capabilities.

Background and overview

The NIS2 Directive (Directive (EU) 2022/2555) is the EU's updated horizontal cybersecurity law. It repeals and replaces the 2016 NIS Directive, the first EU-wide cybersecurity legislation, and aims to enhance collective resilience against cyber threats by mandating stricter risk management, incident response and reporting, and information security practices. Rather than applying to a handful of operators identified by each Member State, it applies to all medium-sized and large entities in the sectors listed in its annexes, which makes it a far broader regulation than its predecessor. The NIS2 Directive is a key part of the EU's cybersecurity strategy, aligning with the European Commission's priority to prepare Europe for the digital age.


What is the NIS2 Directive and what is its purpose?

The NIS2 Directive establishes a new legal framework for cybersecurity across the EU, aiming to enhance the security of networks and information systems in all member states. This directive is a response to the growing cyber threats that can destabilize key economic sectors and compromise citizens’ security.

The directive extends cybersecurity regulations, covering new sectors and entities that were previously unregulated. It imposes obligations on key entities, such as banks, insurance companies, and trust service providers, which play a critical role in the EU’s internal market.

The primary goal of NIS2 is to establish a high common level of cybersecurity, ensuring better protection against cyber threats and increasing the resilience of digital infrastructure. This allows member states to collaborate more effectively on risk management and incident response, fostering trust among citizens and businesses in digital systems. The directive aims to enhance cyber resilience by improving cybersecurity capabilities across various sectors.

Scope of the NIS2 Directive

The directive applies across all EU member states, imposing obligations on key and important entities.

  • The directive applies to medium-sized and large entities operating in the sectors listed in its annexes. Medium-sized means at least 50 employees or an annual turnover or balance sheet total above 10 million EUR; smaller entities fall in scope only in specific cases, for example when they are the sole provider of a service that is essential to society.
  • Sectors of high criticality (Annex I) include energy, transport, banking, financial market infrastructures, health, digital infrastructure (including cloud computing services and trust service providers) and public administration. Large entities in these sectors are essential entities; most other in-scope entities are important entities. Both categories must meet the same security obligations and differ mainly in how they are supervised and fined.

Who is affected by NIS2 regulations for essential entities?

For example, a mid-sized regional insurance company that previously did not treat cybersecurity as a regulatory matter may now be required to implement documented security measures such as encrypting customer data, enforcing multi-factor authentication and monitoring for suspicious activity. This necessitates investments in technology and employee training while raising security standards.

The new regulations expand the range of affected entities. The 2016 NIS Directive already covered operators of essential services in sectors such as energy, transport, banking and healthcare, but left it to each Member State to identify which operators were in scope. NIS2 adds further sectors and replaces that discretion with the size-cap rule, so that every medium-sized or large entity in a listed sector is covered automatically. Banking and financial market infrastructures are listed as sectors of high criticality, reflecting their importance to the stability of the European economy. Social networking platforms are also classified as in-scope entities under Annex II of the directive.


Key Changes and updates

The NIS2 Directive brings many innovations and tightens the regulations of its predecessor, the NIS Directive. One of the key changes is the expansion of the scope of application, which is estimated to cover around 300,000 institutions, compared to roughly 20,000 under the previous directive. The directive also introduces minimum cybersecurity risk management measures (Article 21) and makes management bodies accountable: they must approve the measures, oversee their implementation, attend cybersecurity training and can be held liable for infringements (Article 20). Additionally, jurisdiction follows where services are provided rather than only where a company is incorporated: certain providers, such as cloud computing and DNS services, that offer services in the EU without an establishment there must designate a representative in a Member State (Article 26).

How does NIS2 affect the financial sector?

The directive introduces significant changes in how financial institutions operate. Banks and insurance firms will be required to:

✔ Conduct regular cyber risk analyses

✔ Implement appropriate preventive measures

✔ Deploy systems that monitor and detect suspicious activities in real time

Financial institutions must also ensure the security of their digital infrastructures to comply with the directive. One caveat matters for this sector in particular: where a financial entity is also covered by the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), DORA acts as lex specialis and its ICT risk management and incident reporting rules apply in place of the corresponding NIS2 provisions (NIS2 Article 4). Banks and insurers should therefore map which regime governs each obligation rather than assume NIS2 applies directly.

A key requirement is the obligation to report significant incidents to the competent authority or CSIRT within fixed deadlines (Article 23): an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. This means that financial institutions must have clearly defined crisis management plans and an incident classification process in place, so that the decision to notify can be made and executed within the first 24 hours rather than after the investigation is complete.

Cybersecurity risk management and compliance

Entities covered by the NIS2 Directive must implement appropriate and proportionate technical, operational and organisational measures to manage the risks to their network and information systems. Article 21(2) sets out the minimum measures, which include:

  • Policies on risk analysis and information system security, covering both technical and organizational aspects.
  • Incident handling, and business continuity measures such as backup management, disaster recovery and crisis management.
  • Supply chain security, including assessing the cybersecurity posture of direct suppliers and service providers.
  • Security in the acquisition, development and maintenance of systems, including vulnerability handling and disclosure.
  • Policies and procedures to assess the effectiveness of the risk management measures, for example through regular audits.
  • Basic cyber hygiene practices and cybersecurity training.
  • Policies on the use of cryptography and, where appropriate, encryption.
  • Human resources security, access control policies and asset management.
  • Multi-factor or continuous authentication, and secured voice, video and text communications.
  • Rapid response and notification of the relevant authorities in case of significant incidents, and cooperation with other entities and authorities at EU and national level.

Incident response and management

The NIS2 Directive emphasizes the importance of incident response and management in ensuring the security of network and information systems. Article 21 requires entities to have incident handling as part of their risk management measures, and Article 23 sets out the reporting obligations for significant incidents. The directive also establishes a network of national Computer Security Incident Response Teams (the CSIRTs network, Article 15) to exchange information on cyber threats and coordinate responses. Furthermore, the European cyber crisis liaison organisation network (EU-CyCLONe, Article 16) is created to support the coordinated management of large-scale cybersecurity incidents and crises. Entities must notify their competent national authority or CSIRT of significant incidents, ensuring that incidents are reported and managed in a timely and effective manner.


Preparing for the new regulations

Adapting to NIS2 requires a multi-faceted approach, involving legal, organizational, technical, and procedural measures. Financial institutions must take specific steps to ensure compliance with the new requirements. At the EU level, the NIS Cooperation Group (Article 14) facilitates strategic cooperation among EU Member States, the European Commission, and the EU Agency for Cybersecurity (ENISA), and publishes guidance that entities can use as a reference.

Key Steps for Preparation:

  1. Determining Scope and Applicable Regime – Confirming whether the organization is an essential or important entity and which obligations fall under NIS2 and which under sector-specific rules such as DORA.
  2. Hiring Cybersecurity Specialists – Experts who will oversee the implementation and monitoring of security measures, and who can support the management body in its oversight and training duties.
  3. Implementing Risk Management Systems – Processes that identify, assess, and mitigate cybersecurity threats and document the measures taken against each of the Article 21 requirements.
  4. Establishing a Dedicated Cybersecurity Team – A team to monitor, classify and respond to security incidents, with the authority to trigger the 24-hour early warning.
  5. Developing a Risk Analysis and IT Security Policy – Covering incident handling, supply chain security, business continuity, and crisis management.
  6. Ensuring Data Backup and Recovery Procedures – Tested backups and recovery plans that reduce the impact of potential cyber incidents.

✔ A well-prepared financial institution will not only comply with NIS2 but also enhance trust among clients and business partners.

Consequences of non-compliance

Failure to comply with NIS2 regulations can lead to severe financial and reputational consequences. Article 34 sets the minimum maximum fines that Member States must provide for in national law:

  • Essential entities that do not meet their obligations may face administrative fines of up to 10 million EUR or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher.
  • Important entities could be fined up to 7 million EUR or 1.4% of total worldwide annual turnover, whichever is higher.
  • Beyond financial penalties, non-compliance may result in loss of customer and partner trust, causing long-term reputational damage. Management bodies can also be held personally liable for infringements.

Penalties and enforcement

The NIS2 Directive leaves it to Member States to lay down the rules on administrative fines, subject to the minimum maximums in Article 34. These fines follow the GDPR model: for essential entities up to 10 million EUR or 2% of total annual worldwide turnover in the previous financial year, whichever is higher, and for important entities up to 7 million EUR or 1.4%. Supervision differs between the two categories: essential entities are subject to both proactive (ex ante) and reactive (ex post) supervision, including on-site inspections and security audits (Article 32), while important entities are supervised only ex post, for example after an incident or on evidence of non-compliance (Article 33). Competent authorities may also issue binding instructions, order the entity to inform affected customers, and, for essential entities, temporarily suspend certifications or the exercise of managerial functions. The directive also emphasizes the importance of cooperation between entities and supervisory authorities in ensuring compliance.


NIS2: A challenge or an opportunity for the financial sector?

Although implementing new standards requires financial and organizational investment, NIS2 presents an opportunity to:

✔ Increase resilience against cyber threats

✔ Strengthen customer trust

✔ Ensure long-term business stability and security

The directive encourages the financial sector to take a leading role in cybersecurity, ensuring a safer and more secure digital environment across the European Union, and many of its measures overlap with what supervisors already expect of financial institutions under DORA, so work done for one regime largely serves the other.

Conclusion and next steps

The NIS2 Directive is a comprehensive cybersecurity directive that aims to improve the overall security posture of the EU. Organizations that qualify as essential or important entities under NIS2 must implement the Article 21 measures to protect their critical systems and services. EU member states were required to transpose the NIS2 Directive into national law by October 17, 2024, with the rules applying from October 18, 2024; several Member States have transposed late, so entities should track the status of the national law that applies to them. Regardless of transposition status, entities should take steps to ensure compliance with the directive, including implementing cybersecurity risk management measures, ensuring that the management body approves and oversees them, and establishing incident response and reporting procedures that can meet the 24-hour, 72-hour and one-month deadlines.
