
EU NIS2 Directive for Financial Entities

The digital backbone of Europe’s economy, energy grids, transport networks, banks and healthcare, is under constant attack. Escalating cybersecurity threats, with 60% of attacks via phishing, have caused the EU to introduce the NIS2 Directive in an attempt to drastically strengthen cybersecurity and resilience.

Article
10 December 2025 9 mins read
By Jennie Clarke

The second iteration covers a broadened scope, providing the opportunity for compliant businesses to enhance their technical, operational and organizational risk management measures.  

And while the EU’s Digital Operational Resilience Act (DORA) takes precedence, this EU cybersecurity regulation still covers important aspects of cybersecurity compliance.

Learn more about the scope of the NIS2 Directive, and how treating the regulation as more than a checklist gives more definitive protection against cyberthreats.

NIS2 requirements for financial entities

Cybersecurity compliance involves transferring the regulations, laws and rules into practical, actionable applications within your organization. Complying with NIS2 gives companies the opportunity to meet stringent requirements, promoting trust with customers and third parties, and providing better protection against cyber threats.

Here’s an overview of NIS2 requirements for financial entities:

  • Risk management
  • Incident reporting
  • Supply chain security

Risk management

Financial entities must implement the appropriate measures to manage risks. The NIS2 directive includes specific mandatory requirements around this, including:

  • Security policies relating to risk: firms should have robust frameworks that detail how to analyze and mitigate risk
  • Incident response: including all stages from prevention through to detection and continuity planning during a live event
  • IT network security: including plans for maintenance, development and growth to avoid further risk
  • Access controls and management: including log-in credentials like multi-factor authentication, and working methods like the segregation of duties
  • Cybersecurity training: regular contact for employees, especially when threats evolve at a fast pace

Importantly, the measures in place should be proportionate to the risks. For example, most companies wouldn’t require an escalated approval process for purchases under $10, but would if the same purchases were above $10,000.

Incident reporting

Financial firms are required to follow three types of reporting requirements under the NIS2 Directive:

  1. Early warning: within 24 hours of becoming aware that an incident has occurred, firms must report it to their relevant national body
  2. Incident notification: within 72 hours of becoming aware that an incident has occurred, firms must update their national body with further details
  3. Final report: within one month of becoming aware that an incident has occurred, firms must produce a report that details what happened, its impact, and the measures in place to mitigate any further consequences
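The three deadlines above all run from the moment the firm becomes aware of the incident, so a tracker needs one reference timestamp and three offsets. The following is an added example (not from the article, and not a Global Relay tool): it computes the NIS2 reporting deadlines from an awareness timestamp and reports each stage as submitted, submitted late, due or overdue. It assumes the 24-hour and 72-hour windows are clock hours and that "one month" means one calendar month clamped to the last valid day; the Directive's exact counting rules are not stated on this page.

```python
import calendar
from datetime import datetime, timedelta

# Stage names are labels chosen for this example; the offsets are the ones
# the article gives: 24 hours, 72 hours and one month from awareness.
STAGES = ("early_warning", "incident_notification", "final_report")


def add_one_month(dt: datetime) -> datetime:
    """Advance one calendar month, clamping the day so that an incident
    noticed on 31 January gets a final-report date of 28/29 February.
    (Assumption: the page does not define how 'one month' is counted.)"""
    year, month = dt.year, dt.month + 1
    if month > 12:
        year, month = year + 1, 1
    last_day = calendar.monthrange(year, month)[1]
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


def deadlines(aware_at: datetime) -> dict:
    """Map each reporting stage to its deadline, measured from awareness."""
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "incident_notification": aware_at + timedelta(hours=72),
        "final_report": add_one_month(aware_at),
    }


def reporting_status(aware_at: datetime, submitted: dict, now: datetime) -> dict:
    """Classify every stage given what has been submitted so far.

    `submitted` maps stage name -> datetime the report was filed.
    Returns stage -> 'submitted' | 'submitted_late' | 'due' | 'overdue'.
    """
    status = {}
    for stage, due in deadlines(aware_at).items():
        filed = submitted.get(stage)
        if filed is not None:
            status[stage] = "submitted" if filed <= due else "submitted_late"
        elif now > due:
            status[stage] = "overdue"
        else:
            status[stage] = "due"
    return status


def hours_remaining(aware_at: datetime, stage: str, now: datetime) -> float:
    """Hours left until a stage's deadline (negative once it has passed)."""
    return (deadlines(aware_at)[stage] - now).total_seconds() / 3600
```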

Supply chain security

As mentioned, there is an overlap between the EU NIS2 Directive and DORA regulation, with the latter focusing significantly on the challenge of third party security. But NIS2 also covers the supply chain, particularly during the contracting phase.

Firms must conduct a full risk assessment for each supplier, considering the specific vulnerabilities and mitigation measures of each. The criteria to assess third parties relates to their IT services, including:

  1. The extent of use and level of dependence on them
  2. Importance (in terms of performing critical functions)
  3. Availability of alternatives
  4. Resilience to disruption
  5. Potential future significance

One of the more difficult obligations of this regulation is the last one. Firms must predict how each product might be developed (foreseeing potential new risks), but this can be challenging without the correct technical resources or close vendor relationships.

NIS2 cybersecurity requirements 2025

The original NIS was effective, but it did have some limitations, which were largely revealed during the COVID-19 pandemic. A consultation into the initial cybersecurity law revealed the following issues:

  • Insufficient cyberattack resilience for EU businesses
  • Inconsistencies across each member state
  • Inadequate understanding of the threats and challenges facing businesses across the EU
  • A lack of cohesive response to these threats

Therefore, a consultation and later revision to the rules was completed, known as NIS2. It expanded significantly on the previous scope of NIS, with the second directive including stricter reporting requirements and more accountability.

Here’s the timeline for implementation:

  • January 2023: NIS2 officially entered into force
  • October 2024: compliance became mandatory, with all member states publishing their own national legislation by this date
  • April 2025: member states had to identify entities within the ‘essential’ and ‘important’ categories by this date
  • 2025 onwards: audits for compliance began

The penalties were also expanded. Fines for ‘essential’ entities would be at a maximum of €10 million or 2% of annual turnover figures (whichever is higher). For ‘important’ entities, a fine of €7 million or 1.4% of annual turnover figures (whichever is higher) is the rule. But it’s key to note that the circumstances surrounding each case, including the scale and duration of violations, will impact the penalty.

How to comply with NIS2 for financial institutions?

When complying with NIS2 as a financial institution, it’s helpful to:

  • Build clear governance structures: involve senior management from the very beginning to secure stakeholder buy-in and create an engaged culture from the top. 
  • Perform ongoing monitoring: don’t get caught out as third parties make changes, stay aware by monitoring on a continual basis, realizing new risks in real-time.
  • Train staff to recognise risk and promote a culture of security: skeptical staff are like gold dust - and when it comes to security, this is a great trait. Regular training sessions and scenario testing can be useful in ensuring your staff follow through with incident response plans.

Following standard best practices in financial cybersecurity is a good place to start, but specialist compliance efforts for NIS2 are also recommended. 

For example, the risk assessment and management requirements require deep and ongoing collaboration between compliance professionals and IT teams. As systems change and develop over time, compliance managers need to know, so that they can adjust and re-assess the level of risk.

Compliance challenges under the NIS2 Directive

There are a few key challenges that businesses tend to face under NIS2. We’ve already touched on the challenge of supply chain oversight, but the incident reporting timelines can also apply pressure, as they are fairly tight, especially when staff are focused on reacting to the crisis itself.

Supply chain oversight

Much of the focus of NIS2, alongside DORA, is on third-party and operational resilience. But it can be hard to:

  1. Know enough about how your suppliers protect your information, and your system connections
  2. Maintain that knowledge even as systems, technologies and threats change

Best practices to ensure supply chain oversight include an in-depth, upfront assessment of processes, and automated ongoing monitoring.

Most financial entities will already be familiar with the due diligence process, requiring contractors and vendors to meet specific security requirements. This process should extend to NIS2, building automatic oversight into the process to ensure that changes don’t go under the radar.

Incident reporting timelines

Incident reporting is ingrained into cybersecurity risk management for banks, especially for keeping regulators and customers in the loop. But the timelines under NIS2 are tight - just 24 hours for the first notification, 72 hours for the official notification and one month for the full investigative report.

This may cause resources to be rerouted in order to put all hands towards the investigation, leading to:

  • Service disruptions: creating customer friction and further stress
  • Project diversions and delays
  • Systems going offline to re-protect the company

Auditing

When it comes to cybersecurity risk management for banks, there is no one-size-fits-all approach. This makes regular auditing even more important because it enables you to lock-in your cybersecurity framework, and even practice incident response, before the real pressure is on.

Here are some examples of audit points that could be helpful to add to your own audit checklist for NIS2 compliance:

  • Senior management oversight. Requirement: does the management body regularly oversee and approve the cybersecurity risk management measures? Example of evidence: board meetings, report signatures
  • Scope. Requirement: has the organization formally documented itself as essential or important? Example of evidence: internal legal assessment and self-registration confirmation
  • Business continuity. Requirement: are backup management and disaster recovery plans in place, and tested? Example of evidence: crisis communication documents, testing reports
  • Supply chain security. Requirement: are procedures in place for managing the security risks of third parties? Example of evidence: vendor risk assessment, vendor management platform and SOPs
  • Cybersecurity training. Requirement: are basic cyber hygiene policies (such as password policies, document sharing rules) enforced? Example of evidence: IT security policy, activity logs

Using technology for NIS2 compliance

To effectively manage the complexity and rapid timelines of the NIS2 Directive, organisations must increasingly rely on technology and automation.

Security Information and Event Management (SIEM) tools exist to continuously monitor critical infrastructure, and signal anomalous behaviour that could indicate a cyberthreat. Working in real-time, these tools can combine with robust encryption systems for well-rounded data protection.

Specialized incident monitoring and logging management tools also automate the meticulous documentation required in Article 23 of NIS2.

Relying on manual processes leaves businesses at risk of:

  • Non-compliance: leading to reputational damage and financial penalties
  • Poor efficiency: which can make the reporting deadlines near-impossible
  • Being error-prone: exacerbating issues while under the pressure of a cybersecurity threat

Cyber resilience is more than NIS2 compliance

The EU’s NIS2 Directive serves as a foundational blueprint for achieving secure financial operations. Far from being an administrative burden, it provides an opportunity for firms to better withstand, respond to and recover from sophisticated cyberattacks.

With the power of automated detection and response tools, NIS2 directly enhances the financial sector’s continuous cyber resilience. Global Relay’s surveillance tool enables smarter risk management across all your communication channels, helping your team to focus on the genuine areas of concern.

Going beyond traditional keyword analysis, we use generative AI to review messages in their entirety, making alert-based decisions based on the message context. For NIS2, tools like this help financial institutions to move beyond static compliance and adopt a continuous cyber resilience mindset.
