Europe’s new NIS2 directive: Elevating cybersecurity standards for financial institutions
Maksim Djackov, Chief Information Security Officer at ConnectPay
The EU’s evolving cybersecurity landscape, 2016 to present
Cybersecurity threats constantly evolve, growing ever more sophisticated in their ability to target critical infrastructure and sensitive data across industries and across nations. Even in cases where the number of cyber attacks dropped from 2022 to 2023, increased rates of successful attacks tell a different story. Anticipating and protecting against such an evolving and dangerous threat requires continuous and concerted effort.
In 2016, the European Parliament set out to enhance the security of the EU as a whole by passing the first piece of EU-wide cybersecurity legislation, the Directive on Security of Network and Information Systems (NIS Directive). This legislation aimed to institute robust cybersecurity standards across all EU member states, with a focus on protecting essential services like energy, healthcare, transportation, and financial services, as well as key digital infrastructure like online marketplaces and cloud computing services. The NIS Directive went into force in 2018 and was a significant first step toward greater cybersecurity in the EU.
In November 2022, the European Parliament set out to address some of the shortcomings of the NIS Directive that had become apparent in the years since its passing, such as its inconsistent implementation across EU states and the limited scope of industries it covered. The new cybersecurity directive, known as NIS2 (Network and Information Security Directive 2), establishes more standardized measures and stricter requirements while bringing into its scope nearly a dozen more industries, including telecoms, manufacturing, and food production.
Because of its role in managing vast amounts of sensitive data and transactions, the financial industry is always a prime target for cyber attacks. While the original NIS Directive provided essential protections for the industry’s users and its sensitive data, the increased clarity, specificity, and rigor of the NIS2 is a welcome development, presenting both challenges and opportunities for such a critical industry.
Financial industry and cybersecurity: navigating the regulatory environment
There has been no shortage of protections for financial sector companies in the past. In the context of cybersecurity, protection has been driven by stringent compliance and legal standards and frameworks such as ISO 27001, the leading international standard for managing information security, and the GDPR, the EU's data protection regulation. Industry-specific guidance, such as that issued by ENISA (the EU Agency for Cybersecurity), also defines key areas of focus, including requirements for regular risk assessment, secure network architecture, access controls, data encryption, and malware protection.
The nature of the financial industry, the value of its assets, and the sensitivity of its data require heavy regulation and a large number of legal and security frameworks, putting a considerable burden on financial companies to maintain compliance. But it is well known that compliance does not equal security, and vice versa. Quite often fintechs, especially at the beginning of their maturity cycle, view security as something that follows strictly from fulfilling compliance requirements. Thus, covering a compliance framework is considered a success and a key factor in navigating the difficult process of obtaining a banking license from financial regulators. But this view is shortsighted and will, sooner or later, lead to a data breach.
In addition to meeting important compliance requirements, defense in depth must also be considered, covering not only mature technical controls but also the human element. Under the NIS2, financial companies will have clearer guidelines for adapting and expanding their security frameworks, with new controls that will be stricter and cover more areas. This will make clear that baseline adherence to regulatory policies and risk management requirements is not a sufficient standard of adequate protection.
Areas that will require stricter focus include the process of securing trusted partners by thoroughly vetting third-party vendors. For software development, it will be necessary to closely monitor the use of external libraries and open-source software. These areas are often best addressed through risk management and vendor monitoring, as well as increased vulnerability monitoring and response measures, such as those outlined in the NIS2.
Challenges and outlooks
For all its benefits, the NIS2 will pose resource and skill challenges for financial institutions. For instance, it will be necessary to allocate more budget for cybersecurity and to invest in staff training so that teams can effectively manage compliance and cybersecurity simultaneously. It will also be necessary to find and retain skilled cybersecurity professionals, which could prove difficult given the growing demand for, and shortage of, such expertise. Additionally, there is the matter of penalties for non-compliance, which will be intensified under NIS2.
Given how rapidly the financial industry is growing, it is important that cybersecurity protections develop just as rapidly, through better and more nuanced policies, like the NIS2, with its increased specificity and stringent requirements raising the bar for security. Overall, in the ever-evolving cybersecurity landscape, the NIS2 directive represents a crucial step forward for the financial sector and the broad spectrum of industries it connects with.