Adopted in 2016 by the European Union, the NIS 1 directive (Network and Information Security, Directive (EU) 2016/1148) aimed to raise cybersecurity levels across Operators of Essential Services (OES) and Digital Service Providers (DSP). Banking and financial-market infrastructures are among the sectors whose operators could be designated as OES.
1 – New cybersecurity obligations for banking institutions
Under this first framework, banking institutions designated as OES had to report their security incidents to their national authority (ANSSI in France) and implement the security measures needed to significantly reduce the exposure of their critical systems to cyber risks.
On 10 November 2022, the European Parliament adopted the NIS 2 directive (Directive (EU) 2022/2555), which repeals NIS 1 and aims to raise the common level of cybersecurity across the Union.
A. Rising cybercrime context
As member states' networks and markets have become interconnected, the European single market has become more exposed to new cyber threats. NIS 2 widens its scope and objectives to provide more protection; one objective is to improve cooperation between member states against shared threats.
Statistics show sustained growth in global cybercrime: estimates put the annual cost of cybercrime to the global economy at 5,500 billion euros at the end of 2020, double the 2015 figure.
B. Why cyber regulations matter for financial institutions
Several reasons explain why these regulations matter. They help protect sensitive customer data and prevent breaches, and they now require institutions to take effective measures against a range of attack types.
This investment in IT protection strengthens customer trust in financial institutions. It also reduces the prohibitive costs tied to data breaches and cyberattacks.
These measures matter even more as customers increasingly use banking services through mobile apps or personal computers, a trend that accelerated during COVID-19 and has kept growing.

2 – Main cyber regulations for financial institutions
A. Overview of existing regulations
Digital Operational Resilience Act (DORA)
The DORA regulation (Regulation (EU) 2022/2554) on digital operational resilience for the financial sector was adopted in its final form in November 2022. It entered into force on 16 January 2023 and applies from 17 January 2025.
DORA's main objectives are to protect data and service continuity and to ensure that financial entities can withstand, respond to and recover from ICT-related disruptions such as a cyberattack or a malfunction. This capability is called "cyber resilience".
DORA extends regulatory oversight beyond financial organisations to their ICT third-party providers, which are required to meet new cybersecurity standards; critical ICT third-party providers fall under a dedicated oversight framework.
NIS 1 directive
NIS 1 did not apply to DSPs that were micro or small enterprises (fewer than 50 people and annual turnover or total balance sheet below €10M). The directive remained fairly general.
Entities affected by NIS 1 were limited to operators of essential services and digital-service providers. NIS 2 reportedly covers ten times more organisations, classified as Essential Entities (EE) and Important Entities (IE) according to the criticality of their sector and their size: large entities in the high-criticality sectors are essential, most others are important. The sector lists below are not exhaustive.
Essential Entities (EE)
- Energy
- Transport
- Banking
- Financial-market infrastructure
- Health
- Drinking water
- Wastewater
- Digital infrastructure (ISPs, data centres…)
- Public administrations
- Space
Important Entities (IE)
- Waste management
- Postal services
- Chemical industry
- Digital-service providers (search engines, marketplaces…)
The penalty regime and reporting requirements were also lighter than under NIS 2, which is closer to the GDPR model of fines expressed as a percentage of turnover (see below).
B. Regulatory evolution after recent cyberattacks
Since 2022, many regional councils, health organisations and European financial entities have fallen victim to cybercrime, and public services have often been frozen for days as a result.
NIS 2 imposes even stricter cybersecurity obligations on critical infrastructure such as banks and financial organisations, and calls on national authorities to exercise stricter supervision.
The new directive sets common reporting obligations and minimum penalty ceilings across all EU member states.
3 – New obligations on financial institutions
A. Strengthened data-protection measures
Beyond basic declarative obligations, NIS 2 imposes a staged notification schedule for significant incidents: an early warning to the CSIRT or competent authority within 24 hours of becoming aware of the incident (indicating, where possible, whether it is suspected to be malicious), a fuller incident notification within 72 hours, and a final report within one month. The obligation concerns significant incidents rather than every IT flaw; entities may also notify cyber threats and near misses on a voluntary basis.
A cybersecurity skills centre and a coordination-centre network have been set up to support financial and banking organisations. In France, this skills centre is the ANSSI Cyber Defence Centre.
National control authorities can run regular audits, on-site and off-site checks, and request access to documents or evidence.
The CyCLONe coordination network (Cyber Crisis Liaison Organisation Network) federates cyber-crisis preparedness and management across member states.
Member states had to transpose NIS 2 into national law by 17 October 2024, and its measures apply from 18 October 2024.

B. Early cyberattack detection mechanisms
Machine-learning and predictive-analysis tools can shorten the time needed to detect attacks and automate parts of the response, for example by analysing files and activity in real time to flag malware.
C. Strengthened response and recovery capabilities
Banking resilience to cyber risk is critical because of the financial stakes and the risk of monetary loss. A security plan that accounts for the consequences of a cyberattack is essential.
Cybersecurity tools must allow teams to take immediate containment actions and limit damage.
Make IT Safe offers a Supplier Security Assurance (SSA) plan that centralises all exchanges with your providers and triggers the right actions faster to restore your information system.
4 – Consequences of non-compliance
Organisations that don’t meet European directives like NIS 2 or DORA face significant fines and financial penalties, plus reputation risks.
Financial and reputation risks
The NIS 2 penalty mechanism, similar to GDPR, requires member states to allow fines expressed as a fixed amount or as a percentage of worldwide annual turnover, whichever is higher:
For Essential Entities (EE): a maximum of at least €10 million or 2% of total worldwide annual turnover. For Important Entities (IE): a maximum of at least €7 million or 1.4% of total worldwide annual turnover.
Because cyberattacks attract wide media coverage, the consequences for a financial organisation can seriously damage its reputation with clients and suppliers, especially if cyber negligence is found.
NIS 2 introduces liability of the management body for cybersecurity risk management: leaders must approve and oversee the risk-management measures and can be held liable for non-compliance, and had to ensure compliance before the directive's application date in October 2024.
5 – Best practices to comply with new regulations
Make IT Safe is at your disposal to help you comply. Three main areas to focus on:
A. Regular risk evaluation and security updates
Our Make IT Safe platform lets you run regular audits across your IT estate. Recurring checks include evidence storage that proves, if needed, that you took all the corrective measures NIS 2 requires.
B. Staff training and awareness
Cybersecurity also means developing skills among staff exposed to attack risks, especially social engineering.
Make IT Safe regularly publishes webinars your employees can attend. We also offer tailor-made training.
C. Collaboration with regulators and external partners
Information sharing is part of any good security policy. In a confirmed incident or attack, you must react to safeguard your interests and inform the relevant regulatory bodies. In France, contact ANSSI to report a vulnerability or report an incident.
If you are a CISO, DPO or hold any cybersecurity watch role, we recommend regularly checking alerts from CERT-FR, the French government's cyber watch and response centre.
Our Make IT Safe platform also lets you run third-party analysis to evaluate cyber risks tied to your suppliers.
6 – Conclusion
As this article shows, the cybersecurity of financial institutions is a major European stake, confirmed by these new regulatory provisions.
Meeting new constraints is sometimes hard and requires significant investment in both human and material resources. However, given the very high cost of cyberattack damage, this investment is essential to the longevity of financial organisations.
Make IT Safe has anticipated adapting its software platform to face these new threats. Our platform gives you a simple, complete view of every action needed to bring your organisation into full compliance with these new regulations.
We are at your disposal to help you deploy or run a demo.

