NIS-2 Directive: What's in store for banks and insurance companies?

NIS-2 is an EU directive that builds on the first Network and Information Security Directive (NIS-1) and must be transposed into national law by October 17, 2024, at the latest. The EU’s introduction of NIS-2 has significantly tightened security requirements for critical infrastructure operators (such as banks and insurance companies) and digital service providers. These new regulations not only have a direct impact on the affected companies themselves but also on the suppliers and service providers they use. NIS-2 aims to make the EU and its member states more resilient to cyber-attacks and digital threats, thereby increasing confidence in digital services and the online sector. In this blog article, we will look closer at the implications of NIS-2 for Gini as a partner for banks and insurance companies.

What does the introduction of NIS-2 mean for banks and insurance companies?

NIS-2 applies to operators of essential services and providers of digital services, which undoubtedly include banks and insurance companies (see Annex I, NIS-2). In this context, the directive specifies requirements that fundamentally concern the security of networks and information systems. It includes measures for preventing security incidents, implementing security policies, implementing effective risk management (identifying risks, assessing them according to their impact, implementing and monitoring risk-reducing measures), and introducing regular security controls. Also essential to NIS-2 is the obligation to report significant security breaches within 24 hours and, along with this, the obligation to cooperate with national authorities to address significant security incidents. In detail, this involves the obligation to report and provide information and assist in the investigation.
The national authorities, in turn, are responsible for ensuring that the NIS-2 requirements are met by the organizations concerned. They, thus, must monitor and impose sanctions in the event of violations.
Companies affected by NIS-2 are well advised to deal with the requirements early and implement an auditable management system.

What does the introduction of NIS-2 mean for Gini?

1. Enhanced security requirements

NIS-2 significantly increases the security requirements for affected companies. This means that their suppliers and service providers, such as Gini, now also have an increased obligation to ensure that their products and services meet the latest standards for data processing security. Suppliers must, for example, review their network and server infrastructure security measures and permanently ensure that they have implemented appropriate technical and organizational measures to sustainably guarantee the security of the products and services provided.

2. Contractual conditions and adjustments

With NIS-2, affected companies must revise their contracts with suppliers and service providers to meet the new security requirements. Suppliers and service providers must include additional clauses in their contracts requiring them to meet certain security standards and conduct regular security audits. This may require suppliers and service providers to adapt their business practices and internal processes to meet the requirements.

3. Audit of the supply chain

Under NIS-2, affected companies will be required to assess and monitor the security of their entire supply chain. This means that they must improve their network security and ensure that their suppliers and service providers have implemented appropriate security measures and regularly review them for effectiveness. As a result, companies will need to scrutinize their suppliers and service providers more closely and require them to disclose their security measures or demonstrate appropriate certifications.

4. Risk mitigation and collaboration

Suppliers and service providers should be aware that customers affected by NIS-2 may require them to develop and submit risk mitigation plans. This could include, for example, measures to strengthen network security and business continuity, regular security audits, or training for employees. Close collaboration between affected companies and their vendors and suppliers is critical to ensure security throughout the supply chain.

5. Cooperation in reporting obligations

Companies and organizations affected by NIS-2 must report significant security incidents and service disruptions to the appropriate national authority. The reporting obligations are bound to strictly defined periods, which must also be observed on weekends or holidays. For example, for significant security incidents, an early warning must be issued within 24 hours, and a detailed report within 72 hours of becoming known. A final report on a security incident must be submitted within one month. Suppose companies depend on their suppliers’ and service providers’ services or support. In that case, they should contractually obligate their suppliers and service providers to take measures to ensure compliance with the reporting obligations.

This is the conclusion we draw from the new NIS-2 guidance

NIS-2 directly impacts our partners in the banking and insurance environment and us as Gini. We must meet heightened security standards throughout the network and supply and service chain. Fortunately, from the beginning, Gini assures its customers and partners that it maintains a very high level of security for systems and data. With ISO 27001 certification and, in particular, by aligning its processes and documentation with the new version of ISO 27001:2022, which places even more emphasis on cybersecurity, Gini already considers itself capable of meeting the stringent security requirements of NIS-2. By continuously developing and improving its internal processes and security facilities, Gini continues to be a reliable partner in cybersecurity and will continue to be so in the future.

Michael Poprat

Senior Operational Excellence Manager, Information Security Officer, Data Protection Coordinator

At Gini, we want our posts, articles, guides, white papers and press releases to reach everyone. Therefore, we emphasize that both female, male, and other gender identities are explicitly addressed in them. All references to persons refer to all genders, even when the generic masculine is used in content.