Article   November 09 2023

The Finance sector - what’s new with NIS2?

With a wider coverage of sectors, stricter requirements for risk management and incident reporting and more hard-hitting penalties for non-compliance, the new NIS2 directive is the most comprehensive European cybersecurity directive yet. In recent years, the Finance sector has been subject to increasing regulatory scrutiny to increase its stability and resilience. The NIS2 directive is one of those measures that is set to have a significant impact on the sector.

Information security
DORA course

Image: (royalty free)

It goes without saying that the finance sector is a critical component of the European economy and as such, facing several cybersecurity challenges targeting both the operating systems and the people operating the systems.

Phishing Attacks, Web-based attacks and Ransomware attacks targeting both employees and customers are very common and are variations of social engineering attacks. These are still largely effective in the finance sector, where human weaknesses are exploited to compromise sensitive information. Along with these threats there are also threats on a systematic level such as DDoS attacks threatening to disrupt the processing of high-value transactions and financial information and Supply chain attacks targeting weaknesses in the supply chain to compromise financial systems and data, putting sensitive financial information at risk.

Finance companies must take a closer look at their existing cybersecurity measures and implement the necessary changes to meet the NIS2 requirements, including ensuring business continuity, managing third-party risks, and protecting financial data. In doing this the implementation of the NIS2 directive is projected to bring substantial benefits to the finance market.


Awareness training – one of 10 key cyberhygiene measures

The NIS2 directive requires that the Finance sector and other essential and important entities implement 10 baseline security measures to address specific forms of likely cyberthreats.

  • Risk assessments and security policies for information systems.
  • Policies and procedures for evaluating the effectiveness of security measures.
  • Policies and procedures for the use of cryptography. 
  • A plan for handling security incidents.
  • Security around the procurement of systems and the development and operation of systems.
  • Security procedures for employees with access to sensitive or important data. 
  • A plan for managing business operations during and after a security incident.
  • The use of multi-factor authentication.
  • Security around supply chains and the relationship between the company and direct supplier. 
  • Cybersecurity training and a practice for basic computer hygiene.


Cybersecurity training is not only ‘on the list’. It’s a well-known fact that awareness training is an essential part in creating the organisational security culture needed for organisations to be compliant with many of the other security measures mandated by NIS2. Without awareness training all year round, many of the operational procedures will eventually fail – due to human errors.

Our new updated 2024 editions of Information Security Awareness training is targeting all employees, managers, executives and boards and is one part of being NIS2 compliant.

Or why not kickstart with our NIS2 Introdution course? This will give your management a better understanding of what your organisation need to be NIS2 compliant.

Article   November 09 2023