
Enactment of NIS2 requires additional cybersecurity responsibilities for banks and insurance companies

Banks are being mandated by the government to enhance their cybersecurity measures in accordance with the cabinet's decision on the enactment of NIS2.


The German financial sector is gearing up for a significant shift in cybersecurity regulations with the impending implementation of the NIS2 Directive. Expected to come into force by the end of 2025, this European Union directive will usher in a new era of enhanced cybersecurity demands for banks and insurers, affecting around 29,000 companies in the country[1][2][3].

The NIS2 Directive places a strong emphasis on cybersecurity risk management, mandating the implementation of an Information Security Management System (ISMS), regular risk analyses, business continuity measures, and strict incident reporting obligations[1]. This makes cybersecurity a strategic core task of corporate management rather than a purely technical one, with personal liability for executives[1].

For financial institutions, the NIS2 Directive interfaces with sector-specific legislation such as the Digital Operational Resilience Act (DORA), which applies from January 2025. DORA mandates its own ICT risk management and incident reporting standards that are considered at least equivalent to NIS2’s requirements[2][5]. As a result, when DORA covers a financial entity, the NIS2 provisions will not apply for those cybersecurity obligations. However, if an entity in the financial sector is not covered by such sector-specific laws, NIS2 rules will continue to apply[2][5].

The implications for banks and insurers are manifold. They must implement or review an ISMS aligned with both NIS2 and DORA requirements, conduct regular and comprehensive risk management and security testing, prepare for stringent reporting of cybersecurity incidents to the authorities, and face increased accountability and potential personal liability[2][3][4][5]. The complexity of the regulatory landscape requires institutions to coordinate compliance across overlapping frameworks (NIS2, DORA, CRA, ISO/IEC 42001, etc.) to avoid gaps or duplication[2][3][4][5].

German institutions and associations are responding proactively by advising companies to perform gap analyses, emphasizing the establishment or enhancement of robust ISMS and incident response programs, offering guidance and toolkits for cybersecurity risk assessments, continuous monitoring, training, and reporting mechanisms, and highlighting the need for strategic integration of cyber resilience into corporate governance frameworks[1][2][3].

The TÜV association, a key player in the cybersecurity landscape, believes that the Bundestag needs to sharpen the bill at crucial points to increase its effectiveness in practice[1]. It specifically calls for clarification of open points regarding exceptions, proof obligations, and independent certifications[1]. Marc Fliehe, Head of the Digitalization and Education department at the TÜV association, states that the law is long overdue and must be passed promptly[1].

The implementation law of the NIS2 directive must be reintroduced to the Bundestag after the federal election in spring 2025[1]. The federal administration continues to exempt itself from stricter cybersecurity requirements, and there is a need for changes in the current government draft to ensure a uniform framework for cybersecurity throughout the EU and to avoid security gaps[1].

Under the NIS2 directive, notification obligations are expanded: security incidents that significantly impact business operations or could affect third parties must be reported to the relevant authorities within 24 hours, with a detailed analysis to follow within 72 hours[1]. The implementation act, which transposes the EU directive into German law, marks a new stage of regulatory requirements for the financial sector in Germany[1].

With the cabinet decision on the NIS2 implementation act, the German federal government has committed to significantly tougher cybersecurity measures for banks, insurers, and other financial service providers[1]. The federal government's draft on the NIS2 directive is seen as an important step towards a resilient cyber nation[1]. The TÜV association also notes ongoing discussions and adjustments to the NIS2 directive in the parliamentary process[1].

In summary, the NIS2 Directive signifies a paradigm shift in cybersecurity governance for banks and insurers in Germany. With personal liability for executives, comprehensive risk management, and stringent reporting obligations, these institutions must prepare for a more secure and resilient future[1]. The TÜV association, along with other industry experts and associations, will continue to support a smooth transition to these elevated standards.

[1] [Source] [2] [Source] [3] [Source] [4] [Source] [5] [Source]

  1. German financial institutions such as banks and insurers must prepare for the arrival of the NIS2 Directive, whose emphasis on cybersecurity risk management requires, as part of strategic corporate management, the implementation of an Information Security Management System (ISMS), regular risk analyses, incident reporting, and business continuity measures.
  2. The implementation of the NIS2 Directive in the German financial sector will necessitate a review of current ISMS and incident response programs to ensure alignment with both NIS2 and Digital Operational Resilience Act (DORA) requirements, resulting in regular and comprehensive risk management, stringent reporting, and increased accountability for the institutions.
