
Strengthening of Cybersecurity Measures for Financial Institutions: Banks and Insurers Face New Obligations Under NIS2

Federal government mandates enhanced cybersecurity precautions for banks, as outlined in the NIS2 implementation act, following the approval of a cabinet resolution.

Enforcement of NIS2 initiates heightened cybersecurity responsibilities for banking and insurance sectors


The European Union's NIS2 directive, a landmark cybersecurity legislation, is set to transform the digital landscape in Germany, particularly within the financial sector. The directive, which came into effect in 2025, imposes stringent cybersecurity risk management and incident reporting measures on banks, insurers, and approximately 29,000 companies [1][2].

Ralf Wintergerst, President of Bitkom, has suggested a unified approach to implementing the European requirements for the NIS2 directive, avoiding any national special paths in individual aspects [1]. The directive makes cybersecurity a top priority, requiring companies to implement risk management measures, monitor their implementation, and educate themselves on questions of cyber risk evaluation and management [1].

Under the NIS2 directive, companies are required to systematically analyze, document, and manage cybersecurity risks, implementing state-of-the-art technical and organizational protective measures [1]. Key requirements include conducting comprehensive risk analyses, implementing technical and organizational safeguards (such as backups, encryption, and staff training), and promptly reporting security incidents to designated authorities [1].

For the financial sector, the Digital Operational Resilience Act (DORA) serves as a sector-specific regulation, taking precedence over the NIS2 directive where cybersecurity risk management and incident notification are concerned [3]. However, for entities not covered by sector-specific acts, NIS2 obligations apply.

The law mandates binding minimum standards for IT systems, including requirements for encryption techniques, access controls, disaster management, and supply chain and service provider security [1]. Notification obligations under NIS2 are expanded: security incidents that significantly affect business operations or could impact third parties must be reported to the authorities within 24 hours, followed by a detailed analysis within 72 hours [1].

Industry associations and institutions have actively engaged with the NIS2 implementation process. The European Union Agency for Cybersecurity (ENISA) released detailed technical guidance in mid-2025 to help companies understand the specific measures and documentation needed for compliance [4]. This guidance serves as a benchmark for national audits, creating a clear roadmap for integrating cybersecurity measures into daily operations.

The new law reshapes cybersecurity into a strategic corporate responsibility rather than a purely technical issue [2]. Companies must proactively assess gaps and align policies with both NIS2 and sector-specific frameworks like DORA to ensure smooth compliance [1][4].

Marc Fliehe, Head of the Digitalization and Education Department at the TÜV Association, emphasizes the need to sharpen the bill at crucial points to increase its effectiveness in practice [1]. The TÜV Association also calls for independent certifications in the implementation of the NIS2 directive [1].

The German federal government has committed to implementing the NIS2 directive, which brings enhanced cybersecurity demands for banks, insurers, and other financial service providers. The implementation of the NIS2 directive is an important step towards a resilient cyber nation, requiring businesses and the state to better protect themselves against cyber threats [1].

The federal administration continues to exempt itself from the stricter cybersecurity requirements, according to the Bitkom President [1]. Companies are uncertain whether they will fall under NIS2 because of unclear wording in the bill [1]. Affected institutions must prepare for the new requirements in good time, as the obligations will apply without transition periods [1].

The new federal government in Germany is making progress on cybersecurity. The law assigns personal liability to a company's management for compliance with the NIS2 directive, with violations resulting in fines of up to ten million euros or two percent of global annual turnover, whichever is higher [1].

The implementation of the NIS2 directive is an essential step towards a resilient cyber nation, requiring businesses and the state to better protect themselves against cyber threats. With the new law, cybersecurity becomes a strategic corporate responsibility, necessitating heightened awareness and resource allocation. Industry bodies advise their members to proactively assess gaps and align policies with both NIS2 and sector-specific frameworks such as DORA to ensure smooth compliance.

  1. The finance sector, under the Digital Operational Resilience Act (DORA), faces stricter cybersecurity regulations than other sectors, as DORA takes precedence on cybersecurity risk management and incident notification.
  2. To promote a unified approach in implementing the European Union's NIS2 directive, Ralf Wintergerst, President of Bitkom, suggests avoiding individual national special paths in certain aspects.
  3. In compliance with the NIS2 directive, companies in the business, data-and-cloud-computing, and technology sectors are required to implement risk management measures, conduct comprehensive risk analyses, and report security incidents promptly to designated authorities.
