Preparing for NIS2: What UK Financial Institutions need to know

NIS2, Directive (EU) 2022/2555, aims to raise the overall level of cybersecurity and resilience across the EU.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

It introduces cybersecurity risk-management requirements, incident-reporting obligations and sanctions in response to the increased frequency and impact of cyberattacks on EU companies and critical infrastructure.

Although NIS2 does not apply directly in the UK, aligning with it matters for UK financial institutions that sit in the supply chains of in-scope EU entities: those entities must assess the security of their direct suppliers and will pass the resulting expectations down through due diligence and contracts. This means heightened scrutiny of third-party risk management, supply chain resilience and day-to-day cybersecurity practices. For CISOs in the UK, understanding and aligning with NIS2 is key to keeping both customer trust and business continuity across EU markets.

Navigating the Supply Chain Risk Management Imperative

As the digital landscape grows more interconnected, every new supplier—especially those leveraging AI, cloud services, and automation—presents a potential gateway for cyber threats. By investing in supply chain cybersecurity, organisations are not just preventing potential breaches; they're also avoiding the significant financial and reputational repercussions that can follow.

NIS2 addresses supply chain security through three mechanisms:

  • Supplier Risk Assessment: the evaluation, by each entity, of the security-related aspects of its relationships with its direct suppliers and service providers.
  • Coordinated Security Risk Assessment: a procedure carried out at EU level to assess the level of risk of a specific supply chain.
  • National Risk Assessment: the power of Member States to extend the scope of the Directive to entities originally outside its scope.

Steps to Enhance Supply Chain Security for NIS2 Compliance

1. Conduct Thorough Supplier Assessments

Some of the more impactful methods to do this include:

  • Assessment questionnaires to gauge suppliers’ cybersecurity maturity.
  • External data insights to bridge the gap from subjective responses to objective evidence.
  • On-site assessments for high-risk suppliers.
  • Third-party certifications and recognised frameworks, such as ISO/IEC 27001 certification, ISO/IEC 27002 guidance, the NIST CSF, NIST SP 800-53, the CIS Controls, or Cyber Fundamentals. Check that a certificate is current and that its scope actually covers the services you consume, rather than accepting the logo alone.

2. Implement cyber risk measures into contractual obligations

Well-drafted contracts can play a critical role in setting clear expectations, responsibilities, and security requirements for third-party vendors and suppliers. Consider including robust cybersecurity measures, incident response and reporting mechanisms. Contracts should also include provisions on consequences in case of failure and allow you to terminate the agreement if a vendor fails to meet the required cybersecurity standards or has a significant security breach.

3. Leverage Technology for Continuous Monitoring

Use tools and platforms that offer continuous monitoring of supplier networks and automated alerts for deviations or potential threats, so that point-in-time assessments are complemented by ongoing visibility between review cycles.

4. Foster a Culture of Cybersecurity

Building a strong cybersecurity culture extends beyond your organisation. Encourage your suppliers to conduct regular training and awareness programs, and foster a collaborative approach to cybersecurity challenges.

For cybersecurity practitioners, complexity may be a given, but simplicity is a choice. From laying the foundations of a robust supplier risk assessment framework to adopting an eagle-eyed stance on continuous monitoring, compliance obligations can be turned into strategic opportunities to build trust and drive growth.