NIS2 and the Banking Sector
Credit institutions and banking entities fall under both NIS2 Annex I and DORA (EU) 2022/2554. NIS2 obligations apply in parallel with DORA's digital operational resilience requirements. Systemic importance makes this a priority sector.
Key cyber risks in Banking
- DDoS attacks on online banking services
- SWIFT and interbank network compromise
- Account takeover and credential stuffing
- Third-party ICT provider failures
Focus obligations for Banking
- ICT risk management framework (aligned with DORA)
- 72-hour incident notification to national authority
- Third-party ICT service provider oversight
- Business continuity and disaster recovery testing
Who is covered?
Examples of in-scope organisation types:
- Commercial and retail banks
- Credit institutions (licensed under CRR)
- Online banking platforms
- Payment infrastructure operators
Banking NIS2 compliance by country
National transpositions affect Banking obligations differently in each EU member state; see the individual country pages for details.
Frequently asked questions
Is the Banking sector covered by NIS2?
Yes. The Banking sector is listed in NIS2 Annex I (highly critical sectors). Medium and large organisations in this sector must comply with NIS2 obligations. Credit institutions and banking entities fall under both NIS2 Annex I and DORA (EU) 2022/2554. NIS2 obligations apply in parallel with DORA's digital operational resilience requirements. Systemic importance makes this a priority sector.
Are Banking organisations Essential or Important Entities?
Under NIS2, large Banking organisations are typically Essential Entities, and medium-sized Banking organisations are typically Important Entities. The distinction affects supervisory intensity and fine levels.
What are the key NIS2 obligations for the Banking sector?
ICT risk management framework (aligned with DORA); 72-hour incident notification to national authority; third-party ICT service provider oversight; business continuity and disaster recovery testing. These obligations apply under NIS2 Articles 21 (security measures) and 23 (incident reporting).
Which national authorities supervise NIS2 for Banking in each EU country?
Each EU member state designates a national competent authority for NIS2. Visit any country page on NISDESK to see the specific authority and CSIRT for the Banking sector in that country.
For decision-support purposes only. Exact scope depends on national transposition.