NIS2 and the Financial Markets Infrastructure Sector
Trading venues, central counterparties (CCPs) and central securities depositories (CSDs) are classified as highly critical. They also fall under DORA's scope. Any disruption can trigger systemic financial risk across the EU.
Key cyber risks in Financial Markets Infrastructure
- ▸Market manipulation via system compromise
- ▸Settlement infrastructure outages
- ▸Data integrity attacks on trade records
- ▸Third-party clearing system vulnerabilities
Focus obligations for Financial Markets Infrastructure
- ✓Real-time monitoring and anomaly detection
- ✓Incident notification within 72 hours
- ✓Operational resilience testing (DORA TLPT)
- ✓Third-party concentration risk management
Who is covered?
Examples of in-scope organisation types:
- ·Stock exchanges and trading venues (MiFID II regulated)
- ·Central counterparties (CCPs)
- ·Central securities depositories (CSDs)
- ·Trade repositories
Is your Financial Markets Infrastructure organisation in scope?
Answer 5 questions and get a personalised NIS2 scope assessment, obligation checklist and readiness score — free.
Check your scope →Financial Markets Infrastructure NIS2 compliance by country
See how national transpositions affect Financial Markets Infrastructure obligations in each EU member state:
Frequently asked questions
Is the Financial Markets Infrastructure sector covered by NIS2?
Yes. The Financial Markets Infrastructure sector is listed in NIS2 Annex I (highly critical sectors). Medium and large organisations in this sector must comply with NIS2 obligations. Trading venues, central counterparties (CCPs) and central securities depositories (CSDs) are classified as highly critical. They also fall under DORA's scope. Any disruption can trigger systemic financial risk across the EU.
Are Financial Markets Infrastructure organisations Essential or Important Entities?
Under NIS2, large Financial Markets Infrastructure organisations are typically Essential Entities. Medium-sized Financial Markets Infrastructure organisations are Essential (large) / Important (medium). The distinction affects supervisory intensity and fine levels.
What are the key NIS2 obligations for the Financial Markets Infrastructure sector?
Real-time monitoring and anomaly detection; Incident notification within 72 hours; Operational resilience testing (DORA TLPT); Third-party concentration risk management. Obligations apply under NIS2 Articles 21 (security measures) and 23 (incident reporting).
Which national authorities supervise NIS2 for Financial Markets Infrastructure in each EU country?
Each EU member state designates a national competent authority for NIS2. Visit any country page on NISDESK to see the specific authority and CSIRT for the Financial Markets Infrastructure sector in that country.
For decision-support purposes only. Exact scope depends on national transposition.