How will NIS 2 impact automotive finance and leasing?
The Network and Information Systems Directive (NIS) isn’t a new concept as the first directive was already released in 2016 as a fundamental part of the European Cybersecurity Strategy. The new directive – NIS 2 – aims to achieve the same goals as its predecessor, but it’s much broader in scope and regulations. There are more rules around reporting incidents, more specifications of measures, and higher sanctions.
Some of the requirements include risk assessment policies, multi-factor authentication, and cybersecurity training. Developing procedures around handling security incidents, managing business operations during incidents, and enhancing supply chain security will also become crucial parts of your activities in the coming months.
Will NIS 2 apply to you?
If NIS 1 did not apply to you, there’s a big chance NIS 2 will apply since the scope has broadened significantly. In the new directive, the financial services industry, including automotive finance and leasing, is a sector of high criticality where compliance is either essential or important for large and medium entities. Nonetheless, most entities will now need to determine for themselves if they are within scope.
NIS 2 in the financial services industry

| | Essential | Important |
|---|---|---|
| Who? | Large entities* | Medium entities unless actively identified as essential** |
| Requirements | All requirements | All requirements |
| Compliance check | Active monitoring | Action taken if there’s evidence of non-compliance |

\* At least 250 employees, OR an annual turnover of at least 50 million euros or an annual balance sheet total of at least 43 million euros.

\*\* At least 50 employees, OR an annual turnover (or balance sheet total) of at least 10 million euros, but with fewer than 250 employees AND no more than 50 million euros annual turnover or 43 million euros balance sheet total.
Most likely, NIS 2 will apply to you too but if you have any doubts, the full scope can be found in Annex I and II of the NIS 2 directive. Mind, though, that it’s still subject to change as further or stricter specifications can be introduced in your local transposing legislation.
Are you taking actions to comply with NIS 2?
The new directive significantly impacts the automotive finance and leasing industry, requiring compliance with the new requirements. Both you and your technology partners will need to do their part to comply and protect sensitive information from cybersecurity threats.
At Sofico, we’re doing our part
As a critical software provider, we strive to offer you optimal cybersecurity at all times. This translates into a Sofico guarantee to be up to date with regulations — often exceeding the mandatory requirements.
- Since the 2007 banking crisis, we’ve been mindful of the EBA guidelines that impact our customers.
- We are certified with ISO27001 (2013) and are actively updating to the 2022 version.
- We are already in a strong position to comply with NIS 2, since there’s a significant overlap with ISO27001 (2022).
In fact, NIS 2 perfectly complements ISO 27001 by addressing specific requirements that are unique to critical sectors, such as finance. While both frameworks emphasize risk assessment and response procedures, only NIS 2 requires legal compliance and mandatory incident reporting.
As Sofico is active worldwide, we aim to comply with both the international ISO 27001 standard and the European NIS 2 directive.
To meet the NIS 2 requirements by October 17, 2024, we have already established comprehensive security policies, improved system security, and enforced advanced authentication and encryption procedures, among other measures.
Thanks to a secure platform and full compliance from our side, you are assured of working with a contract management solution that’s in line with the NIS 2 directive.
How should you prepare for NIS 2?
There’s not much time left to get your house in order. By October 17, 2024, all member states of the EU must implement the NIS 2 directive into national law and every company within scope must ensure full compliance. This likely includes you.
In the remaining months, make sure to implement the necessary measures. The checklist below covers eleven tasks to help you track your progress and monitor your partners’ efforts. Sofico has already implemented most of these measures as part of our ISO 27001 information security management and is actively working on completing the final tasks.
NIS 2 checklist

| Status | Topic |
|---|---|
| | Set up risk assessments and security policies for information systems. |
| | Create policies and procedures for the use of cryptography and, when relevant, encryption. |
| | Enhance security around the procurement of systems and the development and operation of systems. |
| | Implement stronger security procedures for employees with access to sensitive or important data, including policies for data access. |
| | Enforce the use of multi-factor authentication, continuous authentication solutions, voice, video, and text encryption, and encrypted internal emergency communication, when appropriate. |
| | Develop policies and procedures for evaluating the effectiveness of security measures. |
| | Organize cybersecurity training and practice for basic computer hygiene. |
| | Develop a plan for handling security incidents. |
| | Create a plan on how to manage business operations during and after a security incident. |
| | Enhance security around supply chains and the relationship between the company and direct suppliers. |
| | Review the possibility of an EU requirement to use EU-based cloud providers. |
What does the future hold?
Keep an eye out for the Digital Operational Resilience Act (DORA), which will enter into effect on 17 January 2025. This EU regulation will allow financial services supervisors to oversee third-party providers of critical ICT services, ensuring stronger cybersecurity in the financial sector and better cross-border rules.
Since there’s much overlap between NIS 2 and DORA, the European Commission has decided that DORA will take precedence over NIS 2 for financial entities. So, in practice, NIS 2 may still apply to us as a software provider, but DORA will become the dominant framework for you as a financial entity.
Regardless of the applicable framework, cybersecurity is a critical topic for everyone in automotive finance. If you have any questions about the measures we are taking or if you need our guidance, we are here to help you in other key areas of the directive such as:
- Risk management and analysis
- Corporate accountability and governance
- Mandatory incident reporting
- Resilience and continuity
Eager to know more about Sofico’s cybersecurity approach? Reach out to one of our experts for an in-depth discussion about your requirements and specific needs.