BondGovernance — Infrastructure for Secured Bonds

§ 07.6 — NIS2, financial entities

NIS2 and financial entities: how bond governance infrastructure is in scope.

Directive (EU) 2022/2555, the Network and Information Security Directive (NIS2), entered into force on 16 January 2023 and must be transposed by 17 October 2024. It expands cybersecurity obligations to a broader set of entities, including financial market infrastructure, payment institutions, crypto-asset service providers and ICT service providers that support them. A bond governance platform is part of that supply chain.

BondGovernance, Regulatory desk · Editorial standard

Reviewed 2026-07-01 · Primary-source cited below

01 · NIS2 scope expansion

NIS2 replaces the original NIS Directive and extends obligations beyond operators of essential services to a wider list of essential and important entities in the sectors listed in Annex I and Annex II. For the financial sector, the relevant categories include credit institutions, investment firms, payment and e-money institutions, crypto-asset service providers, and central securities depositories. Entities are designated as essential or important based on size and sector, with stricter oversight for essential entities.

02 · Financial entities in scope

A bond issuer, trustee, security agent or paying agent that meets the size thresholds falls within the financial sector categories of NIS2. Even where an entity is below the threshold, a group-wide risk assessment or the criticality of its services may bring it into scope. The directive requires risk management, incident reporting, business continuity, supply-chain security and accountability at management level.

03 · Governance infrastructure as a supply-chain service

When a bond trustee or agent uses a third-party platform for covenant monitoring, document extraction, alert generation or audit logging, that platform is part of the ICT supply chain. NIS2 Article 23 requires important and essential entities to assess and manage supply-chain risks, including security practices in procurement and the relationship between the entity and its suppliers. This is complementary to, and overlaps with, DORA for financial entities that are also in DORA scope.

04 · Incident reporting and continuity

NIS2 imposes incident reporting to national authorities within 24 hours for significant incidents. For a governance platform that supports continuous covenant monitoring, a significant incident is one that affects the availability, integrity or confidentiality of the monitoring or audit-trail function. Business continuity and recovery plans must therefore cover the platform as part of the entity's critical ICT services.

§ Key takeaways

  • K.01 NIS2 expands cybersecurity obligations to a broader set of financial entities and their ICT supply chains.

  • K.02 Bond trustees, agents and issuers that meet size thresholds fall within the financial-sector categories of NIS2.

  • K.03 A governance platform used for covenant monitoring is part of the ICT supply chain and must be risk-managed under Article 23.

  • K.04 Significant incident reporting and business continuity requirements apply to the platform's availability, integrity and confidentiality.

§ Primary sources

  1. [01] Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union. European Union, OJ L 333, 27.12.2022, p. 80.

  2. [02] ENISA, NIS2 Directive, implementation support and guidance, 2024.

  3. [03] European Commission, DG CONNECT, NIS2 Directive, official overview and national transposition.