NIS2 scope expansion
NIS2 replaces the original NIS Directive and extends obligations beyond the operators of essential services covered by that directive to the wider list of essential and important entities set out in Annex I and Annex II. For the financial sector, the relevant categories include credit institutions, investment firms, payment and e-money institutions, crypto-asset service providers, and central securities depositories. Entities are designated as essential or important based on size and sector, with stricter oversight applying to essential entities.
Financial entities in scope
A bond issuer, trustee, security agent or paying agent that meets the size thresholds falls within the financial sector categories of NIS2. Even where an entity is below the threshold, a group-wide risk assessment or the criticality of its services may bring it into scope. The directive requires risk management, incident reporting, business continuity, supply-chain security and accountability at management level.
Governance infrastructure as a supply-chain service
When a bond trustee or agent uses a third-party platform for covenant monitoring, document extraction, alert generation or audit logging, that platform is part of the ICT supply chain. NIS2 Article 23 requires important and essential entities to assess and manage supply-chain risks, including security practices in procurement and the relationship between the entity and its suppliers. This is complementary to, and overlaps with, DORA for financial entities that are also in DORA scope.
Incident reporting and continuity
NIS2 imposes incident reporting to national authorities within 24 hours for significant incidents. For a governance platform that supports continuous covenant monitoring, a significant incident is one that affects the availability, integrity or confidentiality of the monitoring or audit-trail function. Business continuity and recovery plans must therefore cover the platform as part of the entity's critical ICT services.