// NIS2
NIS2 compliance for financial entities outside DORA's full scope.
NIS2 (Directive (EU) 2022/2555) is transposed into national law in Cyprus, Malta and Greece. If your entity falls outside DORA's coverage, or sits in the overlap between the two regimes, we build your compliance documentation and evidence workspace to the Article 21 standard.
Book a DORA/NIS2 Readiness Call
Not sure whether you fall under DORA or NIS2? We clarify this in the first call, at no charge.
// SCOPE
NIS2 scope — financial entities.
NIS2 expands the scope of cybersecurity obligations to a broader set of entities than its predecessor. In the financial sector, NIS2 covers:
Essential entities
Credit institutions (banks), operators of trading venues (stock exchanges) and central counterparties, where the entity exceeds the size ceiling for medium-sized enterprises (Annex I of the Directive). Medium-sized entities of the same types are classed as important entities.
Important entities
Smaller investment firms, insurance undertakings, and certain payment institutions and e-money institutions (EMIs) that DORA does not cover in full, for example those subject to DORA's simplified ICT risk management framework. Whether such an entity is actually in NIS2 scope depends on the sector annexes and on the national transposition, which is why scoping comes first.
The lex specialis rule
Where DORA applies fully to a financial entity, DORA replaces NIS2 for ICT risk management and incident reporting obligations. However, NIS2 governance requirements — particularly the personal liability of management — remain relevant across the financial sector. If you are uncertain whether DORA covers your entity fully, a scoping conversation is the right first step.
// ARTICLE 21
NIS2 Article 21: translated.
NIS2 Article 21 requires essential and important entities to take appropriate and proportionate technical, operational and organisational measures to manage the risks to their network and information systems, taking account of the state of the art, the cost of implementation and the entity's size and exposure. In plain terms, this means:
- 01
Risk analysis and information security policies
A documented policy framework covering how your firm identifies and manages cybersecurity risks. Not a PowerPoint. A working document with evidence of board approval and periodic review.
- 02
Incident handling
Written procedures for detecting, classifying, containing, and reporting security incidents. For significant incidents, NIS2 (Article 23) requires an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report no later than one month after that notification; intermediate status updates may be requested in between.
- 03
Business continuity
Documented backup and recovery procedures, business continuity plans, and crisis management arrangements for significant ICT disruptions.
- 04
Supply chain security
Assessment of the cybersecurity posture of your significant suppliers and ICT service providers. Documented due diligence, not just a questionnaire sent and filed.
- 05
Network and information systems security
Baseline technical security controls: access control, multi-factor authentication, asset inventory, vulnerability management, encryption of data in transit and at rest.
- 06
Cybersecurity hygiene and training
Evidence of staff awareness training, policy acknowledgements, and management training on cybersecurity governance obligations.
- 07
Cryptography policies
Written policy on encryption standards and key management practices.
- 08
HR security and access control
Joiners/movers/leavers processes, privileged access management, and role-based access controls documented and implemented.
- 09
Multi-factor authentication
MFA (or continuous authentication, which Article 21 also allows) enabled for all remote access, privileged accounts, and critical systems. Evidenced, not assumed: enrolment reports and configuration exports, not a policy statement.
- 10
Governance accountability
The management body must approve the cybersecurity risk management measures, oversee their implementation, and can be held liable for infringements (this sits in Article 20, alongside the Article 21 measures). For essential entities, enforcement under Article 32 can extend to a temporary ban on the CEO or legal representative exercising managerial functions where the entity fails to comply with enforcement measures by the deadline set.
// DELIVERABLES
The NIS2 readiness pack.
Information Security Policy Framework
A documented, board-approved policy set covering the Article 21 requirements. Formatted for regulatory review and periodic audit.
Incident Response & Reporting Procedures
Classification criteria, notification templates (24-hour early warning, 72-hour incident notification, one-month final report), and reporting workflows. Aligned to the national transposition requirements in Cyprus, Malta, or Greece.
Business Continuity Documentation
ICT continuity plan, backup and recovery procedures, and crisis communication framework — proportionate to your entity's size and service profile.
Supply Chain Security Register
Documented review of key ICT suppliers and service providers, with risk ratings and contract compliance notes.
Evidence Workspace
A structured folder of compliance evidence — policy documents, training records, board minutes, test results — organised to support a regulatory inspection or audit.
Management Liability Briefing
A short briefing document for directors and senior management explaining their personal obligations under NIS2, in plain language.
Not sure where your firm stands?
NIS2 and DORA overlap in ways that create genuine uncertainty for small regulated entities. A 20-minute call will clarify your position, your obligations, and the fastest route to documented compliance.
Book a DORA/NIS2 Readiness Call