
🏦 NIS2 for Banking — deadlines, obligations, fines

Banking falls under NIS2 (Directive (EU) 2022/2555 + Romanian Emergency Ordinance 155/2024). See the Art. 21 obligations, deadlines, maximum fines and compliance roadmap for Annex I.

Last reviewed: · CAI Technology · the Lexnomia + AEGIS team

🎯 Who is covered

The banking sector (credit institutions) is listed in Annex I to Directive (EU) 2022/2555 (NIS2) as a sector of high criticality [C2]. In Romania, the rules are transposed by OUG 155/2024 (Romanian Emergency Ordinance transposing NIS2), and DNSC (the Romanian National Cybersecurity Directorate), BNR (the National Bank of Romania) and ASF (the Financial Supervisory Authority) cooperate on enforcement in the financial space [C6][C17]. On top of NIS2, banks fall directly within the scope of Regulation (EU) 2022/2554 (DORA), applicable from 17 January 2025 [C7]. In practical terms, for a bank, compliance means a combined NIS2 + DORA stack, not one or the other.

Examples in Romania

Banca Comercială Română (BCR) · BRD Groupe Société Générale · Banca Transilvania · Raiffeisen Bank România · ING Bank Romania · UniCredit Bank Romania

Applicability thresholds

Annex I of NIS2 covers credit institutions as defined under Article 4 of Regulation (EU) 575/2013 (CRR) [C2]. Default threshold: medium and large entities (>= 50 employees or annual turnover / balance-sheet total >= EUR 10 million) qualify as essential; below-threshold institutions identified by DNSC as playing a critical role may be notified on a case-by-case basis [C2][C6].

📅 Regulatory timeline

  1. Adoption of Directive (EU) 2022/2555 (NIS2) and Regulation (EU) 2022/2554 (DORA) [C1][C7]

  2. Publication of NIS2 and DORA in the Official Journal of the EU [C1][C7]

  3. MiCA Titles III and IV (asset-referenced tokens, e-money tokens) enter into application [C16]

  4. EU deadline for transposing NIS2 into national law (NIS2 Art. 41) [C1]

  5. NIS1 (Directive 2016/1148) repealed; NIS2 takes effect [C1]

  6. MiCA fully applicable [C16]

  7. Romania publishes OUG 155/2024 — NIS2 transposition; DNSC designated as competent authority [C6]

  8. DORA enters into full application across the EU; ICT third-party registers under Art. 28 become mandatory [C7][C10]

  9. ECB updates TIBER-EU for full alignment with the DORA RTS on TLPT [C11]

  10. Adoption of Comm. Del. Reg. (EU) 2025/1190 β€” criteria for entities required to perform TLPT [C9]

📋 Key obligations

ICT risk-management framework (NIS2 Art. 21(2) + DORA Chapter II)

effort: high

A documented framework covering risk policies, system security, cryptographic controls and MFA, training and effectiveness assessment. NIS2 Art. 21(2) imposes the ten minimum measures (a-j) under an all-hazards approach, aligned with European and international standards including ISO/IEC 27001 and ISO/IEC 27002 [C3]. DORA layers sector-specific requirements on top (policies, asset identification, cryptographic protection, detection, response). EBA/GL/2019/04 remains applicable to credit institutions and investment firms in a narrowed scope after DORA enters into application [C12]. The management body approves and oversees implementation (NIS2 Art. 20) [C14].

Recommended controls: NIS2 Art. 21(2)(a-j) · DORA Art. 5-15 · EBA/GL/2019/04 · ISO/IEC 27001:2022 · ISO/IEC 27002:2022

Incident reporting on two parallel tracks (NIS2 Art. 23 + DORA Art. 19)

effort: high

For a bank under both NIS2 and DORA, the same category of event can trigger two parallel reporting flows. NIS2 Art. 23: early warning to the CSIRT within 24 hours of awareness, incident notification within 72 hours, and final report within one month [C4]. DORA Art. 19 (Joint Committee RTS): initial notification within 4 hours after classifying the incident as major and within 24 hours of detection, intermediate report within 72 hours, final report within one month [C8]. In practice, the CISO needs a single runbook that produces both filings in parallel, covering BNR/ASF on the DORA side and DNSC on the NIS2 side.

Recommended controls: NIS2 Art. 23(4) · DORA Art. 17-19 · Comm. Del. Reg. (EU) 2024/1772 — incident classification · Comm. Del. Reg. (EU) 2025/301 — RTS on reporting content · Comm. Impl. Reg. (EU) 2025/302 — ITS reporting templates

TLPT (threat-led penetration testing) every 3 years — DORA Art. 26

effort: high

Significant financial entities (including banks above a defined threshold) must carry out advanced testing via TLPT at least every three years [C9]. Where internal testers are used, every third cycle must be subcontracted to external testers (DORA Art. 26(8)) [C9]. The technical reference framework is TIBER-EU, updated in February 2025 to align with the DORA RTS on TLPT [C11]. Romania is among the Member States that have adopted TIBER-EU, so we can run domestic TLPT engagements compatible with the European framework [C11]. Scope covers critical or important functions in production, not pre-prod.

Recommended controls: DORA Art. 26 · DORA Art. 26(8) · TIBER-EU framework (ECB) · Comm. Del. Reg. (EU) 2025/1190

ICT third-party risk management (DORA Chapter V + NIS2 Art. 21(2)(d))

effort: medium

DORA Art. 28(3) requires financial entities to maintain a register of ICT third-party contractual arrangements at entity, sub-consolidated and consolidated level, using the standard template imposed by Comm. Impl. Reg. (EU) 2024/2956 [C10]. Competent authorities and the ESAs use the register to designate Critical ICT Third-Party Providers (CTPPs) subject to the DORA oversight regime. NIS2 Art. 21(2)(d) overlays a supply-chain security requirement that applies to every essential entity, not only financial ones [C3]. Concretely: mandatory contract clauses (exit strategy, audit rights, sub-outsourcing), continuous monitoring, concentration assessment.

Recommended controls: DORA Art. 28(3) · DORA Art. 28-30 · NIS2 Art. 21(2)(d) · Comm. Impl. Reg. (EU) 2024/2956

Digital operational resilience and business continuity (DORA Art. 11-14)

effort: high

DORA requires ICT business continuity policies, response and recovery plans, and regular scenario testing (including switch-over, recovery, and crisis communication). NIS2 Art. 21(2)(c) adds business continuity and crisis management as minimum measures [C3]. For credit institutions, EBA/GL/2019/04 (BCM and DR) remains the operational reference in the post-DORA narrowed scope [C12]. A bank must demonstrate documented RTO/RPO for every critical function and annual plan testing (DORA Art. 25, basic testing). The ICBC and Evolve incidents show the lesson plainly: continuity plans you have not exercised for real do not work under crisis conditions.

Recommended controls: DORA Art. 11-14 · DORA Art. 25 · NIS2 Art. 21(2)(c) · EBA/GL/2019/04 (BCM section)

📰 Real incidents, concrete lessons

ICBC Financial Services (US subsidiary of ICBC)

2023 · United States (global impact on US Treasury markets)

Type: LockBit ransomware exploiting CitrixBleed (CVE-2023-4966)

Impact: Financial systems decoupled; SIFMA notified members that US Treasury trades could not be settled through ICBC; partial restoration on 8-9 November 2023.

Lesson: Poor patch management on a publicly known vulnerability (Citrix patch released 10 October 2023) shut down settlements on global markets. NIS2 Art. 21(2)(e) and DORA Art. 9 require timely vulnerability handling.


Infosys McCamish Systems / Bank of America

2023 · United States

Type: Ransomware (LockBit suspected) at a third-party ICT supplier

Impact: 57,028 people affected; data on deferred compensation plans administered for Bank of America compromised; SEC disclosure by Infosys on 3 November 2023; notification by Bank of America on 24 November 2023.

Lesson: ICT supply chain: a compromised vendor (Infosys McCamish) exposed sensitive data of a major customer. DORA Chapter V and NIS2 Art. 21(2)(d) require continuous contractual evaluation and monitoring of every ICT provider.


Evolve Bank & Trust

2024 · United States

Type: LockBit ransomware (incident discovered 29 May 2024)

Impact: 7.6 million people affected; SSNs, bank account numbers and contact details for most retail customers; Banking-as-a-Service partners (Affirm, Wise) in turn reported exposure through their ICT contracts.

Lesson: The Banking-as-a-Service model propagated the incident to dozens of fintech partners through ICT contracts. DORA Art. 28 (third-party register) plus concentration testing reduce the blast radius.


MOVEit Transfer (Progress Software) — vector with hundreds of financial victims

2023 · Global (EU+UK+US)

Type: Zero-day SQL injection exploit CVE-2023-34362, operated by Clop ransomware

Impact: By July 2023: 383 organisations and 20+ million people affected; in 2024 the total exceeded 2,700 organisations and ~95 million people. Confirmed victims in finance: Tesco Bank, Putnam Investments, and multiple financial firms hit via suppliers (e.g. Zellis payroll).

Lesson: A supply-chain attack on a widely deployed file-transfer product. NIS2 Art. 21(2)(d) and DORA Chapter V require an ICT supply-chain inventory and response procedures for critical providers.


⚠️ Typical threats

  • Phishing + business email compromise
  • Cyber-fraud on SWIFT / SEPA
  • Ransomware on core banking

💰 Maximum fines

DORA + NIS2 = up to EUR 10 million + 1% of daily turnover

📊 Romania compliance status

The top 5 Romanian banks (BRD, BCR, Banca Transilvania, Raiffeisen, ING) are at 80%+ DORA-NIS2 readiness.

🛡️ How CAI Technology helps

📚 Adjacent regulations with overlap

DORA — Regulation (EU) 2022/2554 · Directly applicable from 17 January 2025; no national transposition required [C7]

Fully overlaps with NIS2 for credit institutions. Key differences: DORA requires initial notification within 4 hours after classification (NIS2: 24-hour early warning) [C4][C8]; DORA mandates TLPT every 3 years for significant entities (NIS2 has no mandatory TLPT) [C9]; DORA imposes a standardised ICT third-party register (NIS2 only requires proportionate supply-chain measures) [C10][C3].

EBA/GL/2019/04 — Guidelines on ICT and security risk management · Applicable through BNR/ASF regulations; scope narrowed after DORA enters into application (EBA/GL/2025/02) [C12]

Baseline framework for credit institutions and investment firms on ICT risk management and BCM. After 17 January 2025, certain requirements migrated under DORA, but the guidelines remain the reference in areas not covered by DORA.

PSD2 — Directive (EU) 2015/2366 + SCA RTS (Delegated Reg. 2018/389) · RTS on Strong Customer Authentication applicable from 14 September 2019 [C15]

For any bank operating payment services, SCA is mandatory for electronic remote transactions. Customer authentication mechanisms must sit within the broader ICT risk-management framework required by DORA and NIS2.

MiCA — Regulation (EU) 2023/1114 · Fully applicable from 30 December 2024 [C16]

Relevant for banks issuing electronic-money tokens (EMTs) or offering crypto-asset custody. Cybersecurity requirements for CASPs overlap with DORA obligations, since most CASPs will be treated as financial entities under DORA.

TIBER-EU — ECB framework for threat-led red teaming · Adopted in Romania; the 2025 framework version is aligned with DORA [C11]

Technical reference framework for the TLPTs required by DORA Art. 26. Provides methodology, criteria for the threat intelligence provider and the red team, and reporting structure.

❓ Frequently asked

I am a bank authorised by BNR — am I in scope of NIS2?

Yes. NIS2 Art. 2 and Annex I explicitly list credit institutions (as defined in Art. 4 of Regulation 575/2013) as a sector of high criticality [C2]. If you are a medium or large enterprise (>= 50 employees or >= EUR 10 million turnover), you are an essential entity. In Romania, OUG 155/2024 and DNSC handle registration, with BNR and ASF cooperating on the financial-services side [C6][C17].

How do NIS2 and DORA stack up for Romanian banks?

Neither exempts you from the other. NIS2 (horizontal) imposes ten minimum risk-management measures and incident reporting on a 24h / 72h / 1 month track [C3][C4]. DORA (sectoral, lex specialis for financial entities) imposes TLPT, the ICT third-party register, and reporting on a 4h / 24h / 72h / 1 month track [C8][C9][C10]. In practice: a single ICT risk framework that satisfies both, and two parallel reporting channels.

What is TLPT, and when am I required to run it?

Threat-led penetration testing: red teaming on production systems, guided by real threat intelligence. DORA Art. 26 requires TLPT at least every 3 years for significant financial entities [C9]. If you use internal testers, external testers are mandatory for every third test (Art. 26(8)) [C9]. The technical framework is TIBER-EU, version 2025 aligned with the DORA RTS [C11]. The exact criteria for identifying in-scope entities are set out in Comm. Del. Reg. (EU) 2025/1190 [C9].

Incident reporting deadlines to BNR and DNSC — what exactly?

Two parallel channels. NIS2 (to CSIRT/DNSC): early warning within 24 hours of awareness, notification within 72 hours, final report within one month (Art. 23) [C4]. DORA (to the competent authorities; for credit institutions, BNR): initial notification within 4 hours of classification as major and within 24 hours of detection, intermediate report within 72 hours, final report within one month (Art. 19 + RTS) [C8]. Practical recommendation: build a single process that feeds both filings automatically.
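As an added illustration (not code from the original page), here is one way to express the dual-track runbook described in the "Key obligations" section and in this answer: a small Python scheduler that derives every filing deadline on both tracks from the three clock-start events the page names (detection, awareness, classification as major). Two assumptions are mine, not the page's: DORA's intermediate and final clocks are taken to run from the preceding filing, and "within one month" is computed as calendar-month arithmetic.

```python
import calendar
from datetime import datetime, timedelta, timezone

def utc(y, m, d, h=0, mi=0) -> datetime:
    """Constructed UTC timestamps for the sample input and for callers."""
    return datetime(y, m, d, h, mi, tzinfo=timezone.utc)

def add_one_month(t: datetime) -> datetime:
    """'Within one month' as calendar-month arithmetic (assumption), day clamped to month end."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    return t.replace(year=year, month=month, day=min(t.day, calendar.monthrange(year, month)[1]))

def nis2_deadlines(aware: datetime) -> dict:
    """NIS2 Art. 23 track (to CSIRT/DNSC): all three clocks start at awareness."""
    return {
        "early_warning": aware + timedelta(hours=24),
        "incident_notification": aware + timedelta(hours=72),
        "final_report": add_one_month(aware),
    }

def dora_deadlines(detected: datetime, classified_major: datetime) -> dict:
    """DORA Art. 19 track (to BNR): initial notification within 4 h of classification
    as major AND within 24 h of detection, so the binding deadline is the earlier one."""
    if classified_major < detected:
        raise ValueError("classification as major cannot precede detection")
    initial = min(classified_major + timedelta(hours=4), detected + timedelta(hours=24))
    # Assumption: intermediate and final clocks run from the preceding filing, which
    # is modelled as submitted exactly at its deadline (worst case for the runbook).
    intermediate = initial + timedelta(hours=72)
    return {
        "initial_notification": initial,
        "intermediate_report": intermediate,
        "final_report": add_one_month(intermediate),
    }

def filing_schedule(detected, aware, classified_major):
    """Merge both tracks into one chronologically ordered runbook: (track, filing, due)."""
    rows = [("NIS2/DNSC", k, v) for k, v in nis2_deadlines(aware).items()]
    rows += [("DORA/BNR", k, v) for k, v in dora_deadlines(detected, classified_major).items()]
    return sorted(rows, key=lambda r: r[2])

if __name__ == "__main__":
    # Constructed sample: detection at 08:00 UTC, awareness at the same moment,
    # classification as major two hours later.
    t0 = utc(2024, 6, 1, 8)
    for track, filing, due in filing_schedule(t0, t0, utc(2024, 6, 1, 10)):
        print(f"{due:%Y-%m-%d %H:%M} UTC  {track:10s} {filing}")
```

Note that a slow classification decision does not buy time: once detection plus 24 hours is earlier than classification plus 4 hours, the detection clock binds.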

Can I outsource to a public hyperscaler (AWS, Azure, GCP)?

Yes, while complying with DORA Chapter V and NIS2 Art. 21(2)(d). DORA Art. 28(3) requires a consolidated register of ICT contractual arrangements using the standard template imposed by Comm. Impl. Reg. (EU) 2024/2956 [C10]. Hyperscalers are candidates for Critical Third-Party Provider (CTPP) status, subject to direct ESAs oversight [C10]. Mandatory clauses include exit strategy, audit rights, sub-outsourcing controls, and concentration monitoring.

What is the maximum fine for an essential bank?

Under NIS2 Art. 34: at least EUR 10 000 000 or 2% of total worldwide annual turnover, whichever is higher [C5]. For important entities: EUR 7 000 000 or 1.4% [C5]. Under DORA Art. 50, ceilings are set by national legislation; the regulation contains no uniform EUR cap for financial entities (only periodic penalties for CTPPs). Sanctions can stack with those under GDPR Art. 83 and under banking legislation.

Who is personally liable on the bank's management body?

NIS2 Art. 20 requires management bodies to approve risk-management measures and oversee their implementation, and provides that they can be held liable for infringements [C14]. The directive allows Member States to impose temporary bans on holding management positions in essential entities. In Romania, OUG 155/2024 has transposed these provisions [C6].

🔗 Official sources

Are you in the banking sector?

Free NIS2 audit for companies with 50+ employees. We reply within 24 business hours.

Request audit →