Service Team

BRIEFING: Uncovering EU Cyber Security and Information Security Regulations for Non-Banking Financial Institutions: Navigating Third Party Risk

Updated: Dec 5

In an age where digital threats are growing rapidly, understanding cyber security and information security regulations is essential for non-banking financial institutions (NFIs) in the European Union (EU). These institutions deal with vast amounts of sensitive customer information daily, making their compliance with regulations not just necessary, but critical. This compliance helps maintain customer trust and protects the overall integrity of the financial system.


This blog post will break down key EU regulations that govern cyber and information security for NFIs, focusing specifically on how these laws address third-party risks. By grasping these regulations, NFIs can bolster their security measures and manage relationships with third-party vendors more effectively.


The EU Regulatory Landscape


The EU has crafted a detailed framework of regulations and directives designed to elevate cyber security and information security across sectors, including non-banking financial services. Key regulations include:


General Data Protection Regulation (GDPR)


The GDPR, which came into effect in May 2018, serves as a foundational law for data protection in the EU. It emphasizes the safeguarding of personal data and demands strict compliance from organizations, including NFIs.


One major component is Article 28, which deals with the responsibilities of data processors—third parties handling personal data on behalf of an NFI. For example, if an NFI outsources marketing services, it must have a Data Processing Agreement ensuring that the third party implements adequate security measures. This not only minimizes the risks of data breaches but also protects valuable customer information.


Network and Information Systems Directive (NIS Directive)


The NIS Directive, established in 2016, aims to improve cyber security across the EU. It applies primarily to operators of essential services and digital service providers, though it encourages all sectors, including NFIs, to adopt best security practices.


Under the NIS Directive, institutions must have appropriate security measures in place. For instance, an NFI working with cloud service providers must evaluate those providers' cybersecurity protocols. The consequences of a third-party breach can be dire, especially if it compromises sensitive financial data.


Payment Services Directive 2 (PSD2)


PSD2 is crucial for governing payment services within the EU. Its goal is to support open banking while ensuring secure transaction processes. This law stresses the necessity of robust customer authentication and the protection of sensitive financial data.


For NFIs, this means paying close attention to third-party service providers, such as payment processors. If a vendor does not meet the security standards set by PSD2, it could jeopardize the institution's security integrity. In fact, according to recent statistics, around 40% of data breaches in financial services arise from third-party vendors, underscoring the importance of compliance.


eIDAS Regulation


The electronic IDentification, Authentication and trust Services (eIDAS) Regulation sets standards for electronic identification and trust services. For NFIs, it is vital to ensure that any third-party partners involved in identity verification or digital signatures adhere to eIDAS standards.


Verifying that third-party service providers are compliant with eIDAS can significantly reduce risks associated with identity fraud. In 2022, fraud cases in the EU rose 30%, highlighting the growing need for secure identification processes.


Further Regulations and Bodies Addressing Third-Party Risk


Recognizing the significance of third-party risk in information security, several additional regulations and bodies offer further guidance for NFIs:


European Union Agency for Cybersecurity (ENISA)


ENISA serves as the primary cybersecurity agency for the EU. It offers invaluable guidelines and best practices, particularly in managing third-party relationships. NFIs can utilize ENISA's resources to clarify their roles in safeguarding third-party access to their systems and sensitive data.


Capital Requirements Regulation (CRR) and Capital Requirements Directive (CRD)


While primarily aimed at banking entities, the CRR and CRD also have implications for NFIs, especially regarding financial market stability. These regulations highlight the need for vigilance when outsourcing to service providers, particularly those handling sensitive data.


NFIs should implement a solid framework for evaluating and onboarding service providers. This framework should be adapted to account for the diverse risks highlighted in these regulations, ensuring a comprehensive approach to risk management.


Strategies for Compliance


To successfully navigate the intricate landscape of EU cyber security regulations concerning third-party risk, non-banking financial institutions should adopt the following strategies:


Develop a Comprehensive Vendor Risk Management Program


Creating a vendor risk management program is essential for NFIs. This program should include thorough due diligence processes that evaluate a third party's cyber security practices and their compliance with relevant regulations. For instance, conducting audits on potential vendors can help identify weaknesses before entering into contracts.


Establish Clear Contracts


Setting up clear contracts with third-party vendors is crucial. These contracts should specify each party's responsibilities regarding data protection and security protocols. Additionally, they should clearly outline the repercussions for non-compliance or data breaches. A well-defined contract helps ensure accountability in the vendor relationship.


Regularly Monitor and Audit Third Parties


Institutions must regularly monitor and audit their third-party vendors to confirm compliance with established security measures. This proactive strategy allows NFIs to spot potential vulnerabilities early and take preemptive action, thus reducing the risk of breaches occurring.


Final Thoughts on Navigating Compliance


Understanding EU cyber security and information security regulations is essential for non-banking financial institutions. As these institutions often rely on third-party services, it is critical to comprehend and adhere to regulations such as the GDPR, the NIS Directive, PSD2, and eIDAS.


A proactive approach to managing third-party risks will not only enhance compliance but also improve the NFI's overall cyber security posture. This effort protects sensitive information while contributing to the resilience of the entire financial ecosystem.


As non-banking financial institutions continue adapting in an increasingly digital landscape, remaining informed about regulatory requirements and effectively managing risks will be crucial for their long-term success and security.
