Navigating the New Cybersecurity Landscape: How NIS-2, the AI Act, and CRA are Reshaping Financial Sector Security
The financial sector is facing a rapidly evolving regulatory landscape demanding a proactive and comprehensive approach to cybersecurity. Three key pieces of legislation – NIS-2, the EU AI Act, and the Cyber Resilience Act (CRA) – are driving meaningful changes in how financial institutions and their technology providers manage risk, respond to incidents, and secure their digital infrastructure. While each regulation focuses on a distinct area, they collectively push for a more robust and resilient cybersecurity posture.
NIS-2, already binding since January 17, 2025, substantially expands the scope of the original NIS Directive, applying to a broader range of entities within the financial sector and its associated ICT service providers. It mandates stringent ICT risk management practices, detailed ICT incident reporting, regular resilience testing, and careful management of third-party and cloud dependencies. For 2026, the focus shifts to operationalizing these requirements, meaning companies must have established their resilience organizations and integrated them into ongoing business operations.
Alongside NIS-2, the EU AI Act, which came into force on August 1, 2024, introduces a risk-based framework for the use and provision of artificial intelligence systems. While full implementation extends to August 2, 2026, and beyond for some provisions, organizations must begin preparing now. This includes creating a comprehensive inventory of all AI systems in use, conducting thorough risk assessments, ensuring transparency and documentation, and establishing robust monitoring and quality assurance processes. Crucially, organizations need to implement AI governance to prevent the emergence of “shadow AI” – unapproved AI applications that could introduce compliance and security vulnerabilities.
Completing the triad is the CRA regulation, focused on the security of products with digital elements. Introduced on November 12, 2024, and taking full effect on December 11, 2027, it establishes minimum cybersecurity requirements throughout the entire product lifecycle. Looking ahead to 2026, manufacturers and suppliers of digital products should prioritize “Security by Design” and “Secure by Default” principles, alongside robust vulnerability management and the creation of accurate Software Bills of Materials (SBOMs). Mandatory vulnerability reporting will begin in September 2026.
Despite years of discussion surrounding these regulations, many companies are still seeking clarity and guidance on implementation. A common understanding is emerging: compliance is not merely a checklist exercise, but a fundamental component of preventing security breaches. Cybercriminals are opportunistic and innovative, constantly seeking vulnerabilities and operating outside the bounds of regulation. Therefore, particularly for critical infrastructure operators, a move beyond basic compliance is essential, incorporating automation powered by AI to enhance security strategies.
Solutions like Armis’ cyber exposure management platform, Centrix, are designed to address these evolving requirements. By providing comprehensive asset visibility, real-time intelligence, vulnerability assessments, AI-powered threat detection, and contextual incident intelligence, platforms like Centrix empower organizations to make informed decisions and proactively manage their cyber risk in this new regulatory environment.
Peter Machat, Senior Director EMEA Central at Armis