Q&A: Crystal Morin on navigating global regulatory changes


In an exclusive interview, Bobsguide sat down with Crystal Morin, Cybersecurity Strategist at Sysdig, to discuss the challenges and complexities of the evolving regulatory landscape for banks and fintech companies. With over a decade of experience in threat analysis and research, Crystal brings a wealth of knowledge to the forefront of cybersecurity in finance.

Morin’s career began in the United States Air Force as a Cryptologic Language Analyst, followed by a role in the Intelligence Community (IC) at Booz Allen Hamilton (BAH), where she transitioned from counterterrorism to cyber threats. At BAH, she was instrumental in developing a cyber threat intelligence community and maturing threat-hunting capabilities.

Since joining Sysdig in 2022 as a Threat Research Engineer on the company’s Threat Research Team, Morin has focused on understanding and preventing cloud-based attacks. Her expertise lies in bridging the gap between business and security teams, ensuring both sides comprehend the risks and threats they face.

The regulatory landscape

“For banks and fintech companies, particularly those operating in the European Union (EU), the last few years have been a whirlwind of understanding and implementing security regulations and compliance requirements,” notes Morin. “The EU has led the way with a revision and update to the 2016 Network and Information System (NIS) Directive, now known as NIS2, and the creation of the Digital Operational Resilience Act (DORA) to provide guidance on how to make financial services and banking systems more resilient.”

Morin emphasizes the importance of these regulations, stating, “For banks and fintech organizations (and honestly any business that touches them), these security-enhancing regulations establish comprehensive standards for risk management and incident reporting, aiming to bolster these organizations’ cybersecurity posture. These are a safety net for both companies and their customers.”

The reality

Despite the importance of these regulations, Morin points out a key challenge: “NIS2 is still not completely implemented in Member States’ laws and statutes. The European Commission carried out legal action against 23 states whose governments had yet to transpose NIS2 into their national laws by November 2024, one month after the rules were due (a task that they had 21 months to do prior to the laws going into effect). This lack of consistent adoption poses a challenge to global organizations that do business across multiple EU countries.”

Morin further clarifies the complexity of compliance: “It’s also not enough to look at NIS2 or DORA on their own and think that compliance with one of these regulations will be enough to cover you for both. With regards to incident reporting, DORA mandates reporting within four hours, whereas NIS2 requires that a breach is reported within 24 hours. There are differences in preventive security measures as well. Like the reporting guidelines, DORA also has stricter security and resilience testing than NIS2, so the two are not directly equatable.”

Looking beyond the immediate regulations, Morin advises, “Determining what regulations your organization is required to abide by and adhering to the strictest of the benchmarks is the best way to keep your security processes compliant, but it doesn’t mean you’re out of the water yet. The EU Cyber Resilience Act (CRA) entered into force in December 2024 and will legally apply in December 2027 – and global organizations must also keep in mind international regulations, as well. Just to name a couple, the United States’ Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) goes live in October 2025, Hong Kong’s Cybersecurity Law goes into effect in 2026, and both will impact the financial sector.”

Implementation challenges

Morin likens security compliance to a complex puzzle: “Adding to a security compliance stack is like completing a puzzle. For many security and compliance teams, adhering to NIS2 and DORA requirements started with looking at how their existing processes fit within the new requirements – seeing where the puzzle pieces fit. Some examples include the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF), ISO 27001 and 27002, or the variety of security benchmarks from the Center for Internet Security (CIS), which are all great building blocks that organizations use to structure their security policies and procedures. However, just following these guidelines will not automatically deliver compliance with global directives and regulations. The requirements from DORA, in particular, are not fully covered by ISO 27001 or 27002 certifications, so it is important to find and cover those gaps.”

She also addresses the different challenges faced by various institutions: “There are also differences in how cloud-native fintech companies must think about compliance compared to banking institutions using hybrid environments. Banks may still have a wider range of platforms in place that they have to support and keep secure, from older mainframes and legacy applications to more modern applications for customer experience. This might mean they have more platforms to consider for compliance and reporting. Where they have cloud deployments, they may use multiple deployments and availability zones for operational redundancy.”

“For modern cloud-native companies,” Morin explains, “DORA and NIS2 might force them to consider whether their cloud service provider (CSP) is a single point of failure. With so many companies relying on cloud, the risk is that a provider outage could lead to a wider market issue and prevent payments or transfers from taking place – a reason for cloud-native companies to choose to develop multi-cloud architecture. Ensuring that CSPs take resilience seriously is only one element, but it also encourages cloud-native fintech businesses to design their systems for reliability and resilience.”

She emphasizes the severity of non-compliance penalties: “There are penalties for non-compliance with these regulations, and they are serious. Under NIS2, non-compliance could lead to fines of €10,000,000 or 2% of global annual revenue, whichever is higher. Under DORA, institutions can face fines of up to 2% of their global annual turnover or 1% of their average global daily turnover. DORA regulations also state that individuals at institutions can be held personally liable for breaches, with fines up to €1,000,000. Furthermore, DORA states that third-party ICT providers can be fined up to €5,000,000 or €500,000 for individuals. This personal liability aligns with what the U.S. Securities and Exchange Commission (SEC) implemented for individuals liable within publicly listed companies in 2023.”

The security-compliance evolution

Looking ahead, Morin predicts continued evolution in the regulatory landscape: “There is still a long road ahead as NIS2 Member State laws come into place, and more global regulations are on the horizon. To that end, banks and fintech companies should be prepared for the possibility of having to move some of those security puzzle pieces around. The evolution of the global regulatory landscape also requires balancing innovation with compliance when deploying new technologies. Both the impact and the use of artificial intelligence are currently weighing heavily on the security community, though the addition of any tool or feature to an organization must pass a compliance check first to avoid non-compliance and liability fees.”

She concludes with a call to proactive action: “At the same time, organizations must go beyond just meeting regulatory requirements and checking boxes. They must proactively defend their customers, data, and reputations. Security is an ongoing, cyclical process that adapts to new threats and attack campaigns, so as security processes change according to the threat landscape, compliance must also be continuously validated. While regulations may sometimes feel like a burden, organizations that remain agile and adjust accordingly will be best positioned to navigate the ever-changing landscape with stronger security.”
