In the wake of the 2008 financial crisis, the EU passed several new regulations designed to mitigate systemic risks in the financial sector. Initially these efforts focused on ensuring adequate capital requirements to withstand future credit crunches. But as the years went by, regulators began to recognize that an increasingly sophisticated cyber threat landscape, combined with the lack of a uniformand robust legal regime for cyber security, also posed a systemic risk to the financial system.