The FSCA Joint Standard 2 Makes Every Tech SME a Regulated Entity


Posted on 19 February 2026 10:43


In the interconnected landscape of the South African financial sector, a quiet but monumental shift has occurred. With the implementation of FSCA Joint Standard 2 of 2024: Cybersecurity and Cyber Resilience Requirements (JS2), the regulatory spotlight has expanded beyond the marble hallways of banks and insurers to illuminate the server rooms of every SME providing them with services. The message is unequivocal: in the eyes of the regulator, your cybersecurity is now their cybersecurity.

A common and dangerous misconception is that JS2 is "someone else's problem." In reality, the "downstream" impact on non-financial service providers is not merely transformative; it is a fundamental shift in the cost of doing business with the financial sector.


The Compliance Cascade: Why JS2 Matters to Your SME

JS2 mandates that financial institutions (FIs) practise third-party risk management (TPRM) with surgical precision. For an FI to remain compliant, it must ensure that its service providers, the SMEs providing cloud hosting, software development, payroll, or even specialized consulting, meet the same rigorous cybersecurity standards. Your business is no longer just a "vendor"; you are a "critical information asset" in their regulated ecosystem.


Navigating the Framework Question: Prescription vs. Pragmatism

A frequent question I hear is: "Which framework do we have to use?" The answer requires understanding the difference between regulatory prescription and market expectation.

The short answer is that JS2 is not strictly prescriptive about which framework you must use. It is, however, prescriptive about the outcomes. Section 5(1)(a) requires a "documented cybersecurity strategy and framework" that is "proportionate to the nature, size, and complexity" of the business. While the regulator won't force you to pick ISO 27001 over the NIST CSF, it will require you to prove that your chosen framework demonstrably addresses the specific "Fundamentals" and "Hygiene Practices" laid out in Sections 7 and 8.

This is where proportionality meets market reality. A five-person marketing agency supporting a bank's communications team faces a different risk profile from a 50-person firm hosting critical core-banking infrastructure, and the FI's scrutiny, and the framework it expects, should in theory reflect that difference. In practice, however, ISO 27001 remains the gold standard for "evidence" among South African executives. When a Tier-1 bank conducts due diligence, "We follow NIST and here's how it maps to JS2" can be a valid, robust conversation, but "We are ISO 27001 certified" is often a closed ticket. The certification provides a shorthand for competence that a self-assessed framework, however well-executed, struggles to match.


The Downstream Requirements: Five Pillars of Evidence

Under JS2, you should expect your FI clients to request evidence supporting the following five pillars. The depth of evidence will be proportionate to the criticality of the service you provide.

A. Governance and Accountability

FIs must verify that their service providers have a governing body that takes formal responsibility for cybersecurity.

  • The Evidence: Board minutes or management resolutions approving a Cybersecurity Strategy, and a designated individual (CISO, IT Director, or even a competent, mandated partner) accountable for its execution.

B. The 24-Hour Incident Notification Rule

Section 9 of JS2 mandates that FIs report material incidents to the Authorities within 24 hours. This creates a tight contractual cascade.

  • The Downstream Impact: Your contract with an FI will likely be updated to require you to notify them immediately, often within 2–6 hours, so they can meet their own regulatory window. This SLA must be realistic and tested.
  • The Evidence: A formal Incident Response Plan (IRP) that specifically includes the contact details, escalation paths, and agreed-upon notification SLAs for your FI clients.

C. Non-Negotiable Cybersecurity Hygiene

Section 8 outlines fundamental "hygiene" practices that are not optional.

  • The Evidence: Proof of Multi-Factor Authentication (MFA) across all accessible systems, an active Patch Management Policy with evidence of consistent application, and records of regular Vulnerability Assessments or Penetration Testing appropriate to your environment.

D. Cyber Resilience and Business Continuity

While the specific "2-Hour Rule" for recovery applies to National Payment System participants under SARB Directive 01/2024, the "spirit" of resilience in JS2 (Section 11 on Outsourcing) requires that critical systems can be recovered. You will need to demonstrate that your plans are not just documents on a shelf.

  • The Evidence: Alignment with a standard like ISO 22301 is beneficial, but the core requirement is proof of tested backups and a demonstrable understanding of the Recovery Time Objectives (RTO) that your FI clients' risk appetite demands.

E. Data Privacy and POPIA Alignment

POPIA's Condition 7 (Security Safeguards) is mirrored in JS2's requirements for "appropriate, reasonable technical and organizational measures." Compliance with one supports compliance with the other.

  • The Evidence: A maintained Record of Processing Activities (ROPA) and documented evidence that all staff with access to personal information have undergone regular privacy and security awareness training.


The Strategic Shift: Turning Compliance into a Competitive Advantage

For many South African SMEs, this regulatory burden is viewed as a "grudge purchase": a costly hurdle to doing business. However, I argue the opposite.

In a market where the FSCA is tightening the screws, demonstrable compliance is your competitive moat. If you can proactively provide a "compliance pack" containing your independently audited framework (ideally ISO 27001), your JS2-aligned IRP, and your POPIA manual, you remove the friction from the FI's procurement and risk teams. You transform from a potential liability into a low-risk, easy-to-onboard partner.


A Note on Implementation: Working Smarter, Not Harder

Mapping these controls manually is an exercise in futility. The overlap between ISO 27001, POPIA, and JS2 is significant: roughly 70-80% of the controls are shared. Attempting to manage them in spreadsheets leads to duplication, errors, and audit fatigue.

This is precisely the problem Exponuity was designed to solve. By using a unified platform, you perform the control implementation and evidence mapping once. When an FI asks for "JS2 compliance," you aren't starting from scratch; you are simply filtering your existing ISO/POPIA controls to generate a report that speaks the regulator's language. The principle, however, is sound regardless of the tool: manage to a comprehensive standard and report against multiple requirements.


Conclusion

The FSCA Joint Standard 2 has effectively turned South African Financial Institutions into "mini-regulators" of their own supply chains. For SMEs, the message is clear: the era of "security by obscurity" is over. The ability to evidence your controls proportionately, robustly, and ideally against a recognized standard, is now a prerequisite for participation in the financial economy. Those who view this as an investment in resilience and market access will thrive; those who delay will find themselves locked out.


References

  • FSCA & PA (2024). Joint Standard 2 of 2024: Cybersecurity and Cyber Resilience Requirements for Financial Institutions.
  • Republic of South Africa (2013). Protection of Personal Information Act (POPIA), Act No. 4 of 2013.
  • SARB (2024). Directive No. 01 of 2024: Cybersecurity and Cyber-Resilience within the National Payment System.
  • International Organization for Standardization (2022). ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection.



Copyright © 2026 - Exponential IT Solutions CC