JS2 of 2024 · South Africa · Licensed FSPs

Your bridge between board governance and cyber compliance

CyberMax Advisory guides South African financial service providers through full JS2 of 2024 compliance — translating FSCA cybersecurity requirements into practical, proportionate governance your board can stand behind.

  • 1 Jun 2025: Commencement date
  • R16m: Maximum penalty per contravention
  • 6: Core JS2 control domains
  • 100%: Board-level accountability

⚠ Compliance Status
JS2 of 2024 is now in force. FSCA-licensed providers must demonstrate active compliance or face material regulatory and personal liability.

Why JS2 of 2024 demands attention

Joint Standard 2 of 2024 is a binding FSCA and PA standard applying to all licensed financial service providers. It goes beyond IT policy — it mandates board-owned cybersecurity governance with documented frameworks, tested controls, and ongoing risk management.

  • Issuing Authority: Financial Sector Conduct Authority (FSCA) & Prudential Authority (PA)
  • Commencement: 1 June 2025 — active enforcement
  • Applies To: All licensed FSPs, banks, insurers, and market infrastructure operators
  • Core Domains: Governance · Risk Management · Controls · Third-Party Risk · Incident Response · Recovery
  • R16m: Maximum administrative penalty per contravention under the FSRA

Practical compliance, not just documentation

We operate as your external cybersecurity governance partner — bringing regulatory expertise and board-level communication skills to close the gap between your IT environment and your JS2 obligations.

01. JS2 Readiness Assessment

A structured baseline assessment mapping your current cybersecurity posture against all JS2 control domains — producing a clear gap analysis and remediation roadmap.

  • Gap analysis report
  • Risk-rated findings
  • Prioritised remediation plan
  • Board executive summary

02. Cybersecurity Framework Build

End-to-end development of your JS2-compliant cybersecurity framework — including strategy, governance structures, roles & responsibilities, and control documentation.

  • Cybersecurity strategy document
  • Roles & responsibilities matrix
  • IT provider contract schedules
  • Policy suite (JS2-aligned)

03. Board Readiness & Advisory

Preparing your board and executive team to own, evidence, and report on cybersecurity governance — from sign-off templates to regulatory engagement support.

  • Board sign-off documentation
  • Director briefing sessions
  • Regulatory correspondence support
  • Ongoing governance advisory

04. Third-Party Risk Management

Assessing and formalising your IT service provider relationships in line with JS2's third-party risk requirements, including contract schedules and oversight frameworks.

  • Provider risk assessments
  • JS2 contract schedule (Parts A & B)
  • Oversight monitoring framework
  • Due diligence templates

05. Incident Response Planning

Developing and testing your cyber incident response plan to meet JS2's notification and recovery requirements — so you're prepared before an incident occurs.

  • Incident response plan
  • FSCA notification procedures
  • Tabletop exercise facilitation
  • Recovery plan documentation

06. Pre-Audit Readiness Review

A final structured review before any regulatory inspection or internal audit — validating your evidence base, identifying residual gaps, and preparing your team for scrutiny.

  • Evidence portfolio review
  • Readiness scorecard
  • Remediation tracker close-out
  • Regulatory Q&A simulation

Staff Training · JS2 Requirement
Cybersecurity Awareness Training Programme
JS2 mandates ongoing staff cybersecurity awareness. Our interactive, self-paced training platform covers all JS2-relevant topics — phishing, data handling, incident reporting, and more — with built-in quizzes, AI-powered personalised guidance, and a printable completion certificate for your compliance records.

A six-phase methodology built for regulated firms

Our engagement model mirrors the JS2 compliance lifecycle — structured, documented, and designed to produce evidence your board can rely on and your regulator can inspect.

Phase 01: Initial Engagement & Scoping

Define your regulatory perimeter, organisational profile, and proportionality position. Establish project governance and stakeholder roles.

Phase 02: Baseline Assessment

Structured review of current cybersecurity controls across all JS2 domains. RAG-rated gap analysis with risk prioritisation.

Phase 03: Framework Development

Build your JS2-compliant documentation suite — strategy, policies, roles, contracts, and board governance materials.

Phase 04: Implementation Support

Guide your team through embedding controls, managing third-party obligations, and operationalising your framework.

Phase 05: Testing & Validation

Incident response tabletop exercises, control testing, and evidence validation to confirm your framework functions as designed.

Phase 06: Pre-Audit Readiness

Final review of your evidence portfolio, readiness scorecard sign-off, and preparation for regulatory inspection or internal audit.

Built for South Africa's regulated financial sector

We work with small to mid-size FSPs who need expert JS2 guidance without retaining a full-time cybersecurity executive. Our value is in bridging governance and security — not in technical delivery.

  • Discretionary FSPs: Portfolio managers and discretionary investment managers under FSCA licence
  • Wealth Managers: Private client wealth and advisory firms managing client assets
  • Stockbrokers & Traders: JSE-member firms and Category I / II FSP licence holders
  • Insurance Intermediaries: Short-term and long-term insurance brokers under FSCA oversight
  • Fund Administrators: Third-party fund administrators and LISP platforms
  • Financial Advisors: Independently licensed Cat I FSPs and advisory practices

Ready to get compliant?

Begin with a no-obligation JS2 readiness conversation. We'll assess your current position, explain what's required for your organisation's size and risk profile, and outline a clear path forward.