Compliance and regulation

NIS2 and the Cybersecurity Act

NIS2 Directive

NIS2 is the European Union's updated cybersecurity directive (Directive (EU) 2022/2555), implemented in Finland through national legislation known as the Cybersecurity Act. The directive's transposition deadline was 17 October 2024, and companies within its scope have been expected to comply since then.
The NIS2 directive requires an increasing number of European companies to make significant investments in administrative and technical information security. The directive aims to improve the level of cybersecurity across the entire Union. Its scope is very broad, covering a wide range of functions that are important for societal security and everyday life, such as the energy sector and the food industry.
In Finland, the Cybersecurity Act based on the NIS2 directive sets requirements for the level of information security among companies within its scope. The law primarily applies to medium-sized and larger companies (at least 50 employees, or an annual turnover or balance sheet total exceeding €10 million) operating in the relevant sectors. For some critical operators, the directive and the Cybersecurity Act apply regardless of size.
It is worth noting that the directive — and by extension the Cybersecurity Act — also covers the supply chains of these companies. Smaller operators will therefore also be expected to comply with some of the requirements.

NIS2 applies to companies and organisations operating in the following sectors

  • Energy
  • Transport
  • Financial sector
  • Water supply
  • Healthcare
  • Digital infrastructure
  • ICT service management
  • Public administration
  • Space sector operators
  • Postal and courier services
  • Food manufacturing, production and distribution
  • Manufacturing industry
  • Chemical industry
  • Waste management
  • Digital service providers
  • Research activities

The directive therefore covers significantly more companies than the first NIS directive.

Broader Requirements

The requirements of the directive are also more extensive. The new directive places the following obligations on companies:

  • Documented risk analyses of information security areas
  • Established policies for handling information security incidents — such as a lost or stolen device, falling victim to phishing, or an unauthorised person accessing premises
  • Business continuity management, including backup and recovery planning as well as crisis management
  • Understanding and assessing supply chain security, including evaluating the security aspects of relationships with suppliers within the procurement chain and their direct suppliers and service providers
  • Ensuring the security of network and information systems throughout procurement, development and maintenance — including requirements for vulnerability handling and disclosure
  • Policies and procedures for assessing the effectiveness of cybersecurity risk management measures
  • Documented cyber hygiene practices and cybersecurity training
  • Policies and procedures relating to cryptography and, where applicable, encryption
  • Measures relating to personnel security, access management policies and asset management
  • Where appropriate, the use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications, and secure emergency communication systems

How to Achieve NIS2 Compliance?

The requirements above effectively compel organisations to establish a documented information security management system. For many companies, the clearest and most practical path to meeting the NIS2 requirements is therefore to build an information security management system aligned with the ISO/IEC 27001 standard.
Obtaining the certification itself is also likely a wise step: a standard-compliant system audited by a third party and backed by a certificate is easier to present as a condition of trade than a supplier's own system that would require separate verification by each customer.
NIS2 requires the companies it covers to also verify the information security of their supply chains. The requirements therefore partially extend to companies that supply services or products as subcontractors to organisations falling under NIS2 obligations.
Whether or not certification is pursued, it is essential to document your own management system in preparation for any potential inspections by the authorities.

REFERENCES

CSC

“I highly recommend 2NS for both individual technical cybersecurity training projects and for more comprehensive cybersecurity partnerships.”

Urpo Kaila, Information Security Manager – CSC

CableCrew Oy

“The collaboration went so well that from now on, we will use 2NS for our annual audits. Cybersecurity is extremely important to CableCrew because we operate in critical infrastructure. Communication was straightforward, and availability was excellent even outside business hours when needed. All questions were answered by the next day at the latest. Schedules were also communicated in real time.”

Satu-Maria Ravelin, HESQ Director – CableCrew Oy

Kehätieto Oy

“Our collaboration with 2NS has proceeded very smoothly. We have received the support we needed from them for both staff training and security testing of our products. We trust 2NS’s specialized expertise in cybersecurity matters.”

Juhani Ruohotie, Team Leader – Kehätieto Oy