28.3.2023

Cybersecurity directive NIS2 sets out new obligations for enterprises in critical sectors

The new cybersecurity directive NIS2 recently entered into force in the European Union. It aims to harmonise cybersecurity-related requirements and the implementation of cybersecurity measures between Member States. The NIS2 Directive replaces the earlier NIS cybersecurity directive. The obligations included in NIS2 must be transposed into national law by October 2024, and the Ministry of Transport and Communications launched the national implementation at the start of this year.

Regulated industries and operators

In addition to public entities, the NIS2 Directive lays down obligations mainly for large and medium-sized enterprises in critical sectors. Critical sectors under NIS2 include, for example, energy, finance, healthcare, transport and digital infrastructure. Certain highly critical enterprises would be subject to the obligations regardless of their size.

New obligations for the management bodies of entities under the Directive’s scope

One of the aims of the NIS2 Directive is to ensure a high level of responsibility for the cybersecurity risk-management measures and reporting obligations at the level of the entities under the Directive’s scope. With this in mind, NIS2 sets out new obligations for the management bodies of such entities.

NIS2 does not define management bodies in more detail; this will be a task for national legislators instead. However, based on the different language versions and the wording of NIS2, we find it likely that in Finland, these obligations would concern at least the boards of entities. Nevertheless, we will only know the exact definition when the draft bill for national legislation is published.

As for the obligations, the management body must approve the cybersecurity risk-management measures taken by the entity and oversee their implementation. The minimum requirements for such measures are laid down in more detail in NIS2, but they include at least the following:

Members of management bodies are also required to follow cybersecurity training in order to better identify potential cybersecurity risks and assess cybersecurity risk-management practices.

Liability rules extended to individual representatives of entities

NIS2 requires that Member States enforce a number of sanction mechanisms – such as administrative orders or fines – for infringements of the NIS2 Directive’s obligations. In certain situations, the new Directive extends liability rules from entities to their individual representatives.

Members of management bodies could be personally liable if they neglect their obligation to ensure compliance with the entity’s cybersecurity obligations. When certain conditions are met, persons in management positions could also be temporarily suspended.

Now is a good time to start preparing for the changes

All in all, the NIS2 Directive sets out a number of new obligations for the critical sector entities under its scope. NIS2 also expects the management bodies of such entities to take on a more active role in ensuring cybersecurity. In future, individual members of management bodies can be held personally liable if they are unable to ensure compliance with the cybersecurity obligations under NIS2.

The obligations under NIS2 will only be fully outlined with national implementation, which must be completed by October 2024. However, entities falling under the Directive’s scope should start evaluating their cybersecurity practices and risk-management measures in good time, also with respect to their supply chains.
