28.3.2023

Cybersecurity directive NIS2 sets out new obligations for enterprises in critical sectors

The new cybersecurity directive NIS2 recently entered into force in the European Union. It aims to harmonise cybersecurity-related requirements and the implementation of cybersecurity measures between Member States. The NIS2 Directive replaces the earlier NIS cybersecurity directive. The obligations included in NIS2 must be transposed into national law by October 2024, and the Ministry of Transport and Communications launched the national implementation at the start of this year.

Regulated industries and operators

In addition to public entities, the NIS2 Directive lays down obligations mainly for large and medium-sized enterprises in critical sectors. Critical sectors under NIS2 include, for example, energy, finance, healthcare, transport and digital infrastructure. Certain highly critical enterprises would be subject to the obligations regardless of their size.

New obligations to the management bodies of entities under the Directive’s scope

One of the aims of the NIS2 Directive is to ensure a high level of responsibility for the cybersecurity risk-management measures and reporting obligations at the level of the entities under the Directive’s scope. With this in mind, NIS2 sets out new obligations for the management bodies of such entities.

NIS2 does not define management bodies in more detail; this will be a task for national legislators instead. However, based on the different language versions and the wording of NIS2, we find it likely that in Finland, these obligations would concern at least the boards of entities. Nevertheless, we will only know the exact definition when the draft bill for national legislation is published.

As for the obligations, the management body must approve the cybersecurity risk-management measures taken by the entity and oversee their implementation. The minimum requirements for such measures are laid down in more detail in NIS2, but they include at least the following:

Members of management bodies are also required to follow cybersecurity training in order to better identify potential cybersecurity risks and assess cybersecurity risk-management practices.

Liability rules extended to individual representatives of entities

NIS2 requires that Member States enforce a number of sanction mechanisms – such as administrative orders or fines – for infringements of the NIS2 Directive’s obligations. In certain situations, the new Directive extends liability rules from entities to their individual representatives.

Members of management bodies could be held personally liable if they neglect their duty to ensure compliance with the entity’s cybersecurity obligations. When certain conditions are met, persons in management positions could also be temporarily suspended from their roles.

Now is a good time to start preparing for the changes

All in all, the NIS2 Directive sets out a number of new obligations for the critical sector entities under its scope. NIS2 also expects the management bodies of such entities to take on a more active role in ensuring cybersecurity. In the future, individual members of management bodies can be held personally liable if they fail to ensure compliance with the cybersecurity obligations under NIS2.

The obligations under NIS2 will only be fully outlined with national implementation, which must be completed by October 2024. However, entities falling under the Directive’s scope should start evaluating their cybersecurity practices and risk-management measures in good time, also with respect to their supply chains.
