28.3.2023

Cybersecurity directive NIS2 sets out new obligations for enterprises in critical sectors

The new cybersecurity directive NIS2 recently entered into force in the European Union. It aims to harmonise cybersecurity-related requirements and the implementation of cybersecurity measures between Member States. The NIS2 Directive replaces the earlier NIS cybersecurity directive. The obligations included in NIS2 must be transposed into national law by October 2024, and the Ministry of Transport and Communications launched the national implementation at the start of this year.

Regulated industries and operators

In addition to public entities, the NIS2 Directive lays down obligations mainly for large and medium-sized enterprises in critical sectors. Critical sectors under NIS2 include, for example, energy, finance, healthcare, transport and digital infrastructure. Certain highly critical enterprises would be subject to the obligations regardless of their size.

New obligations to the management bodies of entities under the Directive’s scope

One of the aims of the NIS2 Directive is to ensure a high level of responsibility for the cybersecurity risk-management measures and reporting obligations at the level of the entities under the Directive’s scope. With this in mind, NIS2 sets out new obligations for the management bodies of such entities.

NIS2 does not define management bodies in more detail; this will be a task for national legislators instead. However, based on the different language versions and the wording of NIS2, we find it likely that in Finland, these obligations would concern at least the boards of entities. Nevertheless, we will only know the exact definition when the draft bill for national legislation is published.

As for the obligations, the management body must approve the cybersecurity risk-management measures taken by the entity and oversee their implementation. The minimum requirements for such measures are laid down in more detail in NIS2, but they include at least the following:

Members of management bodies are also required to follow cybersecurity training in order to better identify potential cybersecurity risks and assess cybersecurity risk-management practices.

Liability rules extended to individual representatives of entities

NIS2 requires that Member States enforce a number of sanction mechanisms – such as administrative orders or fines – for infringements of the NIS2 Directive’s obligations. In certain situations, the new Directive extends liability rules from entities to their individual representatives.

Members of management bodies could be held personally liable if they neglect their obligation to ensure compliance with the entity’s cybersecurity obligations. When certain conditions are met, persons in management positions could also be temporarily suspended.

Now is a good time to start preparing for the changes

All in all, the NIS2 Directive sets out a number of new obligations for the critical sector entities under its scope. NIS2 also expects the management bodies of such entities to take on a more active role in ensuring cybersecurity. In future, individual members of management bodies can be held personally liable if they are unable to ensure compliance with the cybersecurity obligations under NIS2.

The obligations under NIS2 will only be fully outlined with national implementation, which must be completed by October 2024. However, entities falling under the Directive’s scope should start evaluating their cybersecurity practices and risk-management measures in good time, also with respect to their supply chains.
