28.3.2023

Cybersecurity directive NIS2 sets out new obligations for enterprises in critical sectors

The new cybersecurity directive NIS2 recently entered into force in the European Union. It aims to harmonise cybersecurity-related requirements and the implementation of cybersecurity measures between Member States. The NIS2 Directive replaces the earlier NIS cybersecurity directive. The obligations included in NIS2 must be transposed into national law by October 2024, and the Ministry of Transport and Communications launched the national implementation at the start of this year.

Regulated industries and operators

In addition to public entities, the NIS2 Directive lays down obligations mainly for large and medium-sized enterprises in critical sectors. Critical sectors under NIS2 include, for example, energy, finance, healthcare, transport and digital infrastructure. Certain highly critical enterprises would be subject to the obligations regardless of their size.

New obligations for the management bodies of entities under the Directive’s scope

One of the aims of the NIS2 Directive is to ensure a high level of responsibility for the cybersecurity risk-management measures and reporting obligations at the level of the entities under the Directive’s scope. With this in mind, NIS2 sets out new obligations for the management bodies of such entities.

NIS2 does not define management bodies in more detail; this will be a task for national legislators instead. However, based on the different language versions and the wording of NIS2, we find it likely that in Finland, these obligations would concern at least the boards of entities. Nevertheless, we will only know the exact definition when the draft bill for national legislation is published.

As for the obligations, the management body must approve the cybersecurity risk-management measures taken by the entity and oversee their implementation. The minimum requirements for such measures are laid down in more detail in NIS2, but they include at least the following:

Members of management bodies are also required to follow cybersecurity training in order to better identify potential cybersecurity risks and assess cybersecurity risk-management practices.

Liability rules extended to individual representatives of entities

NIS2 requires that Member States enforce a number of sanction mechanisms – such as administrative orders or fines – for infringements of the NIS2 Directive’s obligations. In certain situations, the new Directive extends liability rules from entities to their individual representatives.

Members of management bodies could be personally liable in case they neglect their obligation to ensure compliance with the entity’s cybersecurity obligations. When certain conditions are met, persons in management positions could also be temporarily suspended.

Now is a good time to start preparing for the changes

All in all, the NIS2 Directive sets out a number of new obligations for the critical sector entities under its scope. NIS2 also expects the management bodies of such entities to take on a more active role in ensuring cybersecurity. In future, individual members of management bodies can be held personally liable if they are unable to ensure compliance with the cybersecurity obligations under NIS2.

The obligations under NIS2 will only be fully outlined with national implementation, which must be completed by October 2024. However, entities falling under the Directive’s scope should start evaluating their cybersecurity practices and risk-management measures in good time, also with respect to their supply chains.
