Cybersecurity

Cybersecurity

Data is a valuable commodity in many organisations. We help you handle data in a compliant manner and protect it from misuse.

The legal requirements for cybersecurity are scattered across different regulations. The European Union is introducing a growing number of sector-specific regulations on information security requirements, such as DORA, NIS2, CRA and CER. We can help you identify the provisions that apply to your specific business and explain what they mean in practice. We speak the same language as ICT professionals. Several of our legal experts are also computer science graduates.

In addition to day-to-day advice, we can help you with a range of incidents. Data systems are vulnerable to disruptions and outside threats. In emergencies, the statutory and contractual obligations relating to data and personal data must be fulfilled in order to mitigate risks and safeguard your business’s ability to operate as effectively as possible. Our experts are experienced at resolving a wide range of disruptions, whether they originate from inside or outside the company.

Latest references

The Finnish Supreme Administrative Court has handed down decision KHO 2024:115 on balancing data protection and national security interests in cyber security incidents. We acted for the Finnish Ministry of Foreign Affairs in this precedent setting case, in which the Supreme Administrative Court agreed with our client’ core submissions and decided to overturn key parts of a data protection authority decision against our client. The court held that the Ministry had acted lawfully when taking a bit of time between discovering information about a cyber incident concerning certain diplomats and notifying all potentially affected people. The key point of principle for our client was the extent to which Article 34 of the GDPR requires such (essentially public) notifications when foreign policy and national security might require a more discrete initial approach. The court’s reasoning is important: since Finland has voluntarily, but not unreservedly, extended the scope of the GDPR to also cover foreign policy and national security, the primacy of EU law does not apply in that extended context. Thus, more specific local Finnish rules on freedom of information/confidentiality in these areas override the general Article 34 notification obligation (under the classic lex specialis derogat legi generali rule), even absent express statutory carve-outs to Article 34. Had Article 34 applied as a matter of EU law, the outcome could have been different, since the GDPR, under primacy, would override all local Finnish rules, irrespective of whether they are lex specialis or not. It’s important to understand why, and on what basis, an EU law applies to any given situation, since this could affect the principles of interpretation so much that the outcome changes significantly. The court did, however, hold that the Ministry will need to notify the DPA itself within the customary deadlines, since the DPA under Finnish law has the right to receive information confidentiality rules notwithstanding. We hope this outcome will contribute to authorities dealing with foreign policy and national security being able to balance all relevant interests going forward. Read the decision in Finnish or in Swedish .
Case published 15.11.2024
We advised Suominen Corporation in connection with its rights issue. The offering was oversubscribed, and the company raised gross proceeds of approximately EUR 28 million. We also advised Suominen in connection with the renegotiation of the terms of the company’s three-year EUR 100 million syndicated credit facility, under which the maturity was extended and headroom was added to the financial covenants. “I would like to thank our shareholders for their support and confidence in Suominen’s future. The completion of the Offering will enable us to accelerate the implementation of our Full Potential Program while strengthening our capital structure. Our transformation particularly focuses on enhancing the reliability and efficiency of our production and supply, and on reinforcing our commercial capabilities, allowing us to better meet the expectations of our customers and shareholders”, comments Charles Héaulmé, President and CEO of Suominen. Suominen is a nonwovens manufacturer operating in global markets. Suominen creates value by taking fiber raw materials and turning them into nonwovens that the company’s customers convert into both consumer and professional end products. Suominen’s vision is to be the frontrunner for nonwovens innovation and sustainability. Suominen’s net sales in 2025 were EUR 412.4 million and the company has almost 700 professionals working in Europe and in the Americas. Suominen’s shares are listed on Nasdaq Helsinki.
Case published 6.7.2026
We acted as joint legal advisor for Nordea Bank Abp and Avain Yhtiöt in an approximately EUR 48 million financing arrangement which included facilities for refinancing of an existing real estate portfolio and also for acquisition and property development purposes. The financing arrangement strengthens Avain Yhtiöt’s objective to build and maintain a functional, safe and environmentally friendly living environment, as well as to develop the overall quality of housing and construction. Avain Yhtiöt is a Finnish group specialising in housing and housing-related services, construction contracting and new construction. Its goal is to build 1,000 new apartments per year in key growth areas in Finland.
Case published 2.7.2026
We advised the shareholders of Suomen Autohuolto Oy in connection with the sale of the company’s entire share capital, to SAKA Finland Group Oy. Suomen Autohuolto Group is one of Finland’s largest companies specializing in brand-specific automotive maintenance and has locations in Oulu, Tampere, and from July, also in Järvenpää. The transaction is subject to final approval by the Finnish Competition and Consumer Authority (KKV).
Case published 26.6.2026