Cybersecurity

Cybersecurity

Data is a valuable commodity in many organisations. We help you handle data in a compliant manner and protect it from misuse.

The legal requirements for cybersecurity are scattered across different regulations. The European Union is introducing a growing number of sector-specific regulations on information security requirements, such as DORA, NIS2, CRA and CER. We can help you identify the provisions that apply to your specific business and explain what they mean in practice. We speak the same language as ICT professionals. Several of our legal experts are also computer science graduates.

In addition to day-to-day advice, we can help you with a range of incidents. Data systems are vulnerable to disruptions and outside threats. In emergencies, the statutory and contractual obligations relating to data and personal data must be fulfilled in order to mitigate risks and safeguard your business’s ability to operate as effectively as possible. Our experts are experienced at resolving a wide range of disruptions, whether they originate from inside or outside the company.

Latest references

The Finnish Ministry of Foreign Affairs – A precedent setting cyber security incident court case

The Finnish Supreme Administrative Court has handed down decision KHO 2024:115 on balancing data protection and national security interests in cyber security incidents. We acted for the Finnish Ministry of Foreign Affairs in this precedent setting case, in which the Supreme Administrative Court agreed with our client’ core submissions and decided to overturn key parts of a data protection authority decision against our client. The court held that the Ministry had acted lawfully when taking a bit of time between discovering information about a cyber incident concerning certain diplomats and notifying all potentially affected people. The key point of principle for our client was the extent to which Article 34 of the GDPR requires such (essentially public) notifications when foreign policy and national security might require a more discrete initial approach. The court’s reasoning is important: since Finland has voluntarily, but not unreservedly, extended the scope of the GDPR to also cover foreign policy and national security, the primacy of EU law does not apply in that extended context. Thus, more specific local Finnish rules on freedom of information/confidentiality in these areas override the general Article 34 notification obligation (under the classic lex specialis derogat legi generali rule), even absent express statutory carve-outs to Article 34. Had Article 34 applied as a matter of EU law, the outcome could have been different, since the GDPR, under primacy, would override all local Finnish rules, irrespective of whether they are lex specialis or not. It’s important to understand why, and on what basis, an EU law applies to any given situation, since this could affect the principles of interpretation so much that the outcome changes significantly. The court did, however, hold that the Ministry will need to notify the DPA itself within the customary deadlines, since the DPA under Finnish law has the right to receive information confidentiality rules notwithstanding. We hope this outcome will contribute to authorities dealing with foreign policy and national security being able to balance all relevant interests going forward. Read the decision in Finnish or in Swedish .

eQ Community Properties Fund – Sale of two healthcare properties

We assisted eQ Community Properties Fund in the sale of two healthcare properties to a fund managed by Northern Horizon. The properties have a total floor area of approximately 3,500 square meters. The two properties are located in Espoo and Lahti. The Espoo asset was completed in 2018 and the Lahti asset was completed in 2023. Both assets are operated by Attendo, the leading care provider in the Nordic region.

BMW AG – Enforcement of BMW’s trademark and design rights

We successfully represented BMW in an exceptionally long dispute over whether the spare rims sold by the defendant and the hub caps included in them infringed BMW’s trademark and design rights. The Market Court found that the sign used by the defendant caused a likelihood of confusion with BMW’s trademarks. The defendant had used the sign on the hub caps and in the marketing of the hub caps and rims, leading the Market Court to find that the defendant had infringed BMW’s trademark rights. The defendant admitted to infringing BMW’s Community design but denied the related injunction claim. However, the Market Court found that there was no particular reason to refrain from issuing an injunction. The Market Court prohibited the defendant from continuing to infringe BMW’s trademarks and Community design and ordered the defendant to alter or destroy the products and marketing materials that infringed BMW’s rights. Furthermore, the Market Court ordered the defendant to pay BMW EUR 70,000 in reasonable compensation and EUR 80,000 in damages for the trademark infringements, as well as EUR 7,000 in reasonable compensation and EUR 8,000 in damages for the design right infringement. The amounts can be considered exceptionally high in Finland. Additionally, the Market Court ordered the defendant to pay a significant portion of BMW’s legal costs with interest on late payment. In its decision of 11 March 2025, the Supreme Court of Finland did not grant the defendant leave to appeal, and also decided that there was no need to seek a preliminary ruling from the Court of Justice of the European Union. Thus, the Market Court’s judgements (MAO:494/18 ja 517/2023) are final. In addition to the main dispute, BMW demanded in a separate proceeding that one of the defendant’s trademark registrations be revoked. A total of three separate legal proceedings were conducted in the Market Court regarding the revocation. The defendant’s trademark registration was ultimately revoked.

DNA – Global brand portfolio management and IP enforcement

We are advising DNA Plc in brand protection and intellectual property enforcement matters globally. Our intellectual property team manages DNA’s global trademark portfolio, including registration, prosecution, opposition and enforcement. We also advise DNA in questions concerning consumer and marketing law, unfair competition, social media, domain names and cybersquatting. DNA Plc is one of Finland’s leading telecommunication companies. DNA offers connections, services and devices for homes and workplaces, contributing to the digitalisation of society. The company has approximately 3.7 million subscriptions in its fixed and mobile communications networks. In 2024, DNA’s total revenue was EUR 1,100 million, and the company employs about 1,600 people around Finland. DNA is part of Telenor Group.

Latest insights

15.5.2025 Latest regulatory developments for renewable energy in Finland

Marius af Schultén

Konsta Peussa

Marius af Schultén & Konsta Peussa

9.4.2025 – Dispute Resolution New European Court of Justice ruling C-537/23 sheds light on the interpretation and validity of asymmetric jurisdiction clauses – Implications for European businesses

Robin Ollus

Tuomas Lehtinen

Robin Ollus & Tuomas Lehtinen

7.4.2025 – Private Equity & Venture Capital Tax credit for major clean transition investments passed in Parliament – application period until 29 August 2025

Janne Juusela

Mikko Alakare

Samuli Tarkiainen

Marius af Schultén

Jarno Tanhuanpää

Kanerva Sunila

Noora Ahonen

Janne Juusela, Mikko Alakare, Samuli Tarkiainen, Marius af Schultén, Jarno Tanhuanpää, Kanerva Sunila & Noora Ahonen

25.3.2025 – Mergers & Acquisitions How to successfully run a large-scale cross-border M&A project?

Carola Lindholm

Samuli Tarkiainen

Carola Lindholm & Samuli Tarkiainen

Search from the site.