Finnish NIS2 requirements are now in force – Key Insights

D&I Alert

Finland has finally implemented the EU Directive on Measures for a High Common Level of Cybersecurity across the Union (Directive (EU) 2022/2555, the “NIS2 Directive”) into national legislation. The new Cybersecurity Act, along with amendments to existing legislation, notably to the Act on Information Management in Public Administration (906/2019 as amended), applies from 8 April 2025. This marks a significant advancement in national cyber security regulation and an overall step towards more regulated cyber security, elevating the review and oversight of cyber security risks to a top management priority.

Our D&I cyber security team has identified the key challenges and success factors with a number of our clients, which are summarised as follows:

1. Fostering a strong cyber security team and collaborative culture

Developing and maintaining a robust cyber security risk management model requires a strong team that values both technical and legal cyber security expertise. Understanding the divergences and links between technical standards and legal cyber security requirements is one of the keys to ensuring fruitful implementation of the new requirements. Even though NIS2 legislation does not fundamentally change our understanding of the key cybersecurity measures, lessons learned from the legal side, such as takeaways from disputes and administrative procedures, have significantly enriched several cyber risk management projects.

2. Embracing accountability

To not only achieve compliance but also demonstrate accountability, proper documentation is essential. Selecting and managing different tools and methods is imperative – any tools used should lead to proper and adequate assessments and documentation, including management involvement and approval, given the new management responsibilities. Essential entities (listed in Annex I of the Cybersecurity Act) are the primary targets of supervision by the competent sector authorities.

3. Enhancing procurement procedures and contract terms

The new NIS2 legislation encourages cooperation in bringing information and data security terms and conditions up to date. Terms and conditions that reflect current common practices may no longer suffice for the contractual arrangements of NIS2 entities. A crucial factor for success lies in cooperation between cyber security experts and legal advisors. In accordance with the NIS2 requirements, the terms must be adjusted to the entity’s risk management model and the risk management measures subject to it.

4. Contributing to the detection and management of incidents

The core elements behind the new NIS2 requirements are to prevent and manage cyber security incidents and to ensure continuity of the business and operations. Therefore, appropriate measures and a sufficient contribution to detecting incidents are imperative. In addition to technical measures, this requires appropriate and functional processes within the organisation and with third-party providers and partners.

5. Bridging the gap between cyber security and data protection

Cyber security and data protection are interconnected on multiple levels. Cyber security management is data-intensive, and the data processed often includes sensitive data and confidential communications data. Data protection requirements must be combined with, included in and often reconciled with cyber security risk management. This underscores that it is time to break down silos and blur the borders between cyber security and data protection work. One practical example is the data protection impact assessment (DPIA), which has turned out to be not only a legal requirement but also a critical tool in cyber security projects.

The D&I team strongly welcomes the new national NIS2 legislation and all future projects towards more secure and sustainable business in the digital environment.
