NIS2 and Finnish Cybersecurity Act

Insights | April 25, 2025

With the ubiquitous digitalization, cybersecurity incidents are ever present and new cyber threats have emerged. In response, the EU is enhancing cybersecurity and resilience within the Union, especially in critical sectors. This effort impacts various entities, systems, and products.

The continuity of essential services even during emergencies and crises is fundamentally important in modern societies. Disruptions in such services could have significant cross-border effects. The EU aims to develop the resilience of essential services, and one element of this work is the Network and Information Systems Directive (Directive EU 2022/2555; “NIS2”).

Network and Information Systems (NIS2) Directive

NIS2 aims to strengthen the level of cybersecurity across the EU in sectors central to society’s functioning, such as energy, health, banking, digital infrastructure, and ICT service management. It updates the cybersecurity rules of the NIS Directive 2016/1148 (“NIS1”) and broadens the scope to new sectors and businesses. Please find our overview of the new sectors introduced compared to NIS1 here. In addition to the sectors already covered by NIS1, the Cybersecurity Act includes new sectors, for example:

  • Generation of electricity;
  • Research and development activities of medicinal products;
  • Waste water;
  • Production, processing and distribution of food;
  • Manufacture of computer, electronic and optical products;
  • Manufacture of medical devices; and
  • Manufacture of motor vehicles.

Under NIS2, sectors are classified as either highly critical or critical. This classification is essential in determining the applicable supervisory and enforcement measures. Essential entities include entities in specified industries (Annex I) that are, e.g., (i) large and medium-sized enterprises, (ii) trust service providers, top-level domain name registries, or DNS service providers, regardless of size, (iii) providers of public electronic communications networks or of publicly available electronic communications services qualifying as medium-sized enterprises, and (iv) entities identified as critical entities under the CER Directive. Other entities in specified industries (Annex I and II) are considered important entities.

Entities covered by NIS2 will have to assess and manage the risks to the security of their communication networks and information systems, including implementing appropriate and proportionate security measures, performing due diligence on the supply chain, and reporting significant anomalies and incidents. Management bodies of essential and important entities must approve risk-management measures and oversee their implementation and compliance. These management bodies can be held liable for infringements.

Member States had until 17 October 2024 to transpose the NIS2 Directive into national law. However, there has been a substantial divergence in adoption timelines and requirements. According to the ECSO tracker, only 10 member states have implemented NIS2 into national legislation to date. In Finland, the Cybersecurity Act (124/2025) implementing NIS2 entered into force on 8 April 2025.

National implementation of NIS2 in Finland

The Finnish Cybersecurity Act implemented NIS2 into national legislation at the minimum level required, both in terms of scope and obligations. Instead of the previous sector-specific legislation on cybersecurity requirements, NIS2 is now implemented centrally through the Cybersecurity Act. The Cybersecurity Act consolidates the obligations related to cybersecurity risk management and incident reporting for entities within its scope. Accordingly, the Act repeals the sector-specific provisions previously issued for the implementation of NIS1. However, it should be noted that sector-specific legislation may still apply in some instances, such as for digital infrastructure and digital service providers.

Companies falling within the scope of the Cybersecurity Act must register in the list of essential and important entities maintained by the supervisory authority, and the registration must be completed by 8 May 2025. In addition, essential and important entities must have an up-to-date cybersecurity risk-management operating model in place and the operating model must be prepared by 8 July 2025.

In Finland, cybersecurity obligations will be monitored by several sector-specific national supervisory authorities, such as the Finnish Transport and Communications Agency (Traficom), the Energy Authority, the Finnish Safety and Chemicals Agency (Tukes), the National Supervisory Authority for Welfare and Health (Valvira), and the Finnish Medicines Agency (Fimea). However, Traficom’s National Cyber Security Centre will coordinate the cooperation between the supervisory authorities and serve as the single point of contact referred to in Article 8(3) of NIS2. The tasks of the national computer security incident response team (CSIRT) will also be assigned to Traficom’s National Cyber Security Centre.

Administrative fines will be imposed by a board, to be established separately, consisting of members appointed by the supervisory authorities.

As the first deadlines are approaching quickly, we encourage all entities operating in the sectors covered by the Cybersecurity Act to assess whether they fall within the scope of the new legislation, if they have not already done so.

How about Sweden?

In Sweden, the legislator is currently awaiting a governmental bill from the Ministry of Defense, and a draft of the national law implementing NIS2 is expected to be issued later this spring.

The legislator’s current estimate is that the law will be implemented and enforced no earlier than the end of 2025. The national law will then be complemented by additional regulations (Sw. föreskrifter) issued by the authorities.

We are available and will gladly assist with any questions you may have regarding NIS2 and its national implementation. Please also see our Data Economy & Digitalization website, which provides general information about European rules regarding the data economy and cybersecurity.