The European Union’s new cybersecurity directive, NIS2, sets new requirements for both companies and public administration. Operators in Finland must also prepare and make the necessary investments in information security, or they may face sanctions.
The NIS2 directive regulates information security obligations and incident reporting in several sectors. With the directive, the EU aims to strengthen critical actors in its member states, such as public administration, energy production and digital services against cyber threats.
There are also operators in Finland that are subject to the NIS2 directive. The obligations of the directive are imposed on medium-sized and large companies operating either in highly critical sectors or in other sectors identified as critical. These include, for example, public administration, the energy and chemicals sectors, and digital services.
In addition, the directive applies to all operators defined as nationally critical, regardless of size. These include food and water supply, the energy and financial system, and transport and mobility.
Although the directive’s direct obligations fall mainly on medium-sized and large operators in these sectors, those operators must also manage security across their entire supply chain. This extends the effects of the directive to a whole range of companies.
“The indirect impact on smaller subcontractors will also be significant, even though they may not be directly bound by the directive,” says information security expert Olli Rajala, who consults on industry information security at technology company Huld.
“This is because, ultimately, large industrial players are responsible for the entire supply chain of their product, which includes their subcontractors.”
The NIS2 directive makes the company’s top management responsible for implementing and supervising cybersecurity requirements. If the NIS2 directive is not complied with, the penalties can be substantial.
“The penalty payments are proportional to the violation and the total annual turnover of the company in question. For example, the maximum sanction for a central actor will be either EUR 10 million or 2% of the global turnover of the previous financial year. However, there are no court cases yet, so the exact amounts will become concrete over time,” Rajala says.
Rajala advises companies to start with checking whether they fall under the critical sectors or subcontracting chains defined by the directive. The next step is to map the company’s situation in terms of cybersecurity risks, software vulnerabilities, and reporting obligations.
“If the company’s own resources are not sufficient to meet the requirements of the directive, it is worth considering an external partner. Information security is an area of expertise in its own right, which must take into account the laws and other defining features of different operating environments and industries.”
Member states must apply the NIS2 directive from October 18th, 2024.
“The earlier companies prepare for the changes, the smoother the transition will be for them,” Rajala estimates.