Finnish Companies Face Stricter Security Requirements – EU Cybersecurity Directive Takes Effect in October

The European Union’s new cybersecurity directive, NIS2, will enter into force nationally in October. Finnish companies and public administration bodies must urgently make the necessary investments in information security to avoid sanctions.

The new directive tightens information security obligations and incident reporting requirements in several sectors.

With the directive, the EU aims to strengthen critical actors in its member states, such as public administration, energy production and digital services, against cyber threats.

The Directive Impacts Finnish Companies 

The obligations of the Directive apply to medium-sized and large enterprises operating either in sectors of high criticality or in other critical sectors. These include public administration, the energy and chemicals sectors, and digital services.

Cactos, a Finnish manufacturer of smart electricity storage systems, is prepared for the requirements of the upcoming directive. Information security plays a key role at Cactos, as its electricity storage systems provide critical stabilization services for the national grid. The devices also secure the supply of electricity to customers’ properties.

“I see the NIS2 directive as a positive change, as it has naturally increased attention to data security. With the new requirements, we can also be sure that our partners’ security practices are compatible with ours,” says Kim Dikert, Head of Software Development at Cactos.

In addition, the NIS2 Directive applies, regardless of size, to all operators designated as nationally critical. Such designations can cover, for example, food and water supply, health care and transport.

Significant Sanctions for Negligence 

The NIS2 Directive makes a company’s top management responsible for implementing and supervising its cybersecurity requirements. Penalties for non-compliance can be significant.

“The penalty payments are proportional to the violation and the company’s total annual turnover. For example, the maximum sanction for a key player will be either EUR 10 million or 2% of the global turnover of the previous financial year. Naturally, there are no court cases yet, so the exact amounts will become concrete over time,” says Tarmo Kellomäki, who is responsible for security consulting at technology company Huld.  

Kellomäki recommends first finding out whether the company falls within the sectors covered by the directive, or within the subcontracting chains of companies that do. The next step is to map the company’s current situation in terms of cybersecurity risks, software vulnerabilities and reporting obligations.

“If the company’s own resources are not sufficient to meet the requirements of the directive, it is worth considering an external partner. Information security is an area of expertise in its own right, and the laws of different operating environments and industries must be taken into account.” 

The national obligations implementing the NIS2 Directive (the Cyber Security Act) will enter into force on 18 October 2024.



The NIS2 Directive 

  • The NIS2 Directive is EU-wide cybersecurity legislation. It replaces the original NIS Directive and expands its scope and requirements.
  • The Directive defines the minimum measures that operators must take in cyber security risk management and reporting. 
  • The aim of the NIS2 Directive is to harmonise and improve the level of cyber security in the EU as a whole and in its member states. 
  • The directive will enter into force on 18 October 2024.