Cybersecurity: The NIS2 Directive Takes Effect in Finland

Author

Antti Lassila

On April 8, 2025, a new cybersecurity law came into effect in Finland, bringing major changes for hundreds of organisations. This is the national implementation of the EU’s NIS2 Directive. And yes, it may apply to your organisation as well.

What is NIS2?

NIS2 (Network and Information Security Directive 2) is a cybersecurity directive of the European Union. Its goals are to:

  • improve organisations’ capabilities to prevent and detect cyber threats
  • ensure the continuity of critical and essential services in society
  • establish harmonised security requirements across the EU

In practice, NIS2 requires a wide range of companies and public organisations to identify, manage and report cybersecurity risks systematically and thoroughly, in a planned and documented way.

Who does NIS2 apply to?

A wider range of entities now falls under the scope of the new regulations.

NIS2 applies to operators in sectors such as energy, transport, banking, healthcare and digital infrastructure. You can explore the specific sectors in more detail through this table provided by the National Cyber Security Centre (table in Finnish).

What does NIS2 require?

The directive is not just about firewalls or changing passwords. It demands a comprehensive approach to cybersecurity. The key requirements include:

  1. Risk management: Cyber risks must be continuously identified, assessed, managed, and documented.
  2. Incident preparedness: Services must remain operational even during cyber disruptions.
  3. Reporting obligation: Security breaches must be reported promptly to Traficom (Finnish Transport and Communications Agency).
  4. Clear responsibilities: Organisations must appoint designated individuals responsible for cybersecurity.
  5. Supply chain security: The security of subcontractors and technical partners must also be ensured.

In practice, NIS2 requires companies to properly manage and document their cybersecurity processes. And yes, the law includes penalties. In the worst cases, administrative fines can reach into the millions.

How does NIS2 affect us, websites and other digital services?

If you offer or use digital services – such as websites, e-services or other online solutions – NIS2 may impact you on several levels:

  • Choice of servers and data centres: Where and how your website is hosted is a cybersecurity issue.
  • User and access management: Who can access your systems and with what permissions.
  • Update policies and technical maintenance: Fixing vulnerabilities and keeping systems up to date.
  • Documentation and contingency planning: What happens if your site goes down due to a cyberattack?

At Into-Digital, we build digital services that stand the test of time and cyber threats. With NIS2, more and more of our clients are asking: how is our website’s cybersecurity managed?

A good question, and a very timely one.

While NIS2 does not apply to us directly, we are a partner to many clients who are affected by the regulation. This makes us part of the supply chain that must meet the obligations and expectations placed on our clients – with high standards and reliability.

How to prepare?

Here’s a checklist for addressing NIS2 requirements:

  • Determine whether your organisation falls under the scope of NIS2
  • Assess your current level of cybersecurity and documentation
  • Appoint responsible personnel and ensure their competence
  • Develop a plan covering risk management, preparedness and communication
  • Talk to your technical partners (like us) about the security of your services
  • Involve your internal experts who understand both technology and regulatory requirements

We are happy to help

We are a partner who does more than just build digital services. We advance our clients’ business through digital solutions, and cybersecurity is a key part of that work. We help our clients to:

  • design and develop NIS2-compliant web services
  • ensure the technical and operational security of websites and platforms
  • document solutions in a way that meets the directive’s requirements

Antti Lassila

CTO