Who is affected by NIS2, and what requirements does it put on companies?

The cybersecurity law based on the EU NIS2 directive entered into force in Finland on Tuesday, April 8. This new legislation applies to medium-sized and large companies that are critical to society, and imposes various cybersecurity requirements on them. The NIS2 directive entered into force in the EU area in October, so Finland, like many other EU member states, was late to the EU’s timetable. 

We wrote about the NIS2 directive and the DORA regulation on our blog last June. If you want to read basic information about both, click here!

The NIS2 Directive applies to large and medium-sized companies in critical sectors

The new NIS2 directive and the Finnish Cybersecurity Act apply in particular to large and medium-sized companies in the following sectors:

  • Energy 

  • Transport

  • Banking

  • Financial market infrastructures

  • Health

  • Drinking water

  • Wastewater

  • Digital infrastructure

  • ICT service management (B2B)

  • Public administration

  • Space

  • Postal and courier services

  • Waste management

  • Manufacture, production and distribution of chemicals

  • Production, processing and distribution of food

  • Manufacturing

  • Digital providers

  • Research

However, Marvel Consulting’s own Cybersecurity Expert Janne points out that the legislation can also indirectly affect other companies:

"One challenge with NIS2 has been that it affects companies that are not directly subject to NIS2, but are part of a critical chain that is. This is why they are also subject to NIS2. For example, transport companies that are part of the healthcare chain, such as transporting medicines to pharmacies."

Requirements set by NIS2 for companies 

The NIS2 directive and the Finnish Cybersecurity Act set various requirements for companies within their scope. The purpose is to ensure that the cybersecurity of operators in critical sectors is sufficient. This, in turn, helps ensure that data leaks or cyber attacks do not occur unexpectedly or go unnoticed.

This legislation requires companies to join a sector-specific list of entities, report significant incidents in communication networks or information systems, and comply with cybersecurity risk management obligations.

Cybersecurity risk management obligations

Traficom (the Finnish National Cyber Security Centre) lists the following cybersecurity risk management obligations:

  1. Cybersecurity risk management policies and the assessment of the effectiveness of management measures.

  2. Policies concerning the security of communications networks and information systems.

  3. Security in communications network and information systems acquisition, development and maintenance, and the measures required for vulnerability handling and disclosure.

  4. The overall quality and resilience of products and services of direct suppliers and service providers in the supply chain, the management measures embedded in the products and services and the cybersecurity practices of direct suppliers and service providers.

  5. Asset management and the identification of activities important to the organisation's security.

  6. Human resources security and cybersecurity training.

  7. Access control and authentication procedures.

  8. Policies and procedures regarding the use of cryptography and, where necessary, measures for the use of secure electronic communications.

  9. Observation and handling of incidents to restore and maintain security and reliability.

  10. Backup management, disaster recovery, crisis management and other business continuity and, if necessary, the use of secure backup communications systems.

  11. Baseline information security practices to ensure the security of operations, telecommunications, hardware, software and datasets.

  12. Measures to ensure the security of the physical environment and facilities of communications networks and information systems and the necessary resources.

To summarize, the company must maintain an up-to-date cybersecurity risk management procedure. The necessary risk management measures must also be proportionate, for example, to the foreseeable impacts, probability of an incident, and vulnerability of communication networks and information systems to risks. 

Non-compliance with requirements 

If a company within the legislation's scope does not comply with the requirements, the penalty fee can be up to 10,000,000 € or 2 % of the total worldwide annual turnover in the preceding financial year. 

Do you need help with the measures required by NIS2?

Although the legislation came into force in Finland just over a week ago, many companies have a three-month transition period. So the right time to ensure compliance with the obligations is now. If you need help, our consultants can do just that. Get in touch and let’s talk!

You can read more about this on Traficom’s website.
