NIS2 Directive — Strengthened Cybersecurity Requirements

The NIS2 Directive, which entered into force on 8 April 2025, obligates essential and important entities in EU Member States to raise their level of cybersecurity. The objective is to strengthen the resilience and operational continuity of the entire European Union against cyberattacks. Ignoring NIS2 can be extremely costly: the EU foresees sanctions such as multimillion-euro fines, suspension of business operations, and even disqualification from executive positions.
Who does NIS2 apply to?
A detailed sector classification can be found on the National Cyber Security Centre Finland website. In summary, NIS2 applies to essential and important entities operating in the following sectors:
- Energy
- Transport
- Banking
- Digital infrastructure
- Public administration
- Drinking water and wastewater
- Healthcare
- ICT services
- Space
- Postal services
- Waste management
- Chemicals
- Food
- Manufacturing
- Digital services
- Research
When these sectors maintain adequate cybersecurity, Finland can continue operating even under large-scale cyberattacks.
Does complying with NIS2 require extensive work?
It depends entirely on the organisation’s current state. Companies that already apply good cybersecurity practices and network protections across their value chain typically need only incremental improvements. However, organisations that have neglected cybersecurity for years will face significantly more work.
If your company falls under NIS2, your first task is to identify the competent authority to which you must report incidents. The classification made by the National Cyber Security Centre can be found on their website. NIS2-regulated entities must register in the NIS2 operator registry and be prepared for a mandatory three-stage incident notification process.
What does NIS2 require?
If your organisation detects an incident that negatively affects your own operations or your partner network, it must be reported in three stages:
- Initial notification within 24 hours — preliminary information about the incident
- Detailed notification within 72 hours — a more complete situational report
- Final report within one month — comprehensive analysis including root cause, impact assessment, long-term effects, and corrective actions
However, NIS2 requires far more than incident reporting. The full list of obligations is extensive, and an excellent guide can be found at Teknologiateollisuus (FISC). As a rule of thumb, cybersecurity should follow these phases:
- Identify: Recognise threats, vulnerabilities, and risks, and document them.
- Protect: Implement technical and procedural safeguards against attacks.
- Detect: Establish and document methods to identify security breaches.
- Respond: Minimise impact during an incident with defined response procedures.
- Recover: Restore systems after an attack and ensure the issue cannot recur.
Detailed focus areas according to the above model:
- Assets: Management of assets, systems, and configurations
- Threats: Handling known threats and vulnerabilities
- Risks: Management of predicted risks
- Access: Identity and access management for systems and physical facilities
- Situation: Up-to-date situational awareness and dependencies across systems and partners
- Response: Incident and disruption management; continuity planning
- Third parties: Managing partner and supply chain cybersecurity risks
- Workforce: Personnel leadership, training, and protected working environments
- Architecture: Documented cybersecurity architecture
- Program: Cybersecurity governance, processes, and responsible personnel
- Critical: Protection of critical services
Achieving full NIS2 compliance requires additional work, but addressing the above areas already takes organisations significantly forward.
How to get started easily?
Does this feel like a lot to review internally? Is your organisation missing the expertise or technical skills? Has documentation disappeared over the years as staff have changed?
Getting started is significantly easier when you let us verify your organisation’s NIS2 compliance.
Tunninen Oy has 20 years of experience in corporate cybersecurity. As a member of Kyberala ry (FISC), we contribute to improving Finland’s nationwide cybersecurity. We support companies of all maturity levels — from minimal protection to advanced environments. We install required equipment, secure your network, and help develop your cybersecurity processes to meet NIS2 requirements.
Contact us through the Contact Us section to request an assessment.
Benefits of strong cybersecurity go far beyond legal requirements:
- Ensures operational continuity during disruptions
- Minimises financial losses from cyberattacks and downtime
- Protects critical business information and data
- Builds trust with partners and customers
What if your company is not subject to NIS2?
Even if your organisation does not fall under the directive, cybersecurity should not be ignored. Unprotected devices and companies significantly contribute to enabling large-scale attacks. Malware often remains dormant until activated as part of a coordinated campaign.
Strengthen your cybersecurity — both organisationally and personally. Every action improves Finland’s overall resilience.