What is the NIS2 Directive?

The NIS2 Directive, also known as the Cybersecurity Act, is coming into force in Finland in 2025. Essential and important service providers must significantly improve their cybersecurity.

The NIS2 Directive (Network and Information Security Directive 2) is the European Union's updated legislation that sets new and stricter requirements for strengthening cybersecurity in critical and important sectors across member states.

It is a continuation of the original NIS Directive and aims to improve the EU's cybersecurity level by harmonizing practices and strengthening cooperation between member states, businesses, and other organizations.

The directive has entered into force, and its provisions were supposed to be transposed into member states' national legislation by 17 October 2024. However, Finland, along with other member states, has been delayed, and transposition is estimated to take place in spring 2025 at the earliest.

Who does the NIS2 Directive apply to?

The NIS2 Directive significantly expands the scope of its predecessor, covering more sectors and organizations than before.

The directive divides entities into large and medium-sized entities:

  • Large entities: Companies with at least 250 employees or annual turnover exceeding EUR 50 million and balance sheet total exceeding EUR 43 million
  • Medium-sized entities: 50–249 employees or annual turnover and balance sheet total exceeding EUR 10 million

Essential entities

  • Energy (electricity, oil, gas, district heating and cooling, hydrogen)
  • Transport (air, rail, water, and road transport)
  • Healthcare
  • Water supply (drinking water, wastewater)
  • Digital infrastructure
  • Finance
  • Public administration
  • Space

Important entities

  • Postal and courier services
  • Waste management
  • Chemicals
  • Food
  • Manufacturing
  • Digital service providers
  • Research
  • Domain name registration service providers

What requirements does the NIS2 Directive contain?

Cybersecurity risk management

Organizations must have an up-to-date risk management framework for protecting communication networks, information systems, and their physical environment.

  • Risk analyses and information system security policies
  • Incident handling
  • Business continuity management
  • Supply chain security
  • Security in network and information system acquisition, development, and maintenance
  • Assessment of risk management measure effectiveness
  • Cyber hygiene practices and cybersecurity training
  • Cryptography and encryption
  • Personnel security, access control, and asset management
  • Multi-factor authentication and secure communication solutions

Obligation to report significant incidents

  1. Initial notification within 24 hours of detecting the incident.
  2. Follow-up notification within 72 hours.
  3. Final report after the incident has been resolved.

Penalties

Essential entities: up to EUR 10,000,000 or 2% of global annual turnover.

Other entities: up to EUR 7,000,000 or 1.4% of global annual turnover.
