The new EU cybersecurity directive NIS2 was published 14.12.2022. It will become part of our national legislation from 18.10.2024 onwards. Unlike the previous NIS1 directive, the new NIS2 requires companies and organizations to take active cybersecurity risk management actions and processes in addition to reporting significant information security breaches. Obligations include technology-neutral risk analysis, business continuity management, deviation processing, and monitoring.

The NIS2 legislation will apply to all critical operators in our society, regardless of their size. The operators within the scope of the law are divided into two categories – high criticality and other critical sectors:

Even though some companies are outside the scope of NIS2, in practice the directive may still apply to them if they act as subcontractors to companies within the scope of NIS2. The neglect of even the smallest operator’s cybersecurity within the value chain weakens the security of the entire chain.

Each company is responsible to determine whether the law applies to it, it’s all operations or just some entities. Neglecting the NIS2 obligations is highly sanctioned.

NIS2 sets requirements for companies to plan their operations from the perspective of cybersecurity and maintenance readiness in exceptional situations, which is good for both companies, their employees, customers, and our entire society. Depending on one’s perspective, the new law is either a cost or even an opportunity for new business for your company.

Don’t hesitate to contact us when you need help and objective view of the impact of the NIS2 and its national legislation on your company.

Merja Vane-Tempest

Program Director


Jouni Marttila

Program Director