Cybersecurity Act emphasises management responsibility – What boards and CEOs need to know about their new personal duties?

Under Finland’s new Cybersecurity Act, directors and CEOs now face personal liability for material deficiencies in cybersecurity. The legislation, which implements the EU’s NIS 2 Directive, fundamentally shifts cybersecurity from a back-office function to boardroom responsibility with risks of temporary disqualification from management positions and significant fines for negligence.

The European Union’s NIS 2 Directive has been implemented in Finland through the Cybersecurity Act (124/2025), which entered into force on 8 April 2025. The Cybersecurity Act has fundamentally changed the role of cybersecurity in companies. Cybersecurity is no longer merely a technical item for the IT department; ensuring cybersecurity has become a statutory duty of care and supervision for management. Negligence and failure to acquire the necessary knowledge can lead to significant consequences both for the company in general and for its management personally. Management has explicit ultimate responsibility, meaning that the board of directors and the CEO must maintain their expertise and ensure compliance in the company’s operations.


What has changed?

In practice, NIS 2 and the Cybersecurity Act require management to approve cybersecurity risk management measures and oversee their implementation and resourcing. In addition, management must ensure that regular training is provided within the organisation. In other words, cybersecurity has become a strategic responsibility, not merely a compliance formality. By setting specific management responsibilities, the directive has emphasised the importance of cybersecurity as a focal point in Member States’ security frameworks.

At a minimum, management must:

  • Approve a cybersecurity risk management policy
  • Organise the implementation and resourcing of risk management
  • Monitor the effectiveness and adequacy of risk management in practice
  • Ensure regular training and its organisation for staff

Although the tasks may be delegated to experts within the company, management retains ultimate responsibility for the implementation and monitoring of risk management. This responsibility is particularly critical when cybersecurity risks are significant in the company’s field of activity.


What are the consequences of non-compliance?

  • Administrative fines: A breach of the Cybersecurity Act may result in a fine, assessed based on the severity of the breach, of up to EUR 10 million or 2% of the company’s global turnover.
  • Temporary disqualification: Serious or repeated negligence may result in a temporary ban on a member of management from acting in management or administrative positions.
  • Personal liability for damages: If a penalty payment is imposed on the company, individuals in management positions may also be held personally liable for damages to the company in connection with a breach of their duty of care under the business judgement rule.

Accordingly, with the introduction of the Cybersecurity Act, cybersecurity risk management has become one of the core responsibilities of management.


Which entities does the Act apply to?

The Cybersecurity Act applies broadly to critical actors in society, such as the energy, transport, health and financial sectors, as well as public administration and digital infrastructure. The obligations cover not only the security of physical infrastructure but also information systems and mainly concern large and medium-sized companies that provide essential or otherwise important services. In addition, the obligations apply regardless of size to critical operators of digital infrastructure, such as electronic communications networks and DNS service providers.


What should the company management do?

Cybersecurity should be integrated into the company’s risk management framework. In practice, this involves three key steps:

  • Assess applicability: Does the company fall within the scope of the law?
  • Register: The company must register in the list of operators (Fi: toimijaluettelo) applicable to its sector.
  • Implementation: Identify and enact obligations.

While management is not expected to develop enhanced technical expertise in cybersecurity, it remains responsible for ensuring that cybersecurity is managed in a professional and systematic manner.


Five key tasks for management

  • Identify and assess cybersecurity risks
  • Adopt a clear risk management operating model
  • Ensure regular reporting
  • Assign responsibilities and secure resources
  • Continuous monitoring


Summary: cybersecurity now falls under management’s legal responsibility

The Cybersecurity Act has incorporated cybersecurity as one of the core responsibilities of corporate management. It is no longer simply a question of technical protection, but also one of legal and personal responsibility, and failure to perform these duties may result in significant penalties.

Proactive action, a clear division of responsibilities and careful documentation are critical steps in minimising risks and meeting legal obligations.


Would you like support in evaluating your cybersecurity obligations?

HPP’s experts are happy to help you assess the applicability of cybersecurity obligations and ensure their lawful and effective implementation.

Lasse Riski, Partner

Lotta Lavonen, Associate
