Approval of NIS2 Directive’s implementation into Finnish law

On Tuesday 13 March, the Finnish Parliament approved the implementation of the NIS2 directive in Finland, along with recent adjustments to the transition periods. The NIS2 Directive will be implemented primarily through a new Cybersecurity Act (in Finnish “kyberturvallisuuslaki”) and additionally through changes to other applicable legislation and regulations. However, Parliament has left the date of entry into force open; it will be announced once the final stages of confirming the amendments to related legislation are completed.

Brief Summary on NIS2

  • Imposes risk management obligations in 18 critical sectors of society in order to strengthen cybersecurity
  • Creates reporting obligations on significant incidents related to cybersecurity
  • Lists the minimum measures that all applicable entities must take to manage cybersecurity risks in their activities, for example, considering and implementing a risk management approach
  • The law applies to medium-sized and larger companies operating in the critical sectors (at least 50 employees, or a turnover or balance sheet total of EUR 10 million) as well as their supply chains. However, the following entities will be covered by the requirements irrespective of their size: 1) a provider of public electronic communications networks or publicly available electronic communications services, 2) a provider of a ‘trusted service’ (in Finnish: “luottamuspalvelun tarjoaja”), 3) the operator of the regional code register, or 4) a DNS service provider.
  • ‘All-hazards’ approach meaning that entities must be prepared to address a wide range of threats, from cyberattacks to physical disruptions, ensuring comprehensive protection and resilience in their operations

The list of applicable critical sectors includes, for example, the energy, healthcare and financial sectors.

The topic is pressing, as the list of applicable industries is wide and the regulations will have short transition periods, to be indicated in each applicable law once confirmed. For instance, entities will have one month from the date of entry into force to notify the relevant registries, and three months from the date of entry into force to adopt the so-called risk management approach.

It should be noted that even if a company is not established in the EU but offers services within the EU, it must designate a representative in one of the EU countries where it offers services, and it will be subject to reporting obligations based on the jurisdiction where the representative is established.

Given that the date of entry into force is expected to be fixed in the near future, companies that are or may be affected by the implementation into Finnish national law should take steps now to prepare to comply with the relevant provisions. Deal-makers will also need to consider, already at this stage, whether Finnish targets in affected industries have a clear path to compliance with their NIS2 obligations, with the associated compliance costs taken into account in valuation.

HPP’s market-leading Technology and Transactions teams would be happy to provide further guidance on the scope of the obligations NIS2 will create for qualifying companies and the steps which should and can be taken to facilitate compliance with those obligations. Please contact Andrew Cotton or Roosa Raikko to discuss your specific circumstances.