NIS2 Directive and its effects on businesses

The NIS2 Directive (EU 2022/2555, Directive on measures for a high common level of cybersecurity across the Union) replaces the NIS Directive. It aims to enhance the resilience of both private and public sector entities against cyberattacks. 

The Directive outlines security requirements for entities, the penalties for breaches, as well as national and EU mechanisms for maintaining cybersecurity situational awareness. 

The NIS2 Directive will be implemented in Finland through the Cybersecurity Law (124/2025). The application of this law was initially set to begin on 18 October 2024, but it was delayed and it came into force on 8 April 2025. 

Key requirements of the NIS2 Directive 

Among the measures required from entities, the most critical is risk assessment. Based on the assessment, an operational model must be established to protect network and information systems and their physical environment from anomalies. The operational model is typically part of a cybersecurity management system. This operational model must consider, among other factors: 

  • Prevention, detection, and response to cybersecurity incidents 
  • Ensuring the security of supply chains 
  • Ensuring the security of network and information systems from procurement through to development and maintenance 
  • Evaluating the effectiveness of cybersecurity risk management practices 
  • Business continuity management and crisis management 
  • Personnel security and cybersecurity training 
  • Access management 
  • Asset management 
  • Physical security of premises 
  • Use of cryptography and encryption 

Additionally, entities are required to report significant cybersecurity incidents. 

Management responsibility 

The management of the entity is responsible for organising the implementation and oversight of cybersecurity risk management, as well as for approving the cybersecurity risk management operational model and monitoring its execution. The management must possess sufficient knowledge of cybersecurity risk management. 

According to the legislative proposal, “management” refers to the entity's board of directors, supervisory board, and chief executive officer, as well as any other person in a similar position who effectively leads the organisation's operations. 

Who is affected by the NIS2 Directive 

Compared to the NIS1 Directive, NIS2 has expanded its scope to cover several critical sectors for societal functioning, including energy production and distribution, drinking water treatment, waste management, logistics, the production and distribution of chemicals and food, as well as certain manufacturing industries. Comparable regulations for the financial sector are specified in the DORA Regulation.

The organisations covered by the directive are categorised into essential and important entities based on criteria such as size and sector. For instance, critical operators under the CER Directive fall under the category of essential entities in the NIS2 classification. Entities are expected to conduct risk assessments considering all threat factors and develop operational models to protect their network and information systems as well as their physical environment from anomalies. When assessing risks, it is important to consider the extent to which the entity is exposed to risks, the size of the entity, and the likelihood and severity of anomalies. Besides the entity’s operations, societal and economic impacts should also be taken into account. 

NIS2 affects entities in the following sectors

Very critical sectors

  • Banking
  • Health
  • Drinking water
  • Energy
  • Financial market infrastructures
  • Information and communication technology
  • Digital infrastructure
  • Public administration
  • Space
  • Transportation
  • Wastewater

Other critical sectors

  • Digital service providers (e-commerce, search engines, social media platforms)
  • Food production, processing, and distribution
  • Chemicals production, manufacturing, and distribution
  • Manufacturing
  • Postal and courier services
  • Waste management
  • Research activities

How we can help you

We support businesses in achieving NIS2 readiness. Our services include threat and risk assessments tailored to the specific industry, covering both production and administrative cybersecurity. We assist in developing the cybersecurity management system across all areas, such as enhancing cybersecurity awareness, improving asset management, continuity and crisis planning, conducting exercises, enhancing supply chain security, and procuring cybersecurity services and systems. The cybersecurity management system can be based on standards such as ISO/IEC 27001, but using such a standard or obtaining certification is not mandatory. The essential aspect is that the management system covers activities in accordance with the NIS2 Directive and does not relate solely to ICT environment management. 

We independently assess compliance with NIS2 requirements. We can also conduct technical cybersecurity testing of systems and organise crisis exercises. 

Why PwC? 

We offer comprehensive cybersecurity services from the perspective of information security management systems, industrial automation cybersecurity, and technical cybersecurity. We possess in-depth and up-to-date knowledge of cybersecurity regulation and its practical implementation. Furthermore, we have strong expertise in identifying and mitigating cybersecurity threats and risks across various sectors. 

In addition to our local team, we have a robust global network. This global network complements local expertise and allows for a broader application of our knowledge. Our global network ensures access to the latest information and best practices in the field of cybersecurity worldwide. 

Do you need help with the NIS2 Directive?

Contact our specialists

Antti Herrala

Partner, Cybersecurity & Privacy Services, PwC Finland

Tel: +358 (0)20 7878354

Mika Johansson

Cybersecurity & Privacy Services, PwC Finland

Tel: +358 (0)20 7877543