NIS2 and the Cybersecurity Act in Practice – Ensuring Organisational Compliance

With the introduction of the NIS2 Directive and the Finnish Cybersecurity Act, organisations across Europe are facing new and concrete obligations in the management of cybersecurity. In this article, experts Mikko Kinnunen (Founder and CEO of Prosecom) and Jukka Mäkitalo (GRC Consultant at Granite) share their insights on how compliance can be effectively integrated into the everyday operations of an organisation.

Identifying Requirements: Where to Begin?

The first step towards compliance is understanding whether your organisation is in scope. Mikko Kinnunen emphasised that all organisations should assess their position in relation to the Cybersecurity Act and NIS2 Directive.

“Every organisation should at least evaluate whether they fall under the scope of the legislation, and what role they play,” Kinnunen noted.

In addition, Finnish organisations must notify the appropriate supervisory authority for their sector. This notification is the first tangible requirement, with a compliance deadline for private sector organisations set for 8 May 2025.

Practical Measures: What’s Expected?

Identifying the requirements and notifying authorities is only the beginning. The Cybersecurity Act also mandates the establishment of a robust risk management process tailored to cybersecurity risks.

“It’s not a one-off exercise; it’s about continuous risk management,” Kinnunen stressed.

In practice, this includes:

  • Systematic identification, assessment, and management of cybersecurity risks
  • Documenting core information security principles
  • Extending risk management across supply chains, including contracts and audits
  • Ensuring staff awareness and providing security training
  • Building capabilities for detecting security incidents and establishing reporting procedures

Supply chain risk management emerged as a particularly critical area. Traditional service-level agreements (SLAs) may fall short; organisations may need dedicated security clauses and provisions for external audits.

Building an Effective Governance Model

Beyond risk management, organisations must also implement a comprehensive governance framework that supports both compliance and continuous improvement.

“Alongside risk management, there must be clearly defined principles, responsibilities, and incident processes aligned with normal management systems,” explained Mäkitalo.

A solid governance model should include:

  • Clearly assigned responsibilities for risk and incident reporting
  • Criteria for assessing risks and incidents
  • Regular evaluation of risk management effectiveness
  • Procedures for handling and reporting incidents (including the requirement to notify Traficom of major incidents within 24 hours)

It is advisable to integrate cybersecurity governance into existing management and risk frameworks, thereby reinforcing organisational resilience rather than creating isolated projects.

Best Practices for Implementation

Kinnunen recommended making use of established frameworks and standards, particularly ISO 27001 and ISO 27005, to build a sound structure for risk management.

“Following ISO 27001 is a fairly safe bet,” he remarked.

These standards help organisations objectively assess their current state, identify gaps, and develop actionable improvement plans. For organisations in critical sectors – such as communications or energy – the accuracy and scope of risk management should reflect the importance of the function.

Tips for Successful Implementation

Kinnunen and Mäkitalo also shared practical advice for getting started. Key takeaways include:

  • Conduct a current state assessment: Evaluate your operations against the law and directive.
  • Develop a governance model with timelines in mind: Risk management models should be ready by early July in Finland.
  • Integrate cybersecurity into existing risk frameworks: Build on what already works.
  • Define clear reporting protocols for incidents: Who reports, under what circumstances, and how.
  • Invest in staff awareness: Without people’s commitment, risk management cannot succeed.

Making Cybersecurity Part of Everyday Business

The NIS2 Directive and Cybersecurity Act are bringing cybersecurity requirements into the core of organisational management. This shift demands more than just documentation and technical solutions – it calls for a cultural change.

“Cybersecurity must become part of day-to-day decision-making and operations – not a detached special project,” summarised Mäkitalo.

When compliance becomes a seamless part of leadership and operational practices, organisations not only meet regulatory demands but genuinely enhance their security posture and resilience against emerging threats.

This article was published on 7 May 2025.