The NIS2 Directive improves security across Europe, making internationalising business easier

The NIS2 Directive sets a new minimum level of risk management measures and reporting obligations regarding cyber security. Companies need to invest in a security strategy, basic cyber hygiene practices, and cyber security training for employees and partners. NIS2 is a continuation of the NIS1 Directive, which covered a significantly narrower number of industries. NIS2 also extends responsibility to the highest level of management – members of administrative bodies may be held personally liable if the organisation neglects its obligations.

Kaapro Kanto, DNA Vice President, Network & Cloud, has a positive view about the increasing data security regulation:

“Regulation is good in this case. More comprehensive regulation will guide companies toward better security and force them to invest in it. After all, information security is the key element of the information society. The management’s stronger responsibility can also raise the cyber security priority in organisations and improve its level across Europe.”

According to Telenor’s recent digital security report*, NIS2 highlights the need for closer Nordic collaboration. By harmonising data protection legislation and actively sharing information about threats, security is improved throughout the region. The report notes that consistent regulation can also reduce bureaucracy and thus make it easier for companies to internationalise.

Kanto points out that telecommunication operators play an important role in the security of the information society:

“As society’s services are increasingly transferred to the cloud, we as an operator have a responsibility to maintain secure network connections and support our customers in developing their security. Good information security benefits society as a whole: companies, the government, and, ultimately, citizens.”

The NIS2 Directive has impact beyond its direct scope of application

Upon its entry into force, the NIS2 Directive will apply to organisations operating in critical industries, employing at least 50 persons and having a turnover of more than €10 million. Organisations employing more than 250 people are automatically covered by NIS2. However, many smaller businesses have NIS2-obligated companies as their customers that need to provide the right level of data protection throughout their supply chain. In practice, NIS2 will impact most Finnish companies.

“And on the other hand, even if the regulation would not extend to some party even through the supply chain, it does list a lot of good practices that are very good to follow just for the sake of the customers and for one’s own business,” Kanto says.

Kanto adds that NIS2 is just one new directive that is embedded in existing regulation covering different sectors. As the digital transformation progresses, companies should expect even future changes to the regulatory environment. Some insight on future developments can be found in the EU Digital Decade Programme, which lists several targets for developing digital transformation in competence, infrastructure, business and government areas by 2030.

*Telenor’s Nordic Digital Security 2024 report: dna.fi/yrityksille/digital-security-2024

Media enquiries:

Kaapro Kanto, DNA Vice President, Network & Cloud, Corporate Business, tel. +358 40 059 9020, kaapro.kanto@dna.fi

DNA Corporate Communications, tel. +358 44 044 8000, communications@dna.fi