Gofore

We offer expert knowledge in digitalization.

Ensure compliance with laws and regulations

NIS2 – The new legislation on cybersecurity

Managing cybersecurity risks is a responsibility that involves the entire organisation. For organisations critical to the functioning of society, it is a core capability. Is your organisation already compliant with the EU-wide NIS2 Directive?

Get in touch

NIS2 in a nutshell

What is the essence of the NIS2 directive?

NIS2 is an extension of its preceding directive, the NIS Directive. In Finland, the NIS2 directive is implemented with the new legislation on cybersecurity. The new legislation covers a broader range of sectors classified as critical to society. These include:

  • Energy, healthcare, transport, drinking- and wastewater, space, and finance sector, including their infrastructure
  • Public administration, ICT-sector (security and operations services), and digital infrastructure
  • Food industry, waste management, postal and courier services
  • Manufacturing industry e.g., medical device and the chemical sector
  • Digital services (marketplaces, search engines) and research
  • Healthcare providers, EU reference laboratories, pharmaceutical research and development, and pharmaceutical manufacturers
  • Manufacturers of critical medical device in potential public health emergencies.

It is important to understand that if your organisation has customers or e.g., partners who are categorized as critical by the legislation, you are very likely included in their supply chain. As a result, the legislative requirements also apply to your organisation. Typically, the legislative requirements extend at least to the primary subcontractors.

What obligations does the new legislation impose?

Obligations for organisations are expanding with the new legislation:

  • Organisations are required to adopt a risk management model. The purpose of this operating model is to recognize and manage threats and risks within daily operations.
  • Merely identifying and documenting risks is not enough. Measuring the effectiveness of risk mitigation is also required.
  • Organisations must develop their incident management capabilities to guarantee that, in the event of an incident, there is a clearly defined and mutually accepted operational model, along with assigned responsibilities for restoring operations.
  • The legislation mandates that organisations report security incidents in a more thorough and timely manner.
  • The law also establishes substantial fines for non-compliance. Additionally, authorities will be granted enhanced powers to uphold the legislation.

What is the purpose of the new legislation?

The new legislation broadens the responsibilities of critical entities mentioned earlier. Its objective is to enhance the cyber resilience of EU Member States by holding organisational executives accountable for managing cyber risks and implementing measures to bolster cybersecurity. The legislation requires continuous preparedness for incidents and recovery.

Services

How to prepare for cyber threats?

Development of situational management

In the case of an incident, it is essential for leadership and IT to have strong situation management abilities. Practicing situation management is crucial, as a well-prepared organisation can recover more quickly and reduce the adverse financial impacts and reputational damage resulting from an incident.

Situational management development services by Gofore are designed and delivered in cooperation with our partner IMS Finland.

  • Prepare your leadership and IT with the following services
  • A current state assessment for situational management
  • Situational management model trainings Situational management exercises

Capability development

Are you aware of the skills that legislation mandates for your organisation, and do you possess those skills? Get ready for the changes introduced by the legislation and enhance your organisation’s abilities to meet the set requirements. It is also essential to recognize that these changes impact the daily lives of people. Thus, improving compliance should be supported by structured and people-driven change management.

Our services for developing organisational cybersecurity capabilities

  • Clarifying the compliance requirements specific to your organisation
  • A compliance assessment of your operations in relation to the specific requirements to your organisation
  • Development of a Cybersecurity Risk Management Model
  • Development of an Incident Management Model
  • Development of supply chain cybersecurity
  • Implementing change in the organisation, supporting change management, and measuring change

    • Dive deeper

    The NIS2 Directive and the upcoming Law on Cybersecurity Risk Management – what are they all about?

    Read the recent blog post by Markus Asikainen, Gofore’s Director of Cybersecurity Business.

    Read the blog

    Contact us

    Markus Asikainen

    Head of Business, Cyber Security

    markus.asikainen@gofore.com

    +358 50 4328 322

    Read more about our perspectives on cybersecurity

    06.02.2024 INTELLIGENT INDUSTRY

    The NIS2 Directive and the upcoming Law on Cybersecurity Risk Management – what is it all about?

    20.11.2023 DIGITAL SOCIETY

    Security as baseline for life event based service development

    17.10.2023 INTELLIGENT INDUSTRY

    Security requirements for digitalised product lifecycle management

    Our journey with NIS2

    Getting ready for NIS2

    In this video series, CIO Ville Hurnonen goes through Gofore’s preparations for NIS2 requirements.

    Double click the videos for a full screen mode.

    Organisational perspective

    Top management perspective

    Back to top