NIS2 Directive: What it means, who it affects and what you should do now
Short summary
- NIS2 is an EU cybersecurity directive that came into force in Finland in April 2025 — and it affects far more organisations than its predecessor
- Even if your company isn’t directly in scope, supply chain obligations may still apply to you
- Management liability is now personal — and significant security incidents must be reported to authorities within 24 hours
- Achieving NIS2 compliance doesn’t require massive investments — done right, it’s also a competitive advantage
Have you been coming across the term NIS2 lately and wondering whether it applies to your organisation — or whether it’s yet another EU acronym you can safely hand off to someone else?
Spoiler alert: it’s probably something you should care about. And the good news is that it’s not as complicated as it sounds.
What is NIS2, really?
Let’s start with the basics. NIS2 is the EU’s cybersecurity directive, which entered into force in Finland in April 2025 through the Cybersecurity Act (124/2025). It replaces its predecessor, the NIS1 Directive, and significantly expands its scope.
But what does it actually mean in practice? Here’s a simple way to put it:
NIS2 is EU-level legislation covering information security across organisations. It’s designed to ensure that companies act responsibly when it comes to cybersecurity in the broadest sense — not just in handling personal data, which is GDPR’s territory, but across information security as a whole.
Think of it this way: GDPR is like a specialist focused on personal data. NIS2 is a broader framework that covers the entire field of information security, with GDPR complementing it in its own specific area.
Why is NIS2 generating so much buzz right now?
One word: scope.
The original NIS1 Directive covered mainly the most critical societal infrastructure — power grids, water utilities, banks. NIS2 has multiplied that scope many times over. Suddenly, organisations across energy, healthcare, transport, food production, various manufacturing sectors, digital services and public administration all fall under the directive.
And when those organisations come under regulation, their supply chains follow.
This is perhaps the most important practical impact of NIS2 for many companies: the supply chain obligation. Organisations in scope are responsible for ensuring that their subcontractors also meet basic cybersecurity requirements. If you supply goods or services to an organisation subject to NIS2, your customer will require a certain level of cybersecurity — and evidence of it. Without that evidence, contracts will most likely not materialise.
This means NIS2 extends much further than the letter of the law might suggest.
Who does NIS2 apply to?
The directive primarily covers medium and large organisations in defined sectors — those with more than 50 employees or annual turnover exceeding €10 million. Smaller organisations can also fall within scope if they are considered critical operators. For precise definitions, Traficom’s Cybersecurity Centre is the authoritative source.
Essential entities:
- Energy, transport, banking and financial markets
- Healthcare, drinking water and wastewater
- Digital infrastructure and ICT services
- Public administration, space
Important entities:
- Postal and courier services, waste management
- Chemicals, food production
- Manufacturing (electronics, machinery, electrical equipment)
- Digital services and research
And as noted — if you supply to any of these organisations, the requirements may apply to you indirectly too.
What does NIS2 require in practice?
This might be the point where some leaders roll their eyes: “Another regulatory jungle.” But there’s good news: NIS2 compliance genuinely isn’t rocket science, and the key requirements can often be built on top of existing practices — without necessarily demanding significant financial or time investments.
Building NIS2-compliant risk and information security management does deliver real value, though. Beyond protecting your own organisation’s data and people, you’re also safeguarding your customers’ information and assets — and you can communicate that clearly.
In practice, the directive requires, among other things:
Risk management and information security policy. Organisations need a documented understanding of their risks and a framework for managing them.
Management accountability. This is one of NIS2’s most significant changes from its predecessor. Responsibility is no longer vaguely distributed across the organisation — senior leadership is personally accountable for compliance, including approving risk management practices and overseeing their implementation.
Supply chain security. Beyond your own operations, you’re responsible for ensuring that key suppliers also maintain adequate cybersecurity.
Business continuity. Backups, recovery plans and crisis management can’t just be items at the bottom of a checklist — they need to be tested practices embedded in everyday operations.
Incident reporting. Significant security incidents must be reported to the supervisory authority within 24 hours of detection. A follow-up report is due within 72 hours, and a final report is generally required within one month.
Training. NIS2 requires that organisations maintain sufficient cybersecurity competence and the ability to manage risks. In practice, this means role-appropriate training for staff — and particularly for leadership and board members.
“We still have time” — do you?
That mindset is worth challenging. If you approach this thinking “we’ve still got 16 months, no rush” — you’ll find yourself in trouble.
The law is already in force. The obligation to report significant incidents began in April 2025. And while regulators may not be knocking on your door tomorrow, cyberattacks don’t ask permission in advance.
It’s also worth keeping the human side of this in mind. After a security breach, regulators will assess whether the organisation acted responsibly. If documentation is missing, if leadership has never discussed the topic, and if obvious vulnerabilities were knowingly left unaddressed — the situation looks very different from that of an organisation that can demonstrate genuine efforts to get things in order.
The analogy works in everyday life too: it’s hard to explain away a break-in when the thief walked in through a front door with a broken lock that you knew about but decided not to fix.
The Finnish challenge: being thorough without being rigid
Finnish organisations have a well-earned reputation for following the rules — if there’s one thing we do well, it’s compliance to the letter. But there’s a flip side to that.
We may not have quite the same comfort with flexible interpretation that you see in some other countries. We want to do things properly — which is genuinely admirable — but the law isn’t always that black and white. Organisations can go overboard: money is spent, time disappears, documentation piles up into hundreds of pages, but the practical benefit ends up feeling mostly like paperwork.
The key message here is that NIS2 compliance is, for most organisations, a business decision — and it can be implemented with the resources and tools already available. A perfect system on paper that nobody understands or uses is weaker than a simpler, functioning structure that people actually follow day to day.
What if NIS2 were actually your competitive edge?
What if NIS2 isn’t just a burden, but an opportunity?
It’s worth seeing this legislation not only as a compliance requirement, but as a chance to stand out from the competition — with the mindset of “we don’t do things because we have to, but because it’s the right thing to do.”
Think about it. A company with a clear security structure, documented risk management and the ability to demonstrate compliance is well positioned in:
- public tenders, where NIS2 requirements are increasingly showing up in contract requirements
- negotiations with larger customers who are scrutinising their supply chains
- recruitment, where cybersecurity is a fast-growing area of expertise
One way to look at it: meeting the minimum requirements of the law is the baseline for responsible conduct. On top of that, you can build layers that protect your business, your people and your customers — and communicate that with confidence.
Where to start?
If NIS2 still feels unclear, or you’re unsure whether it applies to your organisation, don’t sit with that uncertainty alone. A good starting point comes in three steps:
- Determine your scope. Does your organisation fall directly under the directive? What about indirectly through supply chain relationships? Traficom’s Cybersecurity Centre website is a solid starting point, and a Greenstep expert can help you figure it out quickly.
- Do a current state analysis. Where do things stand right now? What are the key risks and gaps? A current state analysis isn’t an end in itself — it’s done to identify what concretely needs to happen next.
- Build a framework that works in practice. Documentation, risk management processes, incident reporting procedures, staff training — together these create something that actually works, rather than just looking good on a shelf.
Greenstep’s CIO team helps organisations achieve NIS2 readiness in a practical, right-sized way. Getting started is easy: book a free 30-minute sparring session where we’ll walk through your situation and give you concrete guidance on the next steps.