
NIS 2 Directive

About the NIS 2 Directive


Full name: Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)

(Link to original text)

Type: Directive

Objective and key elements:

  • Enhances the preparedness of the Member States, such as by forming, and cooperating with other Member States through, a Computer Security Incident Response Team (CSIRT), a competent national network and information systems (NIS) authority, and an EU-wide Cooperation Group
  • Requirements to form a culture of security across sectors that are vital for the EU economy and society and that rely heavily on ICTs, such as:
    • energy, transport, water, banking, financial market infrastructures, healthcare, and digital infrastructure
  • Operators of essential services (as appointed) in the above sectors will be obliged to take appropriate security measures and notify relevant national authorities of serious incidents
  • Key digital service providers, such as search engines, cloud computing services, and online marketplaces, will have to comply with the security and notification requirements under NIS 2

Relevant to: Operators of essential services as well as key digital service providers.

Status: In force since 16 January 2023, applicable from 18 October 2024.

Related legislation: Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (CER-directive) (Link to original text)

Guidance:

(Last updated 21 October 2024)

Implemented in Finland as:

Status:

  • In force

Competent authorities: The Cybersecurity Act introduces sector-specific competent authorities:

  • The Finnish Transport and Communications Agency (Traficom) is the competent authority in relation to operators carrying out activities related to airway traffic, rail traffic, waterborne traffic, road traffic, digital infrastructure, and ICT services, as well as ground station or radar activities or other maintainers of ground-based infrastructure that support the provision of space-based services, owned, managed, and operated by member states or private entities, excluding providers of public electronic communications networks;
  • The Energy Authority is the competent authority in relation to operators carrying out activities related to electricity and proprietors of district heating or district cooling as defined in Directive (EU) 2018/2001 of the European Parliament and of the Council of 11 December 2018 on the promotion of the use of energy from renewable sources and certain operators concerning natural gas and hydrogen;
  • The Finnish Safety and Chemicals Agency (Tukes) is the competent authority for certain operators involved in natural gas, oil, hydrogen production and storage, chemicals, and undertakings referred to in NACE Rev. 2 Section C Divisions 26 to 28;
  • The National Supervisory Authority for Welfare and Health (Valvira) is the competent authority in relation to certain operators carrying out activities concerning natural gas, oil, the production and storage of hydrogen, certain operators carrying out activities in relation to chemicals, and undertakings referred to in NACE Rev. 2 Section C Divisions 26 to 28;
  • The Centre for Economic Development, Transport and the Environment of South Savo (ELY Centre) is the competent authority in relation to certain operators distributing water intended for human consumption and certain operators in the field of urban waste-water treatment;
  • The Finnish Food Authority is the competent authority in relation to both public and private profit and non-profit undertakings carrying out any of the activities related to any stage of the production, processing, and distribution of food;
  • The Finnish Medicines Agency (Fimea) is the competent authority in relation to operators involved in the research and development of specified medicinal products, undertakings referred to in NACE Rev. 2 Section C Division 21, operators manufacturing critical medical devices, operators carrying out activities relating to blood establishments, pharmacies, and suppliers of medicinal products and medical devices;
  • The Financial Supervisory Authority (FIN-FSA) is the competent authority in relation to banking and financial market infrastructure.

Single point of contact: National Cyber Security Centre

(Last updated 14 April 2025)