Cybersecurity Act introduces strict requirements and significant penalties

After two years of regulatory development, the Cybersecurity Act (124/2025), based on the EU NIS2 Directive, entered into force on 8 April 2025.
The legislation implements the EU's NIS2 Directive (2022), which repeals and replaces the original NIS Directive (2016) and widens its scope. It introduces comprehensive cybersecurity obligations for organizations operating in sectors such as energy, transport, healthcare, water supply, banking, finance, digital infrastructure, and public administration.
The scope of the law extends beyond traditional IT security. It encompasses the protection of networks and information systems, as well as the security of ICT products, services, and processes. Entities covered by the law must implement measures for prevention, detection, mitigation, and reporting of security incidents. A key requirement is the staged reporting of significant incidents: an early warning to the authority within 24 hours of becoming aware of the incident, a fuller incident notification with an initial assessment of severity and impact within 72 hours, and a final report within one month. Risk assessments must be reviewed at least annually to ensure continuity and preparedness.
Applicability and reporting obligations
The law applies to essential and important entities in sectors such as energy, transport, healthcare, water supply, banking, finance, digital infrastructure, and certain digital services. Organizations must determine whether they fall within the scope of the legislation and, if so, register with and report to the relevant sector-specific authorities such as Traficom, Valvira, Fimea, and the ELY Centres.
Management accountability and financial penalties
Responsibility for compliance lies with the organization, but the law also introduces personal accountability for executive leadership. Board members, CEOs, and other de facto decision-makers may be held personally liable for non-compliance, particularly if security assessments and follow-ups are neglected. This shift emphasizes the importance of top-level oversight in cybersecurity governance.
Violations may result in substantial fines. For essential entities these can reach up to €10 million or 2% of global annual turnover, whichever is higher; for important entities the ceiling is €7 million or 1.4% of global annual turnover. Exceptions to required security measures must be formally approved, documented, and reported to the appropriate authority.
Third-party and supply chain considerations
Organizations remain responsible for ensuring that third-party providers do not compromise the security of their systems. This covers both physical and digital security: supplier and service-provider risks must be assessed as part of the organization's own risk management, and relevant third parties should be included in preparedness and incident response planning.
Security management and documentation requirements
Entities subject to the law must establish robust security and risk management frameworks. This includes conducting thorough risk assessments, documenting vulnerabilities, and implementing mitigation strategies. The law also mandates clear procedures for incident handling, reporting, and follow-up.
Compliance will likely require investments in updated security infrastructure, staff training, and the development of incident management protocols. While the requirements may appear extensive, organizations are encouraged to tailor their implementation strategies to suit their operational context.
Regulatory oversight
All entities covered by the Cybersecurity Act will be subject to supervision by the designated authorities. This oversight aims to ensure consistent application of the law and to support the broader goal of enhancing digital resilience across critical sectors.
For iLOQ, our approach to cybersecurity is proactive and comprehensive. NIS2 compliance is not just a regulatory requirement, it’s a strategic priority. You can read more about how we are protecting sensitive information and our digital infrastructure to ensure operational continuity and trust here. And don’t hesitate to get in touch using the form below.
Contact us
Contact your local iLOQ team for a free consultation.