Finnish companies have a lot of work ahead in implementing the European Network and Information Systems Directive

The European Network and Information Systems Directive (NIS2) aims to ensure a common level of cybersecurity throughout the European Union. This directive will become part of national legislation in Finland during this year. The requirements of the directive apply to a large portion of Finnish companies, either directly or through subcontracting chains. The study reveals that Nordic companies perceive their cybersecurity levels and threats similarly.

Nearly all Nordic companies consider themselves somewhat aware of cyber threats

However, one crucial aspect of cybersecurity is employee awareness of cyber risks and appropriate responses. NIS2 emphasizes better communication and training on cybersecurity matters for employees. Surprisingly, in Finland, approximately 49% of respondents mentioned that they currently provide the required cybersecurity training related to NIS2 for their staff. In Norway, 61% of companies offer such training, while in Sweden and Denmark, approximately one-third of companies do so.

“Of particular concern is the finding that firewall protection is lacking in up to a quarter of companies. This deficiency should raise alarms not only for the companies themselves but also for their customers who use their services. Good cybersecurity practices not only protect the companies but also reduce the risk of infection for partners and customers”, says Dominique Akl, VP, Network and Cloud Solutions at DNA Corporate Business.

According to the survey, only 75% of companies protect their operations with firewall solutions, and nearly the same percentage mention that their company has any malware protection (76%).

As per the directive, responsibility of company’s cybersecurity lies with its management, and executives can be held personally accountable for any negligence. Almost all respondents (95%) felt they were somewhat aware of cybersecurity threats. However, 10% of respondents were unaware of the specific cybersecurity tools their company had in place.

Preparedness plans are lacking in the majority of Finnish companies

When NIS2 comes into force, it requires that cybersecurity risks be analyzed, and policies related to information system security be implemented. Despite this, only about a third (36%) of Finnish companies have developed incident response plans for cybersecurity threats. Nevertheless, a significant portion (86%) of respondents were confident or fairly confident in their ability to respond to cybersecurity incidents. 

Based on the responses, it is likely that a significant number of Finnish companies have weak capabilities to effectively address various security threats. 

Resource constraints and expertise pose obstacles to improving cybersecurity

Meeting NIS2 requirements demands increased investment in cybersecurity capabilities and its maintenance from companies. 

“Every company should act in line with the intentions of the directive, regardless of whether the directive directly obligates the company,” says Akl. 

The most significant barriers to enhancing cybersecurity capabilities were resource and funding constraints (25%), expertise (27%), and staff skills gap (26%). While most respondents (51%) believed that cybersecurity resourcing would increase, only 7% considered it highly likely to happen. 

This press release is based on a web survey conducted by Telenor Group with Norstat in October 2023. The study targeted companies in Finland, Norway, Sweden, and Denmark, with respondents being business directors responsible for their respective companies. The total number of respondents was 2134, including 518 from Finland. The survey’s margin of error is 1.9–4.5 percentage points. 

Media Inquiries:

Attachement: survey summary

Dominique Akl, Vice President, Network and Cloud Solutions, DNA Plc, tel. +38 (0)44 044 2602, dominique.akl@dna.fi

DNA Corporate Communications, tel. +358 44 044 8000, communications@dna.fi