The first quarter of 2025 – and the start of Q2 – has been one for the books. On April 8th, the long-awaited Finnish Cybersecurity Act finally came into force. Which means: no more waiting. It’s time for every NIS2-covered organization still hanging back to roll up their sleeves and get things in order.

Now, the law doesn’t require anything outrageous. Get your documentation and processes in shape, get a handle on your risks, and make sure leadership understands their responsibilities – and you’re already well on your way. Sure, a few tech-driven requirements come with the package too, but let’s be honest: most organizations already have the necessary tools lying around. They just haven’t been using them in a way that meets the new requirements.

And yes, for some, this might all feel like a different language. Because, in a way, it is. At first, it’s total gibberish. But then a few words start to stick. You learn what they mean. And then – surprise – you’re speaking Cyber. Maybe not fluently, but enough to get by. And that’s already a big deal. Plus, Finland’s full of great consultants who can help you navigate the swamps of cybersecurity. You don’t have to go it alone.

We’ve been working on all kinds of NIS2 projects since the beginning of the year. For some clients, a quick sparring session does the trick – maybe a leadership training or a review of key documents and processes. Others need a full-scale audit where we dig deep to uncover every NIS2 requirement and deliver a clear, actionable to-do list. It’s been incredibly rewarding to see how eager companies are to get things right – and how much easier it gets when the law is translated into everyday action. Even a small NIS2 project can provide a powerful reality check. What do we really have? What’s critical to us? And how do we protect it? What happens if something essential is suddenly gone – can we keep the business running? Honest reflection like this is always eye-opening, NIS2 or not.

Yes, NIS2 comes with the threat of big fines. But fear of punishment is a terrible motivator. A genuine desire to become a safer, more resilient organization? That’s the real game-changer.

This spring has also included a bunch of speaking gigs. In one session, I somehow managed to cram an hour’s worth of content into a 15-minute crash course on 2025 data protection trends – let’s just say I was gasping for air by the end. I also gave our Pilviraketti clients a down-to-earth walkthrough of the basics of NIS2. Just the core requirements, with a reminder: whether or not NIS2 applies to you, the work is still worth doing.

And there’s more to come. On April 29th, it’s time for the one and only Ihana TuottavuusWappu, a full-day blast of productivity tips and insights. I’ll be there too, talking about the connection between productivity and data protection – and sneaking in a few NIS2 thoughts, of course. Come join us! The price is a steal, and one ticket gets your whole organization in.

As for data protection in general – well, not much has changed since New Year’s, but there’s definitely stuff simmering under the surface. As a privacy person, I’m more than a little nervous about where data transfers to the U.S. are headed. The new U.S. administration has already weakened some of the oversight mechanisms that were crucial for the EU-U.S. data privacy framework. There’s still a long road before the framework gets struck down (like the two before it), but let’s not pretend it’s the world’s most stable or reliable agreement. Still, it’s the legal method we have – and without it, many organizations would be in serious trouble (or drowning in Standard Contractual Clauses). But hey, been there, done that, got the t-shirt. We’ll survive again if we have to.

Oh – and don’t forget: if you want to stay trendy these days, you have to mention AI. The first phase of the AI Act is already in effect, even though the national implementation isn’t expected until August. Since February, rules on prohibited use cases and training requirements for AI literacy in companies have applied. The next big milestone comes in August when obligations for general-purpose models start kicking in. AI is popping up everywhere, so now’s the time to find out what kind of AI is running in your own backyard – and what it’s actually doing.

By all means, use AI – I do too. But keep your porridge and soup separate: no personal data in the AI-data bucket, and always keep your human brain switched on when reviewing AI outputs. That’ll take you far.

Spring’s rolling on, the cyber sun is shining, and even though the world can be a dark and messy place sometimes, let’s stick to the bright side – where people are kind, responsibility isn’t ducked, and we’ve got each other’s backs.

Marita Harju

Senior Consultant, Cloud Security, Security & Modern Work