We are committed to security and compliance of the software we develop, and all of our work with our customers & their data

Greenstep became ISO27001 certified in 2023.

“The ISO27001 certificate is a testament to the quality of the policies, procedures and processes at Greenstep”
Anne Kulla, Partner & Head of Compliance

Our policies include:

• Secure development policy – At Greenstep, all developers follow our Secure Development Guidelines. Our culture values and rewards the detection and mitigation of vulnerabilities. Please contact us if you wish to know more about our Secure Development practices.
• Code of conduct
• Information security policy
• People management policy
• Secure architecture and engineering policy
• Business continuity policy
• Office policy/ Physical security policy
• Cryptography policy
• Responsible disclosure policy
• Access Control Policy
• Supplier policy
• Testing policy
• Endpoint device policy
• Backup policy
• Privacy policy
• Information retention policy
• Password policy
• Logging policy
• Information classification policy
• Secure development policy
• Insurance policy
• Penetration testing policy

The compliance to these policies is followed through our controls which adhere to the ISO27001.2002 framework and are audited yearly.

Greenstep compliance with the NIS2 Directive

The NIS2 Directive (Directive (EU) 2022/2555)) (the “NIS2”) aims to achieve a high common level of cybersecurity across the European Union. It is to data security what the General Data Protection Regulation (GDPR) is to personal data and data protection.

The NIS2 has been transposed into local legislation in 2025 and Greenstep has been registered as an operator under NIS2.

Text updated: 8/2024.

From the point of view of companies, the most important new national regulation enacted on the basis of the NIS2 is Cybersecurity Act. The new legislation, for example, sets a registration obligation for certain companies, as well as obligation of cybersecurity-related risk management and incident reporting. In the event of non-compliance of risk management or reporting, the competent authority may impose an administrative fine in accordance with the NIS2 and the related applicable legislation. In addition, a sector-specific supervising authority may carry out ex ante and ex post supervision of the company’s operations based on company classification as an important or essential entity.

The extent of the applicability is quite wide. For example, in Finland, Cybersecurity Act is estimated to apply to 2,500 to 5,000 entities. Of these organisations only about 10 to 20 % fall under the obligation of the previous NIS1 Directive (Directive (EU) 2016/1148).

Scope: essential and digital services of certain company size

Overall, the scope of the NIS2 is large including several sectors. The primary target of this regulation is operators linked to emergency supply, such as electricity, energy and water. However, this EU law also extends the requirements to other industries such as the pharmaceutical industry, financial institutions and software suppliers, but to some extent also to, for example, accounting firms.

As a general rule, the NIS2 applies to providers of digital services. A software company that develops and produces a cloud service is clearly in the scope of the NIS2. If an accounting firm offers its clients self-developed software as a cloud service, it is also naturally within the scope of the NIS2, just like any other software firm. In addition, if an accounting firm offers its clients accounting or payroll software or other software produced and maintained by a software company, it is covered by the NIS2, if it takes care of, for example, access rights management, offers access control to the software through the identification of its own website, or otherwise manages the use of a cloud service. In the field of cloud services, there will be a nominated authority who can carry out supervision of the company´s operations.

The NIS2 imposes specific size limits that determine its applicability to companies. These limits are categorised into two main classifications: important entities and essential entities:

• A company is classified as an important entity if it meets at least one of the following criteria: the company employs at least 50 employees, or both the annual turnover and the balance sheet total exceed EUR 10 million.

• A company is classified as an essential entity if it exceeds the ceiling for medium-sized enterprises, specifically: more than 250 employees or a turnover of EUR 50 million and a balance sheet of more than EUR 43 million. The regulations governing essential entities are more stringent compared to those for important entities. In addition, these are subject to ex ante supervision.

Applicability to Greenstep

As regards Greenstep group of companies, based on the above, the parent company Greenstep Oy (Finland) is regarded as an essential entity under the NIS2 and is subject to ex ante supervision. In contrast, for example, Renance – Automated Financial Services Oy (Bezala) is not in the scope of the NIS2 due to the size limitation. Similarly, the NIS2 does not apply to our operations in Estonia or the Netherlands. Additionally, it is important to note that Norway and the United Kingdom are currently partly outside the scope of the NIS2.

In case of Greenstep Oy, the services specifically within the scope of the NIS2 include accounting and payroll.

Compliance team shall continue to monitor the development of the NIS2-related regulation at the country-level to make sure that there are no compliance gaps. Even if not all individual companies within the Greenstep Group fall under the specific NIS2 definitions, they adhere to the Group’s comprehensive information and cybersecurity practices. These practices are structured according to the management model outlined in the ISO 27001:2022 standard and are designed to support the implementation of the NIS2 regulations.

Three-stage reporting of significant cybersecurity incidents

The NIS2 includes a three-stage reporting obligation of significant cybersecurity incidents. First, an incident is to be reported without undue delay and in any event within 24 hours (early warning) to the competent authority. That early warning should be followed by an incident notification. The entities concerned should submit an incident notification without undue delay and in any event within 72 hours of becoming aware of the significant incident. A final report should be submitted not later than one month after the incident notification.

Greenstep already complies with general incident reporting requirements on the basis of the GDPR, customer agreements, and the ISO27001 standard. However, the NIS2-specific procedures, e.g. templates, shall be prepared as necessary.

Legislation

EU: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022L2555

Finland: https://www.eduskunta.fi/FI/vaski/HallituksenEsitys/Sivut/HE_57+2024.aspx

Sweden: Nya regler om cybersäkerhet – Regeringen.se

Estonia: Implementation of the NIS Directive in Estonia | Shaping Europe’s digital future (europa.eu)

Norway: the NIS2 Directive is not included in the EEA Agreement

The Netherlands: Cyberbeveiligingswet (NIS2-richtlijn) | Wet beveiliging netwerk- en informatiesystemen (Wbni) | Rijksinspectie Digitale Infrastructuur (RDI)

The UK: Introduction to the Cyber Assessment Framework – NCSC.GOV.UK

Greenstep is GDPR compliant

In addition to GDPR, there are local laws that we need to follow, which in some cases go above GDPR. For Example, an employee of our customer does not have the right to be forgotten immediately in some countries when it comes to payroll, as the local payroll and accounting laws dictate how long the material should be saved.

Privacy Policy

You can read our privacy policy here: Privacy policy (greenstep.com)

Greenstep is authorized in Finland

As a member of the Financial Management Association of Finland, we are audited yearly on our accounting processes as an organization and as individuals. We have over 40 authorized personnel within both accounting and payroll.

Greenstep is authorized in Sweden

We are audited members of the Swedish Association of Accounting and Payroll consultants. Multiple people of our staff are Authorized Accountants who must follow the Swedish standard of accountancy, called Rex. Individuals must undergo regular quality checks made by SRF-konsulterna every six years. The Authorization is a stamp of approval from SRF and warrants the accountants high level of competence and experience.

Greenstep has right to conduct accounting in Norway

Finanstilsynet has granted Greenstep the right to conduct accounting in Norway.

Greenstep is a supporting member of the association of accountants in Estonia

Know Your Customer (KYC) is an essential process for Greenstep as an accounting firm to verify the identity of their clients and comply with anti-money laundering (AML) regulations

Greenstep follows the Anti-Money Laundering Directive (2015/849; “AML Directive”) which constitutes the main legal instrument. The AML Directive has been codified into Member States’ legislation and is followed in each Greenstep country. In Finland, Åland, Sweden, Norway and Estonia Greenstep have been registered as a service provider under KYC as an accounting firm. The EU law concerns many fields, but in Greenstep’s case accounting offices are responsible and liable to prevent money laundering and terrorist financing.

For Greenstep, the scope of the KYC requirements extends to all our customers. ​There are different levels of due diligence, and it depends on the risk factors identified during onboarding and continuous monitoring. ​

Only in very rare cases we can disregard the requirement of KYC. Often, even in cases such as a listed company, we will complete the KYC, but with the information we are able to gather from public sources.

Guidance from authorities:

• Aluehallintovirasto in Finland Rahanpesulain valvonta – Raha ja omaisuus – Valvonta ja kantelut – Yritys-tai yhteisö – Aluehallintovirasto (avi.fi)
• Rahanpesu – Poliisi
• Ekobrotsmyndigheten in Sweden Penningtvättsbrott | Ekobrottsmyndigheten
• Finanstillsynet in Norway Money laundering and financing of terrorism – Finanstilsynet.no
• Finantsinspektsioon in Estonia Prevention of money laundering in general | FSA (fi.ee)

Accounting Softwares:

Payroll Softwares

Greenstep promotes responsible business methods and fosters an ethical way of acting. We take all illegal, unethical or any acts that go against our guidelines seriously. We encourage you to bring these to our attention every time there is a suspicion of misconduct.

It is crucial that the employees, associates and other stakeholders of Greenstep inform us of their concerns and suspicions regarding misconduct not in line with the organization’s guidelines. Therefore, primarily we encourage you to contact a supervisor in our organization. However, if this is not an option, you can report a concern via the reporting channel.

You do not need to have firm evidence of misconduct; however, reports should be submitted honestly and in good faith. Deliberate reporting of false information is strictly forbidden.

Avoid revealing personal information, especially delicate information, while submitting a report. If the message contains any information prohibited by law, we might not be allowed to process it.

You may leave your name and contact information during reporting, but we provide you with this opportunity to express your concern through this confidential channel anonymously. In addition, the service removes all metadata automatically in case there are any attachments added to the report.

Lexia Asianajotoimisto Oy is responsible for the service package as well as for the lawful processing of reports.

After sending the report, you will receive a unique token on the screen that enables you to continue communicating anonymously with us in the future. Save this in a secure manner. When needed, we might submit follow-up questions via the reporting channel and inform you how the investigation is proceeding.

All reports are investigated confidentially and in accordance with specified procedures. Possible resulting steps are taken only after the investigation has been concluded. The information from the report or the investigation can only be accessed by the people who need it to complete the investigation.

You create an incident from here https://app.easywhistle.com/report/greenstep/about