EU NIS2 in Finland

In Finland, EU NIS2 is transposed into national law by the Cybersecurity Act (Kyberturvallisuuslaki), the Finnish NIS2 implementation law. It carries the minimum cybersecurity requirements of the EU NIS2 Directive into Finnish law.

  1. Status of NIS2
  2. NIS2 Requirements
  3. Further information

On May 23, the Finnish Government submitted its proposal for the law to Parliament. As in other EU Member States, the law is expected to come into force on October 18, 2024. Finland assigns sector-specific supervisory authorities and does not introduce mandatory regular audits.

Implementation in Finland

Current status

The Finnish NIS2 implementation law is expected to come into force on October 18, 2024. NIS2 implementation is driven nationally by the Ministry of Transport and Communications (Liikenne- ja viestintäministeriö, LVM), in close cooperation with a working group of the Ministry of Finance (VM) for public sector matters.

The Finnish Transport and Communications Agency (Traficom) is responsible for implementing the Finnish Cybersecurity Act and has published a guideline document on the risk management measures defined in the draft law.

On May 23, the Finnish Government submitted its proposal for the law to Parliament. Before that, a draft version published in October underwent a two-month consultation period that ran until the end of November 2023.

National NIS2 differences

The Finnish Cybersecurity Act sets out general obligations that affect both essential and important entities. In principle, the obligations and deadlines for essential and important entities are the same.

Scope

Entities

The Finnish draft law affects all companies meeting or exceeding the thresholds for medium-sized enterprises as defined in Commission Recommendation 2003/361/EC (§3). In addition, certain companies are affected regardless of their size (§4).

Unlike the EU NIS2 Directive, which distinguishes between essential and important entities, the Finnish NIS2 implementation refers to all affected parties uniformly as operators. This single classification diverges from EU NIS2 by consolidating the affected entities into one category:

The draft law also explicitly lists the cases in which operators are not subject to its provisions (§4):

Sectors

Finland aligns its sector definitions closely with EU NIS2. The draft Cybersecurity Act does not contain sector definitions for public administration, banking, and financial market infrastructures. Finland does not introduce any additional sectors.

In Finland, supervising authorities are assigned per service, so a single sector may have several supervising authorities.

Annex I Sectors

Mapping of EU NIS2 Annex I sectors to Finnish NIS2 implementation sectors
own data, August 2024
Sector | Sub-Sector | Services | Supervising Authority
--- | --- | --- | ---
Energia / Energy | Sähkö / Electricity | Electricity supply companies; distribution system operators; transmission system operators; electricity producers; electricity market operators; aggregators; demand response providers; energy storage providers; charging point operators | Energiavirasto
Energia / Energy | Kaukolämmitys ja -jäähdytys / District Heating and Cooling | District heating and cooling operators | Energiavirasto
Energia / Energy | Öljy / Oil | Operators of oil pipelines; operators of oil production, refining and processing facilities; operators handling oil storage and transport; central storage units | Tukes
Energia / Energy | Kaasu / Gas | Natural gas suppliers; distribution network operators; transmission system operators | Energiavirasto
Energia / Energy | Kaasu / Gas | Holders of storage facilities; owners of liquefied natural gas processing equipment; companies in the natural gas sector; holders of refining and processing equipment | Tukes
Energia / Energy | Vety / Hydrogen | Production and storage; transfer | Tukes; Energiavirasto
Liikenne / Transport | Ilmaliikenne / Air transport | Commercial air transport operators; airport operators; air navigation service providers | Traficom
Liikenne / Transport | Raideliikenne / Rail transport | Rail network operators; traffic management companies; railway companies; service facility operators | Traficom
Liikenne / Transport | Vesiliikenne / Water transport | Passenger and freight transport companies on inland waterways, seas and coasts; port operators; providers of port infrastructure and facilities; vessel traffic service providers | Traficom
Liikenne / Transport | Tieliikenne / Road transport | Providers of road traffic management and control services; operators of intelligent transport systems | Traficom
Pankkitoiminta / Banking | | | Finanssivalvonta
Finanssimarkkinoiden infrastruktuurit / Financial Market Infrastructures | | | Finanssivalvonta
Terveys / Health | | Healthcare providers; EU reference laboratories | Valvira
Terveys / Health | | R&D of medicinal products; manufacturing of medicinal products; manufacturing of medical devices critical during a public health emergency; blood service institutions; pharmacies; providers of medicinal products and medical devices under EU Directive 2011/24/EU | Fimea
Juomavesi / Drinking Water | | Suppliers and distributors of water intended for human consumption | Etelä-Savon ELY-keskus
Jätevesi / Waste Water | | Companies collecting, disposing of or treating urban, domestic or industrial wastewater | Etelä-Savon ELY-keskus
Digitaalinen infrastruktuuri / Digital Infrastructure | | Internet exchange point operators; DNS service providers (except root name servers); regional internet registries; cloud service providers; data centre service providers; content delivery network providers; trust service providers; providers of public electronic communications networks; providers of publicly available electronic communications services | Traficom
TVT-palvelujen hallinta (yritysten välinen) / ICT Service Management (B2B) | | Providers of management services; cybersecurity service providers | Traficom
Julkishallinto / Public Administration | | | Traficom
Avaruus / Space | | Operators of ground-based infrastructure supporting space-based services | Traficom

Annex II Sectors

Mapping of EU NIS2 Annex II sectors to Finnish NIS2 implementation sectors
own data, August 2024
Sector | Sub-Sector | Services | Supervising Authority
--- | --- | --- | ---
Posti- ja kuriiripalvelut / Postal and Courier Services | | Courier service providers; postal service providers | Traficom
Jätehuolto / Waste Management | | Waste management, excluding companies for which waste management is not the main economic activity | Etelä-Savon ELY-keskus
Kemikaalien valmistus, tuotanto ja jakelu / Manufacture, Production and Distribution of Chemicals | | Manufacturing substances; distributing substances or mixtures; producing articles | Tukes
Elintarvikkeiden tuotanto, jalostus ja jakelu / Production, Processing and Distribution of Food | | Wholesale; industrial production and processing | Ruokavirasto
Valmistus / Manufacturing | Lääkinnällisten laitteiden ja in vitro -diagnostiikkaan tarkoitettujen lääkinnällisten laitteiden valmistus / Manufacturing of Medical Devices and In Vitro Diagnostic Medical Devices | Companies manufacturing medical devices as defined in Article 2(1) of Regulation (EU) 2017/745; companies manufacturing in vitro diagnostic medical devices as defined in Article 2(2) of Regulation (EU) 2017/746 | Fimea
Valmistus / Manufacturing | Tietokoneiden sekä elektronisten ja optisten tuotteiden valmistus / Manufacturing of Computer, Electronic and Optical Products | Companies manufacturing computer, electronic and optical products as defined in NACE Rev. 2 Division 26 | Tukes
Valmistus / Manufacturing | Sähkölaitteiden valmistus / Manufacturing of Electrical Equipment | Companies manufacturing electrical equipment as defined in NACE Rev. 2 Division 27 | Tukes
Valmistus / Manufacturing | Muiden koneiden ja laitteiden valmistus / Manufacturing of Machinery and Equipment n.e.c. | Companies manufacturing machinery and equipment n.e.c. as defined in NACE Rev. 2 Division 28 | Tukes
Valmistus / Manufacturing | Moottoriajoneuvojen, perävaunujen ja puoliperävaunujen valmistus / Manufacturing of Motor Vehicles, Trailers and Semi-Trailers | Companies manufacturing motor vehicles, trailers and semi-trailers as defined in NACE Rev. 2 Division 29 | Traficom
Valmistus / Manufacturing | Muiden kulkuneuvojen valmistus / Manufacturing of Other Transport Equipment | Companies manufacturing other transport equipment as defined in NACE Rev. 2 Division 30 | Traficom
Digitaalisen palvelun tarjoajat / Digital Service Providers | | Providers of online marketplaces; providers of online search engines; providers of online social networking services | Traficom
Tutkimustoiminta / Research | | Research organisations in applied research or experimental development for commercial purposes, excluding higher education institutions | Traficom

Requirements

Security

Risk Management

The Finnish Cybersecurity Act defines risk management obligations that closely align with EU NIS2. They are set out in §9, which lists 13 high-level risk management requirements.

Operators are required to identify, assess and manage risks that may affect the communication networks and information systems used in their operations. The risk management measures must be timely, proportionate and adequate (§7) and include (§9):

Operators must establish and maintain an up-to-date cybersecurity risk management policy, as stipulated in §8. This policy should adopt an all-hazards approach, addressing the protection of communication networks, information systems, and the physical environment. The policy must explicitly define the objectives, procedures, and responsibilities related to cybersecurity risks as well as technical, operational, and organizational control measures.

The Cybersecurity Act defines 12 risk management measures in §9, which closely align with EU NIS2. The §8 policy must contain technical, operational or organizational control measures that incorporate the following risk management measures of §9:

Supervisory authorities can introduce further regulations to specify risk management obligations within their sectors.

Security measures

Traficom has released a draft document with guidelines for implementing the risk management measures detailed in §8. Each section of the document covers one of the 13 risk management requirements in §8 by detailing:

Information and authorities

Registration

The registration obligations are closely aligned with EU NIS2. Operators are required to notify their supervisory authority of the usual details, such as contact information, IP address ranges and the relevant sector (§41).

Affected operators must register by December 31, 2024 (§47). Changes to this data must be reported within two weeks.

Certain types of operators, including providers of DNS services, cloud services and online marketplaces, must register additional data (§41), such as their principal business address and other legal establishments within the EU. Changes to this additional data must be reported to the supervisory authority within three weeks.

Reporting

The reporting obligations are closely aligned with EU NIS2. Operators must notify their supervisory authority of significant incidents through a series of notifications:

The definition of a significant incident and the required contents of the notifications are closely aligned with EU NIS2 (§§11-13).

Supervisory authorities are empowered to issue more detailed regulations on the content, technical format and procedures for notifications within their supervisory scope (§11).

Sanctions

The draft law defines the sanctions in §§35-40.

§35 defines the administrative offences for which sanctions can be imposed if the operator fails to:

The draft law also introduces a comprehensive procedure for imposing administrative fines, including the establishment of a penalty fee board within the Ministry of Transport and Communications, as specified in §36.

The Finnish implementation of NIS2 aligns the penalty amounts with those in EU NIS2 (§38):

Audits

Audit obligations in Finland are expected to differ from those in other EU Member States. The current draft law does not mandate self-assessments or regular audits (§30).

However, a supervisory authority can require an operator to conduct a security audit focused on cybersecurity risk management, provided that the operator:

Supervisory authorities have the right to obtain information on the results of the conducted security audit and may require an entity to implement reasonable and proportionate measures.

Further Information

Sources

  1. NIS2 Implementation Draft in Finnish, Finnish Government website, May 23, 2024
  2. FAQ on NIS2 in Finland with Supervisory Authorities by Sector, Traficom website, July 22, 2024
  3. Overview of NIS2 Implementation Progress, Finnish Government website, November 29, 2023
  4. Project Progress of the NIS2 Working Group, Finnish Government website, October 09, 2023
  5. Press Release on the Publication of the Government Proposal for NIS2 Implementation, Finnish Government website, June 06, 2024
  6. Traficom Guidelines on NIS2 Cybersecurity Risk Management Measures, Finnish Consultation Service website