EU NIS2 in Finland
EU NIS2 will be transposed into Finnish national law by the Cybersecurity Act (Kyberturvallisuuslaki), the Finnish NIS2 implementation law. It transposes the minimum cybersecurity requirements of the EU NIS2 directive into Finnish law.
On May 23, 2024, the Finnish Government submitted the government proposal for the draft law to parliament. As in other EU member states, the law is expected to come into force on October 18, 2024. Finland assigns sector-specific supervisory authorities and does not introduce mandatory regular audits.
Implementation in Finland
Current status
The Finnish NIS2 implementation law is expected to come into force on October 18, 2024.
NIS2 implementation is being driven nationally by the Ministry of Transport and Communications (Liikenne- ja viestintäministeriö, LVM), in close cooperation with a working group of the Ministry of Finance (VM) for public sector matters.
The Finnish Transport and Communications Agency (Traficom) is responsible for implementing the Finnish Cybersecurity Act and has published a guideline document on the risk management measures defined in the draft law.
On May 23, 2024, the Finnish Government submitted the government proposal for the draft law to parliament. Previously, a draft version from October 2023 underwent a two-month consultation period until the end of November 2023.
National NIS2 differences
The Finnish Cybersecurity Act sets out general obligations that affect both essential and important entities. In principle, the obligations and deadlines for essential and important entities are the same.
- Entities: The Finnish draft law does not distinguish between essential and important entities. Consequently, the defined obligations and transition periods are in principle the same for all companies regardless of their size.
- Transition period for registration: Affected companies must register by December 31, 2024.
- Lack of regular audits: The draft law does not oblige entities to conduct audits or self-assessments. However, according to §30, the Ministry of Transport and Communications is authorized to require operators to conduct an audit focused on cybersecurity risk management, given that the company has experienced a significant incident, violated its obligations or neglected to implement the cybersecurity risk management model of §8.
- Extensive legislative changes: The Finnish NIS2 implementation amends a number of other laws. The main affected laws are:
  - Act on Information Management in Public Administration (Laki julkisen hallinnon tiedonhallinnasta)
  - Act on Electronic Communications Services (Laki sähköisen viestinnän palveluista)
Scope
Entities
The Finnish draft law affects all companies meeting or exceeding the thresholds for medium-sized enterprises as defined in Commission Recommendation 2003/361/EC (§3). Additionally, companies may also be affected regardless of their size (§4).
Unlike the EU NIS2 Directive, which distinguishes between essential and important entities, the Finnish NIS2 implementation refers to all affected parties uniformly as operators.
This singular classification diverges from EU NIS2 by consolidating affected entities into one category:
- Operators based on company size in the NIS2 sectors (Annex I and II):
  - Companies with ≥ 50 FTE, or
  - Companies with > 10m EUR yearly revenue and balance sheet total > 10m EUR
- Size-independent: qTSP, TLD, DNS, telco, critical facilities
- Size-independent for special reasons: critical societal or economic functions, significant impact on public safety, significant systemic risk, particular importance for the sector
The draft law also explicitly outlines scenarios for operators not subject to its provisions (§4):
- Operators solely providing services for national security, defense, public order and safety, or criminal prosecution
- Operators providing services in Annex 1 and 2 only on an occasional basis
Sectors
Finland aligns its sector definitions closely with EU NIS2. Sector definitions for public administration, banking, and financial market infrastructures are missing in the draft of the Cybersecurity Act. Finland does not introduce any additional sectors.
In Finland, supervising authorities are assigned on a per-service basis. Therefore, it is possible that a sector has multiple supervising authorities.
Annex I Sectors
Sub-Sector | Services | Supervising Authority
---|---|---
Energia / Energy | |
Sähkö / Electricity | Electricity supply companies; Distribution system operators; Transmission system operators; Electricity producers; Electricity market operators; Aggregators; Demand response providers; Energy storage providers; Charging point operators | Energiavirasto
Kaukolämmitys ja -jäähdytys / District Heating and Cooling | District heating and cooling operators | Energiavirasto
Öljy / Oil | Operators of oil pipelines; Operators of oil production, refining and processing facilities; Operators handling oil storage and transport; Central storage units | Tukes
Kaasu / Gas | Natural gas suppliers | Energiavirasto
 | Distribution network operators | Energiavirasto
 | Transmission system operators | Energiavirasto
 | Holders of storage facilities | Tukes
 | Owners of liquefied natural gas processing equipment | Tukes
 | Companies in the natural gas sector | Tukes
 | Holders of refining and processing equipment | Tukes
Vety / Hydrogen | Production and storage | Tukes
 | Transfer | Energiavirasto
Liikenne / Transport | |
Ilmaliikenne / Air transport | Commercial air transport operators; Airport operators; Air navigation service providers | Traficom
Raideliikenne / Rail transport | Rail network operators; Traffic management companies; Railway companies; Service facility operators | Traficom
Vesiliikenne / Water transport | Passenger and freight transport companies on inland waterways, seas, and coasts; Port operators; Providers of port infrastructure and facilities; Vessel traffic service providers | Traficom
Tieliikenne / Road transport | Providers of road traffic management and control services; Operators of intelligent transport systems | Traficom
Pankkitoiminta / Banking | | Finanssivalvonta
Finanssimarkkinoiden infrastruktuurit / Financial Market Infrastructures | | Finanssivalvonta
Terveys / Health | Healthcare providers | Valvira
 | EU Reference Laboratories | Valvira
 | R&D of medicinal products | Fimea
 | Manufacturing of medicinal products | Fimea
 | Manufacturing of medical devices that are critical during a public health emergency | Fimea
 | Blood service institutions; Pharmacies; Providers of medicinal products and medical devices under EU Directive 2011/24/EU | Fimea
Juomavesi / Drinking Water | Suppliers and distributors of water intended for human consumption | Etelä-Savon ELY-keskus
Jätevesi / Waste Water | Companies collecting, disposing of, or treating urban, domestic, or industrial wastewater | Etelä-Savon ELY-keskus
Digitaalinen infrastruktuuri / Digital Infrastructure | Internet exchange point operators; DNS service providers, except root name servers; Regional internet registries; Cloud service providers; Data centre service providers; Content delivery network providers; Trust service providers; Providers of public electronic communications networks; Providers of publicly available electronic communications services | Traficom
TVT-palvelujen hallinta (yritysten välinen) / ICT Service Management (B2B) | Providers of management services; Cybersecurity service providers | Traficom
Julkishallinto / Public Administration | | Traficom
Avaruus / Space | Operators of ground-based infrastructure supporting space-based services | Traficom
Annex II Sectors
Sub-Sector | Services | Supervising Authority
---|---|---
Posti- ja kuriiripalvelut / Postal and Courier Services | Courier service providers; Postal service providers | Traficom
Jätehuolto / Waste Management | Waste management, excluding companies where waste management is not the main economic activity | Etelä-Savon ELY-keskus
Kemikaalien valmistus, tuotanto ja jakelu / Manufacture, Production and Distribution of Chemicals | Manufacturing substances; Distributing substances or mixtures; Producing articles | Tukes
Elintarvikkeiden tuotanto, jalostus ja jakelu / Production, Processing and Distribution of Food | Wholesale; Industrial production and processing | Ruokavirasto
Valmistus / Manufacturing | |
Lääkinnällisten laitteiden ja in vitro -diagnostiikkaan tarkoitettujen lääkinnällisten laitteiden valmistus / Manufacturing of Medical Devices and In Vitro Diagnostic Medical Devices | Companies manufacturing medical devices as defined in Article 2(1) of Regulation (EU) 2017/745; Companies manufacturing in vitro diagnostic medical devices as defined in Article 2(2) of Regulation (EU) 2017/746 | Fimea
Tietokoneiden sekä elektronisten ja optisten tuotteiden valmistus / Manufacturing of Computer, Electronic and Optical Products | Companies manufacturing computer, electronic, and optical products as defined in NACE Rev. 2 Division 26 | Tukes
Sähkölaitteiden valmistus / Manufacturing of Electrical Equipment | Companies manufacturing electrical equipment as defined in NACE Rev. 2 Division 27 | Tukes
Muiden koneiden ja laitteiden valmistus / Manufacturing of Machinery and Equipment n.e.c. | Companies manufacturing machinery and equipment n.e.c. as defined in NACE Rev. 2 Division 28 | Tukes
Moottoriajoneuvojen, perävaunujen ja puoliperävaunujen valmistus / Manufacturing of Motor Vehicles, Trailers and Semi-Trailers | Companies manufacturing motor vehicles, trailers, and semi-trailers as defined in NACE Rev. 2 Division 29 | Traficom
Muiden kulkuneuvojen valmistus / Manufacturing of Other Transport Equipment | Companies manufacturing other transport equipment as defined in NACE Rev. 2 Division 30 | Traficom
Digitaalisen palvelun tarjoajat / Digital Service Providers | Providers of online marketplaces; Providers of online search engines; Providers of online social networking services | Traficom
Tutkimustoiminta / Research | Research organizations in applied research or experimental development for commercial purposes, excluding higher education institutions | Traficom
Requirements
Security
Risk Management
The Finnish Cybersecurity Act defines risk management obligations that closely align with EU NIS2. These obligations are defined in §9, which outlines 13 high-level risk management requirements.
Operators are required to identify, assess and manage risks that may affect the communication networks and information systems used in their operations. The risk management measures must be timely, proportionate and adequate (§7), taking into account (§9):
- scope of the operations
- foreseeable impacts of an incident
- risk exposure of the communication networks and information systems
- likelihood and severity of incidents, costs of the measures
- available technical possibilities to counter threats
- considering current developments
Operators must establish and maintain an up-to-date cybersecurity risk management policy, as stipulated in §8. This policy should adopt an all-hazards approach, addressing the protection of communication networks, information systems, and the physical environment. The policy must explicitly define the objectives, procedures, and responsibilities related to cybersecurity risks as well as technical, operational, and organizational control measures.
The Cybersecurity Act defines 12 risk management measures in §9 which closely align with EU NIS2. The §8 policy must contain technical, operational, or organizational control measures incorporating the following risk management measures of §9:
- Risk management principles and control measures effectiveness
- Communication networks and information systems security
- Procurement, development, and maintenance security; vulnerability handling
- Supplier product/service quality, resilience, and cybersecurity practices
- Asset management and critical security functions identification
- Personnel security and cybersecurity training
- and more
Supervisory authorities can introduce further regulations to specify risk management obligations within their sectors.
Security measures
Traficom has released a draft document that outlines guidelines for implementing the risk management measures detailed in §8. Each section of this document offers guidance on one of the 13 risk management requirements in §8 by detailing:
- Implementation examples: Guidance on implementing the recommendation based on aspects like company size, industry or typical threats. The necessary measures can vary significantly from the implementation examples
- Verification: Verification methods a supervisory authority might use to assess the implemented measures. Supervision can be based on documentation or self-assessments (category 1), interviews, configuration reviews or similar evidence (category 2), as well as different programs and tools to interpret technical data, including various scans (category 3)
- Justifications: Justification for the measure and a description of its intended goals. This can form a basis for discussions between the supervisory authority and the operator
- References: Standards, frameworks, guidelines for additional information or descriptions of commonly used implementations
- Tools: tools used by supervisory authority for supervisory activities. Tools are also available for operators to measure the maturity level
Information and authorities
Registration
The registration obligations are closely aligned with EU NIS2. Operators are required to notify their supervisory authority of the typical details such as contact information, IP address ranges, the relevant sector and more (§41).
Affected operators must register by December 31, 2024 (§47). Changes to this data must be reported within two weeks.
Special types of operators must register additional data (§41). This includes providers of DNS services, cloud services, online marketplaces and more. The additional data covers the principal business address and other legal establishments within the EU. Changes to the additional data must be reported to the supervisory authority within three weeks.
Reporting
The reporting obligations are closely aligned with EU NIS2. Operators must notify their supervisory authority of significant incidents through a series of notifications:
- Initial notification within 24 hours of detecting the incident (§11)
- Follow-up notification within 72 hours of detecting the incident (§11)
- Final report within 1 month after the follow-up notification or upon concluding the incident (§13)
- Progress report on request or after one month if the incident is ongoing (§12)
The definition of a significant incident and the required notification contents are closely aligned with EU NIS2 (§§11-13).
Supervisory authorities are empowered to issue more detailed regulations regarding the content, technical format, and procedures for notifications within their supervisory scope §11.
Sanctions
The draft law defines the sanctions in §§35-40.
§35 defines administrative offenses for which sanctions can be imposed if the operator fails to:
- Manage risks (§7), establish a cybersecurity risk management framework (§8), or consider the elements in §9(1)
- Implement the measures in §9(2)
- Submit an incident notification (§11), interim report (§12) or final report (§13) to the supervisory authority
- Provide the information required under §41 to the supervisory authority
The draft law also introduces a comprehensive procedure for imposing administrative fines, including the establishment of a penalty fee board within the Ministry of Transport and Communications, as specified in §36.
The Finnish implementation of NIS2 aligns the penalty amounts with those outlined in EU NIS2 (§38):
- 10m EUR or 2% of the total annual worldwide turnover in the preceding financial year for essential entities
- 7m EUR or 1.4% of the total annual worldwide turnover in the preceding financial year for any other operators
Audits
Audit obligations in Finland are expected to differ from those in other EU Member States. The current draft law does not mandate self-assessments or regular audits (§30).
However, supervisory authorities can require an operator to conduct a security audit focused on cybersecurity risk management, given that the operator has:
- Experienced a significant incident causing serious service disruption or substantial damage
- Seriously violated its legal obligations
- Neglected to implement the cybersecurity risk management model (§8)
Supervisory authorities have the right to obtain information on the results of the conducted security audit and may require an entity to implement reasonable and proportionate measures.
Further Information
Sources
- NIS2 Implementation Draft in Finnish, Finnish Government website, May 23, 2024
- FAQ on NIS2 in Finland with Supervisory Authorities by Sector, Traficom website, July 22, 2024
- Overview of NIS2 Implementation Progress, Finnish Government website, November 29, 2023
- Project Progress of the NIS2 Working Group, Finnish Government website, October 09, 2023
- Press Release on the Publication of the Government Proposal for NIS2 Implementation, Finnish Government website, June 06, 2024
- Traficom Guidelines on NIS2 Cybersecurity Risk Management Measures, Finnish Consultation Service website