On 23 May 2024, the Finnish Government submitted to Parliament its proposal for implementing the EU's NIS2 Directive ((EU) 2022/2555, the "Directive"). The proposal includes, inter alia, the adoption of a new Cybersecurity Act and amendments to the Act on Information Management in Public Administration and the Act on Electronic Communications Services. The aim is for the proposed legislation to enter into force on 18 October 2024, the Directive's transposition deadline.
The NIS2 Directive aims to enhance the level of cybersecurity by laying down risk-management and reporting obligations on certain critical sector entities. The Directive lists the minimum measures that all entities within its scope must take to manage cybersecurity risks in their operations. To this end, the Cybersecurity Act will introduce new compliance requirements relating to cybersecurity risk management and incident reporting.
With this new regulation, cybersecurity will become a significantly more regulated area of activity than it has been in the past, with an emphasis on management responsibility and the risk of sanctions. The changes will also flow into contractual practice, as in-scope entities pass their new obligations on to service providers and other parties in their supply chains.
Key observations
1. Scope of application
The new cybersecurity requirements will apply to medium-sized and larger entities that operate in critical sectors. These sectors include energy, transport, health, ICT service management, digital infrastructure and certain manufacturing industries, to name a few. In-scope entities are divided into essential entities and important entities; supervision will focus on essential entities. In addition, the requirements will apply regardless of size to, among others, providers of public electronic communications networks.
2. Cybersecurity risk management and management responsibility
Entities must implement a cybersecurity risk management model covering appropriate technical, operational and organisational measures to protect their network and information systems and to prevent or minimise the adverse effects of incidents. These measures include the adoption and maintenance of cybersecurity risk management policies, supply chain security management and risk assessments, cybersecurity training, and incident detection and handling. The risk management model must be based on a risk-based and all-hazards approach.
The entity’s management is responsible for organising the implementation and monitoring of cybersecurity risk management within the entity. In Finland, management means the board of directors, the CEO and any other person in a similar position who effectively manages the operations of the entity. The entity’s management must have sufficient knowledge of cybersecurity risk management.
3. Incident reporting
Entities must notify the supervisory authority without undue delay of any significant incident, i.e. an incident that causes or is capable of causing severe operational disruption of the services or financial loss for the entity, or that affects or is capable of affecting other persons by causing considerable damage.
The notification obligation consists of three steps: (i) an initial notification within 24 hours of becoming aware of the significant incident, (ii) a follow-up notification within 72 hours of becoming aware of it, and (iii) a final report within one month of submitting the follow-up notification or, if the incident is still ongoing at that point, within one month of handling the incident.
Depending on the nature and duration of the incident, entities may also be required to submit an intermediate report and notify the recipients of their services. In addition, entities are encouraged to voluntarily provide the supervisory authority with information on other relevant issues.
4. Supervisory authorities
In Finland, supervision of the new requirements will be decentralised. The supervisory authority of the sector in which the entity operates shall be responsible for the supervision. For example, the Finnish Transport and Communications Agency (“Traficom”) supervises digital infrastructure entities while the Energy Authority supervises electricity entities. An entity may also be supervised by more than one authority if its activities cover several sectors.
Traficom's National Cyber Security Centre will act as the single point of contact and coordinate cooperation between the supervisory authorities. The national Computer Security Incident Response Team ("CSIRT"), which has been established within Traficom, will also be given new requirements and tasks. Among other things, the CSIRT monitors and analyses cyber threats, vulnerabilities and incidents and assists entities in dealing with them.
5. Enforcement and sanctions
Supervisory authorities will have a range of enforcement measures at their disposal, such as the right to access information necessary to assess the cybersecurity risk management measures adopted, various audit rights, the right to issue orders and warnings as well as the right to impose periodic penalty payments.
An independent Sanctions Board to be established within Traficom may also impose administrative fines on entities. The maximum administrative fine for an essential entity is EUR 10 million or 2% of its total worldwide annual turnover in the preceding financial year, whichever is higher. For important entities (in-scope entities that are not essential entities), the maximum is EUR 7 million or 1.4% of turnover, whichever is higher. Administrative fines cannot be imposed on public administration entities in Finland.
Going forward
The proposed cybersecurity requirements are expected to enter into force on 18 October 2024. The Government proposal (HE 57/2024 vp) is available in Finnish only.
- The scope of the new cybersecurity requirements is broad, and many new sectors are to be covered.
- The cybersecurity risk management model must be based on a risk-based and all-hazards approach: in-scope entities must conduct their own risk assessments and take measures proportionate to the risks identified.
- Entities must submit their information to the lists of entities maintained by the supervisory authorities by 31 December 2024.
- The requirements shall be complemented by guidance issued by Traficom and may be further specified by the Finnish Government and the European Commission.
We are happy to discuss the implications of the proposed requirements and keep you updated on the legislative process. For further information and advice, please contact the Head of our Data Protection and Cyber Security practice group, Jukka Lång.