On 23 May 2024, Finland took a significant stride towards strengthening its cybersecurity legislation when the Government submitted to the Parliament a proposal (HE 57/2024 vp) to implement the EU Directive on Measures for a High Common Level of Cybersecurity across the Union (Directive (EU) 2022/2555, the “NIS2 Directive”). This legislative initiative aims to bolster cybersecurity measures across various critical sectors, reflecting a heightened regulatory focus on risk management and incident reporting. The proposed Cybersecurity Act, along with amendments to existing legislation, notably to the Act on Information Management in Public Administration (906/2019 as amended), is scheduled to become applicable as of 18 October 2024.
The proposal marks a significant step towards more regulated cybersecurity and positions the review and supervision of cybersecurity risks as a top management issue.
Introduction and scope
The NIS2 Directive and its national implementation significantly broaden the scope of cybersecurity requirements, extending them to medium-sized and larger entities in critical sectors. These sectors include energy, transport, health, ICT service management and digital infrastructure, as well as completely new areas such as public administration, food production, waste management and specific manufacturing industries that were not covered by the predecessor (Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union, the “NIS Directive”). Notably, the new requirements also apply to, inter alia, providers of public electronic communications networks and services, regardless of their size. Some of the covered entities fall into the category of “essential entities” and will, consequently, be subject to closer supervision.
Consequently, a wide range of entities must reassess and enhance their cybersecurity frameworks and measures to align with the new requirements. These new requirements cover cybersecurity risk-management, management responsibility, incident reporting and registration with a registry of entities. The expanded scope and additional regulatory demands necessitate a thorough review and adaptation of existing practices to ensure compliance with the updated framework.
From a practical point of view, the new requirements are likely to change cybersecurity-related agreements and contractual terms well beyond the critical sectors themselves.
Cybersecurity risk management and management responsibility
Under the new requirements, entities must implement a comprehensive cybersecurity risk management model. This model must include technical, operational and organisational measures designed to protect ICT systems and networks, and to mitigate the adverse effects of incidents. The key components of this model are:
- Risk assessment: The risk-management model must be built on risk-based and all-hazards approaches, ensuring that entities proactively identify and address potential threats from various sources.
- Documented risk-management model: Entities must define, describe and document the aims, processes and responsibilities of risk-management. The documented risk-management model must be kept up to date.
- Minimum risk-management measures: The risk-management model must include at least the minimum measures and topics listed in the proposed legislation. These minimum measures include, inter alia, the effective management of supply chain security, provision of cybersecurity training and robust incident detection and response mechanisms.
According to the proposed Cybersecurity Act, the entity’s management bears the responsibility for organising and monitoring the implementation of cybersecurity risk-management. In Finland, “entity’s management” means the board of directors, the CEO and any other person in a similar position who effectively manages the operations of the entity. This underscores the need and requirement for management to possess adequate knowledge of cybersecurity risk management. Additionally, regular training and awareness programmes should encompass the entire organisation.
Along with the new cybersecurity risk-management requirements, supply chains in ICT environments must be reviewed. In their risk-management measures, entities must take into account the overall quality, integrated risk-management measures and cybersecurity practices of the products and services of their direct suppliers. Entities will be responsible for ensuring that the products and services they select and use meet the cybersecurity risk-management requirements of the entity’s risk-management model. In practice, this entails a close review of the contractual terms with ICT suppliers.
Incident reporting obligations
The NIS2 Directive and the implementing Cybersecurity Act place a spotlight on incident reporting, emphasising swift and transparent communication. Entities within the scope of the legislation must report significant incidents to the relevant supervisory authority in accordance with the following reporting process:
- Initial notification within 24 hours of becoming aware of a significant incident.
- Follow-up notification within 72 hours of becoming aware of a significant incident.
- Final report within one month after the follow-up notification or resolution of the incident.
Significant incidents include the following incident types:
- Operational disruption: Events that disrupt or can disrupt critical operations, or similarly cause severe disruption affecting services, systems or processes.
- Financial loss to the entity concerned: Incidents resulting in financial loss due to data breaches, system failures or other cybersecurity incidents.
- Substantial damage to third parties: Considerable material or non-material damage caused to external stakeholders, such as customers, partners or the public.
Depending on the incident’s nature and duration, intermediate reports and notifications to service recipients may also be required. Entities are encouraged to provide additional relevant information voluntarily.
Supervisory Authorities and Enforcement
In Finland, the supervision of the Cybersecurity Act will be decentralised. Sector-specific supervisory authorities will oversee compliance within their respective domains. For example, the Finnish Transport and Communications Agency (Traficom) will supervise digital infrastructure entities, while the Energy Authority will monitor electricity entities. An entity operating across multiple sectors may be subject to oversight by more than one authority.
Traficom’s National Cyber Security Centre will serve as the single point of contact and coordinate the activities of supervisory authorities. Additionally, the national Computer Security Incident Response Team (CSIRT), established within Traficom, will play a pivotal role in monitoring, analysing and assisting entities with cyber threats and incidents.
The enforcement framework under the Cybersecurity Act grants supervisory authorities a broad range of powers, including access to information, audit rights and the ability to issue orders and warnings. Moreover, an independent Sanctions Board will have the authority to impose administrative fines on non-compliant entities. The maximum fines are substantial: up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. In Finland, public administration entities are exempt from administrative fines.
Looking Forward
The proposed cybersecurity requirements are expected to become applicable on 18 October 2024, and the covered entities must submit their information with the registry of entities by 31 December 2024. The implementation of these requirements will be supplemented by guidance from the supervisory authorities and may be further detailed by the Finnish Government and the European Commission.
The upcoming government proposal implementing the Directive on the Resilience of Critical Entities (Directive (EU) 2022/2557, the “CER Directive”) adds another layer to the regulatory framework for critical sectors and entities. The CER Directive aims to enhance the resilience of critical entities against both physical and cyber threats. It requires entities in sectors such as energy, transport, health and drinking water to undertake comprehensive risk assessments and adopt measures to ensure operational continuity. However, the application of the requirements stemming from the CER Directive is contingent upon the specific designation of an entity as critical. Upon such designation, the critical entity also becomes subject to the provisions of the Cybersecurity Act, irrespective of its size, and assumes the status of an essential entity.
Key interactions between NIS2 and CER requirements:
- Complementary objectives: Both directives seek to safeguard critical infrastructure, but the NIS2 Directive focuses on cybersecurity, while the CER Directive addresses broader resilience against various threats.
- Risk management synergies: Entities subject to both directives must formulate integrated risk management strategies encompassing a broader spectrum of threats. These threats include those affecting the ICT ecosystem as well as risks impacting other operational components, such as those arising from natural hazards, terrorist attacks, insider threats and sabotage. This holistic approach aims to streamline compliance endeavours and ensure comprehensive protection.
- Reporting obligations: While the requirements stemming from the NIS2 Directive mandate cybersecurity incident reporting, the CER Directive requires reporting on disruptions affecting the continuity of essential services. Critical entities must align their reporting mechanisms to meet both directives’ requirements efficiently and within the set timeframes.
The implementation of the NIS2 Directive in Finland, alongside the CER Directive, marks a significant shift towards more regulated cybersecurity. Entities within the scope must swiftly undertake substantial measures to align with the new requirements, with a particular focus on comprehensive risk management and management responsibility. From 17 January 2025, the legislative framework will be complemented by cybersecurity requirements for financial sector entities under the EU Regulation on Digital Operational Resilience for the Financial Sector (DORA).
Typically, the key questions and steps in building and updating cybersecurity frameworks and models within the Finnish critical entities include:
- identifying the covered entities and, for entities operating across borders, identifying the relevant jurisdictions and assessing cross-border aspects;
- organising and ensuring sufficient management responsibility;
- reviewing ICT procurement and maintenance processes and supply chains, including vulnerability handling processes; and
- reviewing and building incident detection, recovery and reporting processes to meet the new requirements, including strict incident reporting timeframes.
Effective and compliant cybersecurity risk management is a continuous effort requiring vigilance, adaptation and collaboration across the organisation.