Finland engages actively in upcoming revision of EU Cybersecurity Regulation

Ministry of Transport and Communications
Publication date 28.5.2025 10.52 | Published in English on 2.6.2025 at 13.13
Type: Press release
Photo: Mika Pakarinen, Keksi/LVM

The European Commission is expected to submit a proposal on the revision of the Cybersecurity Regulation at the end of 2025. The Finnish Ministry of Transport and Communications submitted a report on this matter to Parliament on 26 May 2025.

The EU Cybersecurity Regulation lays down the tasks of the European Union Agency for Cybersecurity (ENISA) and establishes a framework for European cybersecurity certification systems. The regulation entered into force in 2019. The forthcoming revision is anticipated to review ENISA’s mandate and the certification framework, and it may also propose harmonised approaches to enhancing the security of information and communication technology (ICT), including the resilience of communication network supply chains.

The cybersecurity landscape has undergone significant changes since the entry into force of the Cybersecurity Regulation. Finland finds it important that this evolution be considered extensively when reviewing the Cybersecurity Regulation. Key priorities for Finland include promoting the preparedness, competitiveness and technological self-sufficiency of the EU.

Finland considers that the Finnish concept for comprehensive security is well suited for strengthening preparedness and crisis response within the EU, also in the field of cybersecurity. Finland highlights the importance of involving private-sector actors more extensively in enhancing cyber preparedness at the EU level.

Support for streamlined cyber security certification systems

Finland considers it essential that ENISA operates efficiently and transparently. Overlaps with the duties of national authorities and with other EU cybersecurity functions should be avoided.

The EU should have a coherent and streamlined digital and cybersecurity framework. During the previous Commission term, a substantial body of new cybersecurity legislation was prepared, with extensive impacts on ENISA’s responsibilities, among other things.

Finland also considers it important that ENISA’s capacity to perform its current tasks be assessed before new tasks are assigned. When prioritising ENISA’s tasks, the impacts on EU-level cyber security and on the achievement of the EU’s strategic objectives must be considered.

Finland welcomes the objective of streamlining the preparation, approval and review of European cyber security certification systems. Further development of cyber security certification systems is essential for the promotion of cyber security and technology security in the EU. Finland finds that certification should meet the minimum requirements of cyber security laid down in legislation.

The European Commission has announced that it will also examine the security and crisis resilience of ICT supply chains and infrastructure as part of the review of the Cybersecurity Regulation. 

Finland believes that strengthening the security and crisis resilience of ICT supply chains is a core component of the EU’s technological self-sufficiency. Finland is initially in favour of new and possibly more binding EU-level measures to improve the security of ICT supply chains.

Next steps?

The European Commission intends to submit a legislative proposal on the revision of the Cybersecurity Regulation at the end of 2025. Finland will take a position on the legislative proposal and its effects once the Commission has submitted its proposal.

Inquiries:

Emma Hokkanen, Senior Specialist, tel. +358 295 342106, [email protected]