Government submits a bill for cybersecurity act for approval

The Government proposes that the President of the Republic approve the bill for the cybersecurity act and set its date of entry into force as 8 April 2025. The President of the Republic is to approve the bill on Friday 4 April 2025.
The act implements the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive). The aim of the Directive is to strengthen cybersecurity in critical sectors at the EU and national level. The operators covered by the scope of the Directive must in future assess and manage the risks posed to the security of their communication networks and information systems. In addition, they must report significant incidents related to their communication networks and information systems. With regard to public administration, the Directive will be implemented by amending the Act on Information Management in Public Administration.
The scope of the national act covers operators in the transport, energy and healthcare sectors and digital infrastructure service providers. It also applies to the food sector, certain manufacturing industries, the chemical industry, waste management and postal services. The act mainly applies to medium-sized and large operators engaged in the activities referred to in the annexes to the act.
National provisions on supervisory authorities
The cybersecurity act contains the provisions on obligations set by the Directive that concern risk management and reporting on significant incidents in an organisation. The provisions also cover other official duties required by the implementation, including the supervision of the obligations. The operators within the scope of application are required to provide their contact details to the supervisory authority once the provisions concerned become applicable. The periods for arranging risk management and information reporting measures under the cybersecurity act start to run as the act enters into force.
In accordance with the act, the sector-specific supervisory authorities will be the Finnish Transport and Communications Agency Traficom; the Energy Authority; the Finnish Safety and Chemicals Agency; the South Savo Centre for Economic Development, Transport and the Environment; the Finnish Food Authority; the National Supervisory Authority for Welfare and Health (Valvira); and the Finnish Medicines Agency (Fimea). Traficom will coordinate cooperation between the supervisory authorities. Administrative fines will be imposed by a separately established board, which will consist of members appointed by the supervisory authorities.
The tasks of the national computer security incident response team (CSIRT) will be assigned to the National Cyber Security Centre at Traficom. They are very similar to the current tasks of the National Cyber Security Centre, for example in terms of monitoring and analysing cyber threats. The team acts as a national coordinator for the purposes of coordinated vulnerability disclosure within the EU. It can also serve as a coordinator for voluntary cybersecurity information-sharing arrangements.
What’s next?
The legislation is intended to enter into force on 8 April 2025. The Cyber Security Centre and the supervisory authorities will provide information on the implementation of the cybersecurity act.
Inquiries:
Veikko Vauhkonen, Senior Officer, veikko.vauhkonen@gov.fi, tel. +358 29 534 2168
Finnish Transport and Communications Agency Traficom: NIS2 – European Union Directive on measures for a high common level of cybersecurity across the Union
Gateway to information on Government projects: Government proposal for the implementation of the EU Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) (in Finnish)
Gateway to Information on Government Projects: Working group for supporting the national implementation of the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive)
Press release, 23 May 2024: National implementation of cybersecurity Directive progresses: Government proposes new cybersecurity act