National implementation of cybersecurity Directive progresses: Government proposes new cybersecurity act
On 23 May 2024, the Government submitted to Parliament a proposal concerning the national implementation of the EU Directive on measures for a high common level of cybersecurity across the Union (NIS 2). The aim of the Directive is to strengthen cybersecurity in critical sectors at the EU and national level.
The new EU cybersecurity Directive, or the NIS 2 Directive, replaces the earlier Directive concerning measures for a high common level of security of network and information systems across the Union (NIS Directive). The NIS 2 Directive was published in December 2022. The Member States must start applying the Directive no later than 18 October 2024.
The NIS 2 Directive aims to strengthen cybersecurity in sectors essential for the functioning of society across the EU. Operators within the scope of the Directive must in future assess the risks posed to the security of their communications networks and information systems, and manage those risks. In addition, they must notify the authorities of any significant incidents affecting their communications networks and information systems.
For example, the scope of the Directive covers the energy and healthcare sectors and digital infrastructure service providers more broadly than before. The Directive also applies to entirely new sectors, such as public administration, the food sector, industries manufacturing certain products, and waste management. As a rule, the Directive applies to medium-sized and larger operators in these sectors.
National implementation based on the minimum requirements
The Government proposes that the national implementation of the NIS 2 Directive be based on the minimum requirements set by the Directive. For example, the Government does not propose any additions to the scope of the Directive or to the obligations it lays down.
The Government proposes that the NIS 2 Directive be implemented by enacting an entirely new cybersecurity act. The cybersecurity act would contain the provisions on those cybersecurity obligations set by the Directive that concern risk management and reporting on significant incidents. The act would also include provisions on the supervision of obligations and on other official duties required by the implementation.
The supervision of compliance with the NIS 2 Directive would be decentralised to sector-specific authorities, just like the supervision under the previous NIS Directive. The supervisory authorities would be the Finnish Transport and Communications Agency (Traficom); the Energy Authority; the Finnish Safety and Chemicals Agency; the South Savo Centre for Economic Development, Transport and the Environment; the Finnish Food Authority; the National Supervisory Authority for Welfare and Health (Valvira); and the Finnish Medicines Agency (Fimea). Traficom would coordinate cooperation between the supervisory authorities. Administrative fines would be imposed by a separately established board for administrative fines, which would consist of members appointed by the supervisory authorities.
The tasks of the national computer security incident response team (CSIRT) would be assigned to the National Cyber Security Centre. These tasks are very similar to the current tasks of the National Cyber Security Centre, for example, when it comes to monitoring and analysing cyber threats. The team would act as a national coordinator for the purposes of coordinated vulnerability disclosure within the EU. It could also serve as a coordinator for voluntary cybersecurity information-sharing arrangements.
The cybersecurity act would lay down provisions on the authorities’ obligation to adopt a national cybersecurity strategy and draw up a large-scale cybersecurity incident and crisis response plan.
The earlier Directive on security of network and information systems (NIS) was repealed when the NIS 2 Directive was adopted. The government proposal would also repeal the provisions on the national implementation of the NIS Directive.
Next steps
A referral debate on the government proposal submitted to Parliament will be conducted in a Parliament plenary session. Information on the date of the session will be available on the Parliament website. After the referral debate, the proposal will be taken to a Parliamentary Committee. Once the Committee’s report is ready, the matter will be discussed in a plenary session.
The statutes contained in the government proposal would enter into force on 18 October 2024. It is proposed that a transition period be set for notifications submitted to the supervisory authorities. The deadline for submitting these notifications, which are used for establishing a list of operators, would be 31 December 2024.
Inquiries:
Veikko Vauhkonen, Senior Officer, [email protected], tel. +358 295 342 168
Gateway to Information on Government Projects: Government proposal for the implementation of the EU Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) (LVM027:00/2023), in Finnish
Gateway to Information on Government Projects: Working group for supporting the national implementation of the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) (LVM044:00/2022), in Finnish
National Cyber Security Centre: Important information about the EU Directive on measures for a high common level of cybersecurity across the Union (NIS 2), in Finnish
EUR-Lex: Directive on measures for a high common level of cybersecurity across the Union (NIS 2)
Press release 3 October 2023: Government proposal for implementing NIS 2 Directive sent out for comments (in Finnish)