Security of society’s essential services to be improved
The Ministry of Transport and Communications has sent out for comments a draft proposal for legislative amendments that aim to increase trust and confidence in digital services and improve the information security of essential services to society. The amendments will also implement the EU directive on security of network and information systems (NIS directive).
The draft government proposal sent out for comments aims to amend the legislation that govern the supply and security of certain services essential for the functioning of society. This legislation includes the following acts: Information Society Code, Aviation Act, Railway Act, Vessel Traffic Service Act, Act on Security Measures on certain Ships and in Ports serving them and on monitoring the Security Measures, Act on Transport Services, Electricity Market Act, Natural Gas Market Act, and Water Services Act.
The draft proposes a set of obligations for operators of essential services and for certain digital service providers (online marketplaces, cloud computing services, online search engines) to manage risks posed to the security of information systems and report on security incidents to the supervision authority. Essential services would include services relating to traffic control and infrastructure management as well as distribution of energy and drinking water, among others. It is proposed that, as a rule, each sector's supervisory authority would have the competence to monitor compliance with the regulations. In order to ensure cooperation between authorities, the legislation would, where necessary, also include provisions on information exchange between authorities.
"We have prepared these amendments concerning the security of network and information systems together with stakeholders and experts, for example in a cross-sectoral working group appointed by the Ministry of Transport and Communications. Finland has already in place a well-functioning cooperation model to promote information security. It is based on voluntary collaboration and information exchange between companies and authorities. The now proposed acts would complement this existing collaboration," says Minister of Transport and Communications Anne Berner. "It is important that operators of essential services will even in future have the possibility to integrate the management of information security risks as part of their own risk management. It is also important that the supervisory authorities can ensure the best possible continuity and security of service provision."
Information security is one of the most important goals of the Government's key project to build a growth environment for digital business operations: in a rapidly digitalising society it is important to maintain and increase the trust and confidence of people and business in digital practices. Information security will grow in importance when an increasing number of services will be dependent on the reliable functioning of communication networks and information systems. Moreover, physical security and digital security will become increasingly intertwined along with intelligent transport automation, for example.
The consultation period for the draft proposal for the implementation of the NIS Directive will end on 20 October 2017.
The key measures for the national implementation of the NIS Directive are specified in the national information security strategy. A cross-sectoral working group, appointed by the Ministry of Transport and Communications to support the implementation of the directive, defined the guidelines for the directive implementation in its unanimous final report.
The directive of the European Parliament and of the Council on security of network and information systems entered into force in August 2016. The EU Member States will have to transpose the directive into their national laws by 9 May 2018.
Timo Kievari, Director of Unit, tel. +358 295 34 2620
Maija Rönkä, Senior Officer, tel. +358 295 34 2039