On 23 May 2024, Finland took a significant stride towards strengthening its cybersecurity legislation when the Government submitted to the Parliament a proposal (HE 57/2024 vp) to implement the EU Directive on Measures for a High Common Level of Cybersecurity across the Union (Directive (EU) 2022/2555, the “NIS2 Directive”). This legislative initiative aims to bolster cybersecurity measures across various critical sectors, reflecting a heightened regulatory focus on risk management and incident reporting. The proposed Cybersecurity Act, along with amendments to existing legislation, notably to the Act on Information Management in Public Administration (906/2019 as amended), is scheduled to be applicable as of 18 October 2024.
The proposal marks a significant step towards more regulated cybersecurity and positions the review and supervision of cybersecurity risks as a top management issue.
Introduction and scope
The NIS2 Directive and its national implementation significantly broaden the scope of cybersecurity requirements, extending them to medium-sized and larger entities in critical sectors. These sectors include energy, transport, health, ICT service management and digital infrastructure, as well as completely new areas such as public administration, food production, waste management and specific manufacturing industries that were not covered by the predecessor, Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the “NIS Directive”). Notably, the new requirements also apply to, inter alia, providers of public electronic communications networks and services, regardless of their size. Some of the covered entities fall into the category of “essential entities” and will, consequently, be subject to closer supervision.
Consequently, a wide range of entities must reassess and enhance their cybersecurity frameworks and measures to align with the new requirements. These new requirements cover cybersecurity risk management, management responsibility, incident reporting and registration in a registry of entities. The expanded scope and additional regulatory demands necessitate a thorough review and adaptation of existing practices to ensure compliance with the updated framework.
From a practical point of view, the new requirements will probably end up changing cybersecurity-related agreements and contractual terms well beyond the critical sectors themselves.