Finland
(a) What is the NIS2 implementation status?
The implementation of the NIS2 Directive in Finland is still under committee review, despite the original deadline of 17 October 2024. A preliminary discussion is scheduled for 13 February at the Transport and Communications Committee, which has now also received the Constitutional Law Committee’s opinion. After the committee review is concluded, the matter will proceed to parliamentary consideration.
(b) What is the envisaged NIS2 implementation timeline?
No official estimate has been provided yet.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The Government proposal suggests enacting a new Cybersecurity Act (“Act”) that consolidates the minimum requirements for cybersecurity risk management and incident reporting as mandated by the NIS2 Directive. The Act will follow the minimum standards of the NIS2 Directive concerning scope, breadth, and supervision. It includes the establishment of supervisory authorities, enforcement powers, administrative fines, and a CSIRT unit for responding to and investigating security breaches, located in the National Cyber Security Centre of the Finnish Transport and Communications Agency.
Additionally, the Government proposal suggests changes to numerous laws. Because provisions about cybersecurity in Finnish law are scattered across multiple laws, the directive’s implementation will impact various national laws by sector. The changes include amendments to the Act on Information Management in Public Administration and the Act on Electronic Communications Services.
(d) Who will be the supervisory authority and how are they preparing the market?
Currently, NIS1 sectors have their own supervisory authorities defined by sector. For the new sectors added by NIS2, the supervisory authorities have not yet been confirmed.
The National Cyber Security Centre of the Finnish Transport and Communications Agency coordinates national and international cooperation and prepares annual reports.
The supervisory authorities together with the government provide information and guidance about the upcoming changes. In addition, the government arranges hearings for relevant parties during the legislative process and conducts reports to determine the impacts of the directive.
(e) What should you be doing/on the lookout for?
Clients should monitor the NIS2 implementation project and familiarise themselves with the directive, expanded sectors, increased regulatory oversight, registration obligation and stricter reporting obligations under penalty of a fine.
Clients are advised to prepare for the upcoming changes by assessing their obligations (and risks) beforehand in the form of, amongst other measures, identifying critical issues, assessing risks and implementing required risk management processes.
Especially for companies operating in the new sectors added to NIS2, it would be important to understand whether and how they are affected and to take the required measures to be ready for the implementation.
The Ministry of Transport and Communications has recommended that the NIS2 risk management obligations should be complied with even if the company does not fall under the NIS2 sectors.
The National Cyber Security Centre and supervisory authorities provide guidance by sector.
Contact
Ismo Kallioniemi E: ismo.kallioniemi@eversheds.fi
Anu Mattila E: anu.mattila@eversheds.fi
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.