Finland
(a) What is the NIS2 implementation status?
The Government proposal HE 57/2024 (available only in Finnish) was submitted to the Parliament for consideration on 23 May 2024 and is currently under committee review.
The proposal is related to the Directive of the European Parliament and of the Council on the resilience of critical entities (CER Directive, (EU) 2022/2557) and the legislative project concerning its national implementation (SM047:00/2022 (in Finnish and Swedish)), as well as the legislative project concerning the national implementation of the Regulation on Digital Operational Resilience for the financial sector (DORA Regulation, (EU) 2022/2554) (VM067:00/2023) and the government proposal HE67/2024 (available only in Finnish) submitted on 6 June 2024 to the Parliament.
(b) What is the envisaged NIS2 implementation timeline?
The Directive is expected to be implemented within the set deadline of 17 October 2024.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The Government proposal suggests enacting a new Cybersecurity Act (“Act”) that consolidates the minimum requirements for cybersecurity risk management and incident reporting as mandated by the NIS2 Directive. The Act will follow the minimum standards of the NIS2 Directive concerning scope, breadth, and supervision. It includes the establishment of supervisory authorities, enforcement powers, administrative fines, and a CSIRT unit for responding to and investigating security breaches, located in the National Cyber Security Centre of the Finnish Transport and Communications Agency.
Additionally, the Government proposal suggests changes to numerous laws. The directive’s implementation will impact various national laws by sector, since provisions about cybersecurity in Finnish law are scattered across multiple laws. The proposed changes include amendments to the Act on Information Management in Public Administration and the Act on Electronic Communications Services.
(d) Who will be the supervisory authority and how are they preparing the market?
Currently, the NIS 1 sectors have their own supervisory authorities, defined by sector. For the new sectors added by NIS2, the supervisory authorities have not yet been confirmed.
The National Cyber Security Centre of the Finnish Transport and Communications Agency coordinates national and international cooperation and prepares annual reports.
The supervisory authorities, together with the government, provide information and guidance about the upcoming changes. In addition, the government arranges hearings for relevant parties during the legislative process and prepares reports to determine the impacts of the directive.
(e) What should you be doing/on the lookout for?
Clients should monitor the NIS2 implementation project and familiarise themselves with the directive, the expanded sectors, the increased regulatory oversight, the registration obligation and the stricter reporting obligations, which apply under penalty of a fine.
Clients are advised to prepare for the upcoming changes by assessing their obligations (and risks) beforehand. Measures include, amongst others, identifying critical issues, assessing risks and implementing the required risk management processes.
Especially for companies operating in the new sectors added by NIS2, it would be important to understand whether and how they are affected and to take the required measures to be ready for the implementation.
The Ministry of Transport and Communications has recommended that the NIS2 risk management obligations should be complied with even if a company does not fall under the NIS2 sectors.
The National Cyber Security Centre and supervisory authorities provide guidance by sectors.
Contact
Ismo Kallioniemi E: ismo.kallioniemi@eversheds.fi
Anu Mattila E: anu.mattila@eversheds.fi