Front Page: NCSC-FI

Information security now!

This week, we cover topics including how to communicate about a cyberattack and the upcoming Cybersecurity Act, which may require action from those subject to the NIS 2 obligations.

TLP:CLEAR

How to communicate about cyberattacks? Traficom issues guidance for organisational crisis communication

In recent years, an increasing number of organisations have fallen victim to cyberattacks. When such an attack occurs, it is crucial for the organisation to focus on communication that is clear, instructive and as transparent as possible, as the consequences can be serious for individuals, organisations, and even states. On 27 March, Traficom published guidance on communication related to cyberattacks.

How should organisations communicate during a cyberattack?

When a cyberattack takes place, organisations must pay particular attention to communication that is clear, instructive and as transparent as circumstances allow. The demand for information is high.

“Practical experience with cyberattacks has shown that organisations must prepare for and invest in communication strategies tailored to various cyber scenarios. The role and importance of communication in managing and responding to such situations must not be overlooked,” says Anna Karjalainen, Director of Communications and Public Relations at Traficom.

Communication on cyberattacks presents specific challenges

According to Jussi Toivanen, Communications Manager at Traficom, there are unique aspects to communicating about cyberattacks that organisations should be aware of. One of the key challenges is that situational awareness and the understanding of what has happened often evolve as investigations progress. Nevertheless, it is essential to communicate promptly and as openly as possible with those affected.

“In a cyberattack scenario, companies or organisations often have to communicate with incomplete or changing information, sometimes over extended periods. Furthermore, some of the usual communication or information-sharing channels may be unavailable in the early stages. Despite this, it remains vital to provide accurate information and clear guidance, even after the situation has been resolved. The victims’ perspective must not be forgotten,” Toivanen emphasises.

Support and guidance for organisational crisis communication in cyber incidents

The NCSC-FI at Traficom has published a crisis communication guide aimed at organisations, providing information on different types of cyberattacks as well as the methods and tactics used by cybercriminals. The guide also offers tips on how to prepare communication strategies in advance and how to communicate effectively during and after a cyberattack.

The guide is intended for organisational leadership, security and communications professionals, and experts responsible for situational awareness and preparedness. It has been developed in collaboration with the Financial Supervisory Authority, the National Bureau of Investigation, the Association of Finnish Local and Regional Authorities, the National Police Board, the Finnish Security Intelligence Service, and the Office of the Data Protection Ombudsman. Draft versions of the guide were reviewed by numerous experts and organisations.

An additional concise information package on crisis communication is available on the NCSC-FI website, including example messages for communicating about various types of cyberattacks. The guide and the website will be available in Finnish and Swedish.

Have your say on the EU Cyber Resilience Act

The European Commission is seeking stakeholder feedback on the draft implementing regulation of the Cyber Resilience Act (CRA), specifically regarding the technical specifications for products listed in Annexes III and IV. The Commission is clarifying the technical details of these annexes, which define important and critical products. Such products may be subject to more stringent conformity assessment procedures under Article 32.

Draft versions of the implementing regulation can be found on the Commission’s website, where instructions for submitting feedback are also available. Comments on the draft regulation can be submitted until 15 April.

The new Cybersecurity Act may require action from you – find out how the new directive affects your organisation

Finland’s new Cybersecurity Act implements the EU’s NIS2 Directive, which came into force last year. The Directive aims to strengthen cybersecurity across the EU and its Member States, particularly in critical sectors. Under the new rules, entities falling within the scope of the Directive must assess and manage risks to the security of the communication networks and information systems they use. They are also required to report significant incidents affecting these networks and systems to the relevant authorities.

The Cybersecurity Act sets out obligations in accordance with the Directive, as well as provisions for their supervision and the related tasks of the authorities. Entities within the scope of the Act must also submit their contact details to the supervisory authority once the law begins to apply.

The coordination of supervisory authorities under the Cybersecurity Act is managed by Traficom. The responsibilities of the CSIRT, which investigates and responds to security incidents, will be placed within the NCSC-FI at Traficom. This unit will continue to perform many of the current functions of NCSC-FI, such as monitoring and analysing cyber threats. It will also coordinate the disclosure of vulnerabilities to the EU and may act as the coordinator of voluntary cybersecurity information-sharing arrangements.

The Government has submitted the bill for the new Cybersecurity Act to the President of the Republic for approval. The Act is expected to enter into force on 8 April 2025.

Highly critical sectors in blue circles: energy, transport, banking, financial market infrastructure, health, drinking water, digital infrastructure, and, as new additions, waste water, business-to-business ICT service management, space and public administration. Other critical sectors in yellow circles: digital providers, and, as new additions, postal and courier services, waste management, chemicals, food, manufacturing and research.

Recently reported scams

In this summary, we provide information about scams reported to the NCSC-FI during the past week.

ABOUT THE WEEKLY REVIEW

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 21–27 March 2025). Our weekly reviews contain information about current phenomena in the cyber environment. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.