Front Page: NCSC-FI

The EU Cybersecurity Directive (‘NIS 2 Directive’) contains provisions on security obligations and incident reports in multiple sectors of society. In Finland, provisions on obligations under the NIS 2 Directive are mainly laid down in the Cybersecurity Act. The NCSC-FI at Traficom supervises the majority of digital infrastructure entities, digital service providers, managed service providers, managed security service providers, research organisations and public administration entities.

For the most part, the NIS 2 Directive and the related supervision only concern medium-sized and large enterprises. Enterprise sizes are defined in Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises. Size limits do not apply to all digital infrastructure entities or to public administration entities. The supervision of the different sectors is decentralised, with competent sectoral authorities carrying out NIS 2 supervision in their respective fields.

Digital infrastructure entities

Digital infrastructure entities under the NCSC-FI’s supervision include internet exchange point providers, top-level domain (TLD) name registries, cloud computing service providers, data centre service providers, content delivery network providers, trust service providers, providers of public electronic communications networks and providers of publicly available electronic communications services.

TLD name registries, trust service providers, providers of public electronic communications networks and providers of publicly available electronic communications services fall within the scope of regulation and supervision regardless of their size.

An internet exchange point (IXP) means a network facility which enables the interconnection of more than two independent networks (autonomous systems), primarily for the purpose of facilitating the exchange of internet traffic, which provides interconnection only for autonomous systems and which neither requires the internet traffic passing between any pair of participating autonomous systems to pass through any third autonomous system nor alters or otherwise interferes with such traffic.

An entity maintaining a top-level domain (TLD) name registry means an entity which has been delegated a specific TLD and is responsible for administering the TLD, including the registration of domain names under the TLD and the technical operation of the TLD.

According to recital 33 of the NIS 2 Directive, services that comply with the definition of cloud computing services include “services that enable on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations. Computing resources include resources such as networks, servers or other infrastructure, operating systems, software, storage, applications and services. The service models of cloud computing include, inter alia, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS) and Network as a Service (NaaS). The deployment models of cloud computing should include private, community, public and hybrid cloud. The cloud computing service and deployment models have the same meaning as the terms of service and deployment models defined under ISO/IEC 17788:2014 standard. 

The capability of the cloud computing user to unilaterally self-provision computing capabilities, such as server time or network storage, without any human interaction by the cloud computing service provider could be described as on-demand administration. The term ‘broad remote access’ is used to describe that the cloud capabilities are provided over the network and accessed through mechanisms promoting use of heterogeneous thin or thick client platforms, including mobile phones, tablets, laptops and workstations.

The term ‘scalable’ refers to computing resources that are flexibly allocated by the cloud service provider, irrespective of the geographical location of the resources, in order to handle fluctuations in demand. The term ‘elastic pool’ is used to describe computing resources that are provided and released according to demand in order to rapidly increase and decrease resources available depending on workload. The term ‘shareable’ is used to describe computing resources that are provided to multiple users who share a common access to the service, but where the processing is carried out separately for each user, although the service is provided from the same electronic equipment. The term ‘distributed’ is used to describe computing resources that are located on different networked computers or devices and which communicate and coordinate among themselves by message passing.”

A data centre service means a service that encompasses structures, or groups of structures, dedicated to the centralised accommodation, interconnection and operation of IT and network equipment providing data storage, processing and transport services together with all the facilities and infrastructures for power distribution and environmental control. Thus, in accordance with recital 35 of the NIS 2 Directive, the definition of a data centre service does not cover in-house corporate data centres owned and operated by the entity concerned, for its own purposes.

The provision of a content delivery network (CDN) means a network of geographically distributed servers for the purpose of ensuring high availability, accessibility or fast delivery of digital content and services to internet users on behalf of content and service providers.

The responsibility for the supervision of TLD name registries, cloud computing service providers and content delivery network providers is based on the location of the provider’s main establishment.

Digital service providers

Digital service providers include providers of online marketplaces, online search engines and social networking services platforms.

Online marketplaces do not include, for example, ordinary webshops where the seller maintains a webshop for offering products or services within the seller’s own range of products or services. The definition of a marketplace only refers to platforms that enable several sellers/traders to offer products and services so that the consumer concludes a distance contract on the purchase of a product/service with a seller other than the party providing the platform.

An online search engine means an online search engine as defined in Article 2, point (5), of Regulation (EU) 2019/1150 of the European Parliament and of the Council on promoting fairness and transparency for business users of online intermediation services.

A social networking services platform means a platform that enables end-users to connect, share, discover and communicate with each other across multiple devices.

Digital service providers are subject to a supervision framework where supervisory competence depends on the location of the provider’s main establishment.

Providers of managed services and managed security services

In accordance with Article 6, point (39) of the NIS 2 Directive, a managed service provider means an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely.

The term refers, in particular, to entities and operations that enable the outsourcing of operations relating to communications networks and information systems from one entity to a managed service provider. This may involve a wide range of services, but the essential aspect is that operations are outsourced to a managed service provider. The category does not seem to include the development and provision of applications and software for use by the customer entity itself, which would not involve a service or operation being outsourced so that it would be under the responsibility of a managed service provider and implemented on behalf of the entity.

In accordance with Article 6, point (40) of the NIS 2 Directive, a managed security service provider means a managed service provider that carries out or provides assistance for activities relating to cybersecurity risk management. Thus, the provision of a managed security service is considered a special subcategory of the provision of managed services.

Providers of managed services and managed security services are subject to a supervision framework where supervisory competence depends on the location of the provider’s main establishment.

Commission Implementing Regulation on NIS 2

The European Commission adopted on 17 October 2024 Implementing Regulation (EU) 2024/2690 that further specifies the requirements on cybersecurity risk-management measures and the thresholds for the definition of significant incidents. The Regulation is directly applicable in all EU Member States.

The Commission Implementing Regulation only applies to the following entities: DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engine providers, social networking services platform providers and trust service providers.

Supervision based on location of main establishment

According to Article 26(1)(b) of the NIS 2 Directive, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, and the providers of online marketplaces, online search engines or social networking services platforms are under the jurisdiction of the EU Member State in which they have their main establishment.

According to Article 26(2) of the Directive, an entity is considered to have its main establishment in the Union in the Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken. According to recital 114 of the NIS 2 Directive, this will typically correspond to the place of the entity’s central administration in the Union. If such a Member State cannot be determined or if such decisions are not taken in the Union, the main establishment shall be considered to be in the Member State where cybersecurity operations are carried out. If such a Member State cannot be determined either, the main establishment shall be considered to be in the Member State where the entity concerned has the establishment with the highest number of employees in the Union.

The main establishment is therefore determined by three different criteria, applied in the following order: each subsequent criterion is used only if the preceding one is not applicable.

  1. Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken. 

  2. Member State where cybersecurity operations are carried out.

  3. Member State where the entity has the highest number of employees.

Jurisdiction based on the main establishment means that an entity is exclusively under the supervision of the competent authority of the Member State where the entity has its main establishment. This means that an entity can submit all of its incident reports to the competent authority of the Member State where its main establishment is located regardless of whether a significant incident only concerns a single establishment in a Member State or whether it affects multiple Member States. At the same time, the supervisory authority of the main establishment is competent to assess the lawfulness of the entity’s cybersecurity risk-management measures in the entire EU.

The NCSC-FI only supervises those TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, and providers of online marketplaces, online search engines or social networking services platforms whose main establishment is in Finland.

The requirements for information security in telecommunications services and incident reports are provided in the Act on Electronic Communications Services and Traficom's technical regulations supplementing the Act.

In Finland, country-code top-level domains are governed by authorities: the Finnish Transport and Communications Agency Traficom is responsible for the .fi domain and the Government of Åland governs the .ax domain. Provisions concerning these digital infrastructure elements are laid down in the Act on Electronic Communications Services and in the legislation on the openness and information security of government activities. In Finland, we apply the so-called registry-registrar model to domain names. Registrars’ obligations regarding information security and incident reports are laid down in the Act on Electronic Communications Services and Traficom Regulation on domain names that end with .fi or .ax and the registration of such names.
