To whom does the Directive apply?

The organisations subject to the Directive are classified as either essential or important entities depending on their size, sector and criticality.

In addition to what has been described in the table, the NIS2 Directive is also applied to entities of a type referred to in Annex I or II regardless of their size, when:

  • the entity is the sole provider in a Member State of a service which is essential for the maintenance of critical societal or economic activities;
  • disruption of the service provided by the entity could have a significant impact on public safety, public security or public health;
  • disruption of the service provided by the entity could induce a significant systemic risk, in particular for sectors where such disruption could have a cross-border impact;
  • the entity is critical because of its specific importance at the national or regional level for the particular sector or type of service, or for other interdependent sectors in the Member State.

The NIS2 Directive also applies to entities identified as critical entities under the CER Directive, regardless of their size.

Entities that fall within the scope regardless of their size on the basis of the exceptions listed above, as well as entities identified as critical under the CER Directive, are essential entities.

What requirements does the NIS Directive impose?

Compliance with the cyber security risk management obligations

Operators must use an up-to-date cyber security risk management operating model for protecting communications networks and information systems and their physical environment from incidents and their impact.

Operators must implement proportionate technical, operational or organisational measures in accordance with the cyber security risk management operating model in order to manage the risks posed to the security of communications networks and information systems and to prevent or minimise the harmful effects of incidents.

At least the ten key items of Article 21 of the NIS2 Directive must be taken into account and kept up to date in the cyber security risk management operating model and the management measures based on it:

  1. policies on risk analysis and information system security;
  2. incident handling;
  3. business continuity, such as backup management and disaster recovery, and crisis management;
  4. supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
  5. security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
  6. policies and procedures to assess the effectiveness of cyber security risk management measures;
  7. basic cyber hygiene practices and cyber security training;
  8. policies and procedures regarding the use of cryptography and, where appropriate, encryption;
  9. human resources security, access control policies and asset management;
  10. the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

The risk management measures must be proportionate to the nature and scope of the operator’s activities, the reasonably foreseeable immediate impact of an incident affecting the operator, the exposure of the operator’s communications networks and information systems to risk, the likelihood and severity of incidents, the costs of the measures, and the state of the art in defending against the threat.

A recommendation on cyber security risk management measures for supervisory authorities is being prepared by the National Cyber Security Centre Finland (NCSC-FI) of the Finnish Transport and Communications Agency; it also includes recommendations for basic-level information security practices. The preparation of the recommendation follows the schedule of the legislative process, and the recommendation will be published after the legislation has been enacted. A consultation on the recommendation will be arranged in the spring of 2024.

Within their own sector, the supervisory authorities can issue more detailed technical regulations on risk management.

Operators should also follow the implementing act process under Article 21(5) and Article 23(11) of the NIS2 Directive, on the basis of which the Commission adopts implementing acts. The implementing acts must be adopted by 17 October 2024 at the latest for certain operators (e.g. DNS service providers, TLD name registries, cloud computing service providers and data centre service providers), but they can also be adopted concerning other essential and important operators.

Reporting obligation concerning significant incidents

A significant incident refers to an incident that has caused or is capable of causing severe operational disruption of the services or financial loss for the operator concerned, or an incident that has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

An incident refers to an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, communications networks and information systems.

Operators within the scope of application of the NIS2 Directive must notify the supervisory authority of significant incidents affecting their services without undue delay.

The reporting obligation has three stages: the operator must submit an early warning to the supervisory authority within 24 hours of detecting the incident, and an incident notification within 72 hours of detecting the incident. After the incident has ended, the operator must submit a final report to the supervisory authority.

Operators must notify the recipients of their services about a significant incident without delay, if it is likely that the significant incident will hinder the provision of the operator’s services.

How to report significant incidents?

In Finland, the NIS2 notification application that is currently being developed by the NCSC-FI of Traficom can be used to submit the notification.

When the NIS2 notification application of the NCSC-FI is used, the information is sent to the NCSC-FI in addition to the supervisory authority. The NCSC-FI uses the information it receives to maintain the national cyber security situational picture and to provide general information on information security.

Voluntary reporting to the National Cyber Security Centre Finland of Traficom

All companies and organisations can report information security breaches targeted at them, such as phishing or denial-of-service attacks, as well as attempted breaches, to the National Cyber Security Centre Finland (NCSC-FI) of the Finnish Transport and Communications Agency Traficom.

A report should be submitted even if the event is not a significant incident within the meaning of the NIS2 Directive, because on the basis of these contacts the NCSC-FI can help the victim with the technical investigation of the breach. The NCSC-FI also uses the information it receives to maintain the national cyber security situational picture and to provide general information on information security. The reports are handled confidentially.

How to prepare for the cyber security risk management requirements of the Directive?

The National Cyber Security Centre Finland (NCSC-FI) of the Finnish Transport and Communications Agency is preparing a recommendation for cyber security risk management measures. The recommendation is drawn up to support the supervisory authorities in applying the cyber security risk management measures provided for in the NIS2 Directive and guiding, advising and supervising operators.

The recommendation is based on the NIS2 Directive and the national regulations that are being prepared, and it follows generally accepted good cyber security practices so that it is also suitable for the needs of operators, and of authorities and operators in other sectors, in addition to the supervisory authorities.

The recommendation will include examples of implementing cyber security risk management measures, authentication methods and links to the most commonly used standards and frameworks as well as tools. However, the recommendation does not propose the adoption of any specific standard or framework.

The recommendation will also map cyber security risk management measures to the Kybermittari (Cybermeter) tool provided by the NCSC-FI of the Finnish Transport and Communications Agency. Kybermittari is a set of indicators, built from grouped good practices, for the periodic assessment, development and reporting of an organisation’s cyber security maturity level. The aim of the mapping is to promote the application of the recommendation, interaction between stakeholders and the development of cyber security at the national level.

The links provided alongside the measures in the recommendation lead to Kybermittari sections and objectives that contain various good practices to choose from. In the future, more specific links can be created at the practical level so that sector-specific features and threat profiles, which affect the capabilities needed to protect against cyber threats and to ensure continuity of operations, can be taken into account. The Kybermittari tool can also be fully adapted to the organisation’s own needs in this respect.

How do the authorities support critical operators?

The National Cyber Security Centre Finland (NCSC-FI) of the Finnish Transport and Communications Agency supports organisations subject to the NIS Directive in maintaining and developing their information security with various services. 

The NCSC-FI produces several different kinds of situation awareness products for the use of organisations. The situation awareness products provide their users with up-to-date information about events and phenomena that affect cyber security. 

The NCSC-FI maintains mailing lists for different sectors. Security bulletins on topical issues related to each sector are sent via the lists. You can ask about subscribing to the lists by sending a message to kyberturvallisuuskeskus@traficom.fi.

Penalty fees

Administrative penalty fees are imposed by the penalty fee board based on a proposal by the supervisory authority. The administrative penalty fee is ordered to be paid to the State.

The maximum administrative penalty fee for an essential entity is EUR 10,000,000 or 2 per cent of the entity’s total worldwide annual turnover in the preceding financial year, whichever is higher. The maximum administrative penalty fee for entities other than essential entities is EUR 7,000,000 or 1.4 per cent of the entity’s total worldwide annual turnover in the preceding financial year, whichever is higher.

What kind of roles do other authorities play in cyber security and data protection matters? 

Police 

The police are the competent authority for preventing and investigating cybercrime and for referring cases to the prosecutor for consideration of charges. Most cybercrime is investigated by the local police, and every police department has a unit specialising in the processing and analysis of digital evidence. The national Police Customer Service Helpline operates (in Finnish and Swedish) at +358 295 419 800 (weekdays from 8:00 to 16:15) and by email at neuvontapalvelu@poliisi.fi.

The National Bureau of Investigation (NBI) is a national unit of the Finnish Police operating across Finland. The police Cybercrime Centre is a unit of the NBI that specialises in the pre-trial investigation of cybercrime; it mainly investigates extensive, socially significant cybercrimes against network environments and cases that set a precedent. To file a police report, fill in the electronic police report form or contact the local police.

You can file a police report either online or by visiting your local police station. There is also an online tip-off form that you can use to report even minor cyber disruptions or observations that do not meet the statutory definition of an offence. The organisation is responsible for the first response to an information security event it has detected, including containment and other measures. To support a possible later criminal investigation by the police, the organisation should make sure that evidence is preserved. In practice, this means documenting the affected targets, events, measures taken and their times as accurately as possible. Recovering system and network logs as extensively and completely as possible is of primary importance. Log data must be stored unchanged and in its original format.
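As an added illustration of the evidence-handling advice above, the following script shows one way to preserve collected logs verifiably unchanged: each file is hashed with SHA-256 and recorded in a manifest together with its size, modification time and collection time, and the same manifest is later used to detect any file that has been altered or lost. This is example code written for this page, not a tool of the NCSC-FI or the police; the log lines, file names and collector identity are constructed.

```python
"""Evidence-preservation manifest for incident logs (added example).

Constructed sample log lines are written to a temporary directory, hashed
with SHA-256 and recorded in a manifest. verify_manifest() re-hashes the
files and reports any that are missing or no longer match, which is how the
original, unchanged state of preserved logs can be demonstrated later.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample log lines (assumption: not real data, RFC 5737 test address)
SAMPLE_LOGS = {
    "auth.log": (
        "2024-03-12T08:14:02Z sshd[4123]: Failed password for admin from 203.0.113.7 port 51422 ssh2\n"
        "2024-03-12T08:14:05Z sshd[4123]: Accepted password for admin from 203.0.113.7 port 51422 ssh2\n"
    ),
    "nginx-access.log": (
        '203.0.113.7 - - [12/Mar/2024:08:15:40 +0000] "GET /admin/export?all=1 HTTP/1.1" 200 5123942\n'
    ),
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collector):
    """Record hash, size and mtime of every regular file in evidence_dir."""
    entries = {}
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        entries[name] = {
            "sha256": sha256_file(path),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        }
    return {
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,  # who performed the collection (for the chain of custody)
        "files": entries,
    }


def write_manifest(manifest, path):
    """Write the manifest as JSON and return its own SHA-256, to be noted separately."""
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    with open(path, "wb") as f:
        f.write(data)
    return hashlib.sha256(data).hexdigest()


def verify_manifest(evidence_dir, manifest):
    """Return a list of (file name, problem) for every file that no longer matches."""
    problems = []
    for name, rec in manifest["files"].items():
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            problems.append((name, "missing"))
        elif os.path.getsize(path) != rec["size"]:
            problems.append((name, "size changed"))
        elif sha256_file(path) != rec["sha256"]:
            problems.append((name, "hash mismatch"))
    return problems


def demo():
    """Collect the sample logs, then tamper with them and show that verification catches it."""
    with tempfile.TemporaryDirectory() as d:
        for name, content in SAMPLE_LOGS.items():
            with open(os.path.join(d, name), "w", encoding="utf-8", newline="") as f:
                f.write(content)
        manifest = build_manifest(d, "analyst@example.org")  # constructed collector identity
        manifest_hash = write_manifest(manifest, os.path.join(d, "manifest.json"))
        before = verify_manifest(d, manifest)

        # Same-length edit: size is unchanged, only the hash reveals the modification.
        auth = os.path.join(d, "auth.log")
        with open(auth, "r", encoding="utf-8", newline="") as f:
            text = f.read()
        with open(auth, "w", encoding="utf-8", newline="") as f:
            f.write(text.replace("Accepted", "Rejected"))
        os.remove(os.path.join(d, "nginx-access.log"))  # a lost file is reported as missing
        after = verify_manifest(d, manifest)
        return before, after, manifest_hash


if __name__ == "__main__":
    before, after, mh = demo()
    print("manifest sha256:", mh)
    print("before tampering:", before)
    print("after tampering:", after)
```

Store the manifest and its hash somewhere the evidence files cannot reach (a separate system or write-once medium), and record who collected what and when in the incident timeline; the hashes only prove integrity if the manifest itself has not been altered.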

Office of the Data Protection Ombudsman 

The Data Protection Ombudsman is the national supervisory authority that monitors compliance with data protection legislation. The duties of the Data Protection Ombudsman include monitoring compliance with data protection legislation and other laws on the processing of personal data, promoting awareness of the risks, rules, safeguards, obligations and rights related to the processing of personal data, drawing up reports, carrying out inspections and imposing administrative sanctions for infringements of the General Data Protection Regulation.
