The EU Cybersecurity Directive (‘NIS 2 Directive’) contains provisions on security obligations and incident reports in multiple sectors of society. In Finland, provisions on obligations under the NIS 2 Directive are mainly laid down in the Cybersecurity Act. The NCSC-FI at Traficom supervises the majority of digital infrastructure entities, digital service providers, managed service providers, managed security service providers, research organisations and public administration entities.
Public administration entities
In the public administration, the NIS 2 Directive is usually applied to central and regional government entities regardless of their size.
At national level, NIS 2 regulation concerning the public administration is included in the provisions of the Act on Information Management in Public Administration (906/2019). Cybersecurity regulation based on the NIS 2 Directive is included in the provisions of chapter 4a, in particular. The cybersecurity provisions in the chapter apply to a smaller number of authorities than the other provisions of the Information Management Act. Chapter 4a of the Act applies to central government administrative authorities, state agencies and bodies, unincorporated state enterprises, independent institutions governed by public law, wellbeing services counties, and the City of Helsinki in the context of services that wellbeing services counties are responsible for organising.
NIS 2 regulation concerning the public administration is usually not applied to municipalities, but if a municipality operates in a sector referred to in an Annex to the Cybersecurity Act, it is governed by the provisions of the Act. An entity may also be subject to the provisions of both acts: for example, wellbeing services counties and joint county authorities for wellbeing services are subject to the provisions of chapter 4a of the Information Management Act and the provisions of the Cybersecurity Act if they operate in the health sector as defined by the Cybersecurity Act. The cybersecurity obligations included in the two acts are mainly aligned.
Research organisations
According to Article 6, point (41) of the NIS 2 Directive, a research organisation means an entity which has as its primary goal to conduct applied research or experimental development with a view to exploiting the results of that research for commercial purposes, but which does not include educational institutions. In Finland, this definition is considered to cover VTT Technical Research Centre of Finland Ltd.