The Recommendation concretely implements the cybersecurity risk management obligations set out in national regulation based on the NIS2 Directive. Entities in the scope of the regulation are required to manage cyber risks to the security of communications networks and information systems and to prevent or minimize harmful effects. The Recommendation gathers information and practical examples of what kind of measures the requirements laid down by law may include.
The Recommendation is targeted at the authorities supervising national regulation, but it also supports the cybersecurity risk management planning of the entities part of the legislation. Entities which are not part of the scope can also make use of the fundamental information security practices contained in the Recommendation to assess and improve the maturity level of their organisation's cybersecurity.
The aim of the Recommendation is to harmonise guidance, advice and supervision in the area of national regulation. However, due to differences in sectors, the Recommendation does not address sector-specific special characteristics.
The Recommendation has been prepared as part of the cooperation among authorities and coordination task of the single points of contact designated for the Finnish Transport and Communications Agency. The recommendation is based on the Cybersecurity Act (124/2025) and amendments to the Act on Information Management in Public Administration (125/2025).
Attachments:
- Suositus NIS-valvoville viranomaisille kyberturvallisuuden riskienhallinnan toimenpiteistä.pdf
- Rekommendation till NIS-övervakande myndigheter om åtgärder för riskhantering.pdf
- Recommendation on cybersecurity risk management measures for NIS supervisory authorities.pdf
- Changes made to the Recommendation draft (in Finnish)
- Summary of statements on the Recommendation draft
- Cross-reference table