
The Cybersecurity Act entails new risk management and reporting obligations for many sectors. One of the first steps is registering for a list of entities.

The Finnish Parliament has passed the government proposal for a national Cybersecurity Act to implement the EU Cybersecurity Directive (NIS 2 Directive). As regards public administration, the relevant requirements included in the Directive are laid down in the Act on Information Management in Public Administration.

The objective of the NIS 2 Directive is to enhance both the overall level of cybersecurity in the EU and the level of national cybersecurity in EU Member States for several sectors critical to the functioning of society. The NIS 2 Directive replaces the earlier EU Directive on the security of network and information systems (NIS Directive) that laid down cybersecurity obligations for certain sectors.

The NIS 2 Directive and the related national Cybersecurity Act impose risk management obligations on sectors critical to society, aimed at enhancing cybersecurity, along with a duty to report significant incidents. The Act lists minimum measures that all entities must implement to manage the cybersecurity risks posed to their operations. Entities are also required to notify the relevant supervisory authority of significant information security incidents. Moreover, entities within the scope of the NIS 2 regulatory framework must also register for a list of entities maintained by the authority supervising their sector.

What to do

The NIS 2 obligations enter into force gradually. Below you can find general information about the obligations and their entry into force. For more information and guidance, contact the supervisory authority of your own sector.

1. Register for a list of entities

Check the legal provisions to determine whether your organisation is a NIS 2 entity. Entities must register with their own supervisory authorities. If your organisation is active in more than one sector, register with the supervisory authority of each sector. Please note that the deadline for registration is 8 May 2025. 

2. Implement risk management procedure and measures

Familiarise yourself with the risk management obligation set out in the Cybersecurity Act. Entities must establish a risk management procedure by 8 July 2025. In the Information Management Act, provisions on the risk management obligation are included in the new Chapter 4a. Please note that public administration entities are not provided with a separate transitional period for establishing a risk management procedure. The obligation enters into force on 8 April 2025.

Traficom has issued a recommendation on risk management measures. The recommendation is targeted at supervisory authorities, but it also supports NIS 2 entities in planning their risk management measures. The European Commission has also adopted a regulation specifying the risk management obligation with respect to digital infrastructure and digital service entities.

3. Notify incidents

Our website includes a NIS 2 incident notification form that you can use to notify the supervisory authority of a significant incident. Entities are required to notify significant incidents as from 8 April 2025. The notification procedure includes three stages. 

  • An early warning must be submitted within 24 hours of detecting a significant incident.
  • An incident notification must be submitted within 72 hours of detecting a significant incident.
  • A final report must be submitted within one month after the submission of the incident notification or, in the event of a long-term incident, within one month of handling it.

We also encourage entities governed by NIS 2 regulation to submit voluntary notifications to the CSIRT at the National Cyber Security Centre Finland (NCSC-FI) at Traficom regarding various information security violations, such as phishing or denial-of-service attacks, and attempts at them. The NCSC-FI can help entities in the technical investigation of severe information security violations, if necessary. We also use the notifications to maintain national situational awareness of cybersecurity.

New duties for Traficom

The Cybersecurity Act also entails new supervisory duties for Traficom compared to the old NIS Directive. In future, Traficom will also be the competent authority supervising cybersecurity issues in the following sectors: postal and courier services, space, public administration, managed service providers, managed security service providers, research, and the manufacture of vehicles and other transport equipment. New types of entities have also been added to the scope of supervision in sectors that were already covered by NIS regulation.

Competence for the supervision of different sectors is divided among sectoral authorities. The NCSC-FI at Traficom also acts as the single point of contact referred to in the Cybersecurity Act. Its tasks include promoting cooperation and coordination among supervisory authorities. 

The NCSC-FI also has a computer security incident response team (CSIRT) whose tasks include responding to incident notifications and, if necessary, assisting the notifying entity in handling the incident. This may also involve the technical investigation of severe information security violations. The CSIRT also participates in maintaining national situational awareness of cybersecurity and provides early warnings, alerts, announcements and information on cybersecurity issues.

The CSIRT is not responsible for supervising the entities governed by the Cybersecurity Act, which is why its operations are separate from the supervisory duties related to the Act. CSIRT activities are based on trust between the team and various actors of society and on the voluntary reporting of information security violations to the CSIRT. This is reflected in the Cybersecurity Act, according to which information voluntarily disclosed to the CSIRT may not be used without the notifier’s consent in criminal investigations or in administrative or other decision-making processes concerning the notifier.