The EU Cybersecurity Directive (‘NIS 2 Directive’) contains provisions on security obligations and incident reports in multiple sectors of society. In Finland, provisions on obligations under the NIS 2 Directive are mainly laid down in the Cybersecurity Act. The NCSC-FI at Traficom supervises the majority of digital infrastructure entities, digital service providers, managed service providers, managed security service providers, research organisations and public administration entities.
Public administration entities
In the public administration, the NIS 2 Directive is usually applied to central and regional government entities regardless of their size.
At national level, NIS 2 regulation concerning the public administration is included in the provisions of the Act on Information Management in Public Administration (906/2019). Cybersecurity regulation based on the NIS 2 Directive is included in the provisions of chapter 4a, in particular. The cybersecurity provisions in the chapter apply to a smaller number of authorities than the other provisions of the Information Management Act. Chapter 4a of the Act applies to central government administrative authorities, state agencies and bodies, unincorporated state enterprises, independent institutions governed by public law, wellbeing services counties, and the City of Helsinki in the context of services that wellbeing services counties are responsible for organising. The cybersecurity provisions in chapter 4a of the Information Management Act do not apply to the entities or activities specifically listed in section 3, subsection 3, such as the provision and use of the security network services referred to in the Act on the Operation of the Government Security Network (10/2015).
NIS 2 regulation concerning the public administration is usually not applied to municipalities, but if a municipality operates in a sector referred to in an Annex to the Cybersecurity Act (e.g. municipal authorities in water supply or waste disposal sectors), it is governed by the provisions of the Act.
Wellbeing services counties and joint county authorities for wellbeing services are subject to the provisions of chapter 4a of the Information Management Act and the provisions of the Cybersecurity Act if they operate in the health sector as defined by the Cybersecurity Act. The cybersecurity obligations included in the two acts are mainly aligned.
The NCSC-FI at Traficom supervises wellbeing services counties as part of the public administration sector. When wellbeing services counties act as healthcare entities, they are supervised by the National Supervisory Authority for Welfare and Health (Valvira). In practice, wellbeing services counties must register in the lists of entities maintained by both Valvira and Traficom and report significant incidents to both authorities. See Valvira’s web pages on the supervision carried out under the Cybersecurity Act.
Research organisations
According to Article 6, point (41) of the NIS 2 Directive, a research organisation means an entity which has as its primary goal to conduct applied research or experimental development with a view to exploiting the results of that research for commercial purposes, but which does not include educational institutions.
Research organisations include entities which focus the essential part of their activities on applied research or experimental development, as defined in the Frascati Manual 2015: Guidelines for Collecting and Reporting Data on Research and Experimental Development drawn up by the Organisation for Economic Cooperation and Development (OECD). These entities exploit the results of such activities for commercial purposes, such as the manufacture or development of a product or process, the provision of a service, or the marketing thereof.
Contacts
If needed, you may contact: nis.valvonta.ktk@traficom.fi