The NIS2 Directive is being transposed into Finnish law – What do you need to know?
by Kalle Hynönen
The European Union's NIS2 Directive is a significant update to the original NIS Directive, which was implemented in 2018 and which the NIS2 Directive is set to repeal this autumn. The original NIS Directive was the first EU-wide legislation focusing on network and information system security. The deadline for member states to transpose the NIS2 Directive into national law is just around the corner (17 October 2024), and the implementing provisions will be applicable from 18 October 2024 onwards. This article outlines the main changes brought by the NIS2 Directive and the implementing legislation in Finland, as well as their implications for the affected companies.
The objectives of the original NIS Directive (Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union) were to improve member states' abilities to prevent and manage cyber threats and to ensure the resilience of their critical services. The NIS2 Directive (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union) broadens the scope of application, and its primary goal is to enhance cybersecurity across EU member states, to address new challenges posed by technological advancements, and to ensure the continuity of critical services. The new rules also bring about shorter notification times in case of cybersecurity incidents and the possibility of personal liability for the company's management.
Key changes in the NIS2 Directive
Key change 1: Expanded Scope
One of the most significant changes is the expanded scope of the directive, as the NIS2 Directive now covers more sectors and organisations than before. This expanded scope means that many companies previously not covered by the NIS Directive, such as ICT service providers, will now have to comply with the new cybersecurity requirements. This increases the obligations for companies but also enhances the overall capability to combat and manage cyber threats across society.
Sectors covered by the NIS2 rules include:
- Essential entities (energy; air, rail, road and water transport; water suppliers and wastewater disposal providers; banking and finance infrastructure; information and communications technology (ICT); digital infrastructure; waste management; healthcare; public administration; and space).
- Important entities (postal and courier services; producers, processors and distributors of food; waste management; producers and manufacturers of chemical products; providers of digital services; research organisations; and manufacturers of medical/diagnostic devices, electronics, computers, machinery, motor vehicles and other transportation equipment).
Key change 2: Risk Management and Reporting Requirements
Essential and important entities will face new obligations related to risk management, security measures, and incident reporting. These obligations must be integrated into business operations and regularly monitored for compliance. This requires active measures and resources from companies to meet the directive's requirements and will also affect companies' relations with their suppliers. Companies must adhere to new standards and practices that include:
- Risk Analysis: Companies must conduct comprehensive risk analyses to identify and assess all potential cybersecurity threats.
- Security Measures: Companies must implement appropriate security measures to protect data and systems, including risk analysis, incident handling, business continuity, supply chain security, system security, cyber hygiene, training, cryptography and access control.
- Incident Reporting: Companies must report significant cybersecurity incidents (those causing or likely to cause serious disruption or damage) to the authorities more quickly and in greater detail. The directive sets strict deadlines for reporting, so companies must be prepared to respond promptly. The notification obligation for significant incidents is a three-step process:
  - a) The operator must submit a notification to the supervisory authority within 24 hours of detecting the incident (initial notification).
  - b) Within 72 hours, the operator must submit a follow-up notification to the supervisory authority.
  - c) After the incident has ended, a final report must be submitted to the supervisory authority one month after the submission of the incident notification.
In Finland, the notification is submitted to the Finnish Transport and Communications Agency (Traficom). The National Cyber Security Centre (NCSC-FI) is currently developing a NIS2 notification application for this purpose. In addition, if a significant incident is likely to hamper the provision of the service, the operator must notify the recipients of its service without delay.
Key change 3: Administrative Penalties and Personal Liability
The NIS2 Directive includes stricter enforcement and oversight mechanisms. Violations of the directive can result in significant administrative penalties, including larger fines.
As a new "feature", the management of a company can also be personally subjected to fines and administrative actions, including being temporarily barred from their management role. This emphasises the need for companies to comply meticulously with the new requirements and to invest adequately in cybersecurity measures.
The penalty mechanics resemble those of the GDPR, essentially stating that member states must ensure that where the said entities infringe the directive:
- essential entities are subject to administrative fines of a maximum of at least EUR 10 million or of a maximum of at least 2% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher;
- important entities are subject to administrative fines of a maximum of at least EUR 7 million or of a maximum of at least 1.4% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the important entity belongs, whichever is higher.
Key change 4: National implementation in Finland
The NIS2 Directive is set to be transposed into national legislation by the Cyber Security Act ("kyberturvallisuuslaki"); the government's proposal was submitted to the Parliament of Finland in the spring for review. The proposal would enact the Cyber Security Act and amend several other laws currently in force. Utilising the national discretion permitted by the directive, the proposal excludes from its scope the activities and services provided for the purposes of national defence, national security, public order and safety, or the prevention, investigation and prosecution of criminal offences. In general, however, the national regulation in Finland is in line with the minimum level required by the directive.
In addition to Traficom, the Cyber Security Act defines the Energy Authority, the Finnish Safety and Chemicals Agency (Tukes), the National Supervisory Authority for Welfare and Health (Valvira), the South Savo Centre for Economic Development, Transport, and the Environment (ELY Centre), the Finnish Food Safety Authority and the Finnish Medicines Agency (Fimea) as the supervisory authorities for certain obligations.
Summary
The changes brought by the NIS2 Directive will significantly affect Finnish companies, particularly those operating in the critical sectors listed above. Below are some key considerations for companies within the scope of the directive as they prepare for its implementation: