Final report of the working group: A well-functioning digital society will require investments in information security

The working group's final report finds that the level of information security and data protection in sectors critical to society should be increased by means of additional resources and more effective cooperation. The working group would steer the level of information security by means of more detailed and targeted statutory requirements and obligations, the implementation of which would be actively monitored. The working group's report was published on 1 February 2021.

A digital society consists of many interdependent actors whose activities require reliable and secure connections and information systems. This is particularly important to the functioning of society's critical services. In these sectors, individual information security and data protection violations and disruptions can have a direct impact on citizens' lives and the functioning of the national economy.

Although general and sector-specific information security and data protection-related obligations have been imposed on critical services, the work of the working group has demonstrated that there are major differences between sectors in their ability to respond to growing information security and data protection challenges.

The working group made proposals for policy guidelines to improve the information security and data protection of critical sectors, and specified the parties responsible for the measures and schedules for their implementation.

The policy proposals are based on seven requirements that should be implemented to ensure that the information security and data protection of operations are adequate:

1. Legislation must include adequate information security and data protection requirements and obligations for critical sectors and precise regulations for their implementation.

2. Actors must have sufficient knowledge and competence to comply with the obligations.

3. Authorities must have sufficient powers to monitor the implementation of information security and data protection

and to engage in cross-sector cooperation.

4. Authorities must have sufficient competence and courage to exercise their powers and guide their sector.

5. Authorities must have sufficient resources to exercise their powers.

6. Each actor bears responsibility for the information security and data protection of their operations.

7. Authorities have an up-to-date situational picture of the level and situation of information security and data protection throughout the operating environment.

The report also provides an assessment of needed additional resources, with a focus on developing the operational capacity of supervisory authorities.

Investments in cyber security

The newly completed report by the working group is part of a larger cyber security-related entity.

"To ensure cyber security, society must be alert, prepared, and ready to partake in cooperation. Leadership is required from the Government, legislation must be reformed and the efficiency of the activities of the authorities must be improved. Resources must also be increased, but this is an investment in security that will pay for itself manifold," emphasises Timo Harakka, Minister of Transport and Communications.

In Finland, many of society's key sectors are obliged to ensure the information security and cyber security of their services. These obligations are supplemented by voluntary cooperation and exchange of information between the authorities and service providers. In addition, the Finnish Transport and Communications Agency's National Cyber Security Centre monitors and develops the reliability and security of communications networks and services and helps in investigating information security breaches.

The development programme that extends over numerous government terms currently under consultation will also improve the planning and development of cyber security. The aim of the Programme is to provide guidance for the cyber security development extending across sectoral borders and government terms.

In 2020-2023, public administration's digital security services will also be developed in accordance with the Ministry of Finance's Haukka implementation plan. The implementation plan will also support the preparation and implementation of the cyber security strategy development programme.

The significance of cyber security was also highlighted in the final report of the Working group for a digital leap forward. The working group on digital means for the after-care of the coronavirus crisis proposed that Finland should promote the development of the information and cyber security ecosystem and infrastructure with research and by supporting the Finnish cyber industry. This would also safeguard Finland's international competitiveness.

Background of the working group on information security and data protection in critical sectors

In November, the Ministry of Transport and Communications appointed a working group to identify needs to amend the legislation on data security and protection in sectors of key importance for the functioning of society and to submit a proposal to the Government for policy guidelines on them.

The working group's report concentrated on the key sectors of society, such as health care, energy supply, the financial sector, water supply, traffic and digital infrastructure and its services.

The aim is for information security to be part of society's preparedness and for the services provided by society and citizens' data to be better protected from unauthorised processing

The group will be chaired by Laura Vilkkonen, Director-General at the Ministry of Transport and Communications. The group consisted of representatives from ministries and the authorities.

The working group's final report Improving information security and data protection in the critical sectors of society can be read on the Government website (in Finnish, abstract in English).

Inquiries:

Laura Vilkkonen, Director General, tel. +358 40 500 0817, Twitter: @vilkkonen