Government supports the Commission’s proposal for updating the Directive on security of network and information systems
The EU Commission has made a proposal to update the Directive on security of network and information systems (NIS Directive) to reflect the changed cyber environment. The proposed directive would impose new obligations on Member States. The Government supports the objectives of the proposal and considers it important that the proposal has effects that strengthen cybersecurity and data protection. In addition, the Government considers it important that the proposal also preserves national leeway.
The Government submitted a Government statement on the Commission’s proposal to Parliament on 11 February 2021.
The Commission’s proposal is part of the EU’s new cyber strategy and its objectives issued in December 2020. The proposal is in line with Finland’s own policies and measures on data security and data protection.
Risk management measures to ensure cybersecurity
With digitalisation, the number of cyber violations has also increased, and they have become more sophisticated. Cybersecurity disruptions cause financial losses and undermine users’ confidence in services. The aim of the Commission’s proposal is therefore to strengthen cybersecurity both at the common EU level and at the Member States’ national levels for sectors and actors considered critical.
Among other things, the Commission proposes that the EU and Member States develop their national cybersecurity capabilities, preparedness and risk management. In addition, cybersecurity monitoring, reporting and information exchange, as well as cooperation, should be increased and harmonised.
Common obligations and approaches in support of national cybersecurity strategies
The Government considers it important that the EU has a clear regulatory framework for cybersecurity, as many disruptions and their effects can cross national borders. It is therefore natural that cybersecurity requirements for key and important actors in society are based on common regulation and common practices.
The Government considers that the regulatory framework for cybersecurity must be consistent with other relevant regulation. It is particularly important that the new obligations are correctly proportioned and risk-based in view of the size and activities of operators within the scope of the Directive.
As a rule, the Government considers the specified tasks presented to the supervisory authorities to be justified, but they should also be reviewed in parallel with the requirements of the Constitution. It is good that the directive proposal does not affect the powers of the Member States concerning public security, defence and the maintenance of national security.
The Government supports more efficient reporting and the exchange of information, and advocates close cooperation between Member States. It is also justified that the Directive proposes granting the law enforcement authorities the possibility to obtain information on cybersecurity breaches linked with criminal activities.
Marième Korhonen, Senior Specialist, tel. +358 50 535 0433, Twitter: @MariemeKorhonen
Elina Immonen, Director of the Safety and Security Unit, tel. +358 50 303 2686, Twitter: @ImmonenElina
- Press release 7.5.2018: Legislative amendments increasing information security of services essential to society into force
- Government: Materials of Government plenary sessions (in Finnish)
- Government project database: National implementation of the Directive of the European Parliament and of the Council on security of network and information systems (LVM037:00/2016) (in Finnish)
- European Commission: Commission’s proposal for a new network and information security directive (NIS Directive) 16.12.2020
- European Commission: The Directive on security of network and information systems (NIS Directive)