NIS2 Directive strengthens cybersecurity across the EU – National implementation launched in January

The revised Directive concerning the security of network and information systems (NIS2) was published in the Official Journal of the European Union on 27 December 2022. NIS2 will replace the earlier Directive concerning measures for a high common level of security of network and information systems across the Union (NIS). The Ministry of Transport and Communications launched the national implementation on 2 January 2023 to transpose the obligations of the new Directive into national law.

NIS2 aims to strengthen cybersecurity in certain critical sectors at a national and EU level. For example, the scope of the Directive will cover more broadly energy and healthcare entities and digital infrastructure service providers. The scope of the Directive has also been extended to apply to new sectors and entities, such as public administration, the food sector and waste management.

To strengthen cybersecurity, the Directive sets out both risk management obligations and obligations to report on cyber incidents in critical sectors of society. The Directive lists the minimum measures that all entities must take to manage cybersecurity risks in their activities. Cybersecurity risk management will be based on risk and performance; when determining their level, the entity will take into account its size and exposure to risks. Entities must also inform the authorities and, where applicable, the recipients of their services of any significant incidents.

The Directive will continue the Member States' existing cooperation mechanisms and intensify cooperation between the authorities. The Directive establishes a European Cyber Crises Liaison Organisation Network (EU - CyCLONe) to support the coordinated management of large-scale cybersecurity incidents. Finland's representative in the Network is the National Cyber Security Centre of the Transport and Communications Agency.

"With the new Network, closer cooperation at the EU level will improve our national cybersecurity. The Ministry of Transport and Communications is in charge of the national management and coordination to advance cybersecurity in Finland. While Finland will benefit from closer cooperation, our partners will also benefit from our position at the forefront of cybersecurity. These decisions will strengthen cybersecurity both in Finland and in the EU," says Minister of Transport and Communications Timo Harakka.

What's next?

The Directive was published on 27 December 2022. The Member States have 21 months from the entry into force of the Directive to incorporate the provisions into their national legislation.

The Ministry of Transport and Communications launched the national implementation on 2 January 2023 to transpose the obligations of the new Directive into national law. The Ministry will carry out the national implementation in broad-based cooperation with other branches of government.

Inquiries:

Marième Korhonen, Senior Specialist, tel. +358 50 535 0433, [email protected]

Sonja Töyrylä, Senior Officer, tel. +358 50 438 4729, [email protected]

Emma Hokkanen, Senior Specialist, tel. +358 50 430 6366, [email protected]

Maija Ahokas, Director of Unit, tel. +358 40 031 6178, [email protected]