Finland adjusts its information security plans to prepare for compliance with the NIS Directive

On 19 December, the Finnish Ministry of Transport and Communication submitted a proposal to parliament laying out amendments to the nation’s current cyber security legislation that may be necessary in order to comply with the upcoming EU Directive on Security of Network and Information Systems (NIS Directive).

The NIS Directive – what is expected?

The NIS Directive will be transposed into law by EU member states by May 2018, and aims to strengthen cyber resilience in national infrastructure and essential services.

It requires operators of essential services (OESs) and digital service providers (DSPs) to implement security measures appropriate to the associated risks, as well as measures that minimise the impact of incidents and ensure business continuity.

Penalties for non-compliance will be decided by individual member states, and these penalties “shall be effective, proportionate and dissuasive”.

How Finland is preparing for the NIS Directive

The Finnish proposal recommends changes to much of the Finnish information security legislation that relates to OESs and DSPs, including:

  • Information Society Code
  • Aviation Act
  • Act on Transport Services
  • Water Services Act
  • Electricity Market Act

The proposed amendments, which are expected to be enforced on 1 May 2018 if accepted by parliament, detail the requirements that OESs and DSPs will be expected to follow in order to increase their cyber security, and to manage and report on security incidents.

Supervisory authorities are expected to monitor organisations’ compliance with the amended legislation.

Cyber resilience solutions

Although there will be a further six months for organisations within scope to be formally identified, EU member states must transpose the NIS Directive into national law by May 2018.

It is therefore imperative for organisations related to critical national infrastructure to begin compliance plans now and avoid penalties.

IT Governance offers a comprehensive range of cyber resilience solutions to meet your organisation’s various obligations, and to ensure continued compliance once the NIS Directive has been transposed into law:


Cyber resilience – identify, protect and detect:


Cyber resilience – respond and recover:

Contact IT Governance to get started with the NIS Directive

corporate account

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.