On 19 December, the Finnish Ministry of Transport and Communication submitted a proposal to parliament laying out amendments to the nation’s current cyber security legislation that may be necessary in order to comply with the upcoming EU Directive on Security of Network and Information Systems (NIS Directive).
The NIS Directive – what is expected?
The NIS Directive will be transposed into law by EU member states by May 2018, and aims to strengthen cyber resilience in national infrastructure and essential services.
It requires operators of essential services (OESs) and digital service providers (DSPs) to implement security measures appropriate to the associated risks, as well as measures that minimise the impact of incidents and ensure business continuity.
Penalties for non-compliance will be decided by individual member states, and these penalties “shall be effective, proportionate and dissuasive”.
How Finland is preparing for the NIS Directive
The Finnish proposal recommends changes to much of the Finnish information security legislation that relates to OESs and DSPs, including:
- Information Society Code
- Aviation Act
- Act on Transport Services
- Water Services Act
- Electricity Market Act
The proposed amendments, which are expected to come into force on 1 May 2018 if accepted by parliament, detail the requirements that OESs and DSPs will be expected to follow in order to increase their cyber security, and to manage and report on security incidents.
Supervisory authorities are expected to monitor organisations’ compliance with the amended legislation.
Cyber resilience solutions
Although there will be a further six months for organisations within scope to be formally identified, EU member states must transpose the NIS Directive into national law by May 2018.
It is therefore imperative for organisations related to critical national infrastructure to begin compliance plans now and avoid penalties.
IT Governance offers a comprehensive range of cyber resilience solutions to meet your organisation’s various obligations, and to ensure continued compliance once the NIS Directive has been transposed into law:
Cyber resilience – identify, protect and detect:
- Information security management, supported by the international information security management standard, ISO 27001.
- Penetration testing.
Cyber resilience – respond and recover:
- Business continuity and cyber incident response management, supported by the international standard for business continuity, ISO 22301.