Current status of implementation

In April 2017, a working group of the Ministry of Transport and Communications of Finland published a closing report (9/2017) regarding their proposals for guidelines on how to implement the NIS Directive. The official government proposal on the implementation of the NIS Directive was given to the parliament on 19 December 2017 and was accepted in the parliament on 10 April 2018. The laws modificating the existing laws (no new law was proposed) came into force on 9 May 2018.

Implementation Act

The necessary changes were made to existing sector specific acts. Altogether twelve Finnish acts were modified: the Information Society Code, the Aviation Act, the Railway Act, the Vessel Traffic Service Act, the Act on the Safety and the Supervision of Security Operations of Certain Vessels and Ports Servicing them, the Act on Transport Services, the Electricity Market Act, the Natural Gas Market Act, the Act on the Supervision of Electricity and Gas Markets, the Water Services Act, the Act on the Financial Supervision and the Act on the National Supervisory Authority for Welfare and Health.

Determination of operators of essential services (Art. 5 NIS)

According to the working group, the most functional way to determine the operators of essential services would be to regulate / specify the criteria in legislation. In the government proposal it is said that network and information security obligations should be applied to a) online marketplaces, search engines and cloud providers and other digital infrastructure, b) air navigation service providers and essential airports, c) state rail network and train traffic control service, d) vessel traffic service providers and essential ports, e) smart transport service providers, f) electricity and gas transmission grid operators, g) certain water management facilities, h) credit institutions and stock exchange operators and i) electronic processing of healthcare customer data. Further specifications can be found in the sector specific laws where each entity is regulated.
Reporting obligations

Operators of essential services must notify the competent authority of any significant security breach without delay. The competent authority may require the service operator to also notify the public about such disruption.
Sanctions regime

No proposed new sanctions; existing sanction regimes provided in the sector specific laws may apply.
Competent authorities

Sector specific authorities will have competence for the supervision: The Energy Authority, the Finnish Transport Safety Agency, the Financial Supervisory Authority, the National Supervisory Authority for Welfare and Health, the Centre for Economic Development, Transport and the Environment and the Finnish Communications Regulatory Authority.
Jurisdictional applications

Not specified in the proposed modifications. The existing provisions on jurisdiction in the sector specific laws apply.
Remarks (if any)


Last reviewed 15.06.2018