NIS directive in the Nordics: Finnkampen in the air?
Did you know that the European Union has introduced the first cyber security law in Europe, the NIS directive? For many organizations, its practical implementation and compliance requirements are still unclear. In the Nordics, the situation is further complicated by the fact that each country is free to choose how it implements the directive in local law.
The GDPR triggered a large response in the EU for personal data rights and motivated a series of compliance activities across industries not only within the EU but also in the rest of the world. We’ve entered into a new era. But this was only one (loud) leg of a larger effort by the EU in digitalization.
A quieter yet equally significant effort is embodied in the Network and Information Security Directive (NISD). NISD is the first cyber security law in Europe. NISD’s core message is that operators of essential services and digital service providers must take proportionate measures to ensure their information infrastructure is ‘secure’; manage incidents so that their business continuity is not put at risk by debilitating information security disruptions; and report any significant breaches to the authorities.
Cyber security still feels like a novel, highly technical and abstract field of practice to many. What do those obligations even entail in practice? Can we consider the job done if we have the best anti-virus protection and plenty of encryption? Not by a long shot. Compliance with the NISD entails a number of information security measures and processes that go well beyond upgrading your applications and protective tools. There are simply no short-cuts to being “cyber secure”.
Cyber security law for Finland
The EU countries were required to have national law implementing the NIS Directive in place by May 2018. Each country is free to implement the NISD in the way it finds appropriate. Tieto’s home country Finland diverges from its neighbour Sweden on this point.
Sweden has published a new law (Informationssäkerhet för samhällsviktiga och digitala tjänster) as well as a substantive document on the implementation of the NIS Directive (some 300 pages).
Finland, on the other hand, has opted for a granular approach and merely amended its sector-based legislation instead of passing a new law. You can almost feel the signature of the famously minimalist and functional Finnish design in Finland’s legislative practice (in Finland, we use words economically). In total, eleven Finnish codes have been amended to accommodate NIS-related obligations across the ‘essential services’ and digital service industries.
So, what awaits the Finnish industry actors?
The short answer: Finland will probably experience a bit more uncertainty around the sanctions for failing to comply with the cyber security obligations than its Swedish counterparts. Our reliable government sources have indicated that the reason Finland chose to stay silent about NIS-related penalties is that the existing sector-based legislation already regulates sanctions and penalties sufficiently.
It appears that of the two major groups of sectors to which the NIS obligations apply, the OES (operators of essential services, such as the energy sector, healthcare and finance) are set to be left with more uncertainty than the DSPs (digital service providers) in terms of administrative sanctions and penalties.
The obligatory breach notifications will have to be made to the sectoral authorities. So, if you have gone through a disruption with a significant impact on business continuity and you operate in the transport sector, you need to notify the Finnish Transport Safety Agency (Liikenteen turvallisuusvirasto).
What should you be doing before the year begins?
When you operate in a ‘business of trust’ such as finance or healthcare, it is the value created by that trust that drives your business. When you operate energy, transport or digital service infrastructures, it is the reliability of your operations that maintains the value of your business. Thus, the primary driver of your success will always be maintaining your customers’ trust that you protect their data, their operability and their business continuity.
On the cyber security front, you need to ensure that you have committed the internal resources to become NIS compliant. For that, prepare yourself to take action in three major cyber-security fields:
- Risk management,
- Implementation of state-of-the-art security measures, and
- Incident management procedures.
Equipped with Tieto’s long-standing customer experience and excellent capabilities in cyber-security services, we are here to offer you our comprehensive NIS Consultancy, customized for the industry you operate in.
Stay secure, stay compliant, stay digital.
Please feel free to get in touch with me or Maria Nordgren to save your seats with our expert consultants.