Monitoring the implementation of the Directive on Security of Network and Information Systems (NIS)

Valvira is responsible for monitoring the implementation of the NIS Directive in the healthcare sector in Finland. The law obliges operators of essential services and key digital service providers to report computer security breaches. In Finland, Traficom (Traficom.fi) collects reports from the monitoring authorities and acts as Finland's point of contact for engagement with the EU Member States.

The obligations of the Directive apply to sectors that are essential for the maintenance of critical societal and economic activities, and they are monitored by sector-specific authorities:

• Transport – Traficom
• Energy supply – The Energy Authority
• Healthcare – Valvira
• Financial sector – The Financial Supervisory Authority
• Financial market infrastructure – The Financial Supervisory Authority
• Water supply - ELY Centres
• Digital infrastructure – Traficom
• Digital services – Traficom

Computer security threats and breaches regarding the social and healthcare sector must be reported to Valvira

The law obliges designated industry-specific organisations to report any computer security threats and breaches that they detect. This obligation is mandatory.

Computer security threats and breaches regarding the social and healthcare sector must be reported to Valvira. The report can be submitted by sending an informal email to kirjaamo(at)valvira.fi. Valvira collects reports from the healthcare sector and submits them to Traficom.

It is also advisable to report computer security threats and breaches to Traficom's National Cyber Security Centre. Notifying the National Cyber Security Centre does not remove the obligation to notify the monitoring authority.

The Directive on Security of Network and Information Systems is the basis for the promotion of cyber security

The Directive on Security of Network and Information Systems and the national legislation form the framework for guiding and monitoring cyber security in key sectors in society. They allow the authorities to form an overall picture of incidents, and they are the platform for cooperation between sectors and authorities that promotes cyber security at national and international levels.

Reporting computer security threats and breaches helps the affected organisation as well as other organisations to prepare for ongoing threats. It is important to prepare for cyber security threats in advance: the Ministry of Social Affairs and Health has published cyber security guidelines (in Finnish) to help the social and healthcare sector to prepare for threats.

National legislation and obligations under the Directive on Security of Network and Information Systems (NIS) entered into force on 9 May 2018.