
Finland: Cybersecurity


Governing legislative framework

Finland does not have a general cybersecurity law or framework. The detailed security requirements are found in sector-specific laws. However, since the General Data Protection Regulation (GDPR) became fully applicable in the EU Member States, the overarching principle of security can be found in the GDPR itself. The national laws were amended accordingly to refer also to the GDPR's security requirements, including the principles of accountability and Privacy by Design and by Default, which are cited in that context alongside Security by Design and by Default.

Even prior to the GDPR, traditionally heavily regulated industries such as finance, health, and telecommunications had their own respective rules on data security. The very concept of data security has its roots in the Constitution of Finland (as amended) and its provisions on the principles of privacy and secrecy: those principles are breached if there are no adequate measures in place to safeguard protected information against unauthorized access, or if such information ends up 'in the unlawful possession' of those who have no legal right to it.

In summary, even though Finland does not have general security legislation, the obligation to provide adequate security measures is everywhere, for both public and private bodies and service providers.

For any commercially operating entity, there are general security obligations included even in the Companies Act and other laws such as:

  • the Limited Liability Companies Act;
  • the Trade Register Act;
  • the Accounting Act;
  • the Accounting Decree;
  • the Auditing Act;
  • the Act on the Prevention of Money Laundering and Terrorism;
  • the International Financial Reporting Standards;
  • the Tax Procedure Act;
  • the Securities Markets Act; and
  • the EU Market Abuse Regulation.

In addition, the Criminal Code has its own provisions following the addition of a new chapter (Chapter 38), which criminalizes acts that violate secrecy or the secrecy of communications and also covers unlawful access to an information system. Section 12 in particular provides that the provisions on corporate criminal liability apply to a violation of the secrecy of communications, an aggravated violation of the secrecy of communications, interference with communications, aggravated interference with communications, unlawful access to an information system, interference with an information system, and aggravated interference with an information system.

Scope of applicable laws

Any service that collects or processes personal data, as very broadly defined under GDPR, must have sufficient organizational and technical measures to protect that personal data against breaches, leaks, or any event that may risk the availability, integrity, or safety of that material.

A cornerstone of the security requirements is sufficient access control: only those persons who have been granted clear permission to access defined datasets for predetermined purposes may have access to personal, classified, or sensitive information.

The EU Network and Information Security Directive (NIS Directive) contains provisions on security obligations and incident reports in certain operations. In Finland, such obligations are laid down in legislation within each sector, and the supervisory authorities in these sectors monitor their compliance. These specific security provisions apply to telecommunications operators, communications providers, corporate or association subscribers, domain name registrars, and digital services referred to in the NIS Directive, which include cloud services, online marketplaces, and search engines.

As a special mention, Finland has traditionally had very strict laws on protecting employee data, covering everything from the personal data collected from potential candidates during the recruitment phase to the vast amounts of personal data collected during the term of employment. An employee may fall within the scope of mandatory Finnish employment laws even for short-term employment if the employee lives in Finland, the work is performed in Finland, or the salary is paid in Finland. If the applicable jurisdiction is indeed Finland, employers must account for the following laws and regulations when planning sufficient security measures:

  • the Employment Contracts Act;
  • the Act on Co-Operation within Undertakings;
  • the Collective Bargaining Agreement, Information Service Sector;
  • the Working Hours Act;
  • the Annual Vacation Act;
  • the Unemployment Benefits Act;
  • the Occupational Health Care Act;
  • the Employees Pension Act;
  • the Health Insurance Act; and
  • the Worker's Compensation Act.

Authorities

For general cybersecurity legislation and requirements, the authority is the Finnish Transport and Communications Agency (Traficom) and its National Cyber Security Centre.

Traficom's responsibility is to ensure the availability of well-functioning, safe, secure, and reasonably priced transport and communications connections and services in Finland. Traficom is also an authority serving people and businesses in license, registration, and supervisory matters. It should be noted that Traficom has the mandate to supervise the e-Privacy Directive and some other areas that in other countries belong under the remit of a data protection authority.

For health and social services, the Ministry of Social Affairs and Health is the most important authority, and the Finnish Institute for Health and Welfare (THL) is responsible for the development of electronic health and social services, including planning and supervision. The THL has five departments, one of which is health security.

The National Supervisory Authority on Welfare and Health (Valvira) has the mandate to inspect and audit health and social service providers' technical environments and security.

For telecommunications, the national authority is the Ministry of Transport and Communications, whose responsibility is 'to ensure that people and businesses have access to well-functioning, safe and secure transport and communications networks' and 'to safeguard the efficient operation of transport and communications networks also in extreme situations.'

Since telecommunications fall within the scope of the NIS Directive, the operative authority is the National Cyber Security Centre (NCSC-FI).

In the financial services sector, the national authority is the Finnish Financial Supervisory Authority of the Finnish Government (FIN-FSA), which is responsible for the regulation of financial markets in Finland. Its scope is wide, covering inter alia banks, insurance companies, pension insurance, the stock exchange, issuers and investors, crowdfunding, mortgage credit, and even virtual currency providers.

The legal nature of FIN-FSA's regulations and guidelines is as follows.

Regulations are presented under the heading 'Regulation' in FIN-FSA's regulations and guidelines. FIN-FSA regulations are binding legal requirements that must be complied with.

Guidelines, presented under the heading 'Guideline', are FIN-FSA's interpretations of the contents of laws and other binding provisions.

Mere recommendations and other non-binding operating guidelines are also presented under the 'Guideline' heading, including recommendations on compliance with international guidelines and recommendations.

There are very detailed guidelines, for example on the development of recovery plans and early intervention.

Implementation of framework

The Act on Electronic Communications Services is the national law implementing the NIS Directive. Traficom has issued detailed instructions for implementing these provisions. As described above, each sector may have its own respective authorities supervising implementation.

For example, for health and social services, Valvira is responsible for monitoring the implementation of the NIS Directive in the healthcare sector in Finland.

Notification obligations

Notification obligations are also mostly sector-specific, meaning that any entity falling within the scope of Finnish requirements must check the applicable sector and its governing authorities, including the notification timelines, which vary from sector to sector.

The overall general authority under the GDPR responsible for data breach notifications is the Office of the Data Protection Ombudsman, led by the Data Protection Ombudsman.

Incident reports in telecommunications services

Under the Act on Electronic Communications Services, the telecommunications operator must notify Traficom, or in practice the NCSC-FI, immediately of any significant information security violations or threats to information security in its services. The telecommunications operator then has the obligation to notify its clients and end-users of such incidents. This notification obligation is laid down in Commission Regulation (EU) No 611/2013.

There is a technical regulation on disturbances in services, which lists the telecommunications operators' or other applicable service operators' obligations to notify information security violations or related threats to users and Traficom.

Such notifications can be submitted to the NCSC-FI via their e-services.

The NCSC-FI also invites reports from private persons, businesses, and organizations 'who suspect that they have fallen victim to an actual or attempted information security incident, such as malware infection, phishing or DoS attack.'

Based on those reports, there is assistance available in resolving and investigating the incidents and coordinating the required actions. Their resources are limited, but the NCSC-FI can, for example, share information, contact collaborators and collaborative networks, perform technical analysis, and provide some legal guidance.

In addition, there is the 'Autoreporter' function, which enables NCSC-FI and telecommunications operators to join forces in the fight against malware. Autoreporter receives information on malware traffic originating in Finland from nearly all over the world. NCSC-FI then forwards the information to telecommunications operators, who can inform their own customers and end-users.

Any deviations or irregularities observed while monitoring healthcare systems must be notified to Valvira. For so-called category A services, a substantial non-conformity must be reported by the service provider not only to Valvira but also to all service providers that are using that information system. The service provider of the relevant information system must also report any substantial non-conformities to the Kela Kanta Services in accordance with the Action in case of disruption guideline.

Financial institutions must report any disturbances without delay to FIN-FSA. There was a dedicated email address, but since February 1, 2023, reports and notifications of disruptions and faults in operations must be submitted to the Financial Supervisory Authority via their e-services log-in page.

A list of all notification obligations can be accessed here.

Registration to authorities

There is no direct registration obligation solely due to security compliance, but it follows from operating in a certain business or activity, which requires notification or even permission (finance, health, telecommunications, etc.).

In order to obtain permission or a license, a party will be bound by the respective security obligations, not forgetting the requirements that apply automatically under mandatory laws such as the GDPR and the national law on data protection.

Appointment of security officer

There is no general obligation to appoint a security officer comparable to the obligation to appoint a data protection officer under the GDPR. From a practical point of view, however, it becomes very difficult to comply with the vast amount of planning, reporting, monitoring, and training obligations if there is no dedicated person to execute them and act as a contact point.

Penalties

In summary, there are possible penalties for a security breach under the GDPR, where, in addition to the general penalties for a data protection breach, a cumulative penalty may apply if, for example, the data breach notification is delayed beyond 72 hours.

Since some sector-specific regulations carry shorter deadlines, they may also lead to additional or parallel penalties under the respective legislation, without overlooking the Criminal Code or any additional or specific sector-specific legislation.

For example, FIN-FSA has the power to issue sanctions. These include fines, public warnings, and referral to the police with a request to investigate whether a crime was committed. FIN-FSA can impose an administrative fine for a failure to comply with, or a violation of, the provisions in Section 38 of the Act on the Financial Supervisory.

FIN-FSA's requests for police investigation and administrative sanctions for 2012–2022 can be found here.

Other

The Finnish Cybersecurity Label is a label that may be granted to connected smart devices or services if they meet the information security requirements set by the NCSC-FI. The Cybersecurity Label is mainly intended for consumer smart devices, such as smart TVs, smart bracelets, and home routers.

There are several unofficial interest groups providing information to citizens who have become the victims of a security breach such as phishing or identity theft. In general, the level of cybersecurity awareness among organizations is quite high due to a long tradition of sector-specific legislation and requirements, as well as continual oversight by the relevant authorities. This awareness has unfortunately been further heightened by certain high-profile and widely publicized incidents illustrating the consequences of lacking appropriate cybersecurity measures.

To conclude, Finland is a highly regulated environment in general, and this is true also for cybersecurity. Therefore, it is extremely advisable to carefully analyze the applicable laws and regulations before commencing any operations.

Leena Kuusniemi, Partner
ICT Legal Consulting, Helsinki