Aggregated News From Investment Management Regulators

EU Network and Information Systems Directive implemented nationally on 9 May 2018



On 6 July 2017, the European Parliament and the Council issued Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the so-called NIS Directive). National legislation under the Directive and the obligations it imposes enter into force on 9 May 2018. The obligations primarily concern companies critical for the supply of services and key digital service providers.

The general objective of the Directive is to enhance the level of security against network and information security breaches, risks and threats. The purpose is to achieve a high level of network and information system security within the EU by improving preparedness at the national level, enhancing EU-level cooperation and imposing risk management and reporting obligations on essential service providers and certain digital service providers.
Member states are obliged to identify, by sector, the essential service providers established in their jurisdiction that are active in the sectors within the scope of application of the Directive.

As regards financial services, essential service providers comprise credit institutions [1] and financial market infrastructures [2]. In practice, there is currently one such infrastructure provider in Finland, Nasdaq Helsinki Ltd.

The new legislation obliges service providers to notify, without undue delay, the competent authority or the CSIRT of information security threats and breaches having a significant impact on the continuity of the essential services they provide. Notifications shall include information enabling the competent authority to determine any cross-border impact of the incident.

Even before the entry into force of the new legislation, financial sector participants have been under obligations corresponding to the requirements of the Directive: to arrange operational risk management and ICT systems security, and to notify network and information security breaches. The entry into force of the NIS Directive does not change existing obligations or introduce new ones; the regulations and guidelines previously provided by the FIN-FSA on the management and reporting of operational risk remain in force. Notifications on network and information security breaches are always made to the FIN-FSA. Providers of financial sector services may additionally choose to submit a notification to the CSIRT (Finnish Communications Regulatory Agency).

Link to the regulations and guidelines:

Regulations and guidelines 8/2014 Management of operational risk in supervised entities of the financial sector

For further information please contact:

  • Anne Nisén, Senior Risk Expert, tel. +358 9 183 5211, anne.nisen(at)
  • Heli Mäkitalo, Risk Expert, tel. +358 9 183 5369, heli.makitalo(at)

[1] Credit institutions, as defined in Article 4(4)(1) of Regulation (EU) No 575/2013 of the European Parliament and of the Council.

[2] Operators of trading venues as defined in Article 4(24) of Directive 2014/65/EU of the European Parliament and of the Council and central counterparties as defined in Article 2(1) of Regulation No 648/2012 of the European Parliament and of the Council.

Regulator Information

Abbreviation: FIN-FSA
Jurisdiction: Finland
