Aggregated News From Investment Management Regulators

EU Network and Information Systems Directive implemented nationally on 9 May 2018



On 6 July 2017, the European Parliament and the Council issued Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the so-called NIS Directive). National legislation under the Directive, and the obligations it imposes, enter into force on 9 May 2018. First and foremost, the obligations concern companies critical for the supply of services and key digital service providers.

The general objective of the Directive is to enhance the level of security against network and information security breaches, risks and threats. The purpose is to achieve a high level of network and information system security within the EU by improving preparedness at the national level, enhancing EU-level cooperation and imposing risk management and reporting obligations on essential service providers and certain digital service providers.
Member states are obliged to identify, by sector, the essential service providers established in their jurisdiction that are active in the sectors within the Directive's scope of application.

As regards financial services, essential service providers comprise credit institutions [1] and financial market infrastructures [2]. In practice, there is currently one such infrastructure provider in Finland, Nasdaq Helsinki Ltd.

The new legislation obliges service providers to notify, without undue delay, the competent authority or the CSIRT of information security threats and breaches that have a significant impact on the continuity of the essential services they provide. Notifications shall include information enabling the competent authority to determine any cross-border impact of the incident.

Even before the entry into force of the new legislation, financial sector participants have been under obligations corresponding to the requirements of the Directive: to arrange operational risk management and ICT systems security, and to notify network and information security breaches. The entry into force of the NIS Directive does not change existing obligations or introduce new ones; the regulations and guidelines previously provided by the FIN-FSA on the management and reporting of operational risk remain in force. Notifications on network and information security breaches are always made to the FIN-FSA. Providers of financial sector services may additionally choose to submit a notification to the CSIRT (Finnish Communications Regulatory Agency).

Link to the regulations and guidelines:

Regulations and guidelines 8/2014 Management of operational risk in supervised entities of the financial sector

For further information please contact:

  • Anne Nisén, Senior Risk Expert, tel. +358 9 183 5211, anne.nisen(at)
  • Heli Mäkitalo, Risk Expert, tel. +358 9 183 5369, heli.makitalo(at)

[1] Credit institutions, as defined in Article 4(4)(1) of Regulation (EU) No 575/2013 of the European Parliament and of the Council.

[2] Operators of trading venues as defined in Article 4(24) of Directive 2014/65/EU of the European Parliament and of the Council and central counterparties as defined in Article 2(1) of Regulation No 648/2012 of the European Parliament and of the Council.

Regulator Information

Abbreviation: FIN-FSA
Jurisdiction: Finland
