National Cyber Security Strategy
Role of government: represents the highest level of cyber security management. The Government is responsible for providing political guidance and strategic guidelines for cyber security as well as for taking the required decisions regarding the resources and prerequisites to be allocated to it.
Investments: cyber research and development in education, employment and product development aimed at making Finland one of the leading countries in cyber security, as well as appropriate legislation and incentives to support business activities.
Adequate definition of critical infrastructure protection: yes.
Obj. 1 - Create an efficient collaborative model between the authorities and other actors to advance national cyber security and cyber defence.
Obj. 2 - Improve comprehensive cyber security situation awareness among the key actors that participate in securing the vital functions of society.
Obj. 3 - Maintain and improve the ability of businesses and organisations critical to the vital functions of society as regards detecting and repelling cyber threats and risks that jeopardise any vital function and their recovery capabilities as part of the continuity management of the business community.
Obj. 4 - Ensure the police have sufficient capabilities to prevent, expose and solve cybercrime.
Obj. 5 - Create a comprehensive cyber defence capability for their statutory tasks.
Obj. 6 - Strengthen national cyber security through active and efficient participation in the activities of international organisations and collaborative fora that are critical to cyber security.
Obj. 7 - Improve the cyber expertise and awareness of all societal actors.
Obj. 8 - Secure the preconditions for the implementation of effective cyber security measures through national legislation.
Obj. 9 - Assign cyber security related tasks, service models and common cyber security management standards to the authorities and actors in the business community.
Current status: National Cyber Security Strategy
|Year of adoption||Finland's Cyber Security Strategy 2013 English|
|Updates and revisions||Ministry of Defence Strategy 2025|
|Implementation and monitoring||
Government ministries and agencies are responsible for implementing the Strategy within their respective administrative branches and developing the security of supply. Ministries, agencies and establishments are to include the resources for the implementation of the Cyber Security Strategy in their operating and financial plans.
The Security Committee is responsible for monitoring and coordinating the implementation of the Strategy, checking for duplication of effort and potential gaps.
The Government Information Security Management Board (VAHTI) is responsible for processing and coordinating the central government's key information security and cyber security guidelines.
|Policy requirements for an inventory of systems and classification of data. Policy requirements for security practices mapped against risk levels. Policy requirement for annual cyber-security audit. Requirement for public report on government capacity. Requirement for public and private procurement of cyber-security solutions based on international accreditation/certification schemes without additional local requirement.|
|Operational capabilities||Implementation of national computer emergency response team (CERT) and computer security incident response team (CSIRT), established in 2014. National competent authority for network and information security (NIS). Incident reporting platform for collecting cybersecurity incident data. National cyber-security exercises are conducted.|
|Public private partnerships||Partial steps have been taken to define a public private partnership (PPP) for cyber security. NOKIA is part of the European cPPP. The country has business and industry cyber security councils. NOKIA Bell Labs participates in the European 5G PPP also on security and privacy aspects and standardisation. Ericsson Finland also participates in the 5G PPP and is actively involved in 5G security standardisation.|
|Sector specific cyber security plans||Plans for a joint public private sector are partial. Sector cyber-security risk assessments are missing and should be prioritised.|
|Risk assessment plan||Identified gap. Current industry approaches focus on detection and response rather than risk assessment.|
No information currently available.
|Date of last WISER analysis||May and July 2016|
Current status: NIS Directive and national CERTs/CSIRTs
|Computer security incident response teams (CSIRTs)||
The National Cyber Security Centre Finland (NCSC-FI)* is responsible for the Government, Private and Public sectors. Its operational names are CERT-FI and NCSA-FI.
NCSC-FI - national information security authority. It develops and monitors the operational reliability and security of communications networks and services. Its CERT duties consist of preventing, detecting and resolving security breaches, as well as of informing of information security threats. The Centre's NCSA duties include the responsibility for security matters related to electronic transfer and processing of classified information.
CERT-FI - solving information security violations and threats against network, communications and value-added services. Gathering information on such incidents. Disseminating information on information security matters. Its objectives are to ensure that public communications networks and communications services function safely and properly, and to safeguard functions that are vital to society.
*Name in Finnish: Kyberturvallisuuskeskus | Name in Swedish: Cybersäkerhetscentret
Finnish University and Research Network, Computer Emergency Response Team (FUNET CERT) - information security service provided through Funet membership fee.
F-Secure Rapid Detection Service* - private all-in-one intrusion detection and response service with threat intelligence and behavioral analysis, where the latter is maintained in F-Secure's cloud. No private or personal data is collected, which is important for compliance with European data protection laws.
*New service launched in May 2016, previously known as F-Secure Rapid Response.
NCSC Services: alerts, information security, vulnerabilities, safe use of services, safe use of devices, electronic identification and signature, information security inspection bodies, telecom operators' rights and obligations, corporate subscribers' rights and obligations, security services of the NCSC-FI.
Funet CERT monitors and coordinates information security deviations at Funet customer organisations, while helping them to reduce information security risks.
|Report an incident|
|Languages||Finnish, Swedish, English|
|Date of last WISER analysis||May and July 2016|