Week 50: Security Legislation Changes

Welcome to the Week 50 regulatory news review. This week, the NIS2 Directive implementation gathers pace, and guidelines on sustainability reporting have been published for the public administration.

NIS2 / Cybersecurity Act

An important step forward was taken this week in the implementation of the NIS2 Directive when the Constitutional Law Committee of the Finnish Parliament issued its opinion on the government proposal. The Committee considers that the proposed acts can be processed in the ordinary legislative procedure, provided that the scope of the second legislative proposal is corrected so that it does not extend to the offices of Parliament. This restriction is necessary to safeguard the constitutional status and independence of Parliament. Furthermore, the Committee noted that the information access rights of authorities are restricted and justified from a cybersecurity perspective, and do not present issues under Section 10 of the Constitution (privacy protection).

Link to the statement (in Finnish): https://www.eduskunta.fi/FI/vaski/Lausunto/Sivut/PeVL_62+2024.aspx

CRA (Cyber Resilience Act)

On December 11, 2024, a hearing was organized for authorities. The specific focus of the session appeared to be the relationship of oversight between the AI Act and the Cyber Resilience Act (CRA), indicating a need to define division of responsibilities and practices regarding AI system safety and digital product cybersecurity. This is particularly important because both regulations can partially apply to the same products or technologies, and avoiding overlaps or gaps requires clear policy lines.

In general, hearings are meetings where various parties—such as authorities, experts, and sometimes stakeholders—gather to discuss the content and impact of a specific legislative proposal, regulation, or project. Such sessions are organized especially when preparing or implementing major regulatory packages.

CSRD (Corporate Sustainability Reporting Directive)

On December 10, 2024, the State Treasury (Valtiokonttori) published new guidelines on sustainability reporting practices in public administration. The State Treasury recommends that all government ministries, agencies, and institutions prepare an annual sustainability report utilizing this guidance.

The guidance on responsibility reporting in government recommends that ministries, agencies, and institutions prepare an annual responsibility report using the UN Sustainable Development Agenda (Agenda 2030) as a framework. Organizations are encouraged to identify 3 to 5 sustainable development goals where they can make the most significant impact through their operations. The reporting focuses on both the positive impacts of operations (handprint) and reducing negative impacts (footprint). The first reports under the guideline were prepared for the year 2021, and the State Treasury compiles a state-level summary of these, which is published by the end of September.

The State Treasury’s guidelines can serve as a useful example for other organizations in developing their own sustainability reporting.

Link to the guidelines (in Finnish): https://www.valtiokonttori.fi/maaraykset-ja-ohjeet/kestavyysraportointi-valtionhallinnossa/

Conclusion

Tekve Oy offers support in navigating and implementing regulatory requirements, so feel free to contact us. See you next week!