The road traffic sector has cybersecurity requirements for providers of traffic control and management services and operators of intelligent transportation systems, among others.
What is meant by cybersecurity?
Cybersecurity refers to a state in which the cyber operating environment can be trusted to be secure. Cybersecurity risks are dynamic in nature. This means that vulnerabilities are often exploited in various ways, and they can quickly jeopardize cybersecurity. Protection requires stakeholders to have up-to-date awareness of direct and indirect cybersecurity threats. The constantly changing threat environment encourages organizations to take a proactive approach to cybersecurity. Cybersecurity is a must in the development of the transportation system and should be promoted alongside other necessary aspects.
What are the legal requirements for cybersecurity in the road transport sector?
The European Directive (EU) 2022/2555 on measures to ensure a high common level of cybersecurity across the Union (NIS2 Directive) covers a wide range of critical sectors of society and imposes the same obligations on entities falling within its scope across the Union. The objective of the Directive is to strengthen the EU's cybersecurity and ensure the continuity of critical services in exceptional circumstances. In the transport sector, the requirements of the NIS2 Directive apply, among others, to providers of road traffic control and management services as well as operators of intelligent transport systems.
The objectives of the NIS2 Directive have been implemented into our national legislation through the Cybersecurity Act (124/2025), which entered into force on April 8th, 2025. Chapter 2 of the Cybersecurity Act contains the key cybersecurity requirements set for NIS2 entities:
- Section 7 – Risk Management
- Section 8 – Risk management model for cybersecurity
- Section 9 – Measures for managing cybersecurity risks
- Section 10 – Responsibility of management
- Section 11 – Incident notifications to authorities
- Section 12 – Interim report on the incident
- Section 13 – Final report on the incident
- Section 14 – Reporting an incident and cybersecurity threat to entities other than authorities
- Section 15 – Voluntary reporting
The law also includes other obligations for NIS2 entities, such as the requirement to register and maintain up-to-date information in the operator registry of the supervising authority (Section 41).
The role of Traficom
Under the Cybersecurity Act, Traficom has a general supervisory authority role and tasks related to ensuring compliance with the obligations set forth in the law and the provisions, regulations, and decisions issued based on it within the Finnish transport system. Nowadays, the role of an authority is expanding towards partnership and interaction, emphasizing continuous improvement. Traficom provides guidance and instructions on cybersecurity to organizations in the road transport sector.
In addition to its supervisory responsibilities, Traficom actively participates in EU-level and national legislative work, contributing to the development of cybersecurity regulations.