• 13.08.2025 at 06.45
• Performance audit

State of cybersecurity management in the central government

The authorities consider the state of cybersecurity management to be reasonably good. The implementation of the key measures identified in the cybersecurity strategy must be ensured.

Photo: Getty Images

The purpose of the audit carried out by the National Audit Office was to produce an up-to-date overview of the central government’s and the welfare services counties’ readiness to implement the new cybersecurity legislation and the cybersecurity strategy revised in 2024. The national legislation implementing the EU’s cybersecurity directive (NIS2) entered into force on 8 April 2025.

In the current security policy situation, the management of cybersecurity is a very topical issue. In the 2024 cybersecurity strategy, it is estimated that Finland spends almost EUR 300 million annually to ensuring cyber security in the central government.

Finland has already for a long time had national cybersecurity strategies, but their implementation has been fragmented. The new strategy is intended to be implemented through a joint implementation plan, but the plan does not include any budget or allocated resources. Although the new strategy is implemented and monitored in a more coordinated manner than before, no single entity holds overall responsibility for its implementation.

Based on a survey conducted in the audit, the authorities consider the state of their cybersecurity management processes and practices to be reasonably good. As a rule, the authorities assess that their readiness to meet the requirements is good. Diminishing appropriations underline the importance of prioritisation both at the national level and at the level of individual authorities.