Finnish Information Security Cluster – Kyberala ry

FISC

Finnish Information Security Cluster (FISC) is an advocacy association for the cybersecurity industry, whose purpose is to promote the competitiveness and operational viability of the sector, as well as information and digital security in Finland and the EU, in cooperation with public administration, businesses, and civil society.

Lobbying Activity

Response to The EU Cybersecurity Act

19 Jun 2025

ENISA's mandate needs to be critically assessed, focusing its tasks on areas where it can provide the most European value added that member states cannot achieve independently. It has far too many tasks in its mandate (even approx. 80 various tasks) and there is a need to significantly reduce them. Many of ENISA's tasks overlap with other agencies or member states, hindering its ability to achieve its objectives and deliver sufficient results. ENISA's role in the EU's international cooperation requires evaluation, as its contribution remains unclear. The following decisions should be considered: Support for the industry (entities) in the form of best practices and technical guidance should be deprioritized, given that the cybersecurity industry itself is a central actor and ENISA is not well placed to facilitate it. The support ENISA offers in capacity building should be reduced, as this falls within the responsibilities of member states. This includes specific initiatives such as ransomware prevention, sector-specific support, and various exercises and challenges organized by ENISA. Additionally, it is not suitable for ENISA to address non-technical risks related to ICT supply chain security as there are other organizations that are better equipped for the task. ENISA needs to deprioritize its activities on education, skills and awareness, as these fall to the competence of member states that are better equipped to handle the tasks. EU funds dedicated to cybersecurity skills development should be allocated to the European Cybersecurity Competence Center (ECCC) to be channeled to activities increasing the output of cybersecurity education, especially for reskilling and upskilling, in member states. To avoid overlapping activities, ENISA should not engage in research and innovation, as these fall into the competence of the ECCC. ENISA's current advisory mechanisms need to be reformed to ensure sufficient and meaningful industry participation and influence.
ENISA's role should be understood to serve the needs of the industries in relevant matters, not to coordinate cybersecurity of the private sector. ENISA's tasks should be directed to activities that benefit from combined technological expertise and capabilities at the European level, being inadequate for member states to venture unilaterally. The following decisions should be considered: ENISA needs to bolster its efforts in creating a shared EU situational awareness by providing relevant technical information, as mandated in both the NIS2 directive and the Cyber Resilience Act. Close collaboration with other Union entities is necessary, underlining the fact that the situational awareness framework needs to serve member states by complementing and enhancing their national capabilities, avoiding overlapping activities at all costs. Facilitating cooperation and information exchange between member states are tasks ENISA should pay more attention to. It is essential that the current cybersecurity certification framework is revised. Certification should aim to improve product or service security, ensure regulatory compliance, facilitate international market access, reduce legal exposure and financial liabilities, enhance customer trust and credibility, and lower administrative costs. The current European cybersecurity certification framework is not an effective tool for this purpose. Certification needs to be part of ENISA's mandate in the future, but the structure and the process need to be reformed as progress has been unacceptably slow. Elements of the European cybersecurity certification schemes need harmonization, including vulnerability handling, peer review mechanisms, marking and labeling, and scheme maintenance. Emerging needs in the industry should be addressed, particularly by pivoting European certification schemes more to Post Quantum Cryptography and physical security. The certification framework should remain industry-agnostic, avoiding specifically tailored cases.

Response to International Digital Strategy

21 May 2025

The European Commission's 2025 Work Programme aims to boost both industrial competitiveness and European security. To manage strategic risks, Europe must reduce dependencies and limit the influence of malicious actors. However, security investments require economic growth, which in turn depends on productivity. Cybersecurity is primarily the responsibility of companies and communities, not authorities. Finnish Information Security Cluster (FISC) supports EU efforts to strengthen digital security and contribute to the safety of European societies and partners. FISC emphasizes that the EU's International Digital Strategy must reflect the true nature of cybersecurity. Cybersecurity is governed by data owners, who are responsible for preventing, investigating, and mitigating breaches. Companies and communities, as key societal actors, must manage cybersecurity risks, identify system anomalies, and ensure data confidentiality, integrity, and availability. Trustworthy and reliable information systems are essential for competitiveness and societal resilience. Cybersecurity is not just about state control but about daily practices by data holders. EU policies, including international cooperation, should support public-private collaboration and promote widely accepted digital risk management practices. Cooperation with like-minded third countries is both necessary and strategic. Partnerships with countries like Canada, the UK, Japan, South Korea, and Australia are vital for aligning values-based technological development. These partnerships should include foreign and security policy, critical technology standards, and digital trade coordination. Barriers to deeper cooperation must be addressed. The EU should also engage emerging economies seeking digitalization. The EU can offer trusted digital infrastructure and promote sustainable partnerships based on data integrity and availability.
More Global Gateway funding should support cybersecurity in these regions, especially for industries and agencies, and align with EU trade policies. Internal and external digital policies must be coherent. To maintain credibility, the EU must ensure its internal digital security policies uphold human rights, the rule of law, and European values. Policies should foster a secure and sustainable digital life for all Europeans. Encryption must be protected. FISC urges the Commission not to propose measures that weaken encryption. Strong encryption safeguards fundamental rights and is essential for cybersecurity. Undermining it would expose Europeans to threats and damage the EU's credibility in global digital policy. Cyber defense must respect international law and fundamental rights. While enhancing cyber defense is important, offensive measures risk harming innocent data owners and violating international legal norms due to a cycle of retaliation. The EU should focus on asymmetric, lawful responses and encourage partners to do the same. This approach supports a human-centric digital future and holds malicious actors accountable. In summary, Europe's digital and security strategies must be rooted in economic strength, private-sector responsibility, international cooperation, and unwavering commitment to rights and the rule of law.

Response to European Internal Security Strategy

13 Mar 2025

Please see our feedback on the attachment.

Response to Evaluation of the Public Procurement Directives

7 Mar 2025

Finnish Information Security Cluster (FISC), representing the cybersecurity industry that is operating in and from Finland, supports the outlined objectives for the revision of public procurement directives. Public procurement constitutes significant economic resources, which can be harnessed in a strategic manner to foster development and deployment of critical technologies, as well as security of supply chains and digital sovereignty in Europe. It is worth underlining that strengthening the industrial base for critical technologies is an issue of economic viability, and hence the focus should be on enhancing preparedness and reducing unpredictable dependencies via public procurement processes. Including cybersecurity as a requirement of public procurement is justified for the following reasons:

1. Increased cybersecurity maturity of tendering organizations: Adding cybersecurity to qualitative requirements to tenders is highly recommendable, not only for boosting demand for state-of-the-art cybersecurity features but also for improving cybersecurity posture in public organizations. To achieve these objectives, the criterion for the use of cybersecurity as a qualitative requirement needs to be based on proven cybersecurity risk management methods, as well as precisely define them in the upcoming regulation. Considering this, reference must be made to the NIS2 directive and the Cyber Resilience Act, underlining that for preference to be given for a product, solution or a service on cybersecurity grounds, the cybersecurity features of those need to go beyond the requirements in legislation. In addition, creating EU-wide mandatory security requirements for public sector cloud service providers and general security requirements for all procurement participants are necessary measures for ensuring the prevention of industrial espionage and the prevention of supply chain disruptions.

2. Boosting economic viability of European cybersecurity industry: To maximize the impact of the procurement requirements and to boost the demand even further, we recommend complementing the requirements with financial support to companies and organizations from EU and national budgets for uptake of innovative cybersecurity solutions.

3. Security of the supply chain: Both by requiring higher-level cybersecurity requirements in procurement and by supporting companies in developing their own cybersecurity risk management development, companies as suppliers to public organizations will add increased reliability and security to the supply chain.

To fully harness the potential of public procurement in advancing technological development and economic viability in Europe, the legislative approach must be based on fostering excellence. The criterion for preferring European solutions to those developed in third countries needs to be clearly defined, including situations where they would be applied. It is essential that preference for European products, services and solutions will not be given at the cost of quality, and that more favorable treatment will be applied only when the quality level of offers can be considered equal. At the same time, it is necessary that the criterion is exclusively applied to third countries, and that European businesses are always treated equally in all procurement processes. The current legislative framework for public procurement does not provide adequate support for innovation via the procurement process. To address this challenge, we fully endorse the proposal made by Mario Draghi in his report on European competitiveness that the revised public procurement directives should prioritize innovation, set targets for innovation procurement, and avoid overly restrictive provisions that hinder start-ups and scale-ups. Reforming the European Innovation Council (EIC) on the example of the DARPA instrument in the United States should be viewed as a complementary action to boost and facilitate innovation procurement.

Meeting with Henna Virkkunen (Member of the European Parliament)

15 Nov 2023 · Cyber Resilience Act

Meeting with Henna Virkkunen (Member of the European Parliament, Shadow rapporteur)

30 Mar 2023 · EU Cyber Resilience Act

Meeting with Suvi Leinonen (Cabinet of Commissioner Jutta Urpilainen) and Technology Industries of Finland (Teknologiateollisuus ry) and

8 Mar 2023 · Energy, competitiveness