Cybersecurity in road infrastructure, smart transport and road traffic
The road traffic sector has cybersecurity requirements for providers of traffic control and management services, operators of intelligent transportation systems, and vehicle manufacturers.
What is meant by cybersecurity?
Cybersecurity refers to a state in which the cyber operating environment can be trusted to by secure. Cybersecurity risks are dynamic in nature. This means that vulnerabilities are often exploited in various ways, and they can quickly jeopardize cybersecurity. Protection requires stakeholders to have up-to-date awareness of direct and indirect cybersecurity threats. The constantly changing threat environment encourages organizations to take a proactive approach to cybersecurity. Cybersecurity is a must in the development of the transportation system and should be promoted alongside other necessary aspects.
What are the legal requirements for cybersecurity in road transport sector?
The Directive (EU) 2016/1148 (External link) of the European Parliament and of the Council on measures for a high common level of security of network and information systems across the Union (referred to as the Network and Information Security Directive or NIS Directive) covers a wide range of sectors in society. The objective of the NIS Directive is to ensure the continuity of operations of entities that are essential for society and to enhance trust in digital services, thereby contributing to societal security. In the context of road transport, the requirements of the NIS Directive have been implemented in national regulations, applying obligations to providers of traffic control and management services, operators of intelligent transportation systems, and certain vehicle manufacturers.
The role of Traficom
The Finnish Transport and Communications Agency, plays a significant role in the field of cybersecurity in Finland. On a national level, Finland has established the Finnish Cyber Security Strategy Finnish Cyber Security Strategy 2019 (External link) (External link) and theCyber Security Development Program (External link) (External link) published in 2021, which address cybersecurity broadly across various sectors of society. The responsibilities for cybersecurity among government agencies in Finland are distributed across multiple authorities.
Traficom's Cyber Security Centre (External link) (External link) serves as the NCSC (National Cyber Security Center) and is responsible for activities such as CERT (Computer Emergency Response Team) operations. It works to prevent cybersecurity incidents, provides information and guidance on cybersecurity matters, and oversees the functioning of ISAC- (Information Sharing and Analysis Center, External link) (External link) information exchange groups.
Under the Act on Transport Services, Traficom has a general supervisory role and tasks related to ensuring compliance with the obligations set forth in the law and the provisions, regulations, and decisions issued based on it within the Finnish transport system. Nowadays, the role of an authority is expanding towards partnership and interaction, emphasizing continuous improvement. Traficom provides guidance and instructions on cybersecurity to organizations in the road transport sector.
In addition to its supervisory responsibilities, Traficom actively participates in EU-level and national legislative work, contributing to the development of cybersecurity regulations.