Finnish government launches information security voucher scheme

Finland has launched a voucher-based scheme to help companies embrace best practice systems to reinforce their IT network and information security defences.

The Information Security Voucher (ISV) scheme was rolled out on 12 December by the Ministry of Transport and Communications (MTC) in collaboration with the National Cyber Security Centre (NCSC).

The scheme offers fixed-term support that can be used by enterprises, in particular small to-medium-sized enterprises (SMEs), to upgrade their IT networks and information security capabilities using capital investments to boost in-house expertise. Specifically, the scheme aims to financially support efforts by SMEs to enhance both cyber security preparedness and capabilities to protect IT networks and systems against hybrid and other cyber threats.

“Ensuring that enterprises have access to a high standard of cyber security plays an important role in improving overall security in society,” said Timo Harakkaa, Finland’s transport and communications minister. “The voucher system is a new and significant tool for businesses of all sizes. We view this initiative as Finland leading by example for other European Union member states to follow.”

The ISV scheme is intended to raise the general standard of cyber security preparedness among SMEs in sectors identified as being “critical” to the functioning of Finnish society. At its core, the scheme aims to help SMEs build in-house network security capabilities to offer better protection against hybrid threats.

MTC’s fixed-term ISV support scheme offers two categories of voucher. The first offers a voucher worth €15,000, and the second category is intended for larger enterprises and carries a maximum value of €100,000.

The Category A ISV, worth €15,000, is tailored for SMEs and can be applied to a wide range of funding uses, including the auditing and evaluation of information systems, the in-house training of personnel and competence development. It is open to enterprises with up to 250 employees, an annual turnover of €50m, or a balance sheet total of up to €43m.

The Category B ISV is targeted at medium to large enterprises that have reached a more advanced stage in cyber defence. The €100,000 ISV is designed to bolster IT network and information security capabilities while also enabling companies to fund threat modelling and testing cyber attack prevention tools and methods.

Based on the MTC’s ISV operating model, Finnish companies can use a voucher to cover up to 70% of the total capital cost of information security projects. The operating model requires companies to meet the other 30% of the project’s capital cost. The total funding cost of the ISV scheme has been written into the MTC’s budget for 2022-2023.

The MTC is adopting strict criteria in its approach to issuing ISVs, especially in respect of regulating companies that can apply for the vouchers. The scheme is restricted to enterprises that are considered “critical to the functioning of society” and that operate in sectors including IT, food and energy supply, financial services, defence materials, chemicals, water and waste management, logistics, news media, forestry, the construction industry and healthcare.

Competence-based cyber defence offers the best long-term solution to protect Finnish enterprises from cyber threats, said Sauli Pahlman, the NCSC’s deputy director-general.

The NCSC, which operates under the direction of the Finnish Transport and Communications Agency (Traficom), estimates that more than 10,000 denial-of-service (DoS) attacks were made against the websites and online services of organisations in Finland in 2021.

DoS attacks, and blocking efforts, are a growing threat and a daily challenge for businesses in Finland, said Pahlman.