Recent survey: cyber security development measures are inadequate in relation to the changing security environment

The cyber survey of Finnish sectors launched in spring 2025 has been completed. The newly published report shows that there has only been minor development in the national cyber maturity level since 2022. Meanwhile, technological transformation is progressing and the security environment is changing much faster than the ability of organisations to evolve and invest in cyber security. The key difference between the companies that scored a higher average and the companies with a lower average is the management’s commitment to developing cyber security.

The business activities of companies currently rely on functional information network connections, information systems and data. Therefore, in order to ensure security of supply, it is important that companies that maintain important functions in society are adequately prepared for cyber threats. Cyber Survey of Finnish Sectors 2025 assesses the level of preparedness for cyber threats among companies critical to security of supply and proposes development measures for raising this level. The survey was previously carried out in 2022.

According to the 2025 survey, the average cyber maturity level of companies is 3.09 (on a scale of 1 to 5). Many sectors exceed the average (3), which indicates a moderate level of cyber security, but there are also sectors critical to the functioning of society that fall below it. Sectors with strict cyber security regulations, such as the financial, telecommunications and ICT sectors, rank at the top in this comparison of sectors. At the bottom end of the comparison are sectors such as food supply, ports, shipyards and operators, as well as transport and logistics, where digitalisation has traditionally progressed more slowly. There is also great variation in the responses of almost every sector.

Technological transformation and the development of cyber threats are progressing faster than preparedness

Compared to the results from 2022, the cyber maturity level of sectors has largely remained unchanged. The survey finds that the areas that should be developed in order to improve cyber security are the same as those identified in the survey carried out three years ago. Companies are also still struggling with the same subject matters, such as resources and the lack of cyber security competence.

In other words, there is no indication of any significant development having taken place, even though Finland’s security environment has been constantly changing over the last few years. Therefore, it appears that the new kinds of cyber threats brought by technological transformation and the changes in the global security environment are developing faster than the preparedness of companies for cyber threats.

“The world is changing, and the development measures in relation to the changing security environment are inadequate. If the development of cyber security does not take leaps forward, there is a clear risk that we will actually go backwards,” describes Programme Director of the NESA’s Digital Security 2030 programme Juha Ilkka.

Management’s commitment is key

According to the survey, the most significant difference between the companies with a higher maturity level and the companies with a lower maturity level is the management’s commitment to developing cyber security. For example, the top ranking companies have adopted cyber security management models and evaluated their effectiveness. In contrast, among the companies with a lower cyber maturity level, the management of cyber threats is more of a support function that is not tied to business management closely enough.

However, according to the interviews conducted as part of the survey, company executives are becoming more interested in cyber security, and the management of cyber security is becoming more systematic. Even so, this is not yet reflected in the cyber maturity levels indicated by the survey. Moreover, the survey does not yet reflect the impacts of the NIS2 Directive aimed at improving cyber security, which entered into force in April 2025.

The survey was commissioned by the Digital Pool of the National Emergency Supply Organisation and carried out by Accenture. The survey was funded by the Digital Security 2030 programme of the National Emergency Supply Agency.

Read the full report by clicking this link (in Finnish)