The recent government report on internal security describes the operating environment of internal security and defines the priorities and objectives of internal security policy for the coming years. This article examines the potential impact of the policy approach on Finnish industries, especially from the perspective of digital society. Although they are key topics in the context of the internal-external security nexus, protecting the civilian population in major disruptions and emergencies and protecting society from hostile information influence are not discussed here.
Internal Security in a changing operating environment
The policy outline recognizes, but understates, that the nation’s economic prosperity has an important and multifaceted impact on internal security. Finland depends on foreign trade and exports. Equally important, our democratic governance and welfare-state model rely on economic prosperity. Crime, social instability, political dissatisfaction, and insecurity rise sharply when economic prosperity stumbles. A similarly narrow view is taken of technological transformation, suggesting that technological solutions often arise from cooperation between authorities. Conversely, most technological development is borne by companies, and public-private partnerships produce effective solutions to challenges identified by authorities.
Priorities and objectives: Countering espionage and organized crime
The policy outline notes that cybercrime, particularly property and fraud offenses, has grown significantly and is evolving rapidly. But the scale and societal impact of the phenomenon are underscored by recent findings: according to the 2025 Digital Security Barometer (DVV), about 60% of citizens are concerned about cyberattacks and digital fraud, and nearly 40% report declining trust in digital security. Similarly, a survey by Elisa Corporation, the biggest telecommunications company, found that over 90% of Finnish large enterprises believe cybersecurity threats have increased in recent years. The scale of serious cybersecurity incidents processed by authorities in Finland underscores the daily impact on society. Despite these observations, the policy outline lacks proposals to address such a clear and significant challenge.
Instead, it reiterates previously examined needs for broader criminal intelligence powers [1]. From the industries’ perspective, expanding criminal intelligence powers based on “internal security threats” would again undermine the very values that internal security is created for. If “internal security purposes” were used as an independent basis for exercising intelligence powers, internal security threats would need to be defined precisely and narrowly. For example, a broad definition of cybercrime covers a range of offenses from fraud to espionage, with severity varying from minor victim-based crimes to aggravated offenses. Legally, these acts differ greatly in culpability and cannot be treated as equivalent grounds for coercive powers. Moreover, a significant portion of Finns fall victim to some form of cybercrime (e.g., scams, malware, phishing) every year, a phenomenon so widespread that society no longer fully recognizes its scope.
In contrast, success lies in enforcing criminal liability through enhanced pre-trial investigation and prosecution measures, including international, especially European, cooperation. Internal security and economic security are closely linked in countering industrial espionage and related economic crimes, which together erode domestic industry. Acts of vandalism, sabotage and general danger crimes harm industrial operations and profitability, causing direct damage and indirectly increasing public anxiety and reducing willingness to consume and invest. Conversely, terrorism cannot dismantle Finland’s constitutional order or significantly weaken companies’ competitiveness or delivery reliability. Yet substantial and growing resources have been allocated to responding to terrorist threats, particularly to the state intelligence service, raising questions about the prioritization of societal benefits. Such a policy remains inadequate regarding the protection of corporate assets, economic conditions for business, and security of supply.
Protecting critical infrastructure
The policy outline suggests that in serious cybersecurity incidents, competent authorities lead case management within their mandates. In Finland, nearly all critical infrastructure is connected to digital systems. De facto, responsibility for cybersecurity lies primarily with companies and communities, as they form most of society’s infrastructure and economic structure and possess the legal, administrative, and technological capabilities to implement measures. Companies and communities identify anomalies in their ICT systems, investigate causes and impacts, eliminate adverse effects, and recover from incidents. Cybersecurity is thus a daily commodity maintained by data holders where information systems reside. The reliability of systems managed by these entities not only ensures their own operations but also affects external parties, thus providing collective resilience.
Finnish Information Security Cluster (FISC), Technology Industries of Finland
Finland

