Cybersecurity regulation in Finland (2026)
Finland has a comprehensive, horizontal cybersecurity regime: the Cybersecurity Act 124/2025 implementing the EU NIS2 Directive entered into force on 8 April 2025, consolidating obligations previously dispersed across sector-specific laws into a single national statute. It imposes risk-management measures and staged incident-reporting duties on 'essential' and 'important' entities across critical sectors, coordinated by NCSC-FI under Traficom. Sectoral overlays (DORA for finance, GDPR for personal-data breaches) apply in parallel.
Key points
The Cybersecurity Act (Kyberturvallisuuslaki 124/2025) transposing NIS2 was passed by Parliament and its obligations entered into force on 8 April 2025, after the EU transposition deadline of 17 October 2024. It is Finland's first horizontal national cybersecurity framework, replacing previously scattered sector-specific rules.
The Act covers a wide range of critical sectors (energy, transport, health, digital infrastructure, water, food, public administration, etc.), classifying organisations as 'essential entities' (välttämättömät toimijat) or 'important entities' (tärkeät toimijat) by size and turnover thresholds, with digital infrastructure providers covered regardless of size. Coverage expanded from roughly 1,100 entities under NIS1 to about 5,500.
Covered entities must report significant incidents in stages: an early warning within 24 hours of detection, a full incident notification within 72 hours, and a final report within one month (or, for ongoing incidents, within one month of resolution). This obligation has applied since 8 April 2025.
NCSC-FI (within Traficom) coordinates cooperation between supervisory authorities and acts as the NIS2 single point of contact. Sectoral supervision is split among Traficom, the Energy Authority, the Finnish Safety and Chemicals Agency (Tukes), the South Savo ELY Centre, the Finnish Food Authority (Ruokavirasto), Valvira and Fimea.
For financial entities, the EU Digital Operational Resilience Act (DORA) applies (in force since 17 January 2025), supervised by the Finnish Financial Supervisory Authority (FIN-FSA). DORA requires documented ICT risk-management frameworks and reporting of major ICT-related incidents; FIN-FSA has stated ICT-risk and cyber-threat management is a supervisory focus.
Separately from the Cybersecurity Act, personal-data breaches must be notified to the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) within 72 hours under the GDPR, with affected individuals informed where the breach poses a high risk. The Ombudsman is Finland's competent GDPR authority and can impose administrative fines.
Timeline - major decisions & events
Finland's first horizontal Cybersecurity Act took effect, consolidating NIS2 risk-management, incident-reporting and supervision obligations into a single statute and replacing the prior sector-by-sector model. NCSC-FI/Traficom serves as the central coordinating authority alongside sectoral supervisors. (Source: Traficom)
The Government adopted a long-horizon national cyber strategy reflecting the deteriorated security environment and NIS2 requirements, with an accompanying implementation plan assigning responsibilities and metrics. It sets Finland's strategic cyber direction into the 2030s. (Source: Finnish Government (Valtioneuvosto))
Aleksanteri Kivimäki was convicted on roughly 9,600 counts of privacy violation and over 20,000 attempted extortions tied to the Vastaamo psychotherapy breach. The case — Finland's largest criminal investigation — drove public and political momentum for stronger data and cybersecurity protections. (Source: Recorded Future News)
The undersea gas pipeline and a parallel telecommunications cable linking Finland and Estonia were severed by 'external activity', later attributed to a ship's dragged anchor. The incident heightened Finnish concern over critical-infrastructure and subsea-cable security amid regional tensions. (Source: Al Jazeera)
The pro-Russian group NoName057(16) knocked the Finnish Parliament's website offline, citing Finland's NATO application. It underscored the wave of politically motivated DDoS targeting against Finnish public bodies. (Source: Yle News)
The websites of Finland's Ministry of Foreign Affairs and Ministry of Defence were knocked offline by a DDoS attack as President Zelensky addressed parliament, assessed as Russia-linked and tied to Finland's NATO trajectory. It marked a visible escalation of state-aligned cyber pressure. (Source: CyberScoop)
A breach at psychotherapy provider Vastaamo exposed roughly 33,000 patients' therapy records, followed by ransom demands against the company and tens of thousands of individual patients. The shock catalyzed reforms in health-data security and victim protection across Finland. (Source: Digital Watch Observatory)
The Government renewed the 2013 strategy with three guidelines — international cooperation, better coordination of cyber management/preparedness, and developing cyber competence. It modernized governance ahead of growing threats and EU obligations. (Source: Security Committee (Turvallisuuskomitea))
Rather than enacting a standalone law, Finland implemented the EU NIS Directive by amending some twelve existing statutes (including the Act on Electronic Communications Services and transport acts), introducing security and incident-notification duties for operators of essential services and digital service providers. (Source: NCSC-FI / Traficom)
This consolidating statute (later the Act on Electronic Communications Services) merged ten communications laws and set core duties on information security, confidentiality of communications, and traffic/location data — a foundational pillar of Finland's electronic-communications cybersecurity regime. (Source: Finlex (official statute database))
NCSC-FI was set up within the communications regulator (then FICORA, now Traficom) as the national CSIRT and situational-awareness hub for incident response and threat coordination. It remains the operational core of Finland's cyber framework. (Source: Traficom)
The Government adopted Finland's inaugural national Cyber Security Strategy, defining objectives for securing the cyber domain and laying the groundwork for NCSC-FI and subsequent implementation programmes. It established the structural basis of today's framework. (Source: Finnish Ministry of Defence)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.