Cybersecurity · Finland
Cybersecurity law in Finland: NIS2 compliance (2026)
Finland shaded by its cybersecurity status
Cybersecurity in Finland: comprehensive law, anchored by Cybersecurity Act (Kyberturvallisuuslaki 124/2025), transposing EU NIS2 Directive; National Cyber Security Centre Finland (NCSC-FI) within the Finnish Transport and Communications Agency (Traficom) as coordinator and single point of contact.
Finland has a comprehensive, horizontal cybersecurity regime: the Cybersecurity Act 124/2025 implementing the EU NIS2 Directive entered into force on 8 April 2025, consolidating obligations previously dispersed across sector-specific laws into a single national statute. It imposes risk-management measures and staged incident-reporting duties on 'essential' and 'important' entities across critical sectors, coordinated by NCSC-FI under Traficom. Sectoral overlays (DORA for finance, GDPR for personal-data breaches) apply in parallel.
NIS2 & cybersecurity law in Finland
In Finland, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.
- Framework
- the NIS2 Directive (EU) 2022/2555, transposed into national law
- Approach
- cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
- Applies to
- medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
- Incident reporting
- an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
- Maximum fine
- up to €10 million or 2% of global annual turnover for essential entities
- Oversight
- the national competent authority and CSIRT designated under NIS2
NIS2 is a directive, so Finland implements it through national law; exact scope and deadlines can vary slightly by transposition.
NIS2 in Finland: FAQ
Yes. As an EU member, Finland has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.
Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.
An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.
Up to €10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.
Key points
The Cybersecurity Act (Kyberturvallisuuslaki 124/2025) transposing NIS2 was passed by Parliament and its obligations entered into force on 8 April 2025, after the EU transposition deadline of 17 October 2024. It is Finland's first horizontal national cybersecurity framework, replacing previously scattered sector-specific rules.
The Act covers a wide range of critical sectors (energy, transport, health, digital infrastructure, water, food, public administration, etc.), classifying organisations as 'essential entities' (välttämättömät toimijat) or 'important entities' (tärkeät toimijat) by size and turnover thresholds, with digital infrastructure providers covered regardless of size. Coverage expanded from roughly 1,100 entities under NIS1 to about 5,500.
Covered entities must report significant incidents in stages: an early warning within 24 hours of detection, a full incident notification within 72 hours, and a final report within one month (or, for ongoing incidents, within one month of resolution). This obligation has applied since 8 April 2025.
NCSC-FI (within Traficom) coordinates cooperation between supervisory authorities and acts as the NIS2 single point of contact. Sectoral supervision is split among Traficom, the Energy Authority, the Finnish Safety and Chemicals Agency (Tukes), the South Savo ELY Centre, the Finnish Food Authority (Ruokavirasto), Valvira and Fimea.
For financial entities, the EU Digital Operational Resilience Act (DORA) applies (in force since 17 January 2025), supervised by the Finnish Financial Supervisory Authority (FIN-FSA). DORA requires documented ICT risk-management frameworks and reporting of major ICT-related incidents; FIN-FSA has stated ICT-risk and cyber-threat management is a supervisory focus.
Separately from the Cybersecurity Act, personal-data breaches must be notified to the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) within 72 hours under the GDPR, with affected individuals informed where the breach poses a high risk. The Ombudsman is Finland's competent GDPR authority and can impose administrative fines.
Timeline - major decisions & events
Finland's first horizontal Cybersecurity Act took effect, consolidating NIS2 risk-management, incident-reporting and supervision obligations into a single statute and replacing the prior sector-by-sector model. NCSC-FI/Traficom serves as the central coordinating authority alongside sectoral supervisors.
Traficom ↗The Government adopted a long-horizon national cyber strategy reflecting the deteriorated security environment and NIS2 requirements, with an accompanying implementation plan assigning responsibilities and metrics. It sets Finland's strategic cyber direction into the 2030s.
Finnish Government (Valtioneuvosto) ↗Aleksanteri Kivimäki was convicted on roughly 9,600 counts of privacy violation and over 20,000 attempted extortions tied to the Vastaamo psychotherapy breach. The case, Finland's largest criminal investigation, drove public and political momentum for stronger data and cybersecurity protections.
Recorded Future News ↗The undersea gas pipeline and a parallel telecommunications cable linking Finland and Estonia were severed by 'external activity', later attributed to a ship's dragged anchor. The incident heightened Finnish concern over critical-infrastructure and subsea-cable security amid regional tensions.
Al Jazeera ↗The pro-Russian group NoName057(16) knocked the Finnish Parliament's website offline, citing Finland's NATO application. It underscored the wave of politically motivated DDoS targeting against Finnish public bodies.
Yle News ↗The websites of Finland's Ministry of Foreign Affairs and Ministry of Defence were knocked offline by a DDoS attack as President Zelensky addressed parliament, assessed as Russia-linked and tied to Finland's NATO trajectory. It marked a visible escalation of state-aligned cyber pressure.
CyberScoop ↗A breach at psychotherapy provider Vastaamo exposed roughly 33,000 patients' therapy records, followed by ransom demands against the company and tens of thousands of individual patients. The shock catalyzed reforms in health-data security and victim protection across Finland.
Digital Watch Observatory ↗The Government renewed the 2013 strategy with three guidelines, international cooperation, better coordination of cyber management/preparedness, and developing cyber competence. It modernized governance ahead of growing threats and EU obligations.
Security Committee (Turvallisuuskomitea) ↗Rather than enacting a standalone law, Finland implemented the EU NIS Directive by amending some twelve existing statutes (including the Act on Electronic Communications Services and transport acts), introducing security and incident-notification duties for operators of essential services and digital service providers.
NCSC-FI / Traficom ↗This consolidating statute (later the Act on Electronic Communications Services) merged ten communications laws and set core duties on information security, confidentiality of communications, and traffic/location data, a foundational pillar of Finland's electronic-communications cybersecurity regime.
Finlex (official statute database) ↗NCSC-FI was set up within the communications regulator (then FICORA, now Traficom) as the national CSIRT and situational-awareness hub for incident response and threat coordination. It remains the operational core of Finland's cyber framework.
Traficom ↗The Government adopted Finland's inaugural national Cyber Security Strategy, defining objectives for securing the cyber domain and laying the groundwork for NCSC-FI and subsequent implementation programmes. It established the structural basis of today's framework.
Finnish Ministry of Defence ↗Finland - other topics
Cybersecurity in other countries
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →