
Cybersecurity · Finland


Comprehensive law: Cybersecurity Act (Kyberturvallisuuslaki 124/2025), transposing the EU NIS2 Directive; National Cyber Security Centre Finland (NCSC-FI) within the Finnish Transport and Communications Agency (Traficom) as coordinator and single point of contact

Finland has a comprehensive, horizontal cybersecurity regime: the Cybersecurity Act 124/2025 implementing the EU NIS2 Directive entered into force on 8 April 2025, consolidating obligations previously dispersed across sector-specific laws into a single national statute. It imposes risk-management measures and staged incident-reporting duties on 'essential' and 'important' entities across critical sectors, coordinated by NCSC-FI under Traficom. Sectoral overlays (DORA for finance, GDPR for personal-data breaches) apply in parallel.

Comprehensive NIS2 law in force

The Cybersecurity Act (Kyberturvallisuuslaki 124/2025) transposing NIS2 was passed by Parliament and its obligations entered into force on 8 April 2025, after the EU transposition deadline of 17 October 2024. It is Finland's first horizontal national cybersecurity framework, replacing previously scattered sector-specific rules.

Expanded scope and entity classes

The Act covers a wide range of critical sectors (energy, transport, health, digital infrastructure, water, food, public administration, etc.), classifying organisations as 'essential entities' (välttämättömät toimijat) or 'important entities' (tärkeät toimijat) by size and turnover thresholds, with digital infrastructure providers covered regardless of size. Coverage expanded from roughly 1,100 entities under NIS1 to about 5,500.

Staged incident-reporting duties

Covered entities must report significant incidents in stages: an early warning within 24 hours of detection, a full incident notification within 72 hours, and a final report within one month (or, for ongoing incidents, within one month of resolution). This obligation has applied since 8 April 2025.

Coordinator and sectoral supervisors

NCSC-FI (within Traficom) coordinates cooperation between supervisory authorities and acts as the NIS2 single point of contact. Sectoral supervision is split among Traficom, the Energy Authority, the Finnish Safety and Chemicals Agency (Tukes), the South Savo ELY Centre, the Finnish Food Authority (Ruokavirasto), Valvira and Fimea.

Financial sector under DORA

For financial entities, the EU Digital Operational Resilience Act (DORA) applies (in force since 17 January 2025), supervised by the Finnish Financial Supervisory Authority (FIN-FSA). DORA requires documented ICT risk-management frameworks and reporting of major ICT-related incidents; FIN-FSA has stated ICT-risk and cyber-threat management is a supervisory focus.

Personal-data breach notification (GDPR)

Separately from the Cybersecurity Act, personal-data breaches must be notified to the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) within 72 hours under the GDPR, with affected individuals informed where the breach poses a high risk. The Ombudsman is Finland's competent GDPR authority and can impose administrative fines.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.