In this article, Jan Lindberg and Diana Esser (Lexing Finland) examine the legal framework governing cybersecurity in Finland.
1. Legal framework
Finland’s cybersecurity regulatory framework has been significantly updated following the implementation of the EU NIS2 Directive (Directive (EU) 2022/2555). The main national instrument is the Cybersecurity Act (Fin. Kyberturvallisuuslaki 124/2025), which entered into force on 8 April 2025. The Act establishes harmonised requirements for cybersecurity risk management, incident reporting and supervisory oversight for entities operating in sectors considered essential or important to society.
The Cybersecurity Act replaces earlier, more fragmented provisions adopted under the first NIS Directive (Directive 2016/1148, or NIS 1) and aligns Finland’s approach with the strengthened governance model introduced by NIS2. The legislation introduces clearer compliance duties for organisations and a coordinated supervisory structure while maintaining sector-specific regulatory oversight.
Finland’s cybersecurity regime operates alongside several other legal instruments that address information security and operational resilience in specific sectors.
Cybersecurity obligations affecting public authorities are largely implemented through the Act on Information Management in Public Administration (906/2019). This framework establishes governance requirements for information management and security within government bodies and was amended in connection with the NIS2 implementation process to align its provisions more closely with the obligations under the Cybersecurity Act. For the NIS2 “public administration” sector, the Act on Information Management in Public Administration functions as the primary national implementation instrument. However, the relationship between this Act and the Cybersecurity Act is not entirely clear-cut in practice. While the Information Management Act generally governs cybersecurity and information management obligations within public administration, certain public-sector entities may still fall within the scope of the Cybersecurity Act where they carry out activities within sectors covered by NIS2 or where specific provisions of the Cybersecurity Act extend to them. As a result, the boundary between the two regimes is not always straightforward, and public organisations should assess carefully whether obligations under the Cybersecurity Act apply in addition to those under the Information Management Act.
The Act on Electronic Communications Services (917/2014) contains sector-specific security requirements for telecommunications networks and electronic communications services. These provisions address network resilience, service continuity and the protection of communications infrastructure. The Act has been subject to amendment as part of Finland’s NIS2 implementation package, including changes linked to Cybersecurity Act processes such as notifications and central contact point mechanics for certain domain-related actors.
Where cybersecurity incidents involve personal data, organisations must also comply with the General Data Protection Regulation (‘GDPR’, Regulation (EU) 2016/679) and Finland’s Data Protection Act (Fin. Tietosuojalaki, 1050/2018). These frameworks introduce additional obligations concerning security of processing and data breach notification. In particular, GDPR Article 33 requires controllers to notify the data protection supervisory authority within 72 hours of becoming aware of a personal data breach, a deadline that runs in parallel with the Cybersecurity Act’s own structured incident reporting obligations. In practice, a single cybersecurity incident may therefore trigger simultaneous reporting obligations under both the cybersecurity and the data protection regimes, requiring organisations to coordinate their notification processes carefully. In addition, the Cybersecurity Act requires the sectoral supervisory authority, rather than the entity itself, to notify the Data Protection Ombudsman where the authority becomes aware that a failure to comply with Cybersecurity Act obligations may have led, or may lead, to a personal data breach notifiable under GDPR Article 33.
Finally, many financial sector entities fall primarily under the Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554), which became applicable across the EU on 17 January 2025. DORA establishes detailed requirements concerning ICT risk management, operational resilience testing and incident reporting for a wide range of financial entities listed in Article 2 of the Regulation, including credit institutions, investment firms, insurance undertakings, crypto-asset service providers and payment institutions. For these entities, DORA typically constitutes the primary regulatory framework governing ICT resilience in the financial sector. However, overlap may arise in certain cases, particularly for ICT service providers that are designated as critical ICT third-party providers under DORA or that simultaneously fall within sectors covered by NIS2. Organisations operating in these areas should therefore assess carefully whether obligations under both frameworks apply concurrently.
Together, these instruments create a layered cybersecurity framework combining EU regulations, national implementing legislation and sector-specific rules.
2. Scope and Supervisory Structure
Finland applies a sector-based supervisory model for cybersecurity regulation. Multiple competent authorities supervise compliance depending on the sector in which an organisation operates, reflecting the structure permitted by the NIS2 Directive.
National coordination is provided by the National Cyber Security Centre Finland (NCSC-FI), which operates within the Finnish Transport and Communications Agency (Traficom). NCSC-FI plays a central role in Finland’s cybersecurity governance architecture in two legally distinct capacities. Under §§ 18–19 of the Cybersecurity Act, the Cyber Security Centre of Traficom serves as the national single point of contact (SPOC) under Article 8(3) of the NIS2 Directive. In addition, a CSIRT unit responsible for responding to and investigating cybersecurity incidents operates within Traficom, with its activities organised separately from supervisory functions.
First, it functions as the national Computer Security Incident Response Team (CSIRT) within the meaning of Article 10 of the NIS2 Directive. In this capacity, entities do not submit incident notifications directly and simultaneously to both the CSIRT and the competent authority; rather, in Finland notifications are made to the relevant sectoral supervisory authority, which forwards them to the CSIRT immediately upon receipt, while the CSIRT provides incident-handling support and technical guidance.
Second, NCSC-FI serves as Finland’s designated single point of contact (SPOC) within the meaning of Article 8 of the NIS2 Directive, responsible for coordinating communication between Finnish supervisory authorities and European cybersecurity networks, including the NIS Cooperation Group and the CSIRT Network. These are legally distinct functions under the NIS2 framework, even though both are performed by NCSC-FI.
Sector-specific supervisory authorities exercise primary supervisory responsibility for entities within their respective sectors. The principal competent authorities under Article 26 of the Finnish Cybersecurity Act include:
- Finnish Transport and Communications Agency (Traficom): digital infrastructure, DNS services, TLD registries, telecommunications operators, postal services and space sector entities;
- The Finnish Safety and Chemicals Agency (Tukes): entities operating in sectors falling within the agency’s regulatory remit, including certain industrial and technical sectors subject to safety and chemicals regulation;
- The Centre for Economic Development, Transport and the Environment of South Savo (Etelä-Savon ELY-keskus): entities within sectors assigned to the ELY Centres under the Cybersecurity Act, including certain transport and regional infrastructure-related activities;
- Finnish Energy Authority (Energiavirasto): energy sector entities, including electricity and gas operators;
- Finnish Medicines Agency (Fimea): pharmaceutical sector entities;
- National Supervisory Authority for Welfare and Health (Valvira): health and social care entities;
- The Finnish Food Authority (Ruokavirasto): food production and distribution entities;
- Financial Supervisory Authority (Finanssivalvonta, FIN-FSA): financial market participants and other entities supervised under Finnish financial services legislation and relevant cybersecurity obligations.
Each authority supervises entities operating within its sector as defined in the annexes to the Cybersecurity Act.
In practice, organisations interact primarily with their sector-specific supervisory authority for ongoing compliance oversight and incident reporting, while incident-handling support and operational assistance are centralised in the national CSIRT. Where organisations operate across multiple regulated sectors, they may be subject to oversight by more than one authority.
3. Core Compliance Obligations
The Cybersecurity Act establishes several key obligations for organisations falling within the scope of the NIS2 framework. These obligations focus on governance, cybersecurity risk management and structured incident reporting.
Entity Identification and Registration
A first compliance step for organisations is determining whether they qualify as an essential entity or an important entity under the NIS2 classification system set out in Article 3 of the Directive. The classification depends on a combination of factors, including the sector in which the entity operates, its size (with large enterprises generally qualifying as essential entities and medium-sized enterprises as important entities) and, in some cases, specific criticality criteria regardless of size. Entities falling within scope are expected to register with their relevant supervisory authority.
Where organisations operate across multiple regulated sectors, oversight and registration may involve engagement with more than one authority.
Cybersecurity Risk Management
Covered entities must implement appropriate technical and organisational measures to manage cybersecurity risks affecting their network and information systems. The legislation adopts a risk-based approach but expects organisations to implement comprehensive governance and operational safeguards consistent with Article 21(2) of the NIS2 Directive. Required measures include:
- cybersecurity governance and management accountability;
- risk assessment and internal security policies;
- incident detection and response capabilities;
- business continuity, backup management and crisis management measures;
- vulnerability management and patching processes;
- supply-chain and third-party risk management;
- human resources security, access control policies and security training;
- the use of cryptography and encryption where appropriate;
- multi-factor authentication (MFA) and secure communications practices; and
- measures ensuring resilience and continuity of critical services.
A central feature of the NIS2 framework is the emphasis on management responsibility. Senior management must actively oversee cybersecurity risk management and bear accountability for ensuring that appropriate organisational controls are implemented. This governance responsibility is primarily established in Article 20 of the NIS2 Directive, which requires management bodies to approve and oversee cybersecurity risk-management measures and allows them to be held accountable for non-compliance.
In addition, Article 32(6) of the NIS2 Directive provides that Member States must ensure that natural persons responsible for or acting as legal representatives of an essential entity can be held liable for breaches of their duties to ensure compliance with the Directive. By virtue of Article 33(5) of NIS2, this provision applies mutatis mutandis to important entities as well. For instance, the Cybersecurity Act makes the operator’s “management” responsible for implementing and overseeing cybersecurity risk management (including approval of the risk-management operating model) and defines “management” broadly to include the board, supervisory board, CEO or equivalent. In addition, it implements the NIS2-style “management function restriction” mechanism by empowering the supervisory authority to prohibit, temporarily, a person from performing key management roles at a key entity where the person has repeatedly and seriously breached the management responsibilities imposed by the Act.
Incident Reporting Obligations
A key operational requirement under the Cybersecurity Act is the structured incident reporting regime applicable to significant cybersecurity incidents. Whether an incident is significant is determined by reference to criteria including the degree of service disruption caused, the number of users affected, the financial impact, and the duration and geographic spread of the incident, as set out in Article 23(3) of the NIS2 Directive. More precisely, NIS2 Article 23(3) defines a significant incident by reference to severe operational disruption or financial loss for the entity and/or considerable material or non-material damage to other persons, and the Cybersecurity Act mirrors that approach while also anticipating further specification through Commission implementing acts.
Organisations must report significant cybersecurity incidents through a three-stage notification process:
- Early warning within 24 hours after becoming aware of a significant incident, indicating whether the incident is suspected to be caused by unlawful or malicious acts and whether it may have cross-border impact.
- Incident notification within 72 hours, providing further details regarding the incident, its nature, severity and impact, as well as indicators of compromise where available.
- Final report within one month of the 72-hour notification or, for ongoing incidents, a final report within one month after handling of the incident has concluded, outlining a detailed description of the incident, its severity and impacts, an assessment of the type of threat or root cause most likely causing the incident, a description of measures implemented and ongoing to mitigate the effects, and an assessment of any cross-border impacts.
Under the Cybersecurity Act, these notifications are submitted to the relevant sectoral supervisory authority, which then forwards them to the CSIRT. Organisations that are also subject to the GDPR must bear in mind that a personal data breach arising from the same incident will separately trigger the 72-hour notification deadline under GDPR Article 33, and both sets of obligations must be managed in parallel.
Voluntary Reporting
Finland also encourages voluntary reporting of cybersecurity incidents to the sectoral supervisory authority, as part of its broader approach to strengthening national cyber situational awareness. Under the Cybersecurity Act, this voluntary reporting mechanism expressly covers not only cybersecurity incidents but also cyber threats and near-miss situations, enabling authorities to build a more comprehensive understanding of the evolving cyber threat landscape.
The voluntary reporting framework is designed to promote cooperation between organisations and authorities and includes safeguards intended to encourage good-faith reporting. In particular, the Cybersecurity Act limits the onward use of voluntarily provided information: unless the reporting organisation consents, information disclosed voluntarily may not be forwarded for criminal investigation or used as a basis for administrative decision-making against the reporting entity.
4. Enforcement and Sanctions
The Cybersecurity Act provides supervisory authorities with a range of investigative and enforcement powers.
Supervisory Powers
The nature of supervisory oversight differs depending on entity classification. Essential entities are subject to ex ante supervision, meaning proactive oversight including regular audits, inspections and targeted security reviews without the need for a prior indication of non-compliance. Important entities are subject primarily to ex post supervision, meaning that supervisory intervention is generally triggered by evidence of non-compliance or following an incident.
Authorities may conduct supervisory reviews, request information and documentation, and require organisations to remedy identified compliance deficiencies. Where necessary, authorities may also impose administrative sanctions.
Administrative Fines
Administrative fines are available for serious violations of cybersecurity obligations and are calibrated to the entity’s classification:
- For essential entities: a maximum administrative fine of at least €10,000,000, or 2% of the entity’s total worldwide annual turnover in the preceding financial year, whichever is higher.
- For important entities: a maximum administrative fine of at least €7,000,000, or 1.4% of the entity’s total worldwide annual turnover in the preceding financial year, whichever is higher.
These thresholds reflect the mandatory minimum fine maxima established by Articles 34 and 35 of the NIS2 Directive. In Finland, administrative fines are imposed by a specialised administrative body, namely the Seuraamusmaksulautakunta operating at Traficom, which decides on a proposal made by the supervisory authority.
Management Liability
In addition to fines imposed on entities, NIS2 Article 32(5) and (6) require Member States to ensure that competent authorities have the power to request temporary prohibitions on natural persons from exercising management functions at essential entities where earlier enforcement measures have proven ineffective and serious or persistent non-compliance continues, and to hold management personally liable for breaches of their duties to ensure compliance with the Directive. Pursuant to Article 33(5), the liability rule in Article 32(6) also applies mutatis mutandis to important entities. The Cybersecurity Act implements this through a management-function restriction applicable to key entities for up to five years, subject to prior warning and an opportunity to remedy the deficiencies. Organisations should ensure that senior management is aware of the potential for individual exposure.
Sector-Specific Enforcement
Because the Finnish system relies on sector-specific supervision, enforcement practice and regulatory guidance may develop differently across industries. Organisations should therefore monitor instructions issued by their competent authority and maintain active regulatory engagement.
5. Upcoming EU Developments
Several EU cybersecurity initiatives adopted in recent years will further expand the regulatory landscape for organisations operating in Finland.
Cyber Resilience Act
The Cyber Resilience Act (CRA) (Regulation (EU) 2024/2847) introduces mandatory cybersecurity requirements for products with digital elements placed on the EU market. The Regulation entered into force on 10 December 2024.
Under the CRA framework:
- Vulnerability reporting obligations apply from 11 September 2026; and
- The main cybersecurity compliance obligations apply from 11 December 2027.
The Regulation will require manufacturers, importers and distributors of connected products to implement secure development practices, maintain vulnerability management procedures and ensure security updates throughout product lifecycles.
Cyber Solidarity Act
The Cyber Solidarity Act (Regulation (EU) 2025/38) strengthens the EU’s collective capacity to detect and respond to large-scale cyber incidents. The Regulation introduces three principal mechanisms: (i) a European Cybersecurity Alert System composed of National and Cross-Border Cyber Hubs; (ii) a Cybersecurity Emergency Mechanism providing operational support to Member States facing significant or large-scale incidents; and (iii) a Cyber Incident Review Mechanism for evaluating incident response.
While much of the operational infrastructure functions at EU level, the Regulation will influence national preparedness frameworks and cross-border incident coordination involving Finnish authorities. Finnish organisations should be aware that, in the event of a large-scale incident, the Regulation may facilitate coordinated EU-level response actions affecting their operations.
EU Cybersecurity Certification Developments
The EU Cybersecurity Act (Regulation (EU) 2019/881) established the EU cybersecurity certification framework. Proposals have been advanced to extend this framework to cover managed security services, which would impose harmonised assurance and certification requirements on providers of services such as penetration testing, security monitoring and incident response. As of early 2026, the relevant implementing measures extending the framework to managed security services have not yet been formally adopted. Organisations and service providers should monitor the legislative process closely, as adoption of such schemes may over time influence procurement requirements and assurance expectations within the EU market.
Digital Omnibus Proposal
On 19 November 2025, the European Commission presented the Digital Omnibus package and expressly described a “single-entry point” for cybersecurity incident reporting across multiple legal acts. Among other measures, the proposal seeks to streamline cybersecurity incident reporting obligations across regimes such as NIS2, DORA and GDPR, potentially through the introduction of a single EU reporting entry point that would enable organisations to discharge multiple reporting obligations through a single notification. According to the European Commission, this concept would not change the existing substantive reporting obligations or the authorities designated as recipients of such reports, but rather it is intended as a procedural routing or interface mechanism. The initiative is particularly relevant for financial sector entities currently subject to incident reporting obligations under both DORA and NIS2.
The initiative focuses primarily on procedural simplification and does not modify the substantive cybersecurity obligations under the NIS2 Directive or Finland’s Cybersecurity Act (124/2025). As of early 2026, the proposal remains under legislative consideration at EU level, and its final form and timeline for adoption remain subject to the ordinary legislative procedure.
This snapshot reflects the regulatory position as of March 2026 and is intended for general informational purposes. It does not constitute legal advice. Organisations should seek specific legal counsel regarding their individual compliance obligations.