Lov&Data

4/2025: Articles
11/12/2025

Implementing the NIS 2 Directive in Finland: The New Cybersecurity Act

Av Veikko Vauhkonen, Senior Officer for Legal Affairs at the Ministry of Transport and Communications of Finland.

This article continues the series of articles on the NIS2 directive and its implementation in the Nordic countries. Previous article from Sweden:

On April 8th 2025, Finland’s new Cybersecurity Act (124/2025) entered into force, implementing the NIS 2 Directive in Finland. This marks a milestone, as it is the first act in Finland to impose horizontal cybersecurity-related obligations for essential and important entities.

Illustration: Colourbox.com

At the same time, several provisions implementing the NIS 2 Directive's predecessor, the NIS Directive, were revoked in the relevant sectoral acts, as they had become unnecessary and duplicative after adoption of the new Cybersecurity Act. The new Act has been in force for roughly six months, and both entities and supervisory authorities are gathering experience in applying it.

The Cybersecurity Act concentrates the provisions regarding NIS 2 obligations in Finland. It covers essential and important entities in all sectors within the scope of the Directive except banking, financial market infrastructure and public administration. For the banking and financial market infrastructure sectors, the DORA Regulation (EU) 2022/2554 applies instead of the Cybersecurity Act. For public administration entities, the NIS 2 obligations are incorporated into the Act on Information Management in Public Administration (906/2019). That act regulates the cybersecurity-related aspects of public administration information management in Finland. The NIS 2 obligations were added as a new Chapter 4 a of that Act and are similar to those in the Cybersecurity Act.

The Finnish implementation mainly follows the NIS 2 Directive's level of minimum harmonization. This has been justified particularly from the perspective of operators engaged in cross-border activities. For those entities, following the level of minimum harmonization makes it easier to align obligations or requirements with those in other Member States, and vice versa should it become necessary.

Scope and definition of an “entity”

The obligations of the Cybersecurity Act apply to an "entity". In accordance with the NIS 2 Directive, an entity may be any legal or natural person who engages in an activity referred to in the annex of the Act. In addition, it is required that the entity is larger than a medium-sized enterprise, or that an exception applies which brings the operator within the scope of the Act regardless of its size. Such an exception applies, for example, to certain digital infrastructure entities. Small and micro-sized operators, however, are generally excluded from the scope of the Act.

Furthermore, the Cybersecurity Act will apply to all “critical entities” defined as such in the future in accordance with the CER Directive. The Cybersecurity Act will apply to all critical entities regardless of the sector of their activities or their size. The CER Directive requires critical entities to be defined for the first time by July 2026.

Due to its broad scope, the Cybersecurity Act affects a great number of Finnish companies both directly and indirectly. A significant proportion of medium-sized and larger companies fall directly within the scope of the Cybersecurity Act. For companies that the Act does not directly cover, it may still have indirect effects where a company is part of the supply chain of an essential or important entity. In those cases, the risk management measures of a NIS 2 entity are likely to have indirect effects on the companies that supply it (or, in some situations, even on its customers).

Obligations for entities

Risk management

The Cybersecurity Act requires entities to identify, assess and manage the risks posed to the security of the networks and information systems used for their operations or for the provision of their services. In general, the provisions on risk management closely follow Article 21 of the NIS 2 Directive. The Cybersecurity Act obliges entities to prepare and maintain an up-to-date cybersecurity risk management model. Through this model, entities must identify and evaluate the risks affecting their networks and information systems and their physical environment, applying an all-hazards approach. Entities must also define, describe and implement appropriate and proportionate risk management measures. The risk management model must be prepared within three months from the date on which the Act becomes applicable to the entity.

The Cybersecurity Act requires entities to implement proportionate technical, operational or organizational safeguards in accordance with the cybersecurity risk management model, in order to manage risks to the security of communications networks and information systems and to prevent or minimize adverse effects. As regards risk management measures, entities must take into account at least the list of items in Article 21(2) of the NIS 2 Directive. The Cybersecurity Act also states the purpose of risk management: to protect networks and information systems, as well as their physical environment, from incidents and their impacts. In addition, sectoral competent authorities may require that sector-specific items are included as well.

Incident notifications

Entities are obliged to report any significant incident in accordance with Article 23 of the NIS 2 Directive. In practice, incident reports are submitted via an online portal maintained by NCSC-FI. The reports are made to the competent authority, which forwards them to the CSIRT unit. The CSIRT unit may provide technical guidance or support to the entity upon request.

Incident reporting consists of three stages. An early warning must be submitted within 24 hours of becoming aware of the significant incident. An incident notification must be submitted within 72 hours of becoming aware of the significant incident. Both may be submitted at once if this is possible within 24 hours. A final report must be submitted within one month after the submission of the incident notification. Where that is not possible, or upon the competent authority's request, the entity must also submit an intermediate report.

The threshold for a "significant incident" follows the threshold set in the NIS 2 Directive. There is no obligation for entities to report events other than significant incidents. Entities may voluntarily report other incidents or events, and competent authorities will process all notifications. If an incident for which an early warning was submitted turns out not to be a significant incident, the entity is not obliged to submit an incident notification or a final report.

Registry of entities

Entities must also submit their contact information to the competent authorities and keep it up to date. Competent authorities keep a list of the NIS 2 entities within their respective sectors, the "registry of entities". Entities must provide their information to the competent authority and the registry for the first time within one month after the Act becomes applicable to them.

The Cybersecurity Act and other legislation

The Cybersecurity Act is a general act with respect to the obligations it imposes. It sets a minimum level for risk management measures and incident notification obligations. Following a logic similar to that of the NIS 2 Directive, the Cybersecurity Act does not prevent sector-specific obligations concerning cybersecurity risk management or incident notification from being applied to entities. Where such sectoral obligations exist and are at least equivalent in effect to the obligations laid down in the Cybersecurity Act, they apply instead of the Cybersecurity Act.

The Cybersecurity Act also recognizes the Commission's power to adopt implementing acts on cybersecurity risk management measures and on the threshold for significant incidents under Articles 21 and 23 of the NIS 2 Directive. Where the Commission has adopted such implementing acts, they apply as such to the entities within their scope, together with and complementing the provisions of the Cybersecurity Act. Therefore, Commission Implementing Regulation (EU) 2024/2690, which concerns certain digital infrastructure entities, applies as such to entities within its scope, with priority over the Cybersecurity Act.

Jurisdiction and territoriality

The Cybersecurity Act applies to entities that are established in Finland. As regards jurisdiction, the Act therefore follows the provisions of Article 26 of the NIS 2 Directive. The Cybersecurity Act does not apply to entities established in other EU Member States even if they offer goods or services in Finland. An exception applies to providers of public electronic communications networks and providers of publicly available electronic communications services: those entities are also subject to the Finnish Cybersecurity Act on the basis that they provide services in Finland.

Competent authorities and supervision

Supervision of the Cybersecurity Act is decentralized to sector-specific competent authorities. The competent authorities responsible for supervision are the Finnish Transport and Communications Agency (Traficom), the Finnish Energy Authority, the Finnish Safety and Chemicals Agency (Tukes), the National Supervisory Authority for Welfare and Health (Valvira; after 1.1.2026 the Finnish Supervisory Agency), one regional ELY Centre (after 1.1.2026 the Economic Development Centre), the Finnish Food Authority and the Finnish Medicines Agency (Fimea). Additionally, the Financial Supervisory Authority (FIN-FSA) oversees the NIS 2 Directive and the DORA Regulation for entities in the banking and financial market infrastructure sectors. Competent authorities are obliged to cooperate, especially where an entity is subject to the supervisory powers of more than one competent authority.

In accordance with the NIS 2 Directive, supervision focuses by default on essential entities. If a competent authority has a justified reason to suspect that an important entity has not complied with the Cybersecurity Act, it may extend supervision to that entity as well.

The CSIRT unit (CERT-FI) is located within the National Cyber Security Centre Finland (NCSC-FI). Both the CSIRT and NCSC-FI are part of the Finnish Transport and Communications Agency, Traficom. Traficom also oversees and facilitates cooperation between the competent authorities and is Finland's single point of contact for the NIS 2 Directive.

An administrative fine may be imposed on an entity for infringement of the Cybersecurity Act. The maximum level of administrative fines in Finland is the minimum allowed by the NIS 2 Directive. For an essential entity, this means that administrative fines may amount to up to EUR 10 000 000 or at most 2 % of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher. The administrative fine is imposed by a special board composed of members appointed by the competent authorities. An entity may appeal to an administrative court against a decision imposing an administrative fine. Such an appeal is an administrative case and subject to the provisions of the Finnish Administrative Judicial Procedure Act.

Conclusions

With the newly adopted Cybersecurity Act, Finland has decided to follow the minimum-harmonization level of the NIS 2 Directive. The Act leaves entities leeway in how they organize and adopt risk management measures, as it is highly risk-based and does not prescribe detailed risk management measures covering all entities in scope. It lays down objectives for risk management, a minimum list of matters to be considered, and criteria for evaluating an acceptable level of risk management. As legislation is a slow and inefficient way to increase cybersecurity in general, the risk-based approach of the Act might seem self-evident. However, while the Cybersecurity Act leaves essential and important entities a lot of room to organize their risk management, it might also increase compliance costs or regulatory burden, especially if the minimum level of risk management measures proves too unclear for entities. The practical effects of the Act remain to be seen in the near future.

Veikko Vauhkonen