Finnish Cybersecurity Act enters into force

Insights | April 4, 2025

This article provides a brief overview of Finland’s approach to the national implementation of NIS2, as well as the scope of and key changes introduced by the Cybersecurity Act. Throughout spring, we will continue to share further insights into the new obligations under the Cybersecurity Act.

The President of Finland has ratified the government proposal for the Finnish Cybersecurity Act (the “Cybersecurity Act”), which will enter into force on 8 April 2025. The Cybersecurity Act implements the European Union’s directive 2022/2555 on measures for a high common level of cybersecurity (“NIS2”).

National implementation of NIS2 in Finland

In its proposal, the Government has implemented NIS2 into national legislation at the minimum level required, both in terms of scope and obligations. Instead of the previous sector-specific legislation on cyber security requirements, NIS2 is now implemented centrally through the Cybersecurity Act. The Cybersecurity Act consolidates the obligations related to cybersecurity risk management and incident reporting for entities within its scope. Accordingly, the proposal repeals the sector-specific provisions previously issued for the implementation of the first NIS directive 2016/1148 (“NIS1”). However, it should be noted that sector-specific legislation may still apply in some instances, such as for digital infrastructure and digital service providers.

Scope of the Cybersecurity Act and key changes introduced

Scope is one of the primary aspects that sets NIS1 (NIS2’s predecessor) and NIS2 apart. While NIS1 had a more limited scope, NIS2 expanded its coverage to include additional sectors and digital service providers. As a result, a broader range of organizations across the EU are now subject to cyber security requirements stemming from NIS2. An overview of the newly covered sectors is presented in the table below. The sectors within the scope of NIS2 described in the table are regulated under the Cybersecurity Act, excluding those marked with * and **. In addition, sector-specific rules may apply in certain cases.

* Credit institutions and operators in the financial sector fall under the scope of the DORA Regulation and, therefore, financial sector operators have been excluded from Annex 1 of the Cybersecurity Act.

** Provisions are contained in the Act on Information Management in Public Administration (906/2019), and therefore public administration has been excluded from Annex 1 of the Cybersecurity Act.

Under NIS2 (as well as under the Cybersecurity Act), sectors are classified as either highly critical or critical. This classification is essential in determining the applicable supervisory and enforcement measures. Large and medium-sized operators in the relevant sectors fall within the directive’s scope, while small and micro-sized operators are, in principle, excluded. However, smaller entities are also in scope, for example, if they provide essential services for maintaining critical societal or economic activities, where disruptions could cause significant harm to public safety, security, or health, or lead to a large-scale systemic risk. Furthermore, an operator is within the scope of NIS2 regardless of its size if it is any of the following: (i) a provider of public electronic communications networks or publicly available electronic communications services; (ii) a trust service provider; (iii) a domain name registry; or (iv) a DNS service provider.

Other key changes that will be further explored during the spring include:

  • more detailed obligations regarding cybersecurity risk management, including the detection of vulnerabilities (Section 9 of the Cybersecurity Act);
  • responsibility of an entity’s management body for implementing and monitoring cybersecurity risk management (Section 10 of the Cybersecurity Act);
  • reporting obligations for significant cybersecurity incidents (Section 11 of the Cybersecurity Act); and
  • sanctions for non-compliance with risk management obligations.

Competent authorities

Cybersecurity obligations will be monitored by several sector-specific national supervisory authorities (such as the Finnish Transport and Communications Agency (Traficom), the Energy Authority, the Finnish Safety and Chemicals Agency (Tukes), the National Supervisory Authority for Welfare and Health (Valvira), and the Finnish Medicines Agency (Fimea)). However, Traficom’s National Cyber Security Centre will coordinate the cooperation between the supervisory authorities and serve as the single point of contact referred to in Article 8(3) of NIS2. Also, the tasks of the national computer security incident response team (CSIRT) will be assigned to Traficom’s National Cyber Security Centre.

Administrative fines will be imposed by a board, to be established separately, consisting of members appointed by the supervisory authorities.

How about Sweden?

In Sweden, the legislator is currently awaiting a governmental bill from the Ministry of Defence, but a draft to pass the national law implementing NIS2 is expected to be issued later this spring.

The current estimate of the legislator is that the law will be implemented and enforced by no earlier than the end of 2025. The national law will then be complemented by additional regulations (Sw. föreskrifter) issued by authorities.