Cybersecurity 2026

Last Updated March 17, 2026

Finland

Law and Practice

Authors



Lieke Attorneys Ltd is a Finnish law firm, established in 1989, with a focus on data and technology, dispute resolution, transactions, energy and construction. Its experienced experts assist clients with IT and digitalisation projects, data privacy and data protection, data sharing and processing, document disclosure, cybersecurity, intellectual property, technology contracts and procurement, and other data and technology-related issues. Lieke provides clients with expert support in implementing the latest solutions, assessing regulatory compliance, managing risks and resolving disputes. In an ever-changing regulatory environment, Lieke’s focus is on providing expert and practical solutions, always considering the business needs of our clients. Lieke also advises on trade mark, design and copyright issues and related regulatory and registration processes, as well as employment invention matters.

A Changing Cybersecurity Landscape in Finland

Historically, the Finnish regulatory framework for cybersecurity has been relatively fragmented, with separate specialised regulations for different industries and sectors. Cybersecurity matters were treated as sector-specific operating requirements, and were supervised independently by the relevant sector-specific authorities.

In 2024, the Finnish Cybersecurity Strategy was updated to better address technological advancements and shifts in the geopolitical landscape that cut across sectors more than ever before. According to the Cybersecurity Strategy, the current cybersecurity situation in Finland is relatively stable; however, given that Finnish society is almost entirely digitalised, cybersecurity requires constant attention, to ensure trust in the safety and reliability of digital services. The Cybersecurity Strategy recognises cybersecurity not only as a cornerstone of modern society but also as a vital matter of national security.

The Four Pillars of Cybersecurity Development

The Cybersecurity Strategy is built on four distinct pillars, each setting out sub-objectives defining the target state for national cybersecurity and guiding future legislation and other public sector activity.

Pillar I: competence, technology, and research, development and innovation

Under the first pillar, cybersecurity competence is regarded as a fundamental civic skill. A high level of competence will require strengthening cybersecurity education in schools, universities, non-governmental organisations and workplaces. Furthermore, the objectives under the first pillar include promoting business competitiveness in the cybersecurity sector and Finland’s role as a leader in the implementation of emerging and disruptive technologies.

Pillar II: preparedness

The second pillar emphasises cyber resilience and operational reliability across society. Under this pillar, public authorities and private sector organisations are expected to define and apply cybersecurity requirements to the information systems they use, procure and maintain, and to allocate sufficient resources to meet these requirements and develop preparedness capabilities. The pillar also encourages collaboration and dialogue with the EU and NATO to promote preparedness and share best practices.

Pillar III: co-operation

The third pillar further encourages international collaboration and dialogue. In addition, the strategy emphasises well-co-ordinated and smooth co-operation between authorities based on shared situational awareness, as well as the use of centralised cybersecurity services.

Pillar IV: response and countermeasures

The final pillar aims to ensure timely responses to cyber threats and to safeguard national sovereignty. Clearly defined roles and responsibilities for different actors in both the public and private sectors are considered essential prerequisites for effective cyber resilience, and cybersecurity is recognised as a vital part of national defence.

Towards a Unified Cybersecurity Approach

Overall, the current regulatory strategy for cybersecurity in Finland emphasises the importance of a unified approach to cybersecurity, recognising that the subject matter concerns all areas of society. At the international level, Finland strives to be a strong cybersecurity ally within the EU and NATO, actively participating in discussions on future developments.

The cybersecurity legislation in Finland is largely EU-based, but many details are regulated at the national level. EU regulations are directly applicable in Finland and require very limited national implementation legislation, if any. EU directives are not directly applicable; instead, they oblige the Finnish legislature to enact national provisions that reflect the requirements of the directives.

The principal cybersecurity laws applicable in Finland are listed below. The legislation is divided into three categories:

  • legislation primarily concerning cybersecurity;
  • legislation regulating the protection of personal data, including cybersecurity requirements; and
  • other legislation relevant to cybersecurity.

Cybersecurity

The NIS 2 Directive (Directive (EU) 2022/2555) has been implemented in national legislation as described in this section.

The Cybersecurity Act (124/2025, Kyberturvallisuuslaki) implements the NIS 2 Directive, imposing uniform cybersecurity requirements for actors operating in essential sectors, and setting out minimum cybersecurity requirements for entities within its scope. However, more specific requirements imposed by any other regulation may be applied in addition to or instead of the Cybersecurity Act – for example, see below regarding the requirements for public administration. The Act also establishes an institutional framework for supervision and national cyber resilience.

The Act on Information Management in Public Administration (906/2019, Laki julkisen hallinnon tiedonhallinnasta) governs, among other topics, data security, interfaces and interoperability in public administration. Chapter 4a of the Act implements the requirements for public administration set out in the NIS 2 Directive. For public administration entities, this provision applies instead of the national Cybersecurity Act.

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) (DORA) creates a uniform regulatory framework for reducing cybersecurity risks within financial entities and related ICT suppliers. DORA applies primarily to financial sector entities as lex specialis instead of the national Cybersecurity Act.

The EU Cybersecurity Act (Regulation (EU) 2019/881) (CSA) established the EU Agency for Cybersecurity (ENISA) and the EU-wide certification system to harmonise cybersecurity requirements, increase safety and reduce parallel certification requirements for ICT products, services and processes.

The Cyber Resilience Act (Regulation (EU) 2024/2847) (CRA) regulates extensively all connectible hardware and software, and introduces mandatory cybersecurity requirements for manufacturers and developers. One way to prove a product’s compliance with the CRA can be a certification under the CSA.

The Network Code on Cybersecurity (Regulation (EU) 2024/1366) (NCCS) complements Regulation (EU) 2019/943 of the European Parliament and of the Council of 5 June 2019 on the internal market for electricity, setting out rules on cybersecurity risk management, common minimum requirements, planning, monitoring, reporting and crisis management for, inter alia, certain energy sector actors and critical ICT providers in the energy sector.

The Cyber Solidarity Act (Regulation (EU) 2025/38) sets up a framework for EU-level collaboration, to allow EU member states to better defend themselves against large-scale cyber-attacks.

Cybersecurity and Data Protection

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) sets out extensive rules for the processing of personal data in organisations.

The Data Protection Act (1050/2018, Tietosuojalaki) complements the GDPR, as do special data protection provisions in many other acts. These instruments specify and ensure the effective implementation of the GDPR.

The Act on the Processing of Client Data in Healthcare and Social Welfare (703/2023, Laki sosiaali- ja terveydenhuollon asiakastietojen käsittelystä) (the “Client Data Act”) applies to data processing and information systems in the healthcare and social welfare sectors, supplementing the requirements set out in the Finnish Data Protection Act and the GDPR.

The Act on the Secondary Use of Health and Social Data (552/2019, Laki sosiaali- ja terveystietojen toissijaisesta käytöstä) facilitates the effective and safe processing of, and access to, personal social and health data for steering, supervision, research, statistics and development in the health and social sectors.

The Act on Electronic Communications Services (917/2014, Laki sähköisen viestinnän palveluista) applies to electronic communications service providers. It ensures the quality, safety and reliability of communication networks and services, as well as promoting fair competition and confidentiality and privacy in electronic communication.

Other Relevant Legislation Applicable in Finland

The Artificial Intelligence Act (Regulation (EU) 2024/1689) (the “AI Act”) creates a unified EU framework with risk-based classifications to ensure the safety and trustworthiness of AI systems.

The CER Directive (Directive (EU) 2022/2557) has been implemented in national legislation, as described below.

The Act on the Protection of Infrastructure Critical to Society and Improvement of Resilience (310/2025, Laki yhteiskunnan kriittisen infrastruktuurin suojaamisesta ja häiriönsietokyvyn parantamisesta) implements the CER Directive. The Act strengthens societal crisis resilience and national safety by ensuring the uninterrupted functioning of the most essential services. Entities considered critical actors under this Act are automatically subject to the Cybersecurity Act. The Act extends risk management obligations beyond information and communication networks to also cover the physical environment relating to critical infrastructure.

The Criminal Code (39/1889, Rikoslaki) contains penal provisions concerning cybercrimes, including, for example, Chapter 38 on data and communications offences and Chapter 35, Sections 3a–3c on criminal damage to data.

The eIDAS Regulation (Regulation (EU) No 910/2014) establishes the regulatory framework for electronic identification and trust services within the EU. The regulation ensures secure electronic transactions across member states and sets standards for electronic signatures and other trust services.

In summary, the Cybersecurity Act sets out minimum cybersecurity requirements, but more specific requirements imposed by other regulations may be applied in addition to or instead of the Cybersecurity Act. Chapter 4a of the Act on Information Management in Public Administration implements NIS 2 directive requirements for public administration entities; for such entities, this provision applies instead of the national Cybersecurity Act. DORA applies primarily to financial sector entities instead of the national Cybersecurity Act, creating a sector-specific regulatory framework. The GDPR, Data Protection Act and cybersecurity legislation overlap particularly regarding data security breaches. Criminal law provisions, particularly in the Criminal Code, complement cybersecurity regulation by establishing criminal liability for cybercrimes such as data breaches, unauthorised access to information systems, and disruption of information systems.

The competent authorities enforcing cybersecurity legislation are quite fragmented. The authorities are outlined below, grouped by the statutes or topics they enforce; certain authorities with unique mandates are presented separately.

  • Cybersecurity Act: the Transport and Communications Agency (Traficom), the Energy Authority, the Finnish Safety and Chemicals Agency (Tukes), the Finnish Supervisory Agency, the Economic Development Centres, the Finnish Food Authority and the Finnish Medicines Agency (Fimea) supervise compliance with the Cybersecurity Act within their respective sectors. These authorities have the right to obtain information, conduct inspections and require actors to conduct a safety audit. Their enforcement powers include imposing penalty payments, enforcing compliance and suspending non-compliant activities, restricting persons from acting in the management of essential entities, and proposing an administrative fine. The final decision on an administrative fine is made by the Administrative Fine Board operating under the Ministry of Transport and Communications. The same authorities also supervise compliance with the Act on the Protection of Infrastructure Critical to Society and Improvement of Resilience, but their enforcement powers under that Act are limited to penalty payments, enforced compliance and non-compliance fees.
  • The Computer Security Incident Response Team (CSIRT), operating under the National Cyber Security Centre Finland (NCSC-FI) of Traficom, monitors and analyses cyber threats and vulnerabilities, and provides cybersecurity information and support. The CSIRT does not supervise entities subject to the Cybersecurity Act, and its activities are accordingly organised separately from the supervisory functions described above. Its activities are based on trust and voluntary security breach notifications. The CSIRT may use non-intrusive methods to conduct vulnerability assessments on networks and IT systems connected to the general communications network, and its responsibilities include responding to incident notifications, assisting notifying entities and, where necessary, conducting technical investigations of serious security breaches. It also participates in maintaining national cybersecurity situational awareness and issues early warnings, alerts and notifications. The supportive role of the CSIRT is also recognised in the Cybersecurity Act, which provides that information voluntarily disclosed to the CSIRT may not, without consent from the disclosing party, be used in criminal investigations or administrative or other decision-making directed at the disclosing party.
  • Traficom is the competent authority for public authorities under Chapter 4a of the Act on Information Management in Public Administration. Its supervisory powers are similar to those of the competent authorities under the Cybersecurity Act. Enforcement powers include issuing a formal notice, requiring the publication of details of non-compliance and imposing penalty fines.
  • DORA: the Financial Supervisory Authority is the competent authority under DORA. It has information and investigation powers and can impose penalties and administrative fines, as well as give public warnings for non-compliance.
  • GDPR and data protection: the Data Protection Ombudsman is the competent authority under the GDPR and national data protection legislation. It has the right to obtain information and conduct investigations, and the ability to impose penalty payments and administrative fines.
  • The Finnish Supervisory Agency supervises information systems and wellbeing applications under the Client Data Act. It can conduct investigations and request information, and its enforcement powers include prohibiting the use of non-compliant systems and penalty payments.
  • CRA: Traficom is the main competent authority under the Act on Electronic Communications Services and the CRA, as well as the certification authority under the EU Cybersecurity Act. The supervisory and enforcement powers under the Act on Electronic Communications Services largely correspond to the powers of competent authorities under the Cybersecurity Act, while the powers under the CRA are similar to general market surveillance powers (see 4.2 Key Obligations Under Legislation).

The regulation on cybersecurity for critical infrastructure is primarily set out in the Cybersecurity Act (124/2025), which applies to entities considered important or essential across various sectors. Most of the obligations set out in the Act apply to both important and essential entities, with the distinction relating predominantly to the supervisory measures available to the authorities and the severity of applicable sanctions.

Most small and micro-enterprises (maximum turnover of EUR10 million and fewer than 50 employees) are excluded from the scope of the Cybersecurity Act. However, if an entity has partner enterprises or linked enterprises, as defined in Commission Recommendation 2003/361/EC, said entity may fall within the scope of the Cybersecurity Act even if its individual turnover and personnel numbers are below the applicable thresholds.

Certain entities are subject to the requirements of the Cybersecurity Act regardless of their size, including:

  • providers of public electronic communications networks or publicly available electronic communications services;
  • trust service providers;
  • top-level domain name registry operators;
  • DNS service providers; and
  • entities designated as critical under the Act on the Protection of Infrastructure Critical to Society and Improvement of Resilience (310/2025).

For these so-called “CER-critical entities”, the Act on the Protection of Infrastructure Critical to Society and Improvement of Resilience is applied in parallel to the Cybersecurity Act. It applies to entities that are considered critical to society due to, for example, the crucial nature of their services for maintaining vital societal functions or their role in operating critical infrastructure in Finland, or a significant risk of adverse effects on the provision of critical services if they were to be subject to an incident. However, entities do not need to make this assessment themselves; rather, the competent authorities make this designation and are required to do so by 17 July 2026.

In addition, the Cybersecurity Act applies to an entity regardless of its size if it carries out activities referred to in Annex I or II, or if it is an entity referred to in those Annexes, and if:

  • it provides a service that is essential for the maintenance of critical societal or economic functions and that is not provided by other entities;
  • a disruption to the service it provides could have a significant impact on public order, public safety or public health;
  • a disruption to the service it provides could cause a significant systemic risk, particularly in sectors where such a disruption could have cross-border effects; or
  • it is critical due to its particular importance at national or regional level for the sector or type of service concerned, or for other interdependent sectors in any EU member state.

According to the Cybersecurity Act, more detailed guidelines on the designation of critical entities can be issued in secondary legislation (a Government Decree). At the time of writing, no such decree has been issued, and therefore the interpretation of the criteria for size-independent critical entities remains uncertain.

Activities in the areas of national or public security, defence or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences, are excluded from the scope of the Cybersecurity Act.

Instead of the Cybersecurity Act, Chapter 4a of the Act on Information Management in Public Administration (906/2019) applies to most public authorities. However, certain entities fall largely outside the scope of cybersecurity regulation, including courts, universities, organs connected to the Parliament, the Office of the President of the Republic and various authorities involved in defence or the criminal justice system.

Sectors in Scope of the Cybersecurity Act

The sectors within the scope of the Cybersecurity Act and the respective sector-specific competent authorities are listed below.

Highly critical sectors (Annex I to the Cybersecurity Act)

The following sectors are deemed to be highly critical, and are subject to the oversight of the listed authority:

  • energy – supervision shared between the Energy Authority and the Finnish Safety and Chemicals Agency (Tukes);
  • transport – Traficom;
  • banking and financial market infrastructures – the Financial Supervisory Authority;
  • health – the Finnish Supervisory Agency;
  • drinking water supply and distribution – the Economic Development Centre;
  • wastewater – the Economic Development Centre;
  • digital infrastructure – Traficom;
  • ICT service management – Traficom;
  • space – Traficom; and
  • public administration – Traficom (provisions are contained in Chapter 4a of the Act on Information Management in Public Administration).

(Other) critical sectors (Annex II to the Cybersecurity Act)

The following sectors are also deemed to be critical, subject to the oversight of the listed authority:

  • postal and courier – Traficom;
  • waste management – the Finnish Supervisory Agency;
  • the manufacture, production and distribution of chemicals – Tukes;
  • the manufacture of medical devices and in vitro diagnostic medical devices, computer, electronic and optical products (C26 of NACE Rev.2), electrical equipment (C27 of NACE Rev.2), machinery and equipment (C28 of NACE Rev.2), motor vehicles, trailers and semi-trailers (C29 of NACE Rev.2), and other transport equipment (C30 of NACE Rev.2) – supervision shared between the Finnish Medicines Agency (Fimea) and Tukes;
  • digital service providers – Traficom; and
  • research organisations – Traficom.

The main responsibilities set out for important and essential entities under the Cybersecurity Act and for public administration falling within the scope of Chapter 4a of the Act on Information Management in Public Administration centre on risk management to prevent or minimise the impact of incidents on operations, operational continuity, service recipients and other services. Generally, entities and authorities are required to identify, assess and manage risks to the security of the communications networks and IT systems that they use. The risk management measures must be up-to-date, appropriate and sufficient in relation to the risks and the significance of the network or system to the operations and services of the entity or authority.

The Cybersecurity Act imposes the following obligations on entities within its scope.

  • Registration – entities must assess independently whether they fall within the scope of the Cybersecurity Act and, if so, register with the competent authority responsible for their sector.
  • Risk management – as described below.
  • Reporting – as described in 2.3 Incident Response and Notification Obligations.

Risk Management Obligations

Entities are required to implement an up-to-date cybersecurity risk management operating model to protect their communications networks and IT systems against incidents and to mitigate their potential impacts. The risk management operating model must take all relevant risk factors into account and define the objectives, procedures and responsibilities of cybersecurity risk management, as well as the risk management measures.

The Cybersecurity Act and Chapter 4a of the Act on Information Management in Public Administration include a 12-point list of factors that must, at a minimum, be addressed in the risk management operating model and the risk management measures. The risk management measures may be technical, operational or organisational, but they must be proportionate to the scope of the operations, the expected impacts of an incident, the risk susceptibility of the networks and systems, the likelihood and severity of incidents, and the costs of the measures and their technical feasibility.

Responsibility for the implementation and supervision of risk management under the Cybersecurity Act is imposed on the top management of important or essential entities (the board of directors, the supervisory board, the managing director and their respective deputies). The competent authorities may restrict individuals from acting in the top management of essential entities for up to five years if they fail to discharge this responsibility. However, this restriction does not apply to partnerships.

Complying with the requirements of the Cybersecurity Act largely also ensures compliance with the cybersecurity requirements set out for critical entities under the Act on the Protection of Infrastructure Critical to Society and Improvement of Resilience. In addition to the cybersecurity requirements, the latter Act imposes numerous other requirements to ensure resilience against other threats, such as natural disasters, large-scale accidents and public health crises.

The Cybersecurity Act and Chapter 4a of the Act on Information Management in Public Administration impose similar incident response and notification obligations. An initial notification of a significant incident must be submitted to the competent authority within 24 hours of becoming aware of the incident, and a follow-up notification within 72 hours. An incident is considered significant if it has caused or is capable of causing either severe operational disruption to services or financial loss for the entity concerned, or considerable material or non-material damage to other natural or legal persons.

The initial notification must include:

  • confirmation of the detection of a significant incident;
  • an indication of whether the incident is suspected of being caused by a criminal or other unlawful or malicious act; and
  • information regarding any potential cross-border impacts.

The follow-up notification must include an assessment of the nature, severity and impacts of the incident, indicators of compromise, where available, and any updates to the information provided in the initial notification.

Within one month of the follow-up notification, a final report detailing the incident must be submitted to the competent authority. This must include:

  • the severity and impacts of the incident;
  • the type of threat or root cause that likely triggered the incident;
  • applied and ongoing mitigation measures; and
  • possible cross-border impacts.

If the incident is still ongoing when the final report falls due, or at the request of the competent authority, an interim report must be submitted with relevant status updates and progress on handling the incident.

In addition to the notification obligations vis-à-vis the competent authorities, the recipients of the service must be notified of the significant incident if it is likely to hinder delivery of the services. The affected recipients of the services must also be notified of any significant cyber threat and mitigation measures.

The competent authority forwards the incident notifications and reports it has received to the CSIRT operating under Traficom. The affected entity or authority may request guidance and operational advice on mitigation measures from the CSIRT.

The competent authority itself is subject to separate notification obligations arising from incident reports, depending on the nature of the incident. These obligations include, for example, an obligation to notify the Data Protection Ombudsman where the incident involves a personal data breach. Where a significant incident notification is submitted by a critical entity under the Act on the Protection of Infrastructure Critical to Society and Improvement of Resilience, the receiving authority must forward it to the competent authority under that Act, which is, however, largely the same as under the Cybersecurity Act.

The NCSC-FI serves as the single point of contact in Finland facilitating cross-border co-operation and co-ordination between competent authorities in different EU member states. It also submits regular summary reports on significant incidents, cyber threats and near misses to ENISA.

It should also be noted that, where an incident occurs but is not significant, a voluntary notification may be submitted to the competent authorities. In such cases, the deadlines prescribed by the Cybersecurity Act do not apply. Voluntary notifications may also be submitted by entities that are not subject to the Cybersecurity Act.

Traficom provides support, guidance and supervision on information security issues and the implementation of privacy protection in electronic communications. It also maintains national cybersecurity situational awareness. The overall objective of the activities of the NCSC-FI is to promote and ensure the information security of information systems and data communication arrangements.

The Finnish national CSIRT unit also operates under the NCSC-FI. The responsibilities of the CSIRT are defined in the Cybersecurity Act and include monitoring and analysing cyber threats and vulnerabilities, providing guidance and recommendations, and supporting the maintenance of national cybersecurity situational awareness.

The CSIRT may conduct proactive vulnerability scans of publicly available networks and IT systems to detect vulnerable and unsafely configured networks and IT systems. Furthermore, entities can request the CSIRT to conduct a targeted scan of their networks or IT systems. Methods permitted in targeted scans are subject to considerably fewer restrictions than in proactive scans.

The CSIRT can facilitate a voluntary exchange of cybersecurity information between itself and any entities. Participating entities can share relevant information considered confidential under the Act on Electronic Communications Services. The CSIRT also co-ordinates the disclosure of vulnerabilities by receiving notifications of vulnerabilities, contacting entities affected by vulnerabilities and co-ordinating the management of vulnerabilities affecting multiple entities. It also reports, and advises entities on reporting, vulnerabilities to the European vulnerability database.

DORA is a directly applicable EU regulation that also applies in Finland. The financial sector operational resilience legislation applicable in Finland is largely consolidated under DORA. The scope of DORA encompasses a comprehensive list of 21 categories of entities in the financial sector, including third-party ICT service providers designated as critical. In Finland, only pension insurance companies are excluded from the scope of DORA, and micro-enterprises are exempt from many of its requirements. For the most part, DORA applies uniformly to all financial institutions providing services in the EU. DORA does not apply directly to ICT service providers other than those designated as critical. Instead, financial entities are responsible for ensuring that the ICT service providers and systems they use comply with the requirements of DORA.

The definition of an ICT service provider in DORA is broad and encompasses all entities and other undertakings providing any digital and data services to financial entities through ICT systems. It includes services like cloud storage and software development, as well as hardware services such as the provision of firmware updates.

The contractual requirements in DORA include detailed lists of mandatory contractual elements that must be included in all ICT service contracts and in contracts for ICT services supporting critical or important functions. Required elements include, for example:

  • access to data in case of an ICT service provider’s insolvency;
  • specifying the locations of data storage and processing; and
  • terms on security measures and data protection.

Contracts must clearly allocate the rights and obligations of each party, and these must be documented in one written document. More extensive requirements on contractual provisions apply to contractual arrangements concerning ICT services supporting critical or important functions. These include, for example, precise quantitative and qualitative performance targets within the agreed service levels and exit strategies.

The obligations imposed by DORA are subject to the proportionality principle. Financial entities’ size and risk profile, as well as the nature, scale and complexity of their operations, are considered when determining how certain rules in DORA are applied.

DORA and the Commission Delegated Regulation (EU) 2024/1774 supplementing DORA include detailed rules on ICT risk management. The regulation requires financial entities to, inter alia, ensure the adequacy of ICT systems, identify ICT dependencies, implement an ICT business continuity policy and train their staff. The management bodies of financial entities are ultimately responsible for the implementation of appropriate ICT risk management frameworks.

Financial entities are required to implement an ICT-related incident management process to detect, manage and notify ICT incidents. They are also required to classify incidents and cyber threats in accordance with the criteria set out in DORA, taking into consideration the severity, extent and types of impacts.

DORA emphasises the obligation of financial entities to monitor and manage potential risks arising from ICT services provided by third parties. Among other requirements, financial entities must report to the competent authority at least annually on the number of arrangements concerning ICT services, and must submit, upon request, either the full register of information or the relevant parts thereof. In addition, financial entities must have systematic processes in place for the selection and assessment of ICT service providers. This includes a structured assessment of the content of contractual arrangements, an evaluation of whether the supervisory conditions for contracting are met, and an assessment of whether the ICT concentration risk is identified.

Incidents classified as major must be reported to the Finnish Financial Supervisory Authority within four hours of classification and within 24 hours of becoming aware of the incident. Within 72 hours of the initial report, an intermediate report must be submitted, which must be updated in the event of status changes or upon request by the authority. Within one month of the intermediate report, a final report must be submitted, including root cause analysis, resolution details and impact assessment.

A special oversight framework applies to ICT service providers designated as critical by the European Supervisory Authorities. This designation takes into account, for example, the number and systemic importance of entities relying on the services, the substitutability of the services and the potential impacts of a failure in providing said services.

One of the European Supervisory Authorities is appointed as Lead Overseer for each critical ICT service provider, to assess its risk management measures. The Lead Overseer has broad powers to access information and carry out general investigations and inspections. The Lead Overseer’s powers extend to ICT service providers established outside the EU that provide services to financial entities within the EU. However, the powers outside the EU are subject to additional restrictions.

If a critical ICT service provider does not comply with requests of the Lead Overseer within 30 calendar days, it may be subject to a periodic penalty payment that accrues daily. The penalty payment may amount to up to 1% of the average daily worldwide turnover of the critical ICT service provider in the preceding business year, and may be imposed for a maximum period of six months.

In addition to the EU-level enforcement against critical ICT service providers, all ICT service providers are subject to an obligation to provide information requested by the Financial Supervisory Authority under the Act on the Financial Supervisory Authority (878/2008, Laki Finanssivalvonnasta). If an ICT service provider does not comply with the obligation, the Financial Supervisory Authority may impose a penalty payment of between EUR1,000 and EUR100,000. The Financial Supervisory Authority has published a comprehensive guide on the basis of which the amount of penalty payments is determined. If the non-compliance is particularly reprehensible, an administrative fine of up to 10% of the annual turnover of the ICT service provider may be imposed.

DORA does not include comprehensive cross-border data transfer regulation comparable to the GDPR. However, DORA requires financial entities to include specific ICT-related provisions in their third-party ICT service contracts, including the locations of data processing and service provision, and notification obligations when planning to change these locations. Financial entities must also implement exit strategies for critical ICT services, notify competent authorities of planned contractual arrangements for critical or important functions, and assess concentration risks arising from using the same or closely related service providers. Extensive regulation on transfers of personal data is included in the GDPR.

DORA requires entities identified by the Financial Supervisory Authority to carry out threat-led penetration testing (TLPT) on live production systems at least every three years. The Financial Supervisory Authority identifies the entities based on impact-related factors, possible financial stability concerns and ICT risk profile. Entities determine the scope of TLPT independently, subject to validation by the Financial Supervisory Authority. ICT service providers may also be included in the scope of TLPT.

TLPT may be conducted by either external or internal testers; however, an external tester must be engaged at least once every three years. Testers must satisfy requirements relating to independence, competence, certification, and risk management and mitigation. Compliance with the remaining testing requirements is achieved by adhering to the TIBER-FI framework.

The main source of cyber-resilience regulation in Finland is Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (the Cyber Resilience Act, or CRA). The CRA is a horizontal, harmonised product safety regulation, and the essential cybersecurity requirements under it are indicated by a product’s CE marking. In addition, Commission Implementing Regulation (EU) 2025/2392 further specifies the technical descriptions of important and critical products with digital elements under the CRA. The requirements under the CRA do not preclude the application of other requirements that may apply to the same product pursuant to other EU product regulations. In Finland, national legislation implementing the CRA will enter into force at a later date.

The CRA entered into force in 2024, and the application of its obligations starts in three steps between 2026 and 2028. The scope of the CRA is broad; as a general rule, it includes all devices and software with digital elements and expected use involving direct or indirect connection to a network or other device. Pure SaaS solutions that are not delivered together with a product with digital elements are generally excluded from the scope of the CRA. However, remote data processing solutions necessary for a product with digital elements to perform its functions are considered part of that product and, accordingly, fall within the scope of the CRA. An example of such products is smart home devices.

The CRA imposes extensive obligations on manufacturers, importers and distributors of products with digital elements. Products must meet essential cybersecurity requirements contained in Annex I of the CRA, covering product properties (eg, security by default, access control, data protection) and vulnerability handling processes. Manufacturers must conduct cybersecurity risk assessments, prepare technical documentation and provide user instructions. Vulnerabilities must be remediated without delay through security updates distributed securely and free of charge during the support period, which must reflect the product’s expected lifetime (minimum five years unless the expected lifetime is lower). The reporting timelines under the CRA correspond to those prescribed by the Cybersecurity Act and DORA, requiring notifications within 24 hours, 72 hours and one month, respectively (see 2.3 Incident Response and Notification Obligations and 3.3 Key Operational Resilience Obligations). Before market placement, conformity assessment is required, followed by EU declaration of conformity and CE marking.

Prior to placing products on the EU market, importers are required to verify that manufacturers have fulfilled their obligations, including conformity assessment, preparation of technical documentation and affixing of the CE marking, and must provide their own contact details on the product. Distributors must verify that the CE marking has been affixed and that manufacturers and importers have met their obligations concerning identification, contact information, user instructions and support period information before making products available on the market. Both importers and distributors are required to notify manufacturers of any discovered vulnerabilities without undue delay and, where a product poses a significant cybersecurity risk, to immediately inform the relevant market surveillance authorities, providing detailed information on the non-compliance identified and any corrective measures taken.

The market surveillance authority in Finland for products within the scope of the CRA is expected to be Traficom. As an initial enforcement measure, the relevant economic operator is required to bring the non-compliance to an end by, for example, bringing the product into compliance, withdrawing or recalling the product, or arranging for its destruction. This requirement may be enforced by means of a penalty payment. If the operator fails to comply with the requirement, the authority may itself recall or restrict the availability of the product on the market. In addition, the CRA sets out administrative fines for non-compliance, ranging up to:

  • EUR15 million or 2.5% of annual turnover (whichever is higher) for manufacturers;
  • EUR10 million or 2% of annual turnover for authorised representatives, importers, distributors and notified bodies; and
  • EUR5 million or 1% of annual turnover for the submission of incorrect, incomplete or misleading information.

Finland is part of the EU’s cybersecurity certification framework established under Regulation (EU) 2019/881 (the EU Cybersecurity Act, or CSA). The National Cybersecurity Certification Authority (NCCA) in Finland is Traficom, which is responsible for the accreditation of Conformity Assessment Bodies (CABs) that can act as certifiers delivering certificates or as evaluators auditing and testing.

The CSA establishes three assurance levels: basic, substantial and high. The basic level provides assurance against basic risks; the substantial level addresses significant risks; and the high level is intended for situations involving the highest risks, requiring the most stringent evaluation methods, such as penetration testing.

Certification under the CSA is generally voluntary; however, certificates are commonly used as requirements for certain critical products, and certification under the CSA is a recognised means of demonstrating compliance. To date, the only adopted European cybersecurity certification scheme is the EUCC (European Cybersecurity Certification Scheme on Common Criteria), which primarily targets ICT products. However, ENISA is currently developing additional certification schemes covering cloud services, 5G networks, digital identity wallets and managed security devices. Should the European Commission exercise its power to mandate the use of European cybersecurity certifications for products listed in Annex IV of the Cyber Resilience Act, and if such certifications become more widely available, the CSA certification framework would constitute the primary means of demonstrating the conformity of those products with the applicable cybersecurity requirements and of ensuring their access to the EU internal market.

In the context of public procurement, contracting authorities and entities may require certified ICT products, services or processes as part of their procurement procedures. The NIS 2 Directive further permits (but does not oblige) member states and the Commission to impose such requirements on entities falling within its scope.

Regulatory Framework for Data Protection

The main source of personal data protection legislation in Finland is the GDPR. This is supplemented by the Finnish Data Protection Act (1050/2018, Tietosuojalaki), the Act on Electronic Communications Services (917/2014, Laki sähköisen viestinnän palveluista) and the Act on the Protection of Privacy in Working Life (759/2004, Laki yksityisyyden suojasta työelämässä).

Cybersecurity Obligations

The GDPR includes three types of cybersecurity-related obligations:

  • obligations on ensuring the security of personal data processing;
  • notification obligations in cases of personal data breaches; and
  • principles of information security-based processing of personal data.

Security of personal data processing

The GDPR includes multiple requirements for ensuring the security of personal data processing. The central obligation is ensuring the integrity and confidentiality of processing. Further specific obligations include risk management, data protection by design and default, and requirements for security of processing – namely, Articles 5(1)(f), 25, 28, 32, 33, 34 and 35. In particular, the GDPR requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, where appropriate:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability of and access to personal data in a timely manner in the event of an incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of such measures.

Notification obligations

The GDPR requires controllers to notify the competent authority (the Data Protection Ombudsman in Finland) and data subjects of personal data breaches. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data.

The notification to the Data Protection Ombudsman must be made within 72 hours after becoming aware of the breach, unless the controller is able to demonstrate that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The notification must include at least:

  • a description of the nature of the breach including, where possible, the categories and approximate number of data subjects and personal data records concerned;
  • the name and contact details of the data protection officer or other contact point;
  • a description of the likely consequences of the breach; and
  • a description of the measures taken or proposed to address the breach and mitigate its possible adverse effects.

A breach must also be communicated to data subjects without undue delay if it is likely to result in a high risk to the rights and freedoms of natural persons, and if none of the exceptions under Article 34(3) of the GDPR apply. The communication to data subjects must describe the nature of the breach in clear and plain language, and contain at least the contact details of the data protection officer, a description of the likely consequences and the measures taken or proposed to address the breach.

Principles of information security-based processing of personal data

Certain GDPR obligations and requirements can affect how cybersecurity risk management can be implemented. Under the GDPR, processing personal data is allowed only where a legal basis for such processing exists. The most relevant of these for cybersecurity risk management are compliance with legal obligations, public interest and legitimate interest. Furthermore, the GDPR includes requirements, for example, to use personal data only for the purpose for which it was collected, to minimise the amount of personal data collected and the time it is retained, and to ensure the integrity and confidentiality of personal data processed.

Legislative Framework

AI systems and solutions are regulated in Finland by Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (the Artificial Intelligence Act, or AI Act). The AI Act entered into force in 2024, and its application starts gradually, with final obligations applicable from August 2027.

Risk Management Framework

In line with the approach adopted in cybersecurity legislation, the AI Act applies a risk-based regulatory framework under which the obligations imposed increase in proportion to the level of risk associated with the AI system, as determined by reference to its intended purpose and functionalities. The AI Act requires high-risk AI systems to achieve an appropriate level of accuracy, robustness and cybersecurity, and to be designed and developed in a manner that ensures resilience against attempts by unauthorised third parties to exploit system vulnerabilities. In addition to the cybersecurity threats applicable to most ICT systems, the AI Act requires AI-specific vulnerabilities to be taken into account, including data and model poisoning, model evasion, confidentiality attacks and model flaws.

Incident Reporting

The AI Act includes an incident reporting scheme that requires providers of high-risk AI systems to report serious incidents to the market surveillance authority. The competent market surveillance authority is determined based on the sector of the product into which the AI system is incorporated. The report must be submitted no later than 15 days after the provider has become aware of the incident. However, the more serious the incident, the shorter the expected reporting timeframe.

Supervision and Enforcement

Compliance with the AI Act is enforced through the EU market surveillance framework established under Regulation (EU) 2019/1020, as supplemented by the enforcement provisions of the AI Act. In addition, administrative fines of up to EUR15 million or up to 3% of total worldwide annual turnover may be imposed, or, in the case of prohibited AI practices, up to EUR35 million or up to 7% of total worldwide annual turnover, whichever is higher. Furthermore, the supply of incorrect, incomplete or misleading information is subject to administrative fines of up to EUR7.5 million or up to 1% of total worldwide annual turnover, whichever is higher.

Interaction With General Cybersecurity and Data Protection Obligations

The AI Act operates alongside and complements other applicable EU regulations. Where an AI system is embedded in a product with digital elements, the cybersecurity requirements of the CRA apply in parallel, and compliance with the essential cybersecurity requirements of the CRA is deemed to satisfy the cybersecurity requirements for high-risk AI systems under the AI Act. Similarly, to the extent that an AI system processes personal data, the obligations under the GDPR, including requirements for data protection by design, apply concurrently with the obligations under the AI Act.

Legislative Framework

In addition to the general cybersecurity regulatory framework (such as the Cybersecurity Act), the healthcare sector is subject to sector-specific cybersecurity obligations and requirements. The Client Data Act applies to data processing and information systems in healthcare and social welfare sectors, supplementing requirements under the Finnish Data Protection Act and the GDPR. The Act on the Secondary Use of Health and Social Data (552/2019, Laki sosiaali- ja terveystietojen toissijaisesta käytöstä) facilitates effective and safe processing and access to personal social and health data for steering, supervision, research, statistics and development in health and social sectors, whilst safeguarding individuals’ rights and freedoms in personal data processing. The Act on Information Management in Public Administration (906/2019, Laki julkisen hallinnon tiedonhallinnasta) implements cybersecurity requirements of the NIS 2 Directive for public administration entities, including public healthcare entities.

Cybersecurity Obligations Under Sector-Specific Legislation

The sector-specific legislative instruments described above impose cybersecurity obligations on healthcare and social welfare entities. Under the Client Data Act, the integrity, immutability and indisputability of client and patient data must be secured when processing, transferring or storing data. Any information security breaches or disruptions affecting national information system services must be reported to the NCSC-FI of Traficom. Public agencies, pharmacies and ICT service providers subject to the Client Data Act are required to have an information security policy. The Act on the Secondary Use of Health and Social Data imposes obligations to ensure the security and integrity of health and social data processed for secondary purposes, including risk management, access control and active monitoring.

Applicability of the Cybersecurity Act

The Cybersecurity Act applies to any healthcare organisation that meets the criteria for entities set out in the Act (see 2. Critical Infrastructure Cybersecurity Regulation regarding the obligations and requirements under the Cybersecurity Act). Regulation (EU) 2017/745 on medical devices (MDR) and Regulation (EU) 2017/746 on in vitro diagnostic medical devices (IVDR) impose cybersecurity requirements on the manufacturers of medical devices. Pursuant to Article 2(2) of the CRA, products falling within the scope of the MDR and the IVDR are excluded from the scope of the CRA and are accordingly not subject to the cybersecurity requirements set out therein.

Incident Reporting in the Healthcare Sector

Healthcare entities within the scope of the Cybersecurity Act are subject to the incident reporting obligations outlined in 2.3 Incident Response and Notification Obligations. In addition, under the Client Data Act, information security breaches and disruptions affecting national information system services must be reported to the NCSC-FI. Where a significant incident also constitutes a personal data breach within the meaning of the GDPR, parallel notification obligations to the Data Protection Ombudsman apply.

Lieke Attorneys Ltd

Aleksanterinkatu 11
00100 Helsinki
Finland

+358 9 6844 410

+358 9 6844 4141

attorneys@lieke.com
lieke.com

Trends and Developments



Introduction

In today’s digital economy, cybersecurity has rapidly moved from being an IT specialist concern to a core business priority. For organisations operating in Finland, this shift reflects a combination of technological transformation, heightened regulatory expectations and a fast-evolving threat landscape. Traditional cyber risks have been compounded by geopolitical tensions, hybrid threats and increasingly sophisticated malware and ransomware campaigns. These dynamics ripple across sectors, and demand that boards, executives and risk owners understand not only the legal obligations but also the strategic and operational implications.

Finland’s cybersecurity ecosystem reflects both mature preparedness and growing challenges. Finland was one of the first EU member states to implement NIS 2, enshrined in its national Cybersecurity Act in spring 2025. At the same time, businesses face uncertainty about how future designations and national implementations – including those under the Critical Entities Resilience Directive (CER) and the Cyber Resilience Act (CRA) – will affect them. National authorities are increasingly visible in shaping expectations, providing guidance and facilitating co-operation between government and private sector actors.

Cybersecurity is not only a regulatory or operational issue in Finland – it is explicitly framed as a matter of national security and societal resilience at the highest political level. In the current Government Programme of the Finnish Government, cybersecurity and preparedness are embedded in broader objectives concerning comprehensive security, the resilience of critical infrastructure, and strengthening national defence and internal security. The programme emphasises improving cyber situational awareness, safeguarding critical digital infrastructure, reinforcing public-private co-operation, and ensuring that authorities have sufficient powers and resources to prevent and respond to cyber incidents.

In addition, cybersecurity priorities are reflected in Finland’s long-term strategic planning documents, including the national cybersecurity strategy adopted by the Finnish Government and co-ordinated by the Ministry of Transport and Communications. The strategy highlights securing digital public services, protecting supply chains, enhancing incident response capabilities, and promoting cybersecurity competence and workforce development. These objectives align closely with EU-level regulatory reforms and demonstrate that cybersecurity is treated as a cross-sectoral policy priority rather than a narrow technical domain.

Operationally, the role of national authorities has expanded. The Finnish Transport and Communications Agency, Traficom, through its National Cyber Security Centre (NCSC-FI), plays a central role in threat monitoring, incident response co-ordination, and guidance under NIS 2. Other sectoral regulators, as well as security authorities, contribute to supervisory and resilience-building efforts. The Government Programme explicitly supports strengthening these authorities’ mandates and improving information sharing between public and private actors.

This high-level political prioritisation has practical consequences for organisations. Cybersecurity is increasingly integrated into risk management, business continuity planning, procurement requirements and board-level governance. Companies operating in critical sectors – such as energy, transport, finance, healthcare, digital infrastructure and public administration – must now navigate not only technical controls but also reporting obligations, supply chain security expectations and enhanced supervisory oversight. The clear message from the Finnish policy framework is that cybersecurity is a cornerstone of economic stability, national security and trust in digital services.

Regulatory Context: High-Level Overview

Finland’s early adoption of NIS 2 signals strong national commitment to enhancing digital resilience, particularly for providers of essential services and digital infrastructure. For organisations with operations or digital dependencies in Finland, this means an earlier transition into the new EU cybersecurity baseline than in many other member states.

Beyond NIS 2, Finland is actively aligning with several major EU cybersecurity and resilience initiatives, each at varying stages of national implementation, as follows.

  • Cyber Resilience Act: the CRA establishes security requirements for products with digital components. Some provisions have begun to apply, and staged implementation of broader requirements is underway, with full application expected by 2027.
  • Critical Entities Resilience Directive: the CER expands obligations for operators of critical services across sectors. However, the formal list of nationally designated entities under CER is not yet finalised in Finland and is expected by mid-2026.
  • Digital Operational Resilience Act (DORA): DORA introduces harmonised digital resilience requirements for the financial sector. Finland has a significant financial and fintech ecosystem, including banks, payment service providers and emerging digital finance platforms. National legislative adjustments and supervisory practices are progressing alongside EU-wide application timelines, with authorities increasingly expecting firms to demonstrate robust operational resilience, third-party risk management and incident response capabilities.
  • Network Code on Cybersecurity (NCCS) for Electricity: this EU network code sets sector-specific cybersecurity standards for cross-border electricity flows.

Alongside legislative instruments, the National Cyber Security Centre Finland (NCSC-FI) plays an integral role in threat monitoring, incident response co-ordination and stakeholder engagement. NCSC-FI’s regular advisories and threat assessments reinforce expectations that organisations understand, prepare for and mitigate risks beyond basic compliance.

While Finland’s legal frameworks already establish obligations and a certain level of clarity regarding requirements, businesses should anticipate ongoing developments, particularly as scope definitions are refined and implementation timelines are clarified.

Geopolitical Drivers of Cyber Risk

Finland’s cybersecurity landscape cannot be separated from its geopolitical context. Proximity to global flashpoints and active state-level cyber actors elevates the risk profile for organisations across sectors. The following three interconnected geopolitical drivers are particularly relevant.

State-sponsored cyber operations

Finland’s highly digitalised public administration, advanced industrial base and strategic position at the EU’s external border materially influence its cyber risk profile. For legal practitioners advising boards and executive management, it is essential to recognise that cyber risk in Finland extends well beyond mere opportunistic criminality; it increasingly intersects with national security considerations, sanctions compliance, supply chain integrity and regulatory oversight.

From a risk advisory perspective, Finland’s advanced digital infrastructure, open economy and geopolitical location render it an attractive target for state-sponsored and state-aligned cyber activity. Finnish authorities, including the NCSC-FI operating under Traficom, have repeatedly highlighted the presence of advanced persistent threat (APT) activity directed at public administration, critical infrastructure and high-technology sectors.

Such campaigns are typically characterised by:

  • extended dwell times – threat actors remain undetected within networks for prolonged periods, enabling strategic intelligence gathering and the preparation of follow-on activity;
  • multi-stage attack chains, combining reconnaissance, credential harvesting, exploitation of vulnerabilities, lateral movement and data exfiltration before any overt disruption occurs; and
  • targeted disruption and influence, including attempts to interfere with critical infrastructure, logistics chains, telecommunications and energy supply.

Unlike opportunistic cybercrime, state-linked operations are persistent, adaptive and strategically motivated. From a governance standpoint, this requires organisations to move beyond traditional perimeter-based security models and to adopt continuous monitoring, zero-trust architectures and board-level cyber risk oversight, aligned with enterprise risk management frameworks.

Hybrid threats and information operations

Modern cyber threats in Finland are not limited to purely technical intrusions. They increasingly form part of broader hybrid operations, combining cyber disruption with disinformation, social engineering, physical reconnaissance and influence campaigns. Finnish authorities have publicly emphasised that the threat environment must be assessed holistically, particularly in light of Finland’s NATO membership and its strategic geographic position.

From a legal risk perspective, these hybrid activities are designed not only to exploit technical vulnerabilities but also to:

  • undermine organisational trust by creating uncertainty about the integrity of systems, leadership and decision-making;
  • erode customer and stakeholder confidence, particularly in regulated sectors such as energy, finance, telecommunications and healthcare; and
  • destabilise public perception during sensitive periods such as elections, geopolitical crises or major infrastructure developments.

Recent media reporting in Finland has highlighted incidents involving drones and unidentified third parties operating in or near security-sensitive areas, including critical infrastructure and restricted zones. While investigations and attributions are matters for the competent authorities, these cases illustrate the convergence between physical and digital risk domains. Drone overflights near energy facilities, ports or other strategic sites may serve reconnaissance purposes, test response protocols or form part of a broader intelligence-gathering effort that can subsequently support cyber intrusion or influence operations.

For organisations, this convergence has concrete compliance implications. The traditional separation between “cybersecurity” and “physical security” is increasingly artificial. Boards are expected to ensure that:

  • physical access controls and surveillance policies are aligned with cybersecurity risk management;
  • incident response plans address hybrid scenarios involving both IT compromise and physical disruption; and
  • communications strategies are prepared in advance to mitigate reputational harm arising from disinformation or co-ordinated media amplification.

Campaigns targeting supply chains or public services may therefore pursue broader political or economic leverage rather than immediate financial gain. For example, disruption of logistics chains, telecommunications infrastructure or energy distribution – whether through cyber means, physical probing or co-ordinated narrative operations – can generate effects that extend well beyond the directly affected entity.

In the Finnish regulatory context, such hybrid risks intersect with obligations under the national Cybersecurity Act (implementing NIS 2), sector-specific resilience requirements and broader national security considerations. Authorities including Traficom and other security actors operating under the framework of the Finnish Government’s comprehensive security model increasingly emphasise cross-sector information sharing and preparedness for combined cyber-physical incidents.

For legal advisers, the practical takeaway is clear: modern cyber risk assessments in Finland must extend beyond technical controls and regulatory tick-box exercises. They must incorporate hybrid threat modelling, crisis communications planning, supply chain due diligence and board-level oversight capable of addressing incidents that simultaneously affect systems, facilities, personnel and public trust.

Global and regional dependencies

No organisation operates in isolation. Cloud platforms, third-party software providers and multinational service vendors create interconnected risk surfaces. An incident affecting a widely used service can rapidly cascade through domestic ecosystems. Past global supply chain compromises have demonstrated how vulnerabilities embedded in third-party code or infrastructure can be leveraged at scale, exposing otherwise well-managed organisations to systemic disruption.

From a strategic and regulatory standpoint, this reinforces the need for Finnish organisations to prioritise structured supply chain visibility, documented vendor risk assessments and resilient architecture design. Under Finland’s Cybersecurity Act implementing NIS 2, regulated entities are required to address supply chain risks explicitly, including through contractual safeguards, incident notification mechanisms and active oversight of critical ICT providers.

Within parts of the Finnish financial sector, a discernible recalibration has emerged in response to these dependencies. While cloud adoption remains central to digital transformation, certain financial institutions have strengthened on-premise environments and invested in proprietary data centre capacity located in multiple domestic sites. This development reflects a reassessment of concentration risk, operational resilience requirements and jurisdictional exposure linked to hyperscale cloud models. The shift is not a retreat from cloud services but rather a hybridisation strategy: combining private infrastructure, geographically distributed Finnish data centres and carefully structured outsourcing arrangements designed to satisfy supervisory expectations and ensure recoverability under stress scenarios.

Finland has concurrently positioned itself as an attractive jurisdiction for large-scale data centre investments. International operators such as Google and Microsoft have expanded or announced significant data centre projects in Finland. These investments are underpinned by legal predictability, political stability, renewable energy availability and favourable climatic conditions. From a resilience perspective, growing domestic data centre capacity creates practical possibilities to define and document where certain categories of sensitive data are processed and stored. For public sector entities, critical infrastructure operators and regulated industries, the ability to demonstrate geographic control and supervisory transparency can carry both legal and strategic weight.

The expansion of cybersecurity-intensive infrastructure also intersects with Finland’s energy sector. Data centres are energy-intensive assets requiring stable, long-term power arrangements, increasingly tied to renewable generation. In certain cases, excess heat produced by data centres has been integrated into district heating systems, creating new forms of industrial co-operation and a distinct business opportunity within the energy market. This convergence of digital and energy infrastructure heightens the importance of securing industrial control systems, grid management technologies and cross-sector dependencies. Cybersecurity in this context becomes not merely an IT compliance function, but a prerequisite for safeguarding interconnected national infrastructure.

These structural dependencies materially affect investment and transactional activity. Cybersecurity due diligence has become a central component of Finnish M&A processes. Buyers assess regulatory compliance under NIS 2-derived obligations, incident history, governance maturity and supply chain exposure. Identified deficiencies may influence valuation, purchase price adjustments or post-closing remediation commitments. Representations and warranties relating to information security and data protection are negotiated with increasing specificity, and insurers providing warranty and indemnity coverage frequently scrutinise cyber risk management frameworks.

Carve-out transactions in particular raise complex questions regarding the separation of shared IT environments, data migration and transitional service arrangements. Where infrastructure assets such as data centres, telecommunications networks or managed security service providers are involved, transactions may attract heightened regulatory attention due to national security or critical infrastructure considerations.

In this environment, cybersecurity functions simultaneously as a compliance obligation, a resilience measure and a transaction variable. For organisations operating in Finland, global and regional dependencies – whether cloud-based, infrastructural or energy-linked – must be analysed not only from a technical perspective but also through the lenses of governance, regulatory exposure and strategic risk allocation.

Emerging Trends in Finland

Several distinct threat trends have gained prominence in Finland’s cyber landscape in recent years. These reflect both global dynamics and region-specific patterns.

Increasing ransomware sophistication

While ransomware remains a global concern, Finnish organisations have observed:

  • double and triple extortion tactics, where attackers not only encrypt data but also threaten to publish exfiltrated data or to disrupt services (for example through denial-of-service attacks) unless payment is made;
  • targeting of critical sectors, including healthcare, logistics and manufacturing; and
  • professionalisation of criminal networks, with Ransomware-as-a-Service (RaaS) models lowering the barrier to entry by allowing affiliates to deploy tooling developed and maintained by others.

Even when not state-sponsored, these campaigns may align with geopolitical interests indirectly by creating widespread disruption.

Blending of criminal and state-linked techniques

Attack groups are adopting tactics that blur the traditional lines between organised crime and state-linked operations. Examples include:

  • strategic exploitation of widely used software vulnerabilities;
  • use of social engineering that leverages publicly available information; and
  • targeting of critical supply chains rather than individual endpoints.

This convergence complicates detection and response, as indicators of compromise may not fit traditional threat classifications.

Elevated regulatory expectations

Finnish authorities are increasingly focused on demonstrable preparedness and maturity rather than checkbox compliance. Evidence of this trend includes:

  • incident reporting frameworks that emphasise timeliness and detail, rather than simple threshold triggers;
  • guidance that encourages sector-specific risk modelling, especially within critical infrastructure; and
  • public advisories and joint exercises that simulate real-world attack scenarios.

The practical impact is that organisations are expected to translate legal obligations into tangible processes, documentation and executive oversight.

Strategic integration of cyber resilience

Rather than being a standalone IT function, cybersecurity in Finland is being integrated into enterprise risk management and corporate governance routines. Boards and executives are increasingly involved in:

  • setting risk appetite statements;
  • approving resilience strategies; and
  • reviewing investment decisions tied to cyber risk mitigation.

This shift reflects a broader understanding that cyber resilience affects insurance, reputation, regulatory standing and long-term sustainability. Threat and regulatory intensity is not uniform across industries, but this move towards board-level ownership is visible in several sectors.

Practical Considerations for Businesses

Against this backdrop, organisations operating in Finland must approach cybersecurity as an enterprise-wide governance issue rather than a purely technical function. In the current regulatory and threat environment, resilience is contractual, organisational and strategic in nature, intersecting with compliance obligations, operational continuity and liability exposure.

Continuous risk evaluation is essential. Cyber risk is dynamic and influenced by technological developments and geopolitical factors that may heighten sector-specific vulnerabilities. Ongoing threat intelligence gathering, regular vulnerability assessments and penetration testing help identify weaknesses proactively. Scenario modelling and tabletop exercises further enable organisations to assess how cyber incidents would impact business continuity, crisis management and decision-making structures.

Effective incident detection and response capabilities are equally critical. Investment in monitoring tools and skilled personnel enhances early detection of anomalous activity, thereby limiting operational and reputational damage. Clear internal allocation of responsibilities, defined escalation paths, and integration of legal and communications functions into response planning are necessary to ensure coherent management of incidents and regulatory reporting. Engagement with competent authorities and sector peers may further support co-ordinated responses in high-impact situations.

Regulatory preparedness has assumed increased importance as European cybersecurity frameworks become fully operational in Finland. Supervisory expectations extend beyond formal compliance and require demonstrable effectiveness. Organisations should therefore maintain comprehensive documentation of risk management measures, ensure timely and accurate incident reporting mechanisms, and evidence board-level oversight and continuous review of cybersecurity practices.

Cyber risk also has significant contractual implications, particularly in ICT and outsourcing arrangements. In the Finnish market, unlimited liability often applies to breaches of confidentiality, raising the critical question of when a cybersecurity incident constitutes unauthorised disclosure triggering uncapped liability. The interaction between confidentiality, information security and data protection clauses must therefore be carefully structured, especially in ransomware scenarios involving data exfiltration. Without precise drafting, organisations may face materially higher exposure than anticipated.

Finally, resilience depends on third-party risk management and workforce awareness. Structured vendor due diligence, contractual cybersecurity safeguards and assessment of supply chain dependencies are essential to mitigating cascade effects. At the same time, targeted employee training and cross-functional crisis exercises reinforce organisational preparedness and clarify accountability.

In Finland’s evolving regulatory landscape, cybersecurity has become a core legal and governance consideration that permeates commercial risk allocation and strategic decision-making at board level.

Looking Ahead: Finland’s Cybersecurity Landscape

Finland’s digital ecosystem continues to evolve rapidly. For organisations operating in or into the Finnish market, cybersecurity must be assessed as a dynamic regulatory, geopolitical and transactional variable rather than a static compliance obligation. Key developments to monitor include:

  • the final designation of entities under the CER, clarifying which organisations will face enhanced resilience and continuity obligations as critical entities;
  • ongoing implementation of the CRA, and how product security requirements intersect with national supervisory expectations and market surveillance;
  • growing regulatory scrutiny, with authorities increasingly benchmarking sector preparedness, governance maturity and the quality and timeliness of incident reporting;
  • the integration of AI and automation in both defensive and offensive cyber operations – a trend expected to accelerate and to influence both risk exposure and regulatory responses; and
  • deepening cross-border co-operation and public-private partnerships, particularly within the EU and NATO frameworks, aimed at streamlining threat intelligence exchange and strengthening collective resilience.

An additional example of the expanding regulatory perimeter is the treatment of dual-use technologies. Certain cybersecurity tools – such as advanced encryption, intrusion software or surveillance-related technologies – may qualify as dual-use items under the EU export control rules (Regulation (EU) 2021/821). For Finnish technology companies, this means that exporting such solutions outside the EU, or engaging in cross-border transactions involving sensitive technologies, can trigger licensing requirements and enhanced due diligence obligations. Cybersecurity strategy therefore increasingly intersects with export control and national security considerations.

To thrive in the Finnish jurisdiction, organisations will need to adopt forward-looking cybersecurity strategies that integrate regulatory compliance, export control awareness, business continuity planning and technological innovation. In an environment shaped by hybrid threats, infrastructure interdependencies and heightened supervisory oversight, cybersecurity is no longer confined to IT departments but is embedded in governance, capital allocation and international market access.

Conclusion

The Finnish cybersecurity landscape presents both significant challenges and strategic opportunities. While the regulatory environment is robust and evolving, emerging threats – including state-sponsored attacks, hybrid campaigns and sophisticated ransomware – have elevated expectations for proactive risk management. Increasingly, cybersecurity is not merely a defensive function but a core part of organisational strategy.

Organisations that demonstrate resilience through continuous risk evaluation, structured governance and adaptive operational practices will be best positioned to navigate Finland’s complex, interconnected and ever-shifting cyber environment.

Lieke Attorneys Ltd

Aleksanterinkatu 11
00100 Helsinki
Finland

+358 9 6844 410

+358 9 6844 4141

attorneys@lieke.com

lieke.com