
Finland Among First EU States to Enforce NIS2: Kyberturvallisuuslaki in Force Since April 2025 — What Traficom Now Requires

Finland’s Kyberturvallisuuslaki — Cybersecurity Act 124/2025 — entered into force on 8 April 2025, making Finland one of the first EU member states to move from transposition to active enforcement of Directive (EU) 2022/2555 (NIS2). For Finnish organisations, this is not a planning exercise: Traficom’s supervisory powers are live, registration deadlines have closed, and the obligation to have a cybersecurity risk management model in place fell on 8 July 2025.

The Act expanded Finland’s cybersecurity perimeter from roughly 1,100 entities under the predecessor NIS1 framework to approximately 5,500 organisations across both the private and public sectors. It created — for the first time in Finnish legal history — a single horizontal cybersecurity law replacing a patchwork of sector-specific provisions.

This guide covers everything compliance officers, IT security managers, and board members need to understand: who is in scope, the Section 9 twelve-point risk management framework, Traficom’s supervisory architecture, incident reporting obligations, management body accountability, and penalty exposure under the Act.

How Finland Transposed NIS2 — and Why April 2025 Is a Watershed Date

The EU deadline for transposing Directive (EU) 2022/2555 was 17 October 2024. Finland did not meet it. The European Commission formally acknowledged this on 7 May 2025 by issuing a reasoned opinion for failure to notify full transposition. Despite this, the Kyberturvallisuuslaki had already passed the Finnish Parliament and entered into force on 8 April 2025 — completing implementation ahead of the majority of EU member states, with only 14 of 27 having transposed by July 2025.

The resulting Act 124/2025 represented the first time Finland introduced horizontal cybersecurity obligations through a single statute. Before it, NIS1 compliance had been distributed across multiple sector-specific laws, creating inconsistencies in scope definitions, reporting timelines, and supervisory responsibility. The Kyberturvallisuuslaki consolidated all of that into one framework with a single set of rules for essential and important entities across all covered sectors.

One design decision defined the Finnish approach: minimum harmonization. Rather than imposing obligations stricter than the Directive, Finland set requirements at the minimum level the Directive requires. The explicit rationale was reducing compliance friction for cross-border operators managing NIS2 across multiple EU jurisdictions. In practice, this means Finnish entities face a less prescriptive documentation burden than those in Germany, where mandatory regular audits apply to all covered companies. Finland’s model requires a “functioning and verifiable risk management system tailored to specific circumstances” — demonstrable on demand, rather than validated by annual external certification.

The Act also amended the Act on Information Management in Public Administration (906/2019) by inserting a new Chapter 4a, bringing public sector entities under equivalent cybersecurity obligations through a parallel legislative track.

Key dates from Traficom’s official announcement:

| Obligation | Deadline |
| --- | --- |
| Act enters into force | 8 April 2025 |
| Entity registration with supervisory authority | 8 May 2025 |
| Cybersecurity risk management model in place | 8 July 2025 |
| Public administration (Chapter 4a) obligations | 8 April 2025 (no transitional period) |

Who Must Comply — Scope, Entity Classification, and the “Does This Apply?” Test

The Kyberturvallisuuslaki draws its scope from NIS2’s two-tier classification system. Every organisation in scope is designated as either an essential entity or an important entity, with different supervision intensity and maximum penalty exposure depending on which category applies.

Essential entities are large or medium organisations operating in highly critical sectors listed in Annex I of the Directive: energy, transport, banking (covered separately under DORA), financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (managed service providers and managed security service providers), public administration, and space. Certain digital infrastructure operators — DNS service providers, top-level domain registries, cloud computing services, data centre services, content delivery networks, and trust service providers — are classified as essential regardless of company size.

Important entities are organisations in Annex II sectors that meet the medium-enterprise size threshold but fall below the essential-entity definition. Annex II covers postal and courier services, waste management, manufacture of chemicals, food production and processing, manufacturing of medical devices, computers, electronics, motor vehicles, and other products, digital providers, and research organisations.

The operative size thresholds are:

  • Essential entity: ≥250 employees OR ≥€50 million annual turnover
  • Important entity: ≥50 employees OR ≥€10 million annual turnover
  • Below these thresholds: generally excluded unless the entity provides critical services or falls into a size-exempt digital infrastructure category

Banking and financial market infrastructure entities are explicitly excluded from the Cybersecurity Act — they comply with DORA (Regulation (EU) 2022/2554) instead. Public administration bodies follow Act 906/2019 Chapter 4a. Multi-sector entities must register with each relevant sectoral supervisory authority separately.

For a detailed breakdown of the essential versus important distinction across all sectors, see the guide to essential vs important entity classification.

| Question | If YES | If NO |
| --- | --- | --- |
| Is the organisation established in Finland? | Continue | Not covered by Finnish Act |
| Does it operate in an Annex I or Annex II sector? | Continue | Not in scope |
| Does it have ≥50 employees or ≥€10M turnover? | Continue | Likely excluded (check DNS/TLD/trust service exception) |
| Is it a bank or financial market infrastructure? | DORA applies instead | Continue |
| Is it a central government or municipal body? | Act 906/2019 Chapter 4a applies | Cybersecurity Act 124/2025 applies |

The Dual Framework — Cybersecurity Act 124/2025 and Act 906/2019 for Public Administration

Finland deliberately separated private-sector and public-sector obligations rather than folding everything into one statute. The Kyberturvallisuuslaki covers essential and important entities operating commercially. Central government bodies, municipalities, and public administration entities operate under a parallel track: Chapter 4a inserted into Act 906/2019 (the Act on Information Management in Public Administration), which contains cybersecurity risk management and incident reporting obligations equivalent to the Cybersecurity Act.

The practical significance is twofold.

First, public administration entities faced no transitional period. Unlike private-sector organisations, which had until 8 May 2025 to register and until 8 July 2025 to establish their risk management model, public entities were bound from the moment Act 124/2025 entered into force on 8 April 2025. There was no grace period, no phased implementation, and no relaxation for smaller public bodies.

Second, public administration entities are explicitly exempt from administrative fines. Non-compliance triggers corrective orders and other enforcement measures rather than monetary penalties. Finland exercised the Directive’s optional carve-out for public sector fines in full. This does not mean the obligations are optional — the corrective order mechanism is binding and supervisory authorities have the power to compel remediation.

For organisations at the boundary between public and private — publicly-owned commercial companies, state enterprises operating in competitive markets, or entities with mixed ownership structures — the question of which legal track applies requires careful analysis of the entity’s legal form and primary function. Traficom’s guidance and sector authority interpretation will govern edge cases.

Section 9’s 12-Point Risk Management Framework: What Traficom Expects

Section 9 of the Kyberturvallisuuslaki defines the content of the cybersecurity risk management model that every in-scope entity must establish, document, and maintain. The model must take an all-hazards approach — covering both deliberate cyberattacks and accidental events — with measures proportionate to the entity’s risk exposure and the sensitivity of the services it provides.

The twelve required components are:

1. Risk management policy and effectiveness assessment. A documented policy covering how risks are identified, evaluated, treated, and tracked. The policy must be reviewed at minimum after significant incidents or material changes to the organisation’s systems or services.

2. Network and information systems security policy. Baseline technical security requirements for IT and OT environments, covering configuration standards, network segmentation, and perimeter controls.

3. Secure acquisition, development, and maintenance. Security requirements applied throughout the procurement and development lifecycle: vendor due diligence, secure coding standards, change management controls, and post-deployment vulnerability management.

4. Digital supplier security and supply chain practices. Assessment of direct suppliers’ cybersecurity practices, including contractual security clauses, ongoing monitoring, and evaluation of the security quality of products and services incorporated into the entity’s operations. This directly implements Article 21(2)(d) of Directive (EU) 2022/2555. For detailed guidance, see NIS2 supply chain security requirements.

5. Asset management and critical operations identification. An inventory of information assets, systems, and data flows supporting critical service delivery, with classification of those whose disruption would constitute a significant incident.

6. Personnel security and cybersecurity training. Background checks where appropriate, cybersecurity responsibilities embedded in employment contracts, and a mandatory annual minimum of cybersecurity training for all staff — including every member of the management body. This annual training requirement is among the few prescriptive periodicity obligations in the Act.

7. Access management and authentication. Role-based access controls, the principle of least privilege, and mandatory multi-factor authentication for administrative access and remote access to systems supporting critical services. MFA is explicitly required under Section 9 and maps to Article 21(2)(j) of the Directive.

8. Cryptography and encryption policies. Documented standards covering data in transit and at rest, key management procedures, and approved cipher suites. Policies must address both internal systems and data exchanged with third parties and suppliers.

9. Incident detection and handling. Documented procedures covering detection capabilities, classification criteria, containment, recovery, and post-incident review. The handling procedure must align with the three-stage notification timeline described below. See also the full guide to Article 23 incident notification.

10. Backup, disaster recovery, and crisis management. Backup procedures with defined recovery time and recovery point objectives, tested restoration processes, and a business continuity plan covering critical service disruption scenarios. This implements Article 21(2)(c) of the Directive.

11. Baseline information security practices. General cyber hygiene: a structured patching cadence, secure default configurations, software asset management, and a formal vulnerability management programme.

12. Physical environment security for IT/OT systems. Physical access controls for server rooms, data centres, and OT equipment; environmental monitoring; and documented procedures for hardware disposal and decommissioning.

The deadline for having this model documented and operational was 8 July 2025. Finland’s design, unlike Germany’s, does not mandate regular external audits for all entities. The Act requires a system that is “functioning and verifiable” — demonstrable on demand to a supervisory authority — rather than one validated through annual external certification. Section 10 adds a management overlay: the management body must formally approve the risk management measures and must demonstrate sufficient personal understanding of cybersecurity risk to fulfil that approval meaningfully.

Incident Reporting — The Three-Stage Timeline

Any significant incident affecting a service covered by the Act must be reported to the relevant supervisory authority through Traficom’s electronic service portal. A significant incident is one that causes or could cause material operational disruption, financial loss, or substantial damage to third parties. Organisations make the initial assessment themselves: the Act defines no precise quantitative threshold, so the judgement must be made against the entity’s own critical service profile.

| Stage | Deadline | Required content |
| --- | --- | --- |
| Early warning | 24 hours after detection | Initial notification that an incident has occurred; no detailed analysis required at this stage |
| Incident notification | 72 hours after detection | Incident classification, initial impact assessment, indication of whether malicious activity is suspected |
| Final report | One month after detection | Full technical description, root cause analysis, mitigation steps taken, cross-border impact if applicable |

For ongoing incidents, progress reports are required at regular intervals until resolution. The Act also permits voluntary reporting of non-significant incidents that the organisation considers relevant to the national threat picture. Voluntary reports do not trigger supervisory scrutiny and are intended to strengthen NCSC-FI’s visibility of the threat landscape.

Reports go to the sector-specific supervisory authority for that entity — not to Traficom directly, unless Traficom is that entity’s designated supervisor. Where incidents span multiple sectors or have cross-border impact, NCSC-FI coordinates between national authorities and acts as the single point of contact with EU counterparts.

Traficom, NCSC-FI, and the Sector Authority Network

Finland’s supervisory model is deliberately decentralised. Traficom, acting through NCSC-FI (the National Cyber Security Centre Finland), serves as the central coordinator and single point of contact, but day-to-day compliance oversight rests with the sector-specific authority for each entity’s industry. CERT-FI, the national CSIRT, also operates within Traficom but handles incident response coordination rather than supervision.

| Sector | Supervisory authority |
| --- | --- |
| Postal/courier, space, MSPs, MSSPs, research, transport/vehicle manufacturing | Finnish Transport and Communications Agency (Traficom) |
| Energy (electricity, gas, district heating) | Finnish Energy Authority |
| Chemicals, consumer product safety | Finnish Safety and Chemicals Agency (Tukes) |
| Healthcare, social welfare | National Supervisory Authority for Welfare and Health (Valvira) |
| Pharmaceutical sector | Finnish Medicines Agency (Fimea) |
| Food production and processing | Finnish Food Authority |
| Banking and financial market infrastructure | Financial Supervisory Authority (DORA framework) |

The supervision intensity differs by entity classification. Essential entities face proactive, ex-ante supervision: regular conformity assessments, information requests, and audits initiated by the authority without needing a triggering incident. Important entities face reactive, ex-post enforcement: supervisory action is triggered by justified suspicion of non-compliance or following a reported incident. This distinction has a direct implication for compliance risk management — essential entities should expect supervisory contact before any problem arises, while important entities may not see their first interaction until something goes wrong.

An independent Sanctions Board handles formal enforcement decisions. Supervisory powers include information access, audit rights, mandatory corrective action orders, warnings, and — for repeated or serious violations — applications for a board-level ban on individuals.

Penalties, Supervision, and Management Accountability

Administrative fines under the Kyberturvallisuuslaki follow the NIS2 Directive’s minimum penalty floors, with Finland electing not to impose maxima higher than the Directive requires:

| Entity type | Maximum administrative fine |
| --- | --- |
| Essential entity | €10,000,000 or 2% of total worldwide annual turnover (whichever is higher) |
| Important entity | €7,000,000 or 1.4% of total worldwide annual turnover (whichever is higher) |
| Public administration entity | No administrative fine; corrective orders apply |

Fines attach to the entity. However, the management accountability provisions in Section 10 create significant personal exposure for individuals in leadership roles.

Under Finnish law, the “management body” is explicitly defined as the board of directors, the CEO, and any other person who effectively manages the organisation’s operations. The Act imposes three obligations on this body directly:

  1. The management body must formally approve the cybersecurity risk management measures established under Section 9.
  2. Management must possess adequate knowledge of cybersecurity risk management — satisfying this requires completing appropriate cybersecurity training, not merely delegating the topic to IT.
  3. The management body must ensure that annual cybersecurity training for all staff is resourced and delivered.

The most significant personal consequence for leadership: following repeated or serious violations of the Act, a supervisory authority may apply for a prohibition preventing a named individual from serving as a board member or deputy member. This board-ban provision has no equivalent in many other EU member state implementations and signals that Finland treats cybersecurity governance failure as a personal, not merely organisational, accountability matter. For more on the board’s obligations, see the guide on NIS2 board and director responsibilities.

There is no statutory requirement to appoint a Chief Information Security Officer. The Act assigns cybersecurity responsibility collectively to the management body, not to a named officer. Whether a CISO is appointed remains a governance decision rather than a regulatory one.

Your Compliance Roadmap — What Finnish Organisations Need to Do Now

The registration deadline (8 May 2025) and risk management model deadline (8 July 2025) have both passed. Organisations that missed either obligation face supervisory scrutiny. The appropriate response is not to wait for regulatory contact but to complete the outstanding obligations as rapidly as possible, document the timeline, and consider proactive engagement with the relevant supervisory authority to explain progress made.

| Step | Action | Effort | Responsible |
| --- | --- | --- | --- |
| 1 | Confirm whether the organisation falls in scope (Annex I/II sector + size threshold) | Low | Legal / Compliance |
| 2 | Identify the correct supervisory authority for your sector | Low | Legal |
| 3 | Register with the supervisory authority (if not already done) | Low | Compliance officer |
| 4 | Draft the Section 9 risk management model covering all 12 points | High | IT Security / CISO |
| 5 | Obtain formal board approval of the risk management measures (Section 10) | Medium | Management body |
| 6 | Complete management cybersecurity training to fulfil Section 10 knowledge requirements | Medium | Board / CEO |
| 7 | Establish and schedule annual cybersecurity training for all staff | Low | HR / IT Security |
| 8 | Implement incident detection and three-stage reporting procedure | Medium | IT Security |
| 9 | Document supply chain security practices and update supplier contracts | Medium | Procurement / Legal |
| 10 | Implement technical controls: MFA, access control, cryptography, patching cadence | High | IT Security |

ISO 27001 fast track. Organisations already certified to ISO/IEC 27001 through an accredited Conformity Assessment Body can present that certification as compliance evidence to competent authorities. ISO 27001 alignment substantially reduces the evidence gap for Section 9’s technical measures. It does not replace registration, incident reporting, or management body approval requirements — those obligations remain regardless of certification status.

Role responsibility mapping:

| Role | Primary obligations under Act 124/2025 |
| --- | --- |
| Board / CEO | Approve risk management model; demonstrate cybersecurity competency; personal liability for repeated violations |
| Compliance Officer / Legal | Determine scope; manage registration; define incident escalation path; monitor regulatory updates |
| IT Security / CISO | Build and document the 12-point Section 9 model; implement technical controls; maintain incident detection capability |
| Procurement | Supply chain security assessments; contractual security requirements for direct suppliers |
| HR | Annual training programme; cybersecurity clauses in employment contracts; personnel security checks where appropriate |

For a detailed step-by-step implementation timeline, see the 90-day NIS2 compliance roadmap for SMEs. For the full registration process across all EU member states, see the entity registration guide.

Frequently Asked Questions

Does the Kyberturvallisuuslaki apply to foreign companies operating in Finland?
Yes, if those entities are established in Finland — meaning they have a registered branch, subsidiary, or appointed EU representative — and provide services covered by Annexes I or II of the Directive. The place of establishment, not the nationality of ownership, determines which member state’s implementation applies.

How does Finland’s implementation differ from Germany’s?
Finland adopted minimum harmonization, setting obligations at the Directive’s floor without adding mandatory regular audits for all covered entities. Germany’s implementation applies more prescriptive audit requirements to its approximately 30,000 affected organisations. Finnish entities face a functioning-system standard, demonstrable on demand, rather than periodic external certification.

What sectors were added by NIS2 that were not covered under NIS1 in Finland?
The expanded scope added food production and processing, manufacturing (medical devices, computers, electronics, motor vehicles), chemicals, space operations, waste management, managed service providers, managed security service providers, and research organisations. Most of these sectors had no prior NIS1 obligations.

Is there a grace period for organisations that missed the July 2025 risk management deadline?
The Act contains no explicit grace period. Organisations that have not yet completed their risk management model should do so immediately, document the implementation timeline, and consider proactive engagement with their supervisory authority to demonstrate good-faith progress. Waiting for regulatory contact before acting increases exposure.

Does ISO 27001 certification satisfy the Kyberturvallisuuslaki requirements?
ISO 27001 certification can serve as compliance evidence for the technical and organisational measures required by Section 9. It does not replace the registration obligation, the three-stage incident reporting requirement, or the management body approval and training obligations. Certification reduces the evidence burden for audits but does not eliminate the legal obligations.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Sources

  1. Cybersecurity Act passed by Parliament, obligations under NIS-2 directive enter force 8 April 2025 — Traficom (Finnish Transport and Communications Agency), official announcement
  2. Directive (EU) 2022/2555 (NIS2 Directive) — EUR-Lex, Articles 21, 23, 34, Annexes I and II
  3. NIS2 Directive implementation in Finland — European Commission, Digital Strategy
  4. Cybersecurity Laws and Regulations Report 2026: Finland — ICLG
  5. Finnish Cybersecurity Act enters into force — Roschier Attorneys
  6. Implementing the NIS 2 Directive in Finland: The New Cybersecurity Act — Lov & Data
  7. Implementation of the NIS2 Directive in Finland: New Cyber Security Requirements — Dittmar & Indrenius Attorneys
  8. Finland’s New Cybersecurity Act: What Food Industry Leaders Must Know — Econ
  9. NIS2 Finland — Requirements & Certification for Compliance — NIS2Certification.eu
