
Finland NIS2 Penalties Under Kyberturvallisuuslaki: How Traficom’s 3-Stage Enforcement Ladder Leads to €10M Fines

Finland entered 2025 as one of the first Nordic countries with NIS2 fully converted into national law. The Kyberturvallisuuslaki — Cybersecurity Act 124/2025 — entered into force on 8 April 2025, placing roughly 5,500 Finnish organisations under active cybersecurity supervision under a single horizontal statute for the first time.

The registration deadline passed in May 2025. The risk management model deadline passed in July 2025. The first formal audit cycles for essential entities are expected in 2026. Unlike the broader EU transposition wave — where the October 2024 deadline came and went with limited enforcement activity in many member states — Finland’s own compliance windows are now in the past.

This guide maps the exact path from supervisory notice to maximum financial penalty: which of Finland’s eight supervisory authorities monitors your sector, how the enforcement ladder escalates under Article 32, what the seuraamusmaksulautakunta (administrative fine board) does and why its two-step mechanism matters, and what personal liability management boards carry under Finnish law. The EU-wide NIS2 penalty framework sets the ceiling; Finland’s national law determines who enforces it and how.

Who Must Comply: Scope Under the Kyberturvallisuuslaki

The Finnish Cybersecurity Act applies NIS2’s two-tier classification directly. An entity’s category — essential or important — determines both the maximum fine it faces and the supervisory intensity it will experience.


Essential entities are large enterprises operating in the Annex I highly critical sectors: energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management (including managed services and managed security service providers), public administration, and space. Large means more than 250 employees, or annual turnover exceeding €50 million combined with a balance sheet exceeding €43 million. Crucially, size thresholds do not apply to DNS service providers, TLD name registries, trust service providers, and providers of public electronic communications networks — these are essential entities regardless of headcount.

Important entities are medium enterprises in the same Annex I sectors plus the expanded Annex II sectors: postal and courier services, waste management, manufacture of chemicals, medical devices, motor vehicles, computers and electronics, digital providers, and research organisations. Medium means 50–249 employees or annual turnover of €10–€50 million.

| Classification | Size Threshold | Sectors |
|---|---|---|
| Essential entity | >250 employees OR >€50M turnover + >€43M balance sheet | Annex I (energy, transport, banking, healthcare, digital infrastructure, public administration, space) |
| Essential entity | Any size | DNS providers, TLD registries, trust service providers, public electronic comms networks |
| Important entity | 50–249 employees OR €10M–€50M turnover | Annex I + Annex II (manufacturing, postal, waste, digital providers, research) |
| Public administration | Varies | Full Article 21 and Article 23 compliance obligations; exempt from administrative fines |

Public administration entities face the same risk management and incident reporting obligations as private entities. The exemption applies only to the financial penalty, not to the compliance obligation or to other enforcement tools. The essential vs. important classification also determines supervisory intensity: essential entities are subject to proactive (ex-ante) supervision from day one; important entities to reactive (ex-post) supervision triggered by suspected non-compliance.

Finland’s Eight Supervisory Authorities — Which One Watches Your Sector

Finland chose a decentralised supervisory model. Eight sector-specific agencies share responsibility under the Kyberturvallisuuslaki, with Traficom’s National Cyber Security Centre Finland (NCSC-FI) serving as the central coordination point and single point of contact under the NIS2 Directive. The practical consequence: which authority initiates any enforcement action against your organisation depends entirely on your sector — not your company’s size or location.

A banking institution answers to the Financial Supervisory Authority (FIN-FSA). A food manufacturer answers to the Finnish Food Authority. An energy company answers to the Finnish Energy Authority. Traficom handles the broadest set of sectors — telecommunications, digital infrastructure, postal services, space, public administration, and managed service providers — but it is not the sole enforcer.

| Sector | Supervisory Authority |
|---|---|
| Telecommunications, digital infrastructure, postal, space, public administration, managed services, DNS/TLD | Traficom (NCSC-FI) |
| Energy (electricity, gas, district heating) | Finnish Energy Authority |
| Chemical safety, certain manufacturing | Tukes (Safety and Chemicals Agency) |
| Water and wastewater | South Savo ELY Centre |
| Food production, processing, wholesale | Finnish Food Authority |
| Healthcare and social welfare (supervisory) | Valvira |
| Pharmaceuticals (manufacturing and medicines) | Fimea |
| Banking and financial market infrastructure | FIN-FSA (Financial Supervisory Authority) |

Traficom’s NCSC-FI coordinates cross-border supervision, maintains the national entity register, and operates the national incident reporting portal. It does not replace the sector supervisors — it coordinates them. An organisation operating in multiple covered sectors must register separately with each relevant supervisory authority and address each authority’s sector-specific supervisory requirements.

Traficom’s 3-Stage Enforcement Ladder — From Notice to €10M Fine

The Kyberturvallisuuslaki enforcement path follows Article 32 of the NIS2 Directive, implemented through Finnish administrative law. Enforcement escalates in three stages, with each stage adding legal force and financial exposure. The full set of NIS2 supervisory measures at each stage is enumerated in Article 32 of the Directive, and Finland has implemented them in full.

Stage 1 — Warning and Compliance Notice

For essential entities, supervisors conduct proactive supervision: they may request documentation, conduct on-site inspections, or carry out security audits without waiting for a reported incident. For important entities, supervision is reactive: the authority requires a justified reason to suspect non-compliance before initiating a full investigation, typically triggered by a reported incident, a missed registration deadline, or a complaint.

At Stage 1, the supervisory authority issues a warning or a compliance notice identifying the gap and specifying a remediation deadline. No financial penalty is imposed at this stage. First-time findings with documented good-faith compliance effort — an entity that has registered, implemented partial controls, and reported incidents — are unlikely to progress directly to Stage 3 without Stage 2 escalation first.

Stage 2 — Binding Orders

If Stage 1 fails to produce compliance, the authority escalates to binding orders under Article 32(4) of the Directive. At this stage, enforcement carries real legal force. Available tools include:

  • Binding instructions with a specific remediation deadline
  • Order to align cybersecurity risk management measures with Article 21 — covering any of the ten minimum security domains
  • Order to fulfil Article 23 incident notification obligations
  • Order to cease infringing conduct
  • Order to notify service users of a cyber threat
  • Implementation directives based on a security audit already carried out
  • Designation of a monitoring officer with access to the entity’s operations
  • Periodic penalty payments (daily fines) accruing until the binding order is fulfilled
  • Public notification order requiring the entity to publicly disclose the infringement

The public notification order is particularly significant for organisations with public-sector customers, listed company status, or supply chain partners. A publicly ordered disclosure can carry reputational consequences that rival the financial penalty in operational impact.

Stage 3 — Administrative Fine via the Seuraamusmaksulautakunta

Where binding orders are violated, or where the infringement is intentional or grossly negligent, the supervisory authority may refer the matter to the seuraamusmaksulautakunta — Finland’s dedicated administrative fine board. This is the structural feature that distinguishes Finland’s enforcement from several EU counterparts: the sector supervisory authority does not impose the fine itself.

Instead, it submits a formal proposal to the seuraamusmaksulautakunta, an independent multi-authority body housed at Traficom and composed of members appointed by all supervisory authorities. The board assesses the proposal, applies the statutory proportionality criteria, and issues the binding penalty decision. There is a procedural gap between a supervisory authority deciding to pursue a fine and the board actually imposing it — an entity that receives a referral notification has an opportunity to present evidence of corrective action to the board before the decision is finalised. Fine board decisions may be appealed through Finland’s administrative courts under the Administrative Judicial Procedure Act.

Beyond Stage 3: Certificate Suspension and Director Function Prohibition

For repeated or particularly serious violations, Article 32(5) of the Directive authorises competent authorities to go further: temporary suspension of the entity’s certifications or authorisations, directly affecting its legal ability to provide regulated services; and a temporary prohibition of a responsible manager from exercising managerial functions. The director-level prohibition targets named individuals at executive or board level and is separate from, and supplemental to, any financial fine imposed on the organisation.

Penalty Amounts: Essential vs. Important Entities

Under Article 34 of the NIS2 Directive, as implemented in the Kyberturvallisuuslaki, maximum administrative fines are set by comparing two figures: a fixed euro ceiling and a percentage of global annual turnover — whichever is higher applies.

| Entity Classification | Fixed Maximum | Turnover-Based Maximum | Rule |
|---|---|---|---|
| Essential entity | €10,000,000 | 2% of total worldwide annual turnover (preceding financial year) | Whichever is higher |
| Important entity | €7,000,000 | 1.4% of total worldwide annual turnover (preceding financial year) | Whichever is higher |

The “whichever is higher” rule matters for large organisations. A Finnish essential entity with €600 million in global turnover faces a theoretical fine ceiling of €12 million under the 2% calculation — not €10 million. The fixed amount is a floor for significant operators, not a cap.

Fines are not applied at the ceiling by default. Article 34 requires fines to be effective, proportionate, and dissuasive, taking into account the circumstances of each individual case. Relevant factors include the severity and duration of the infringement; whether the violation was intentional or the result of gross negligence (which pushes exposure toward the maximum) versus a good-faith compliance effort that fell short; actions taken to mitigate harm; prior infringements; and cooperation with the supervisory authority during the investigation. For SMEs at the important entity threshold, an entity that registered, built a partial security framework, and reported an incident faces a materially different exposure than one that ignored all compliance obligations entirely.

Director Liability: Personal Risk Beyond the Financial Fine

The Kyberturvallisuuslaki follows NIS2’s requirement that management bodies are personally responsible for approving and overseeing their organisation’s cybersecurity risk management measures. The personal exposure extends beyond the financial penalty applied to the entity itself.

Under Article 32(5) of the NIS2 Directive, the competent authority may temporarily prohibit any natural person exercising executive responsibility at an essential entity from performing managerial functions, where the entity has been found to have committed serious violations. The prohibition applies to CEOs, CISOs, and board members — any person whose failure to exercise adequate governance responsibility contributed to the compliance failure. The board-level NIS2 accountability obligations are therefore not a governance formality: they are a direct personal risk management question for named executives.

Beyond the NIS2 framework, Finnish Companies Act provisions on director disqualification apply independently for serious, knowing violations. A director who was aware of, or reasonably should have been aware of, material compliance failures and failed to act may face disqualification from corporate governance roles under Finnish company law. The practical requirement at board level: formally approve a cybersecurity risk management program, receive and review periodic implementation reports, and document that oversight through board minutes. The absence of that paper trail is itself a risk signal for any supervisory investigation.

Public Administration Entities: No Fines, But Not Exempt

Finnish public bodies — municipalities, state agencies, public hospitals, and public utilities — are in scope for the Kyberturvallisuuslaki’s compliance obligations. They must implement Article 21 risk management measures and fulfil Article 23 incident reporting requirements. They must register with the appropriate supervisory authority. The one element of the Finnish Act that does not apply to public entities is the administrative fine.

Finland exercised the discretion available under Article 34(4) of the NIS2 Directive, which allows member states to determine whether and to what extent administrative fines may be imposed on public administration entities. Finland chose exemption from fines. The specific NIS2 obligations for public administration nonetheless remain fully applicable.

The alternative enforcement path uses the same Stage 2 binding order tools available for private entities: corrective orders with deadlines, periodic penalty payments for non-compliance with those orders, and — where a cyber threat affecting users is not disclosed — public notification orders. The State Audit Office may also review compliance as part of its broader institutional accountability mandate. For IT and security teams in Finnish public organisations, the absence of financial fines does not mean the absence of scrutiny. Proactive supervision of essential public entities proceeds on the same basis as for private essential entities.

Preparing Before the 2026 Audit Cycle

With Act 124/2025 in force since April 2025 and compliance deadlines for risk management documentation already passed, the question for in-scope organisations is what supervisory authorities will find when they look — not whether they will look. Audit preparation is the default mode for essential entities from day one of the Act’s operation.

Essential entities face ex-ante (proactive) supervision: Traficom and sector supervisors can request documentation or conduct inspections without waiting for an incident. Important entities face ex-post (reactive) supervision, but a reported incident, a missed notification deadline, or a third-party complaint triggers the full escalation path. The reactive start point does not mean a lower compliance standard — it means a different trigger.

Based on the Act’s compliance framework, early audit cycles are likely to examine the following in priority order:

  • Registration status — is the entity listed in the supervisory authority’s entity register? A missing registration is itself an infringement, separate from any substantive security failure
  • Risk management documentation — is there a written cybersecurity risk management procedure covering the Article 21 minimum security domains?
  • Incident reporting procedures — is there a defined internal process enabling the 24-hour early warning, 72-hour full notification, and 30-day final report under Article 23?
  • Board approval on record — do board or management committee minutes document formal approval of the cybersecurity risk management program?
  • Governance chain — is there a named responsible manager and a documented escalation path from technical teams to board level?

Entities that can produce clear documentation for each of these points are positioned for a constructive initial supervisory interaction. Entities that cannot are at Stage 1 risk the moment a supervisory authority makes contact.

Frequently Asked Questions

Can Finnish public sector entities be fined under the Kyberturvallisuuslaki?
No. Finland exercised the discretion in Article 34(4) of the NIS2 Directive to exempt public administration entities from administrative fines. They remain subject to binding corrective orders, periodic penalty payments for non-compliance with those orders, and State Audit Office oversight. The Article 21 and 23 compliance obligations apply in full.

What triggers escalation from a warning to an administrative fine?
Intentional or grossly negligent violations, and repeated failure to comply with Stage 2 binding orders, are the primary escalation triggers. First-time findings with documented good-faith compliance effort typically remain at Stage 1 or Stage 2. The sector supervisory authority proposes the fine — it does not impose it directly. The seuraamusmaksulautakunta at Traficom makes the final binding decision.

Can a CEO or board member face personal sanctions under the Act?
Yes. Article 32(5) of the NIS2 Directive, as implemented in Finland, allows the competent authority to temporarily prohibit a person exercising executive responsibility from performing managerial functions. Finnish Companies Act director disqualification provisions provide a separate, additional mechanism for serious, knowing violations.

Which authority supervises managed service providers in Finland?
Traficom (NCSC-FI) supervises managed service providers and managed security service providers in Finland. For ICT service management companies operating in Finland, Traficom is the relevant supervisory authority for registration, compliance monitoring, and enforcement referrals.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
