NIS2 Finland: what you need to know about compliance and certification

The original NIS1 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 was introduced to strengthen cybersecurity within the EU.
Due to the increasing threat of cyber attacks, this directive was replaced by the NIS2 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, which imposes stricter requirements and has a broader scope to increase the resilience of critical infrastructures against cyber attacks.
The NIS2 Directive was transposed into Finnish law through the Cybersecurity Act (Kyberturvallisuuslaki 124/2025), which entered into force on 8 April 2025. In addition to the Cybersecurity Act, there are 14 legislative amendments implementing the NIS2 Directive, including the Act amending the Act on Information Management in Public Administration.
On this page, you will find everything you need to know about the impact of NIS2 on your organisation and how you can prepare for the new regulations.
NIS2 entities
The Finnish Cybersecurity Act applies to both legal entities and natural persons (collectively referred to as “entities”) that are registered in Finland and provide products and/or services in an EU country. The Finnish Cybersecurity Act largely corresponds to the European NIS2 Directive.
The cybersecurity law explicitly defines which public and private entities are subject to cybersecurity obligations. A distinction is made between essential entities and important entities. The categorisation of entities takes into account the services provided, the size of the entity and the location of the entity.
In principle, your entity is subject to the Finnish cybersecurity law if:
- Your organisation provides services within a sector listed in Annex I and Annex II of the NIS2 Act;
- Your organisation exceeds the thresholds for medium-sized enterprises; and
- Your organisation is established in Finland (with the exception of providers of public electronic communications networks and providers of public electronic communications services).
In addition, the law applies to the following specific providers, regardless of the size of the entity. These are:
- Providers of public electronic communications networks or services
- Providers of trust services
- Domain name registry operators
- DNS providers
The law also applies to entities, regardless of their size, if their activities are crucial to society or the economy. This is the case if:
- They provide services that are essential to critical societal or economic functions and are not provided by other providers
- A disruption of their services would have a significant impact on public order, safety or public health
- An incident at their premises could cause systemic risks with cross-border consequences
- They are of strategic or vital importance at national or regional level, for example due to dependencies in other sectors
The Finnish cybersecurity law does not apply to:
- The financial sector (which is covered by the Digital Operational Resilience Act (DORA) in Finland)
- Companies whose activities in critical sectors are only sporadic and limited
Entities covered by the regulatory framework are categorised as essential or important entities, depending on their size, sector and critical nature. An overview of these can be found in the accompanying table from the NCSC-FI (in Finnish).
What does this mean for my company?
1. Registration
The supervisory authority must maintain a list of essential and important entities under its jurisdiction. If your organisation falls within the scope of the Finnish Cybersecurity Act, you must register your organisation with the relevant supervisory authority before 8 May 2025. If your organisation operates in multiple sectors, you must register with the supervisory authority for each sector. Each authority has its own registration procedure. The registration requirement applies to all entities covered by the NIS2 regulatory framework.
Entities must provide the relevant authority(ies) with the following information:
- Name of the entity
- Address, email address, telephone number and other contact details
- IP address range
- Sector and subsector
- Classification of the entity
- List of Member States where the entity provides services covered by NIS2
- Information on participation in voluntary arrangements for sharing cybersecurity information
Any changes to the above information must be reported without delay, and in any case within two weeks of the change.
Entities falling within Traficom's area of competence can register via its online platform. Each authority has its own online platform, where one is already available, on which the entity can register.
2. Control measures (Art. 9)
If your organisation is categorised as an essential or important entity, this means that you are responsible for implementing appropriate technical and organisational measures to ensure the security of your network and information systems. These cybersecurity management measures include at least:
- Policies and procedures to assess the effectiveness of measures for managing cybersecurity risks
- Policies for risk analysis and security of communication networks and information systems
- Security when acquiring, developing and maintaining network and information systems, including response to and disclosure of vulnerabilities
- Supply chain security
- Security aspects of asset management
- Security aspects relating to personnel, cyber hygiene and cybersecurity training
- Security aspects relating to access policy and authentication procedures
- Policy and procedures on cryptography and, where applicable, encryption
- Incident management
- Business continuity and crisis management and, where necessary, the use of secure backup systems
- Information security measures to ensure the security of business operations, telecommunications, hardware, software and data sets
- Measures to ensure the security of the physical environment and facilities of communication networks and information systems and the necessary resources
In Implementing Regulation 2024/2690, the European Commission has elaborated the above minimum measures for cyber security for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engines and social networking service providers, and trust service providers.
More information on management measures can be found here.
3. Reporting obligation for significant incidents
Important and essential entities are required to notify the supervisory authorities when a significant incident occurs. In addition, they must also notify the recipients of their services if the significant incident affects the provision of services in the (sub)sectors listed in Annexes I and II.
A significant incident is defined in the NIS2 Act as ‘any incident that has significant consequences for the provision of one of the services in the sectors or subsectors listed in Annexes I and II of the Act and that:
- has caused or is likely to cause a serious operational disruption of one of the services in the sectors or subsectors listed in Annexes I and II or financial losses for the entity concerned; or
- has affected or is likely to affect other natural or legal persons by causing significant material or non-material damage’.
The significant incident shall be reported by the essential and important entity via Traficom’s e-service in accordance with the following procedure:
- Immediately and within 24 hours of becoming aware of the significant incident, the entity shall submit an early warning, indicating the probable cause and any cross-border implications;
- Immediately and within 72 hours of becoming aware of the significant incident, the entity shall communicate an incident report containing an information update and an initial assessment of the incident;
- At the request of the competent CSIRT, the entity shall submit an interim report;
- No later than 1 month after the incident report, the entity shall submit a final report stating:
  - A detailed description of the incident, as well as its severity and consequences;
  - The type of threat or root cause that is likely to have led to the incident;
  - Risk mitigation measures applied and ongoing;
  - The cross-border consequences of the incident, if applicable.
- If the incident is still ongoing one month after the incident report, the entity shall submit a progress report and a final report shall be submitted within one month of the incident being resolved.
The European Commission has laid down the criteria for a significant incident for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engines and social networking service providers, and trust service providers in the Implementing Regulation 2024/2690. These special rules take precedence over national rules in the event of any conflict.
Finally, all entities, regardless of whether they fall within the scope of the NIS2 Act, can voluntarily report (significant) incidents, cyber threats and near misses via the e-service.
More information about incident reporting can be found here.
4. Obligations and responsibilities of management (Art. 10)
The management bodies of essential and important entities are responsible for compliance with the cybersecurity law and must fulfil various obligations, including:
- Approving the cybersecurity management measures
- Following training to acquire sufficient knowledge and skills to identify risks and assess management measures and their impact on their services
- Continuously training the entity's employees in the field of cybersecurity
The management bodies are liable for non-compliance with the NIS2 Act.
5. Cooperation with authorities
Essential and important entities must cooperate with the national authorities. This concerns the exchange of information on the security of network and information systems, reporting incidents, cooperation with the inspection service, etc.
How to demonstrate NIS2 compliance?
As indicated in the chapter “Enforcement and penalties” below, the competent authorities carry out inspections of essential and important entities to ensure compliance with the cybersecurity law.
The competent authority may require the entity to have an independent audit carried out by an accredited conformity assessment body (CAB). Based on this independent conformity assessment, the entity can obtain a certificate demonstrating compliance with the NIS2 law to stakeholders. An important international standard that can be used for this purpose is ISO/IEC 27001.
Enforcement and penalties (Art. 38)
The competent authority shall carry out inspections to verify compliance by cybersecurity entities with the requirements laid down in the Cybersecurity Act. A distinction must be made between essential and important entities:
- Essential entities are checked both proactively (ex-ante) and reactively (ex-post) and are required to undergo regular conformity assessments.
- Important entities are in principle only checked reactively, after an incident or in the event of suspected non-compliance with the law.
The Finnish cybersecurity law provides for specific sanctions for entities that do not comply with the legal provisions. These sanctions vary according to the nature and seriousness of the offence and are divided into administrative measures and administrative fines.
Possible administrative measures that may be imposed include issuing warnings, temporarily prohibiting the performance of managerial functions, requiring the entity to take certain measures, etc.
Administrative fines that may be imposed are also laid down by law and can amount to up to 10,000,000 euros or 2% of the total worldwide annual turnover of the essential entity and up to 7,000,000 euros or 1.4% of the total worldwide annual turnover of the important entity. These administrative fines are imposed by a sanctioning committee based on the advice of the supervisory authority. The public sector cannot be fined.
Deadlines
- 8 April 2025: Finnish cybersecurity law enters into force
- 8 May 2025: entity must register with the competent authority
- 8 July 2025: entity must set up a cybersecurity risk management system
Competent authorities (Art. 18, 26)
As part of the implementation of the NIS2 Act in Finland, various competent authorities have been designated to supervise compliance with cybersecurity measures within their respective sectors.
The National Cyber Security Centre Finland (NCSC-FI) of the Finnish Transport and Communications Agency (Traficom) has been designated as the central contact point, which plays a coordinating role and promotes cooperation between the various sectoral supervisory authorities. In addition, the Cybersecurity Centre acts as the national CSIRT, providing support in the handling of serious information security incidents.
In addition to the central point of contact, Finland has a number of sector-specific supervisory authorities, each responsible for enforcing compliance with NIS2 legislation within their own sector. These authorities supervise both essential and important entities and have powers such as auditing, issuing orders, warnings and imposing sanctions. An overview of the supervisory authorities and their areas of responsibility is available on the official website of the Finnish Cybersecurity Centre. These are:
- Finnish Transport and Communications Agency (Traficom)
- Energy Authority
- Finnish Safety and Chemicals Agency
- National Supervisory Authority for Welfare and Health (Valvira)
- Centre for Economic Development, Transport and the Environment of South Savo
- Finnish Food Authority
- Finnish Medicines Agency (Fimea)