Finland
(a) What is the NIS2 implementation status?
The Cybersecurity Act, which aligns national law with the NIS2 Directive, entered into force on 8 April 2025, following a proposed ratification by the President on 4 April 2025.
(b) What is the envisaged NIS2 implementation timeline?
As the Cybersecurity Act entered into force on 8 April 2025, the implementation of NIS2 is complete. Entities are required to notify significant incidents as from 8 April 2025.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The Cybersecurity Act is accompanied by 14 legislative amendments that implement the NIS2 Directive.
(d) Who will be the supervisory authority and how are they preparing the market?
In accordance with the Cybersecurity Act, the sector-specific supervisory authorities will be the Finnish Transport and Communications Agency Traficom; the Energy Authority; the Finnish Safety and Chemicals Agency; the South Savo Centre for Economic Development, Transport and the Environment; the Finnish Food Authority; the National Supervisory Authority for Welfare and Health (Valvira); and the Finnish Medicines Agency (Fimea). Traficom will coordinate cooperation between the supervisory authorities. Administrative fines will be imposed by a separately established board, which will consist of members appointed by the supervisory authorities.
(e) What should you be doing/on the lookout for?
Companies falling under the scope of the NIS2 Directive must act swiftly to ensure compliance with new cybersecurity obligations. First, organizations should verify whether they qualify as a NIS2 entity and should have registered with the appropriate supervisory authority by 8 May 2025. Those operating in multiple sectors must register with each relevant authority.
Secondly, firms must establish and implement a formal risk management procedure in line with the Cybersecurity Act. This process, due by 8 July 2025, includes identifying threats, assessing risks, and applying security measures. Companies should consult Traficom’s recommendations and the European Commission’s regulations for guidance tailored to digital infrastructure and services.
A critical area of focus is incident notification. From 8 April 2025, companies must follow a three-stage reporting process for significant incidents: an early warning within 24 hours, a formal incident notification within 72 hours, and a final report within one month.
Additionally, businesses are encouraged to voluntarily report other cybersecurity threats, such as phishing or denial-of-service attempts, to the National Cyber Security Centre Finland (NCSC-FI). These reports contribute to national cybersecurity awareness and may result in technical assistance from the CSIRT team.
Finally, companies should stay alert to sector-specific supervisory changes, especially if they fall under newly regulated areas like managed services or vehicle manufacturing. Find more information on Traficom’s webpage.
Contact
Anu Mattila E: anu.mattila@eversheds.fi