Finland
(a) What is the NIS2 implementation status?
The Cybersecurity Act, which aligns national law with the NIS2 Directive, is set to come into force on 8 April 2025, following a proposed ratification by the President on 4 April 2025.
(b) What is the envisaged NIS2 implementation timeline?
The deadlines for entities falling under the scope of the Cybersecurity Act include:
Notification Requirement: Entities must notify the competent supervisory authority within one month of the Act’s entry into force. This deadline is set for 8 May 2025. The notification should include:
- Basic entity details (contact information, IP range).
- The relevant sector and whether the entity is considered ‘essential’.
- Information on the EU Member States where the entity provides services under the Directive’s scope.
- Information on voluntary cybersecurity information-sharing arrangements.
Cybersecurity Risk Management Model: Within three months of the Act's entry into force (i.e. 8 July 2025), entities must establish an up-to-date cybersecurity risk management model. This model should address:
- Identification of risks to networks and systems.
- Clear procedures, responsibilities, and objectives for cybersecurity.
- Administrative measures to protect systems from cyber threats and incidents.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The Cybersecurity Act is accompanied by 14 legislative amendments that implement the NIS2 Directive.
(d) Who will be the supervisory authority and how are they preparing the market?
In accordance with the Cybersecurity Act, the sector-specific supervisory authorities will be the Finnish Transport and Communications Agency Traficom; the Energy Authority; the Finnish Safety and Chemicals Agency; the South Savo Centre for Economic Development, Transport and the Environment; the Finnish Food Authority; the National Supervisory Authority for Welfare and Health (Valvira); and the Finnish Medicines Agency (Fimea). Traficom will coordinate cooperation between the supervisory authorities. Administrative fines will be imposed by a separately established board, which will consist of members appointed by the supervisory authorities.
(e) What should you be doing/on the lookout for?
Clients should monitor the NIS2 implementation project and familiarise themselves with the directive, the expanded sectors, increased regulatory oversight, the registration obligation and stricter reporting obligations under penalty of a fine.
Clients are advised to prepare for the upcoming changes by assessing their obligations (and risks) beforehand in the form of, amongst other measures, identifying critical issues, assessing risks and implementing required risk management processes.
Especially for companies operating in the new sectors added to NIS2, it is important to understand whether and how they are affected and to take the required measures to be ready for the implementation.
The Ministry of Transport and Communications has recommended that the NIS2 risk management obligations be complied with even if the company does not fall under the NIS2 sectors.
The National Cyber Security Centre and supervisory authorities provide guidance by sectors.
Contact
Ismo Kallioniemi E: ismo.kallioniemi@eversheds.fi
Anu Mattila E: anu.mattila@eversheds.fi
Lavinia Husa E: lavinia.husa@eversheds.fi
© Eversheds Sutherland. All rights reserved.