Finland

(a) What is the NIS2 implementation status?

The Cybersecurity Act, which aligns national law with the NIS2 Directive, has entered into force on 8 April 2025, following a proposed ratification by the President on 4 April 2025.

(b) What is the envisaged NIS2 implementation timeline?

As the Cybersecurity Act had entered into force on 8 April 2025, the implementation of NIS2 is complete. Entities are required to notify significant incidents as from 8 April 2025.

(c) What does the NIS2 mean for other national cybersecurity legislation?

The Cybersecurity Act is accompanied by 14 legislative amendments that implement the NIS2 Directive.

(d) Who will be the supervisory authority and how are they preparing the market?

In accordance with the Cybersecurity act, the sector-specific supervisory authorities will be the Finnish Transport and Communications Agency Traficom; the Energy Authority; the Finnish Safety and Chemicals Agency; the South Savo Centre for Economic Development, Transport and the Environment; the Finnish Food Authority; the National Supervisory Authority for Welfare and Health (Valvira); and the Finnish Medicines Agency (Fimea). Traficom will coordinate cooperation between the supervisory authorities. Administrative fines will be imposed by a separately established board, which will consist of members appointed by the supervisory authorities.

(e) What should you be doing/on the lookout for?

Companies falling under the scope of the NIS 2 Directive must act swiftly to ensure compliance with new cybersecurity obligations. First, organizations should verify whether they qualify as a NIS 2 entity and should have registered with the appropriate supervisory authority by 8 May 2025. Those operating in multiple sectors must register with each relevant authority.

Secondly, firms must establish and implement a formal risk management procedure in line with the Cybersecurity Act. This process, due by 8 July 2025, includes identifying threats, assessing risks, and applying security measures. Companies should consult Traficom’s recommendations and the European Commission’s regulations for guidance tailored to digital infrastructure and services.

A critical area of focus is incident notification. From 8 April 2025, companies must follow a three-stage reporting process for significant incidents: an early warning within 24 hours, a formal incident notification within 72 hours, and a final report within one month.

Additionally, businesses are encouraged to voluntarily report other cybersecurity threats, such as phishing or denial-of-service attempts, to the National Cyber Security Centre Finland (NCSC-FI). These reports contribute to national cybersecurity awareness and may result in technical assistance from the CSIRT team.

Finally, companies should stay alert to sector-specific supervisory changes, especially if they fall under newly regulated areas like managed services or vehicle manufacturing. Find more information on Traficom’s webpage.