Finland
(a) What is the NIS2 implementation status?
Finland transposed NIS2 through the Cybersecurity Act (Act No. 124/2025), which entered into force in April 2025. A distinctive feature of the Finnish approach is the centralisation of cybersecurity obligations into a single horizontal statute: instead of maintaining the earlier model of sector‑specific provisions, the Act consolidates the core obligations relating to cybersecurity risk management, incident reporting, and regulatory supervision into a comprehensive national framework applicable to all entities within scope. Registration with the competent supervisory authority is now possible via each supervisory authority's portal.
(b) What is the envisaged NIS2 implementation timeline?
Entities are required to register with their respective competent supervisory authorities via the relevant registration portals. These authorities include the Finnish Transport and Communications Agency (Traficom), the Energy Authority, the Finnish Safety and Chemicals Agency, the South Savo Centre for Economic Development, Transport and the Environment, the Finnish Food Authority, the National Supervisory Authority for Welfare and Health (Valvira), and the Finnish Medicines Agency (Fimea).
Registration is carried out via the dedicated Suomi.fi portal for the notification of cybersecurity‑related operator information, available at https://www.suomi.fi/valtuudet/valtuusasiat/kyberturvallisuuteen-liittyvien-toimijatietojen-ilmoittaminen/ebecc9b754228fda35055eebd09b89dc.
Registration was required by May 2025 or, if the applicable NIS2 criteria were met at a later stage, no later than one month after the fulfilment of those criteria.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The Cybersecurity Act is accompanied by 14 legislative amendments that implement the NIS2 Directive.
(d) Who will be the supervisory authority and how are they preparing the market?
In accordance with the Cybersecurity Act, the sector-specific supervisory authorities will be the Finnish Transport and Communications Agency (Traficom); the Energy Authority; the Finnish Safety and Chemicals Agency; the South Savo Centre for Economic Development, Transport and the Environment; the Finnish Food Authority; the National Supervisory Authority for Welfare and Health (Valvira); and the Finnish Medicines Agency (Fimea). Traficom will coordinate cooperation between the supervisory authorities. Administrative fines will be imposed by a separately established board, which will consist of members appointed by the supervisory authorities.
(e) What should you be doing/on the lookout for?
Companies falling under the scope of the NIS2 Directive must act swiftly to ensure compliance with the new cybersecurity obligations. First, organizations should verify whether they qualify as a NIS2 entity and should have registered with the appropriate supervisory authority by 8 May 2025. Those operating in multiple sectors must register with each relevant authority.
Secondly, firms must establish and implement a formal risk management procedure in line with the Cybersecurity Act. This process, due by 8 July 2025, includes identifying threats, assessing risks, and applying security measures. Companies should consult Traficom’s recommendations and the European Commission’s regulations for guidance tailored to digital infrastructure and services.
A critical area of focus is incident notification. From 8 April 2025, companies must follow a three-stage reporting process for significant incidents: an early warning within 24 hours, a formal incident notification within 72 hours, and a final report within one month.
Additionally, businesses are encouraged to voluntarily report other cybersecurity threats, such as phishing or denial-of-service attempts, to the National Cyber Security Centre Finland (NCSC-FI). These reports contribute to national cybersecurity awareness and may result in technical assistance from the CSIRT team.
Finally, companies should stay alert to sector-specific supervisory changes, especially if they fall under newly regulated areas like managed services or vehicle manufacturing. Find more information on Traficom’s webpage.
Contact
Anu Mattila E: anu.mattila@eversheds.fi
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.