NIS2 in Finland

1. Quick SME Applicability Snapshot in Finland

Does NIS2 apply to SMEs in Finland?

Yes — depending on sector and size.

• Automatic applicability to medium-sized entities (≥50 employees and ≥€10 million turnover or balance sheet total) operating in covered sectors.
• Small or micro entities are included only if formally designated or operating in high-criticality sectors.
• Applies to entities established in Finland and, in certain cases, foreign digital providers serving the Finnish market.

SMEs should assess qualification under Finland's national cybersecurity regime based on sector classification and statutory thresholds.

2. Overview of NIS2 Implementation in Finland

Finland transposed the Directive through the new standalone Cybersecurity Act (Kyberturvallisuuslaki 124/2025), ratified by the President on 4 April 2025 and in force 8 April 2025 — Finland's first consolidated horizontal cybersecurity statute, replacing the previous patchwork of sector-specific NIS provisions.

Public administration obligations are implemented separately through amendments to the Act on Information Management in Public Administration. The Act aligns Finland's regime with Directive (EU) 2022/2555 at the minimum transposition level (no gold-plating) and decentralises supervision to seven sector-specific authorities coordinated by Traficom.

Three national specifics apply: the financial sector is excluded from the Act's scope (covered by DORA); administrative fines cannot be imposed on public sector entities (state authorities, municipalities, welfare areas, similar bodies); and fines are imposed by a separately established sanctions board appointed by the supervisory authorities — not directly by those authorities. The European Commission issued a reasoned opinion in May 2025 (pre-enactment); notification completeness remains under review.

3. Scope of Application in Finland

Finland's sector scope mirrors Directive minimum categories without confirmed expansion beyond the baseline.

4. Size Thresholds and SME Applicability in Finland

The baseline thresholds apply:

• ≥50 employees, and
• ≥€10 million annual turnover or balance sheet total.

Entities meeting both criteria in covered sectors fall automatically within scope.

Small and micro enterprises may be designated if considered critical to societal stability, public security, or essential service continuity.

Finnish authorities retain formal designation powers where systemic risk or national security considerations justify inclusion.

5. Entity Classification Framework in Finland

Entities are categorized as:

• Essential Entities — Subject to proactive supervision, including audits and structured compliance monitoring.
• Important Entities — Primarily subject to reactive supervision triggered by significant incidents or compliance concerns.

Classification is based on sector and size. Authorities may reclassify entities where operational impact or risk exposure warrants enhanced oversight.

Finland follows the Directive's two-tier supervisory structure within its sector-based regulatory model.

6. Cybersecurity Risk Management Requirements in Finland

Finland's national regime aligns with the Directive baseline for cybersecurity risk management. In-scope entities must implement proportionate technical and organizational measures addressing:

• Risk analysis and system protection
• Incident detection and response
• Business continuity and crisis management
• NIS2 supply chain Finland risk controls
• Secure acquisition and development of ICT systems
• Access control and identity management
• Encryption and cryptographic safeguards
• Vulnerability management procedures
• Staff cybersecurity awareness and training

Measures must reflect state-of-the-art standards and organizational risk exposure. Alignment with ISO/IEC 27001 and Finnish cybersecurity guidance is encouraged.

Supply chain oversight requires vendor due diligence and contractual cybersecurity safeguards.

7. Management Liability and Governance in Finland

Management bodies must formally approve cybersecurity risk management measures and oversee implementation.

Under Finland's framework:

• Boards are accountable for compliance oversight.
• Senior management must ensure adequate cybersecurity competence.
• Administrative sanctions — imposed by a separately established sanctions board on the proposal of the relevant supervisory authority — may address governance failures.
• Managerial suspension powers have not been transposed into Finnish NIS2 law. Personal liability for management may arise under general corporate law obligations, but not under NIS2-specific provisions.

NIS2 management liability Finland expectations elevate cybersecurity governance to executive level.

8. Incident Reporting Obligations in Finland

9. Supervisory Authorities and Enforcement Model in Finland

Coordinating authority and national CSIRT: Traficom's National Cyber Security Centre (NCSC-FI). Traficom acts as national single point of contact and incident response coordinator but is not the primary enforcement authority for most sectors.

Finland operates a decentralised sector-specific supervisory model. Seven designated authorities supervise compliance within their sectors: Traficom (digital/communications), Energy Authority (energy), Finnish Safety and Chemicals Agency / Tukes (chemicals), South Savo Centre for Economic Development, Transport and the Environment (water), Finnish Food Authority / Ruokavirasto (food), National Supervisory Authority for Welfare and Health / Valvira (health), and Finnish Medicines Agency / Fimea (pharmaceuticals/medical devices). Each authority maintains its own entity register and registration platform.

Supervisory powers include:

• Information requests
• Security audits
• On-site inspections
• Binding compliance instructions
• Participation in EU cybersecurity coordination

The enforcement structure aligns with Directive-level cooperation requirements. Administrative fines are imposed by a separately established sanctions board on the proposal of the relevant supervisory authority. The public sector cannot be fined.

10. NIS2 Fines and Sanctions in Finland

Finland applies Directive-aligned administrative penalties. Fines are imposed by a separately established sanctions board on the proposal of the relevant supervisory authority. Administrative fines cannot be imposed on public sector entities (state authorities, municipalities, welfare areas, and similar bodies).

NIS2 fines Finland enforcement may also include:

• Binding remediation orders
• Public identification of non-compliant entities
• Suspension of certification or authorization
• Managerial suspension powers have not been transposed into Finnish NIS2 law and are not available as an enforcement tool.

11. NIS2 Supply Chain and Vendor Security in Finland

Entities must manage third-party cybersecurity exposure through:

• Vendor risk assessments
• Contractual security flow-down requirements
• Continuous ICT supplier monitoring
• Concentration risk analysis
• Incident propagation mitigation

Finland's approach aligns with Directive baseline expectations for supplier risk management.

12. Registration and Self-Identification Duties in Finland

Entities within scope must:

• Self-identify and register with the relevant sector-specific supervisory authority — deadline was 8 May 2025 (passed; entities not yet registered should act immediately). Entities operating in multiple sectors must register with each relevant authority.
• Provide corporate identification details.
• Disclose sector classification and the services covered by NIS2.
• Maintain updated contact information; report changes within two weeks.

Key compliance milestones: registration deadline 8 May 2025 (passed); cybersecurity risk management system required by 8 July 2025 (passed). Each sector-specific authority operates its own registration platform; Traficom's NCSC-FI provides guidance and a self-assessment tool.

Self-identification is mandatory where entities meet statutory thresholds.

13. Interaction With GDPR and Other Laws in Finland

The General Data Protection Regulation continues to apply concurrently.

Overlap considerations include:

• 72-hour personal data breach notification
• Supervisory authority coordination
• Parallel cybersecurity and data protection investigations
• Sector-specific Finnish cybersecurity rules

A cyber incident may trigger reporting obligations under both regimes.

14. Cross-Border Applicability

Entities with their main establishment in Finland are supervised by Finnish authorities for cross-border services.

Foreign digital providers offering services in Finland may be subject to Finnish oversight depending on establishment structure.

Representation requirements follow Directive standards for non-EU providers serving Finnish markets.

15. Implementation Timeline in Finland

• Directive adoption: 2022
• Cybersecurity Act (124/2025) ratified by the President on 4 April 2025; published in the Statute Book of Finland.
• Entry into force: 8 April 2025.
• Commission notification: EC reasoned opinion issued 7 May 2025 (prior to enactment); notification completeness under Commission review.
• Compliance milestones: Entity registration deadline 8 May 2025 (passed); cybersecurity risk management system required 8 July 2025 (passed); enforcement and audits ongoing.

Finland completed transposition on 8 April 2025. All initial compliance milestones — registration (8 May 2025) and risk management system implementation (8 July 2025) — have passed. Active supervision and enforcement are underway across all seven sector-specific authorities.

16. Key Takeaways for SMEs in Finland

• Medium-sized entities in covered sectors are automatically in scope.
• Small entities may be designated if operationally critical.
• Board-level governance oversight is mandatory. Note: managerial suspension powers have not been transposed in Finland — management accountability is governed by general corporate law.
• Incident reporting follows 24h / 72h / 1 month deadlines.
• Financial penalties can reach €10 million or 2% of global turnover. Fines are imposed by a sanctions board, not directly by supervisory authorities. Public sector entities cannot be fined.
• Vendor risk management is a core obligation.
• All initial deadlines have now passed — registration was due 8 May 2025 and risk management systems by 8 July 2025. Entities not yet compliant should prioritise remediation immediately.

FAQ: NIS2 Finland SME Guide