The moment I saw the scope of the Cybersecurity Act 124/2025—Finland’s legislative transposition of the NIS2 directive—I realized this was more than a simple regulatory update. It’s a reshaping of national cyber resilience, woven tightly with industry obligations, municipal readiness, and executive accountability. For professionals in ICT, compliance, and finance, this law signals a shift from ad hoc preparedness to systemic, verifiable operational resilience.
Without further ado, let me walk you through how NIS2 Finland implementation is unfolding, what’s expected of organizations, and what timelines, penalties, and sector-specific duties are already in motion.
Understanding the scope and legal structure
Finland has moved swiftly in implementing the Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, commonly known as NIS2. The Finnish transposition came in the form of the Cybersecurity Act (Kyberturvallisuuslaki), approved as Act 124/2025. It replaces earlier NIS-1 provisions and integrates aspects of the Critical Entities Resilience (CER) directive for a more holistic regulatory reach.
The Act expands the scope dramatically, increasing the number of covered entities from around 1,100 under NIS-1 to approximately 5,500. It now includes mid-sized manufacturers and all municipalities with more than 50,000 residents.
Entities are categorized as either välttämättömät toimijat (essential entities) or tärkeät toimijat (important entities), depending on employee count and turnover thresholds. Notably, digital infrastructure providers (like DNS services and cloud platforms) fall under the law regardless of size.
Classification criteria under Cybersecurity Act 124/2025
| Category | Criteria | Examples |
|---|---|---|
| Essential entities | ≥250 employees or ≥€50 million turnover | Telcos, large hospitals, LNG firms |
| Important entities | ≥50 employees or ≥€10 million turnover | Mid-sized manufacturers, MSPs |
| Mandatory coverage | Regardless of size (sector-specific) | DNS, trust services, cloud |
| Public sector (essential but exempt from fines) | Based on population ≥50,000 or role in critical infrastructure | Municipalities, ministries |
The implementation timeline and legal milestones
Finland’s legislative path to NIS2 implementation has been both transparent and rapid. After a consultation period in mid-2024, the law progressed steadily through Parliament and will formally enter into force in July 2025. However, the compliance journey for organizations spans into 2026.
Finland NIS2 implementation timeline
| Date | Milestone | Status |
|---|---|---|
| 6 Jun 2024 | Consultation draft published | Completed |
| 31 Aug 2024 | Consultation closed (87 statements received) | Completed |
| 9 Oct 2024 | Government Bill submitted to Parliament (HE 208/2024 vp) | Completed |
| 14 Feb 2025 | Parliamentary approval (169 yea / 11 nay) | Completed |
| 7 Mar 2025 | Promulgation of Act 124/2025 | Completed |
| 1 Jul 2025 | Law enters into force | Upcoming |
| 30 Sep 2025 | Deadline for entity registration | Upcoming |
| 31 Mar 2026 | Deadline for full compliance for essential entities | Upcoming |
To review the full legislative text, visit the official Finlex database.
Supervisory architecture and enforcement
The National Cyber Security Centre Finland (NCSC-FI), under Traficom, has emerged as the central authority. It issues common regulations and manages incident reporting, while sectoral supervision remains with existing regulators like Energiavirasto (Energy Authority) and the Financial Supervisory Authority (FSA).
The incident reporting ladder mirrors EU norms: an early alert within 24 hours, a detailed report within 72 hours, and a final investigation report within 30 days. This applies to both essential and important entities. Public entities, by contrast, are not subject to monetary fines, although they must still comply and may face corrective orders.
Fines, sanctions, and management responsibility
The stakes are high. For essential entities, failure to comply can result in fines of up to €10 million or 2% of global turnover, whichever is greater. For important entities, the ceiling is €7 million or 1.4%.
Executives are not off the hook either. Directors must approve and periodically review the organization’s cybersecurity program. Continued negligence may even trigger disqualification under the Companies Act.
Sanctions and enforcement mechanisms
| Type of entity | Max fine | Enforcement stages | Board responsibility |
|---|---|---|---|
| Essential | €10M / 2% turnover | Warning → corrective order → daily fine → suspension | Cyber programme approval |
| Important | €7M / 1.4% turnover | Same as above, minus license suspension | Liability applies similarly |
| Public sector | No fines | Corrective orders; possible State Audit Office review | Still subject to requirements |
For background, see Traficom’s official cybersecurity page.
Sector-specific impacts
Each industry faces its own obligations under Finland’s NIS2 transposition. For example, digital infrastructure providers are now essential entities regardless of their size, while healthcare organizations must implement ISO 27001 governance and conduct regular backup drills.
Finance sees an overlap with the Digital Operational Resilience Act (DORA), meaning banks and insurers must navigate both frameworks—potentially facing cumulative penalties for non-compliance.
Sector-specific changes under Finland NIS2 implementation
| Sector | New obligations |
|---|---|
| Manufacturing | Annual red-team tests, OT/IT segmentation, supply-chain audits |
| Energy & utilities | KPI reporting, continuous monitoring, SBOM exchange |
| Healthcare | ISO 27001, 24 h reporting, quarterly drills |
| Digital infrastructure | 24×7 SOC in EU, zero-trust plan, critical vendor register |
| Finance | Dual reporting with DORA, penetration testing, ICT criticality assessment |
| Public admin | Appoint CISO, comply with reporting rules, adopt Traficom baseline |
What companies should know right now
Organizations should start by using NCSC-FI’s self-assessment tool, currently in beta, to determine whether they are classified as essential or important. By the end of September 2025, all relevant entities must register their Y-tunnus (business ID), industry classification (TOL code), and a cybersecurity contact person.
Compliance preparation includes gap analysis against Article 21 controls, creating an incident response standard operating procedure, and briefing the board to formally adopt a cyber programme.
Many organizations may benefit from the certification fast-track, where possessing ISO 27001 or Finnish Katakri Level IV accreditation counts as partial compliance. However, this only reduces the burden—it does not eliminate it.
Are you prepared for the next incident?
The Finland NIS2 directive isn’t just a regulation—it’s a call to rethink how cybersecurity is embedded into business governance. With broad industry impact, firm deadlines, and board-level responsibility, the NIS2 Finland transposition demands urgent attention.
While the road to March 2026 may seem long, proactive preparation now is what separates resilience from reaction. If your organization hasn’t already started evaluating its exposure, now is the time. Because come July, compliance stops being optional—and becomes enforceable.
For official tools and templates, consult the NCSC-FI’s implementation hub.