The moment I saw the scope of the Cybersecurity Act 124/2025—Finland’s legislative transposition of the NIS2 directive—I realized this was more than a simple regulatory update. It’s a reshaping of national cyber resilience, woven tightly with industry obligations, municipal readiness, and executive accountability. For professionals in ICT, compliance, and finance, this law signals a shift from ad hoc preparedness to systemic, verifiable operational resilience.
Without further ado, let me walk you through how NIS2 Finland implementation is unfolding, what’s expected of organizations, and what timelines, penalties, and sector-specific duties are already in motion.
Understanding the scope and legal structure
Finland has moved swiftly in implementing the Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, commonly known as NIS2. The Finnish transposition came in the form of the Cybersecurity Act (Kyberturvallisuuslaki), approved as Act 124/2025. It replaces earlier NIS-1 provisions and integrates aspects of the Critical Entities Resilience (CER) directive for a more holistic regulatory reach.
The Act expands the scope dramatically, increasing the number of covered entities from around 1,100 under NIS-1 to approximately 5,500. It now includes mid-sized manufacturers and all municipalities with more than 50,000 residents.
Entities are categorized as either välttämättömät toimijat (essential entities) or tärkeät toimijat (important entities), depending on employee count and turnover thresholds. Notably, digital infrastructure providers (like DNS services and cloud platforms) fall under the law regardless of size.
| Category | Criteria | Examples |
|---|---|---|
| Essential entities | ≥250 employees or ≥€50 million turnover | Telcos, large hospitals, LNG firms |
| Important entities | ≥50 employees or ≥€10 million turnover | Mid-sized manufacturers, MSPs |
| Mandatory coverage | Regardless of size (sector-specific) | DNS, trust services, cloud |
| Public sector (essential but exempt from fines) | Population ≥50,000 or role in critical infrastructure | Municipalities, ministries |
The implementation timeline and legal milestones
Finland’s legislative path to NIS2 implementation has been both transparent and rapid. After a consultation period in mid-2024, the law progressed steadily through Parliament and will formally enter into force in July 2025. However, the compliance journey for organizations spans into 2026.
| Date | Milestone | Status |
|---|---|---|
| 6 Jun 2024 | Consultation draft published | Completed |
| 31 Aug 2024 | Consultation closed (87 statements received) | Completed |
| 9 Oct 2024 | Government Bill submitted to Parliament (HE 208/2024 vp) | Completed |
| 14 Feb 2025 | Parliamentary approval (169 yea / 11 nay) | Completed |
| 7 Mar 2025 | Promulgation of Act 124/2025 | Completed |
| 1 Jul 2025 | Law enters into force | Upcoming |
| 30 Sep 2025 | Deadline for entity registration | Upcoming |
| 31 Mar 2026 | Deadline for full compliance for essential entities | Upcoming |
PRO TIP
Don’t wait for July 2025 to act. Use Q2 2025 to prepare internal registers, assign your cybersecurity contact, and initiate a board-level review. The clock for enforcement starts ticking the moment registration opens.
Supervisory architecture and enforcement
The National Cyber Security Centre Finland (NCSC-FI), under Traficom, has emerged as the central authority. It issues common regulations and manages incident reporting, while sectoral supervision remains with existing regulators like Energiavirasto (Energy Authority) and the Financial Supervisory Authority (FSA).
The incident reporting ladder mirrors EU norms: an early alert within 24 hours, a detailed report within 72 hours, and a final investigation report within 30 days. This applies to both essential and important entities. However, public entities are not subject to monetary fines, although they must comply and may face corrective orders.
Fines, sanctions, and management responsibility
The stakes are high. For essential entities, failure to comply can result in fines of up to €10 million or 2% of global turnover, whichever is greater. For important entities, the ceiling is €7 million or 1.4%.
Executives are not off the hook either. Directors must approve and periodically review the organization’s cybersecurity program. Continued negligence may even trigger disqualification under the Companies Act.
| Type of entity | Max fine | Enforcement stages | Board responsibility |
|---|---|---|---|
| Essential | €10M / 2% turnover | Warning → corrective order → daily fine → suspension | Cyber programme approval |
| Important | €7M / 1.4% turnover | Same as above, minus licence suspension | Liability applies similarly |
| Public sector | No fines | Corrective orders; possible State Audit Office review | Still subject to requirements |
PRO TIP
If your board hasn’t formally approved a cybersecurity strategy, put this on the agenda now. The Companies Act allows disqualification for non-compliant directors—it’s not just about fines anymore.
Sector-specific impacts
Each industry faces distinct obligations under Finland’s NIS2 transposition. For example, digital infrastructure providers are now essential entities regardless of their size, while healthcare organizations must implement ISO 27001 governance and conduct regular backup drills.
Finance sees an overlap with the Digital Operational Resilience Act (DORA), meaning banks and insurers must navigate both frameworks—potentially facing cumulative penalties for non-compliance.
| Sector | New obligations |
|---|---|
| Manufacturing | Annual red-team tests, OT/IT segmentation, supply-chain audits |
| Energy & utilities | KPI reporting, continuous monitoring, SBOM exchange |
| Healthcare | ISO 27001, 24 h reporting, quarterly drills |
| Digital infrastructure | 24×7 SOC in EU, zero-trust plan, critical vendor register |
| Finance | Dual reporting with DORA, penetration testing, ICT criticality assessment |
| Public admin | Appoint CISO, comply with reporting rules, adopt Traficom baseline |
PRO TIP
If you operate in digital infrastructure, expect zero leeway on real-time monitoring and vendor visibility. A 24/7 SOC and critical supplier registry are now mandatory—even for small providers.
What companies should know right now
Organizations should start by using NCSC-FI’s self-assessment tool, currently in beta, to determine whether they are classified as essential or important. By the end of September 2025, all relevant entities must register their Y-tunnus (business ID), industry classification (TOL code), and a cybersecurity contact person.
Compliance preparation includes gap analysis against Article 21 controls, creating an incident response standard operating procedure, and briefing the board to formally adopt a cyber programme.
Many organizations may benefit from the certification fast-track, where possessing ISO 27001 or Finnish Katakri Level IV accreditation counts as partial compliance. However, this only reduces the burden—it does not eliminate it.
Accelerate Finland’s NIS2 readiness with CyberUpgrade
Finland’s Cybersecurity Act 124/2025 pulls some 5,500 organisations into scope by 1 July 2025, with entity registration due 30 September 2025 and full compliance for essential actors by 31 March 2026. CyberUpgrade maps its turnkey workflows directly to Finland’s välttämättömät/tärkeät tiers, 24 h/72 h/30 d reporting ladders, and NCSC-FI’s Article 21 controls—so you can start closing gaps today, not tomorrow.
Our Slack and Teams chatbot walks every team member through live, ISO-aligned checks keyed to your Y-tunnus and TOL code, automatically capturing evidence in a central, regulator-ready vault. Layer in continuous vulnerability scans, penetration tests, SBOM exchanges and real-time monitoring, and you’ll detect and contain threats long before they trigger fines up to €10 million or board-level disqualifications.
Pair that with our EU-based CISO-as-a-Service for hands-on support—from gap analyses and board-approved policy sign-off to pre-built incident-response playbooks—and you’ll offload 80 % of your compliance workload, save over €60 K annually, boost your security culture, and stay focused on growth while Finland’s audits loom. Let CyberUpgrade turn Finland’s NIS2 compliance complexity into your compliance advantage.
Are you prepared for the next incident?
The Finland NIS2 directive isn’t just a regulation—it’s a call to rethink how cybersecurity is embedded into business governance. With broad industry impact, firm deadlines, and board-level responsibility, the NIS2 Finland transposition demands urgent attention.
While the road to March 2026 may seem long, proactive preparation now is what separates resilience from reaction. If your organization hasn’t already started evaluating its exposure, now is the time. Because come July, compliance stops being optional—and becomes enforceable.
For official tools and templates, consult the NCSC-FI’s implementation hub.