NIS2 Finland: Compliance, Authorities & Key Requirements
Understand how Finland implements NIS2 via the Cybersecurity Act (124/2025), which entities must register with NCSC-FI/Traficom, who supervises compliance, and what practical steps to take now.
Introduction
Finland implemented NIS2 through the Cybersecurity Act (124/2025). The National Cyber Security Centre (NCSC-FI) at Traficom is the national authority/CSIRT and operates the registration portal.
NIS2 implementation in Finland
The Cybersecurity Act (124/2025) entered into force on 8 April 2025. NCSC-FI/Traficom provides national registration and guidance; some sectors also run their own lists (e.g., Fimea for medicines, Valvira for health/social providers).
Status
In force since 8 Apr 2025.
Official law
Registration
Register via NCSC-FI / Traficom. Sector portals may also apply (e.g., Fimea).
| Sector | Finnish note |
|---|---|
| Electronic communications & digital infrastructure | NCSC-FI (Traficom) acts as competent authority/CSIRT and SPOC, including incident channels and guidance. |
| Medicines (pharma supply) | Fimea maintains a NIS2 entity list and sector guidance (e-service active). |
| Health & social welfare | Valvira provides sector guidance and runs the list for covered operators. |
What you need to know about compliance & certification
Finland follows the NIS2 two-tier model (Essential / Important) with Article 21 risk-management measures and national reporting via NCSC-FI.
Scope criteria
- Operate in an Annex I/II sector and meet size thresholds (≥50 employees or ≥€10m), or be otherwise designated.
- Established in Finland or providing relevant services on Finnish territory.
Obligations
- Risk management & security policy (IT/OT)
- Incident handling & reporting to NCSC-FI
- Business continuity & crisis management
- Supply-chain security & vendor risk
- Access control, segmentation, encryption
- Executive accountability & training
Standards & alignment
Map controls to ISO/IEC 27001:2023, NIST CSF 2.0, and NCSC-FI guidance/notification thresholds.
National NIS2 timeline & key dates
Deadlines (Finland)
| Date | What | Who |
|---|---|---|
| 8 May 2025 | Register in the list of essential/important entities. | All in-scope entities (general national deadline). |
| 8 May 2025 | Register in sector list. | Health & social welfare operators (Valvira). |
| 8 Jul 2025 | Have a documented cybersecurity risk-management operating model in place. | All essential/important entities. |
| From Apr–Jun 2025 | Sector registration available; e-service live. | Medicines sector (Fimea). |
Missed a date? Register and implement without delay; authorities expect active progress.
Sector-specific requirements (Finland)
- Electronic communications & digital infrastructure: NCSC-FI provides guidance and supervises, with incident channels via CSIRT.
- Medicines: Fimea coordinates sector registration (e-service available; interim processes replaced).
- Health & social welfare: Valvira guidance aligns NIS2 minimum obligations for covered operators.
Penalties for non-compliance
Under the Cybersecurity Act, supervisory powers and enforcement measures are aligned with NIS2 and include remedial orders, administrative fines and enhanced supervisory measures. Practical application may vary depending on the sector and the competent authority.
How to prepare for NIS2 in Finland
- Determine scope: confirm Annex I/II services and size thresholds; classify the entity as essential or important (EE/IE).
- Register: complete NCSC-FI registration (and any sector list such as Fimea/Valvira).
- Governance: board-level accountability and oversight.
- Risk management: align with ISO 27001 / NIST CSF and NCSC-FI guidance.
- Supply chain: assess MSPs/MSSPs and critical suppliers; contract for security.
- Incident readiness: set up 24/7 detection, escalation and CSIRT notification playbooks.
- Continuity & crisis: document BCP/DR; test and exercise.
- Train & prove: executive training, awareness, and auditable evidence.
