NIS2 Finland Compliance Guide: Kyberturvallisuuslaki (Act 124/2025), Traficom Authority and Kybermittari Framework for 2026

Complete guide to NIS2 compliance in Finland. Covers the Kyberturvallisuuslaki (Cybersecurity Act 124/2025), Traficom/NCSC-FI authority, free Kybermittari self-assessment tool, entity classification with 50,000-resident municipal threshold, guidance-first enforcement, penalties up to €10M, and key registration deadlines.

Finland is among the earliest and most prepared NIS2 transposers in the EU. The Kyberturvallisuuslaki (Cybersecurity Act, Act 124/2025) entered into force on 8 April 2025 — ahead of most member states — and Finland was not subject to EU infringement proceedings. The law expanded scope from approximately 1,100 entities under NIS1 to 5,500 organizations, introduced a 50,000-resident municipal threshold, and provides the free Kybermittari self-assessment tool.

For Finnish organizations — and the cyber insurance professionals who underwrite them — this guide covers the Kyberturvallisuuslaki framework, the Traficom/NCSC-FI authority, the Kybermittari tool, entity classification, sector-specific requirements, the guidance-first enforcement tradition, and the compliance deadlines.

The Kyberturvallisuuslaki (Cybersecurity Act, Act 124/2025)

Finland transposed NIS2 through the Kyberturvallisuuslaki (Cybersecurity Act), formally Act 124/2025. The law also integrates CER Directive requirements, creating a unified cybersecurity and critical entity resilience framework.

The legislative journey:

  • Parliamentary approval: 14 February 2025 (169 yea / 11 nay — strong cross-party support)
  • Promulgation: 7 March 2025
  • Entry into force: 8 April 2025

Finland replaced scattered NIS1 provisions with this comprehensive new act, complemented by the Act on Information Management in Public Administration (906/2019) for the public sector.

Key Differences from NIS1

| Aspect | NIS1 (scattered provisions) | Kyberturvallisuuslaki (current) |
|---|---|---|
| Scope | ~1,100 entities | ~5,500 organizations |
| Entity types | OES + DSPs | Essential + Important entities |
| Municipalities | Limited coverage | Municipalities with ≥50,000 residents |
| Maximum fines | Limited | €10M or 2% global turnover |
| Self-assessment tool | None | Kybermittari (free) |
| Supply chain | Minimal | Comprehensive third-party risk management |

National Competent Authorities

Traficom — Finnish Transport and Communications Agency

Traficom serves as Finland’s lead NIS2 authority and Single Point of Contact:

  • Primary regulatory and supervisory authority
  • Manages entity registration
  • Issues guidance and compliance instructions
  • Coordinates with sector-specific authorities
  • Also serves as telecom regulator (minimizing incremental compliance for telecom entities)

NCSC-FI — National Cyber Security Centre Finland

NCSC-FI operates within Traficom as Finland’s CSIRT:

  • 24/7 incident response capability
  • Threat intelligence sharing with in-scope entities
  • Incident reporting portal management
  • Technical guidance and vulnerability coordination

Sector-Specific Regulators

Finland operates with 7 sector-specific authorities in a cooperative enforcement model:

| Sector | Competent Authority |
|---|---|
| Financial services | FIN-FSA (Financial Supervisory Authority) |
| Nuclear | STUK (Radiation and Nuclear Safety Authority) |
| Healthcare | Valvira (National Supervisory Authority for Welfare and Health) |
| Energy | Energy Authority |
| Transport | Traficom (dual role) |
| Public administration | Ministry of Finance |
| All other sectors | Traficom |

Nordic-Baltic Cooperation

Finland participates actively in Nordic-Baltic cybersecurity cooperation:

  • Joint exercises and simulations
  • Shared threat intelligence
  • Coordinated incident response for cross-border events

In practice, this means Finnish entities may receive threat briefings informed by regional intelligence.

Entity Classification

Essential Entities (Välttämättömät toimijat)

Organizations in Annex I sectors meeting size thresholds:

  • ≥250 employees OR ≥€50M annual turnover
  • Automatic inclusion regardless of size: DNS, TLD registries, cloud computing platforms, data center services, trust services, public electronic communications

Important Entities (Tärkeät toimijat)

Organizations in Annex II sectors meeting size thresholds:

  • ≥50 employees AND (≥€10M turnover OR ≥€10M balance sheet)

Municipal Threshold (Finnish Addition)

Municipalities with ≥50,000 residents are specifically brought into scope. This targets Finland’s largest cities (Helsinki, Espoo, Tampere, Vantaa, Oulu, Turku, and several others) while excluding smaller municipalities.

Scope Expansion

Finland’s NIS2 scope expanded from ~1,100 entities to approximately 5,500 organizations — a 5x increase. Newly regulated sectors include:

  • Manufacturing
  • Food production
  • Waste management
  • Chemicals production and distribution
  • Research (public and private)

The Kybermittari Tool (Finnish Addition)

What Is Kybermittari?

Kybermittari is Traficom’s free self-assessment tool that maps directly to NIS2 Article 21 risk management measures. It provides:

  • Gap analysis against NIS2 requirements
  • Prioritized action plan for compliance
  • Maturity scoring across security domains
  • Evidence documentation for supervisory reviews
  • Available in Finnish, Swedish, and English

Why Kybermittari Matters

For insurers, Kybermittari provides:

  • An objective, standardized measure of cybersecurity maturity
  • A free tool that lowers the barrier to compliance assessment
  • A common language for discussing security posture with Finnish entities
  • Direct mapping to NIS2 requirements — no interpretation gap

Using Kybermittari in Underwriting

Consider asking Finnish applicants to share their Kybermittari results as part of the underwriting process. The tool’s direct NIS2 mapping makes it a credible proxy for compliance readiness.

Security Requirements

Risk Management Measures (Article 21)

All in-scope entities must implement proportionate security measures:

  • Governance: Board-approved cybersecurity programs with formal management accountability
  • Incident handling: Detection, classification, response, and recovery procedures
  • Supply chain security: Vendor risk assessments, contractual clauses, continuous monitoring
  • Access control: Multi-factor authentication, privileged access management
  • Cryptography: Encryption for data at rest and in transit
  • Business continuity: Backup strategies, disaster recovery, regular testing
  • Training: Regular cybersecurity awareness training for all staff
  • Vulnerability management: Regular patching, penetration testing, vulnerability disclosures

Telecom Mapping (Finnish Efficiency)

Traficom published a detailed mapping of existing Information Society Code obligations to NIS2 requirements. This minimizes incremental compliance burden for telecom entities by showing how current obligations already satisfy many NIS2 requirements.

Sector-Specific Requirements

| Sector | Additional Requirements |
|---|---|
| Manufacturing | Annual red-team tests, OT/IT segmentation, supply-chain audits |
| Energy & Utilities | KPI reporting, continuous monitoring, SBOM exchange |
| Healthcare | ISO 27001 governance, 24h reporting, quarterly backup drills |
| Digital Infrastructure | 24×7 EU-based SOC, zero-trust plan, critical vendor register |
| Finance | Dual reporting with DORA, penetration testing, ICT criticality assessment |
| Public Administration | CISO appointment, reporting compliance, Traficom baseline adoption |

Incident Reporting

All significant incidents must be reported to NCSC-FI through the national portal:

  1. 24 hours: Early alert — significant impact suspected or confirmed
  2. 72 hours: Detailed report — incident severity, indicators of compromise, initial impact assessment
  3. 30 days: Final investigation report — root cause analysis, remediation measures, lessons learned

Penalties

Maximum Fines

| Entity Type | Maximum Fine | Turnover Cap |
|---|---|---|
| Essential entities | €10M | 2% global turnover |
| Important entities | €7M | 1.4% global turnover |
| Public sector | No monetary fines | Corrective orders only |

Management Liability

Directors must:

  • Formally approve cybersecurity programs
  • Regularly review and update security measures

Continued negligence may trigger disqualification under the Companies Act.

Guidance-First Enforcement Tradition

Finland’s regulatory culture emphasizes:

  • Guidance and support before penalties
  • Corrective measures as primary enforcement tool
  • Cooperative approach between Traficom and entities
  • Financial penalties reserved for egregious non-compliance or repeated failures

This doesn’t mean enforcement is soft — it means entities that engage proactively with Traficom are unlikely to face financial penalties in the initial period.

Registration and Compliance Deadlines

| Date | Milestone | Status |
|---|---|---|
| 8 April 2025 | Kyberturvallisuuslaki enters into force | ✅ Completed |
| 8 May 2025 | Entity registration deadline | ✅ Completed |
| 8 July 2025 | Full risk management compliance (essential entities) | ⏳ Upcoming |
| Within 1 month | New entities must register after falling in scope | ⏳ Active |
| Within 2 weeks | Report changes to entity information | ⏳ Active |
| Within 3 months | Report other information changes | ⏳ Active |

If your organization missed registration: Register immediately through Traficom’s portal. Late registration may affect your compliance standing.

Implications for Cyber Insurance

Underwriting Considerations for Finnish Entities

  1. Early transposer advantage — Finland’s early enactment means entities have had more time to prepare. Use this as a positive signal in risk assessment — Finnish entities should be more compliant than those in late-transposing countries.

  2. Kybermittari as evidence — Ask for Kybermittari results as part of underwriting. A completed Kybermittari assessment with an action plan demonstrates proactive compliance.

  3. Nordic-Baltic cooperation — Cross-border operations mean Finnish entities may face incidents originating in Sweden, Denmark, or the Baltics. Ensure coverage extends to multi-jurisdiction incidents.

  4. Manufacturing expansion — Finland’s significant manufacturing sector (forestry, metals, electronics) is newly regulated. These entities may lack cybersecurity maturity and represent higher risk.

  5. Public sector = no fines but high risk — Municipalities face no monetary fines but deliver critical services. A cyberattack on Helsinki or Tampere could have massive impact without triggering a covered loss.

  6. Supply chain focus — Finland’s reliance on global ICT supply chains means heightened supply chain risk. Verify coverage for supply chain incidents.

Coverage Checklist

  • Regulatory investigation and defense costs
  • Incident notification and response costs (24/7 via NCSC-FI)
  • D&O liability for management accountability
  • Business interruption from mandatory incident reporting
  • Supply chain security compliance and incident costs
  • Kybermittari assessment and remediation costs
  • Cross-border incident coordination (Nordic-Baltic + EU)

Last updated: April 2026. Finland’s NIS2 framework is the most mature among recent transposers. Check the Traficom website and NCSC-FI for the latest guidance and Kybermittari tool.
