NIS 2 Status in Finland

What the directive requires, how Finland implements it, and where Traficom and NCSC-FI sit in the picture.

Simon Orzel

Overview

The NIS 2 directive is the EU layer. It binds every Member State, including Finland, to a single minimum bar for essential and important entities. Finland has to carry that bar into Finnish law and run supervision underneath it.

Finland transposes NIS 2 through the Cybersecurity Act (Kyberturvallisuuslaki, Act 124/2025). Parliament passed it on 13 March 2025 and it entered into force on 8 April 2025. That is after the EU deadline of 17 October 2024. On 7 May 2025 the European Commission sent a reasoned opinion to Finland and eighteen other Member States for not notifying full transposition in time.

Supervision is split sector by sector. The Finnish Transport and Communications Agency, Traficom, is the coordinating authority and runs the National Cyber Security Centre Finland (NCSC-FI) as the national CSIRT and as the single point of contact under Article 8(3) of the directive. Alongside Traficom, the Energy Authority (Energiavirasto), the Financial Supervisory Authority (FIN-FSA) and other sector regulators supervise their own sectors.

Where the rules sit
Three layers anyone reading the Finnish NIS 2 picture has to keep apart.

EU directive

Directive (EU) 2022/2555 (NIS 2)

The EU-wide cybersecurity directive. It sets the obligations every Member State has to transpose, including the size and sector test for essential and important entities.

EU implementing act

Implementing Regulation (EU) 2024/2690

Technical and methodological measures for digital infrastructure providers. Directly applicable in Finland, no national transposition needed.

Finnish transposition

Cybersecurity Act 124/2025, in force since 8 April 2025

The Finnish NIS 2 transposition. A horizontal cybersecurity act that consolidates obligations previously spread across several sector-specific laws. Regulations and Traficom guidance fill in the operational detail.

Three points to know
What changes for entities operating in Finland.

Transposition

Cybersecurity Act 124/2025

Brings the NIS 2 obligations into Finnish law. Defines essential and important entities, supervisory powers, incident notification duties and penalties. Operational detail follows via regulations and Traficom guidance.

Supervision

Traficom and NCSC-FI

Traficom coordinates NIS 2 supervision and runs the National Cyber Security Centre Finland (NCSC-FI) as the national CSIRT and single point of contact. Sector supervision sits with sector regulators, notably Energiavirasto for energy, the Financial Supervisory Authority for finance (with DORA as lex specialis) and Tukes for chemicals and oil.

Deadlines

Registration and reporting

Finnish entities had to register with their sector supervisor by 8 May 2025. Changes to the registered data have to be reported within two weeks. Significant incidents follow the directive: early warning within 24 hours, notification within 72 hours, final report within one month. All notifications are forwarded to the CSIRT at NCSC-FI.

Two principles that settle every edge case
Read before any Finnish commentary on NIS 2.

Finnish law applies in Finland

Activity on Finnish territory follows the Finnish transposition. A German managing director with a Finnish subsidiary reads the Cybersecurity Act 124/2025 for that subsidiary, not the BSIG. The directive obligations are identical. The procedure, the supervisor and the penalties live in Finnish law.

Finland cannot drop below the EU floor

The directive is a minimum-harmonisation instrument. Finland may go stricter. Finland may not fall below the directive, neither on the duties for essential and important entities, nor on reporting deadlines, nor on management body liability.

Who does what in Finland
Three institutions that show up in almost every NIS 2 question.

Traficom

The Finnish Transport and Communications Agency is the coordinating NIS 2 authority and directly supervises postal and courier services, digital infrastructure, space, public administration, managed service providers, research and the manufacture of vehicles and transport equipment. It keeps the list of NIS 2 entities.

NCSC-FI (Kyberturvallisuuskeskus)

The National Cyber Security Centre inside Traficom is the national CSIRT and the single point of contact under Article 8(3) of the directive. All NIS 2 incident notifications, regardless of which sector authority is formally competent, are handled technically by NCSC-FI.

ENISA

The EU cybersecurity agency. Publishes guidance, runs the European vulnerability database and coordinates across borders. Not a supervisor for Finnish entities. That sits with Traficom and the sector authorities.

Pitfalls
Mistakes we see when Finnish entities read NIS 2 for the first time.
  • Finland implements NIS 2 the same way as Germany, so we can read the BSIG.

    The directive duties are identical, the supervisory architecture is not. Finland uses a single horizontal statute, the Cybersecurity Act 124/2025, instead of layering on top of a federal BSI structure. Supervision is split across sector regulators with Traficom and NCSC-FI coordinating. Mapping the BSIG onto Finland gets the supervisor and the reporting path wrong.

  • There is no official list yet, so we can wait.

    Registration has been mandatory since 8 April 2025. Traficom keeps the list of NIS 2 entities and the initial deadline to register was 8 May 2025. Not being registered does not mean being compliant; it means being invisible to the supervisor. Article 27(2) of NIS 2 also requires updates within two weeks of any change to the registered data.

  • My sector regulator handles everything, NCSC-FI is just advisory.

    The sector regulator does supervision and audits, but NCSC-FI is the mandatory entry point for incident notifications and the single EU point of contact. An early warning lands technically at NCSC-FI even when formal supervision sits with Energiavirasto, the Financial Supervisory Authority or Tukes. Reporting only to the sector regulator and skipping NCSC-FI misses the path.

From the field

Most Finnish mid-market operators we meet still treat NIS 2 as an IT topic. That is only half right. Supervision and the reporting channel sit at the sector level, scope is wider than under the old Finnish cybersecurity regime, and the management body (toimitusjohtaja, hallitus) carries heavier responsibility. The management body is personally accountable for signing off on risk management and for completing its own training.

The practical step is the same as everywhere in the EU: run the applicability check against the directive, register with the sector supervisor and show up on the Traficom list, set up the four continuous duties (keep registration data current, incident reporting, supply-chain risk, supervision by the management body) and document the minimum. Using NCSC-FI as the technical single point of contact keeps the reporting path clean.

What the platform delivers

We build the NIS 2 obligation register on the EU layer, not on any single national transposition. The same checklist fits a Finnish subsidiary under the Cybersecurity Act 124/2025, a German parent under the BSIG and a Dutch sister under the Cyberbeveiligingswet. Article references change per country, the obligations in substance do not.

For the Finnish scope you start with the applicability check, then sector registration, the reporting cadence via NCSC-FI, supply-chain clauses and management-body sign-off. Where Traficom or the sector regulators publish sector guidance, we link it. We do not copy it.

Sources
  • Directive (EU) 2022/2555 (NIS 2) — EUR-Lex
  • Implementing Regulation (EU) 2024/2690
  • Cybersecurity Act 124/2025 (Kyberturvallisuuslaki) — Finlex
  • Traficom — Finnish Transport and Communications Agency, official NIS 2 transposition page
  • Kyberturvallisuuskeskus (NCSC-FI) — national CSIRT and single point of contact
  • Energiavirasto — sector supervisor for electricity, district heating and gas
  • Financial Supervisory Authority (FIN-FSA) — sector supervisor for finance, DORA as lex specialis
  • European Commission reasoned opinion of 7 May 2025 on NIS 2 transposition