🇫🇮NIS2 in Finland
A comprehensive guide to NIS2 compliance for organisations operating in Finland. Understand local enforcement, the national data protection authority, key focus areas, and notable enforcement actions.
About NIS2
The updated EU cybersecurity directive that expands security requirements to a broader range of sectors and imposes stricter obligations on essential and important entities.
NIS2 Enforcement in Finland
Finland's Data Protection Ombudsman has taken a measured but firm approach to GDPR enforcement, with a particular focus on healthcare, public administration, and digital services. Finland supplemented the GDPR through the Data Protection Act (1050/2018), which includes specific provisions on processing of personal identity codes, journalistic and academic expression, and research data. Finland has strong traditions of government transparency and public registers, which create unique tensions with data protection requirements. The Finnish DPA has been notably active in healthcare enforcement, reflecting Finland's advanced digital health infrastructure and the sensitivity of health data processing. Finland sets the age of digital consent at 13.
NIS2 Transposition Status in Finland
In ProgressData Protection Authority
Tietosuojavaltuutetun toimisto (Office of the Data Protection Ombudsman)
Key Enforcement Focus Areas in Finland
- Healthcare and digital health data processing
- Public register transparency vs. data protection
- Social welfare data processing
- Workplace data protection
- Digital service and app compliance
Notable Enforcement Actions in Finland
Posti Group Oyj
Changing the legal basis for processing address data from consent to legitimate interest without informing data subjects
Taksi Helsinki Oy
Excessive processing of driver location data and failure to comply with data minimisation principle
Kymen Vesi Oy
Installing GPS tracking in company vehicles without adequate transparency or legal basis
Psychotherapy Centre Vastaamo
Catastrophic security failure allowing breach of 33,000+ patient psychotherapy records, leading to patient extortion
Check Your Compliance Status
Take our free assessment to evaluate your organisation's compliance posture. Get a personalised report with actionable recommendations in minutes — no sign-up required.
Start Free AssessmentDisclaimer: The information on this page is for educational purposes and does not constitute legal advice. For specific compliance guidance, consult a qualified legal professional in your jurisdiction.
Other Regulations Affecting Finland
General Data Protection Regulation (GDPR)
The EU's landmark data protection law that governs how organisations collect, store, process, and transfer personal data of individuals in the European Economic Area.
Digital Operational Resilience Act (DORA)
The EU regulation establishing a comprehensive framework for digital operational resilience in the financial sector, covering ICT risk management, incident reporting, testing, and third-party risk.
EU Artificial Intelligence Act (AI Act)
The world's first comprehensive AI regulation, establishing a risk-based framework for the development, deployment, and use of artificial intelligence systems within the EU.
ePrivacy Directive (2002/58/EC)
The EU directive governing privacy in electronic communications, covering cookies, direct marketing, traffic data, and the confidentiality of communications — often called the "Cookie Law".