Finland

Country:
Survey Answer:

Finnish law does not include sanctions for violations connected to the lack of adoption of cybersecurity measures, but it does include sanctions for the lack of adoption of sufficient information security measures. The Information Society Code (917/2014, as amended) requires communications providers and providers of added value services to maintain the information security of their services, messages, traffic data and location data. The information security measures must be commensurate with the seriousness of the threats, the level of technical development available to defend against the threat, and the costs incurred by these measures. Ficora may issue further regulations on the required information security measures.
Pursuant to Section 349 of the Information Society Code, a communications provider or a provider of added value services that neglects its obligation to ensure the information security of its services or traffic and location data shall have a fine imposed on it for a data protection violation in electronic communications. However, a penalty shall not be ordered if the offence is minor.
Also, once the GDPR becomes applicable on 25.5.2018, if the lack of adoption of cybersecurity measures leads to the processing of personal data in a manner that violates the GDPR, the administrative fines laid down in Article 83 may apply.

Provided By:
Eija Warma, Jesper Nevalainen, Castrén & Snellman and Hannes Snellman