Provisions to complement Cybersecurity Act to enter into force in the beginning of July

The President of the Republic approved the amendments to the Cybersecurity Act on 27 June 2025. They complement the national implementation of the Directive on the resilience of critical entities (CER) and the Directive on measures for a high common level of cybersecurity across the Union (NIS 2). The amendments will enter into force on 1 July 2025.

As a result of the amendments, the Cybersecurity Act will also be applied to entities that will in future be identified as critical entities under the proposed act on the protection of infrastructure critical to society and on the improvement of resilience. With regard to public administration, similar amendments will be made to the Act on Information Management in Public Administration.

With the amendments, companies to be identified as critical entities will be subject to the obligations laid down in the Cybersecurity Act even if they are not included in the scope of application of the Act before their identification as critical entities. These companies can include small or micro enterprises in all sectors as well as public transport operators and pharmaceutical wholesalers.

The amendments will enter info force at the same time as the new act on protecting the critical infrastructure and increasing its resilience. The act lays down provisions on the identification of critical entities and on the obligations imposed on them in the CER Directive. Critical entities under the CER Directive must be identified for the first time by July 2026.

What’s next?

The legislative amendments will enter into force on 1 July 2025.

Inquiries:

Marko Priiki, Senior Specialist, tel. +358 29 534 2187, [email protected]