New legislation to strengthen protection of critical infrastructure and resilience of society

The Finnish Government proposes that the President of the Republic approve the Act on the Protection of Infrastructure Critical to Society and on the Improvement of Resilience on 13 June. In accordance with the Government Programme, the act will strengthen national security and the resilience of our society. The act is scheduled to enter into force on 1 July 2025.
The new act will guide the identification of critical entities that provide functions vital for society, the protection of critical infrastructure and the enhancement of resilience.
“In accordance with the Government Programme, the protection of infrastructure critical to the functioning of society will be improved. The critical infrastructure of society must be secured in all circumstances,” says Minister of the Interior Mari Rantanen.
Europe-wide dimensions of cross-border infrastructure, such as submarine communications and electricity cables, are essential. The act transposes the so-called CER Directive (Critical Entities Resilience Directive) into national law. Its objective is to improve cooperation between EU Member States and the uniformity of protection measures as well as the resilience of critical services and operational reliability.
The act applies to eleven sectors
The legislation will govern eleven sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration and space as well as food production, processing and distribution. The activities require strong coordination, and the agencies under the responsible ministries must be organised in terms of supervisory activities. In accordance with the timetable required by the directive, the responsible ministry for each sector will determine the critical entities by 17 July 2026.
The law imposes on these entities – e.g. companies providing vital services – obligations that improve resilience. The entities must assess risks, prepare a resilience plan and carry out the necessary measures. In addition, they must report significant incidents in accordance with the common European regulation.
National plan and risk assessment next year
Authorities and critical entities will be guided by a national plan and a national risk assessment which the Government is due to confirm in early 2026. The Ministry of the Interior is responsible for their preparation as well as the general coordination and steering of operations.
The Act on the Protection of Infrastructure Critical to Society and on the Improvement of Resilience, which was drafted by the Ministry of the Interior, also required changes in the legislation of certain other branches of government. The amendments were made in the same context and will enter into force at the same time on 1 July 2025.
The Ministry of Justice has, among other things, prepared amendments to the Security Clearance Act to expand security clearances in ports. At the same time, the Ministry of Transport and Communications prepared a new Cybersecurity Act which implemented the EU’s Cybersecurity Directive (NIS2). Its purpose is to strengthen cybersecurity in critical industries in EU Member States.
Inquiries:
Ministerial Adviser Eero Kytömaa, Ministry of the Interior, tel. +358 295 488 280, firstname.lastname@gov.fi
Senior Ministerial Adviser Johanna Hakala, Ministry of the Interior, tel. +358 295 488 452, firstname.lastname@gov.fi
Decision in Finnish Eduskunnan vastaus hallituksen esitykseen SM/2025/42Link to an external website