Frequently asked questions about the CER Act
-
The Act on the Protection of Infrastructure Critical to Society and on the Improvement of Resilience is a general act that defines general provisions and principles, such as the criteria for identifying critical entities and the obligations of such entities. It also lays down provisions on general guidance and coordination.
The objective of the act is to improve the resilience of critical entities, and its measures are frontloaded, aiming to prevent or mitigate incidents.
The act transposes the EU Critical Entities Resilience Directive (CER Directive) into national law. Member States must formulate national plans, carry out risk assessments, establish an incident notification mechanism and designate a single point of contact responsible for coordinating cross-border cooperation.
-
The Critical Entities Resilience Directive (CER Directive) aims to improve the resilience and reliability of critical services in the EU. It harmonises the identification of critical entities and the resilience procedures in the EU and establishes clear procedures for cooperation between Member States. The directive entered into force in 2023.
-
The Ministry of the Interior is preparing a national plan on critical entities resilience (CER strategy), which is a central part of the implementation of the act. The plan should be ready to be submitted to the Government in January. It will describe the measures necessary to improve the overall resilience of critical entities and give an account of the current state of critical infrastructure and the national risk assessment.
Each ministry will identify the critical entities under its remit. In this process, ministries will take account of the national plan, the national risk assessment and any services that entities offer and that are essential for the functioning of society.
Provisions on the identification of critical entities and on the general requirements concerning them are laid down in chapter 3 of the Act on the Protection of Infrastructure Critical to Society and on the Improvement of Resilience.
Ministries must finalise their first list of critical entities by 17 July 2026.
-
The legislation governs eleven sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space and the production, processing and distribution of food.
The obligations of the act affect those who have been identified as critical entities by the ministry responsible for the sector.
-
According to the act, critical entities must carry out a risk assessment, draw up a resilience plan and take any necessary measures. They must also notify the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt the provision of essential services.
Critical entities must carry out a risk assessment within nine months after being notified that they have been identified as critical entities. They must draw up a resilience plan within one year of their risk assessment.
-
Critical entities must notify the competent authority, without undue delay, of incidents that significantly disrupt or have the potential to significantly disrupt the provision of essential services. Guidelines will be provided to the critical entities, explaining the notification procedure. Critical entities can also inform the competent authority and other relevant parties of planned disruptions to their services, where appropriate.
Incident notifications concern actual or potential disruptions to services. Critical entities should not use incident notifications in emergency situations where there is an urgent need for immediate action by the rescue services, the police, the Border Guard or the healthcare and social welfare services. Moreover, critical entities should not use the incident notification system to report offences or suspected offences. These should be reported directly to the police, as usual.
-
Competent authorities will supervise critical entities' compliance with their obligations under the act. The competent authorities are the following: the Energy Authority; the Centre for Economic Development, Transport and the Environment for South Savo; the Finnish Transport and Communications Agency (Traficom); the Finnish Medicines Agency (Fimea); the Finnish Food Authority; the Finnish Safety and Chemicals Agency (Tukes); the National Supervisory Authority for Welfare and Health (Valvira) and the regional state administrative agencies.
-
The Ministry of Justice has prepared the following amendments as part of the implementation of the directive: an act amending section 19 of the Security Clearance Act, an act amending the Act on the Storage of Information Extracted from the Criminal Records and on the Disclosure of Such Information between Finland and Other Member States of the European Union, an act amending sections 4a and 5 of the Criminal Records Act, an act amending the Act on the Security of Certain Ships and Associated Port Facilities and on Monitoring Maritime Security (Maritime Security Act), an act amending section 6 of the Act on the Application of the Provisions of the Trade and Cooperation Agreement between the European Union and the United Kingdom concerning Extradition on the Basis of an Offence and Exchange of Criminal Records, and an act amending section 1 of the Act on the Enforcement of a Fine.
Provisions on the obligations of critical entities to manage cybersecurity risks are laid down in the Cybersecurity Act, which falls within the remit of the Ministry of Transport and Communications.
The amendments to the Maritime Security Act strengthen security measures at ports. Port authorities managing ports that handle international traffic must ensure that only reliable persons of unimpeachable character have access to information and data processing systems that are critical to port security. Port authorities must apply for security clearance vetting of such persons.