National plan and risk assessment to guide operations

The Finnish Act on the Protection of Infrastructure Critical to Society and on the Improvement of Resilience (the CER Act) is being implemented in stages. The Government adopted a national CER risk assessment in January 2026. A national plan is scheduled for completion in spring 2026. The deadline for identifying critical entities is 17 July 2026.

National plan to strengthen resilience

The aim of the national plan for the resilience of critical entities is to ensure the continuity of essential services in all circumstances. The plan seeks to strengthen entities’ ability to anticipate and prevent disruptions, manage them when they occur and recover from them.

The plan draws on national strategies, decisions and plans such as the Security Strategy for Society and the Government decision on the objectives of security of supply. It sets out strategic objectives and priorities, a governance framework, measures and the processes for identifying and supporting critical entities. The plan forms the basis for identifying critical entities and guides resilience development in all sectors.

Critical infrastructure risk assessment

In January 2026, the Finnish Government adopted a risk assessment addressing critical infrastructure and the resilience of critical entities. The assessment is required by both EU’s Critical Entities Resilience (CER) Directive and the new national CER Act. Under the act, a national risk assessment of critical infrastructure and critical entities must be completed at least every four years.

The CER risk assessment covers significant risks to essential services, cross-border dependencies and interdependencies between sectors.

The CER risk assessment is not public. A broader national risk assessment will be published in autumn 2026.