National plan and risk assessment to guide operations

The Finnish Act on the Protection of Infrastructure Critical to Society and on the Improvement of Resilience (the CER Act) is being implemented in stages. The Government adopted a national CER risk assessment in January 2026. A national plan is scheduled for completion in spring 2026. The deadline for identifying critical entities is 17 July 2026.

Timeline of the implementation of the CER Act from 2026 to 2028. In 2026, a national CER risk assessment is conducted and a national plan for the resilience of critical entities is prepared. In 2027, critical entities are identified and entity-specific risk assessments are carried out. In 2028, a resilience plan for each critical entity is prepared.

National plan to strengthen resilience

The aim of the national plan for the resilience of critical entities is to ensure the continuity of essential services in all circumstances. The plan seeks to strengthen entities’ ability to anticipate and prevent disruptions, manage them when they occur and recover from them.

The plan draws on national strategies, decisions and plans such as the Security Strategy for Society and the Government decision on the objectives of security of supply. It sets out strategic objectives and priorities, a governance framework, measures and the processes for identifying and supporting critical entities. The plan forms the basis for identifying critical entities and guides resilience development in all sectors.

Critical infrastructure risk assessment

In January 2026, the Finnish Government adopted a risk assessment addressing critical infrastructure and the resilience of critical entities. The assessment is required by both EU’s Critical Entities Resilience (CER) Directive and the new national CER Act. Under the act, a national risk assessment of critical infrastructure and critical entities must be completed at least every four years.

A cross-sector working group coordinated by the Ministry of the Interior prepared a national plan, the CER strategy, in spring 2026. The strategy guides the development of resilience among the identified critical entities across all eleven sectors defined in the CER Act. The plan sets out the objectives, priorities and measures for enhancing the resilience of critical entities. The Government adopted the plan on 21 May 2026.

The CER risk assessment covers significant risks to essential services, cross-border dependencies and interdependencies between sectors.

The CER risk assessment is not public. A broader national risk assessment will be published in autumn 2026.