Incident notifications
Under the CER Act, entities identified as critical must notify the authorities of incidents affecting an essential service. Incident notifications enable the authorities to respond swiftly and appropriately where necessary. They also help authorities support critical entities in managing incidents and build an overall picture of their impacts, nature, causes and consequences.
There are two stages in the incident notification process. Critical entities must always submit an initial notification if an incident has disrupted or could disrupt the provision of an essential service. The notification must be submitted within 24 hours of the entity becoming aware of the incident. The initial notification includes information such as an assessment of the cause of the incident, its possible consequences and any cross-border impact. Critical entities submit the initial notification to the competent supervisory authority and the Government Situation Centre.
Critical entities must also submit a detailed report if an incident has disrupted the provision of an essential service or has had a cross-border impact. A detailed report is not required if the entity considers that the incident has neither disrupted the provision of an essential service nor had any cross-border impact. If an incident has disrupted the provision of an essential service, the critical entity must submit the detailed report within one month of becoming aware of the incident. The report is submitted to the Ministry of the Interior, the ministry responsible for the sector and the competent supervisory authority.
Critical entities use an online form to submit both the initial notification and the detailed report. The system automatically forwards the form to the appropriate authorities based on the selections made by the person completing it. The form may be used to submit information classified up to security classification level IV.
Links to the forms for the initial notification and the detailed report are available on the right-hand side of this page.
Note: Entities identified as critical under the CER Act also fall within the scope of the Cybersecurity Act on the basis of that identification. The act requires these entities to notify the authorities of an incident that has caused or could cause severe operational disruption to services or considerable financial loss to the entity concerned. They must also notify the authorities of an incident that has affected or could affect other natural or legal persons by causing considerable material or non-material damage. Entities submit the incident reports under the Cybersecurity Act using the NIS2 form provided by the National Cyber Security Centre Finland at Traficom.