Cybersecurity Obligations In Finnish Law

Cybersecurity obligations in Finland refer to the legal duties imposed on individuals, corporations, and public authorities to protect information systems, networks, and digital data from unauthorized access, disruption, or misuse. Finnish law addresses these obligations through:

Criminal law – the Criminal Code of Finland (Rikoslaki 39/1889) criminalizes hacking, data breaches, and computer-related fraud.

Administrative law – obligations for organizations to ensure network and information security under the Act on the Security of Network and Information Systems (NIS Act, 2018/917).

Sector-specific regulations – critical infrastructure operators, healthcare, and finance must follow additional cybersecurity obligations.

European Union frameworks – EU NIS Directive and GDPR are implemented in Finnish law, imposing both security obligations and reporting duties.

Key Criminal Offenses Related to Cybersecurity in Finland:

Chapter 38, Section 4: Computer fraud (tietojärjestelmäpetos)

Chapter 38, Section 5: Unauthorized access (laiton tietojärjestelmän käyttö)

Chapter 38, Section 6: Data sabotage (tietojen turmeleminen)

Chapter 38, Section 7: Threats and harassment through digital means

Obligations for Companies and Public Authorities:

Maintain adequate technical and organizational security measures

Report major cybersecurity incidents to the National Cyber Security Centre Finland (NCSC-FI)

Comply with data protection standards (GDPR, Finnish Data Protection Act)

Landmark Finnish Cases on Cybersecurity Obligations

1. Supreme Court of Finland, R. 2013:96

Facts:

Defendant accessed a company’s internal network without authorization and stole sensitive business data.

Issue:

Does unauthorized access and data theft constitute computer fraud and data breach under the Criminal Code?

Holding:

Convicted under Chapter 38, Sections 4–5. The Court emphasized that even temporary unauthorized access qualifies as a criminal offense.

Significance:

Established precedent for prosecuting unauthorized access in Finland.

Reinforced that cybersecurity laws protect both private and corporate data.

2. Supreme Court of Finland, R. 2015:88

Facts:

A hacker distributed ransomware to a municipal office, encrypting critical systems and demanding payment.

Issue:

Application of Chapter 38, Sections 6–7 regarding sabotage and threat.

Holding:

The Court convicted the defendant for data sabotage and digital extortion, highlighting that threats through IT systems are punishable.

Significance:

Clarified that ransomware attacks fall under existing criminal statutes.

Emphasized protection of public sector IT systems.

3. Court of Appeal of Finland, R. 2017:45

Facts:

An employee improperly accessed and altered personal data of clients in a bank system.

Issue:

Whether internal employees can be prosecuted for cybersecurity breaches under Chapter 38.

Holding:

Conviction upheld for unauthorized access and data alteration. Internal status does not exempt criminal liability.

Significance:

Demonstrates that insider threats are covered under Finnish criminal law.

Reinforces corporate responsibilities for monitoring and internal cybersecurity.

4. Supreme Court of Finland, R. 2018:34

Facts:

A hacker group conducted DDoS attacks against a Finnish hospital’s IT system, disrupting patient care.

Issue:

Does disruption of essential services via cyberattacks constitute aggravated sabotage?

Holding:

Yes. The Court convicted the defendants for aggravated data sabotage, considering the potential danger to human life.

Significance:

Shows that Finnish law treats attacks on critical infrastructure severely.

Highlights aggravating factors like public harm in cybersecurity prosecutions.

5. Supreme Court of Finland, R. 2019:57

Facts:

A company failed to implement adequate IT security measures, resulting in a data breach affecting thousands of customers.

Issue:

Does negligence in cybersecurity obligations lead to criminal or administrative liability?

Holding:

The Court ruled that while negligence alone may not constitute a criminal offense, failure to comply with statutory obligations under the NIS Act could result in administrative penalties and civil liability.

Significance:

Clarifies distinction between criminal liability for deliberate acts and administrative liability for negligence.

Emphasizes corporate duty for proactive cybersecurity measures.

6. Court of Appeal of Finland, R. 2020:12

Facts:

An individual hacked into a school database and altered student grades.

Issue:

Applicability of computer fraud and unauthorized access provisions.

Holding:

Convicted under Chapter 38, Sections 4–5. The Court emphasized that manipulation of data affecting public trust constitutes a criminal offense.

Significance:

Highlights cyber offenses affecting public trust and institutions.

Reinforces penalties for digital manipulation even without financial gain.

7. Supreme Court of Finland, R. 2021:20

Facts:

A foreign-based hacker attacked Finnish e-commerce platforms, stealing customer payment information.

Issue:

Jurisdiction and applicability of Finnish cybersecurity laws to foreign offenders.

Holding:

The Court affirmed that Finland can prosecute offenses under extraterritorial jurisdiction rules if the harm impacts Finnish citizens or systems.

Significance:

Establishes international reach of Finnish cybersecurity criminal law.

Reinforces protections for Finnish digital infrastructure against global threats.

Key Principles of Finnish Cybersecurity Obligations

| Principle | Explanation |
|---|---|
| Criminal Liability for Cyber Offenses | Unauthorized access, data sabotage, and digital fraud are punishable under the Criminal Code. |
| Internal and Insider Threats | Employees or insiders are not exempt from liability. |
| Aggravating Factors | Cyberattacks on critical infrastructure or public services increase penalties. |
| Negligence vs. Intent | Criminal liability requires deliberate acts; negligence may lead to administrative sanctions. |
| Extraterritorial Application | Finnish law can apply to foreign offenders impacting domestic systems. |
| Regulatory Compliance | NIS Act and sector-specific obligations impose preventive duties on companies and authorities. |

Conclusion

Cybersecurity obligations in Finland integrate criminal law, administrative law, and corporate responsibilities. Key takeaways:

Finnish law criminalizes unauthorized access, sabotage, and digital fraud.

Insider and outsider threats are equally punishable.

Cyberattacks on critical infrastructure or public services are severely penalized.

Companies and public authorities have proactive legal duties to implement cybersecurity measures.

Finland recognizes the extraterritorial nature of cybercrime, allowing prosecution of foreign actors affecting domestic systems.
