Notify the authorities

Make sure you send the required notifications to the different authorities. Many of the notifications are based on law and the authorities use them to help you investigate the matter:

• The police are responsible for investigating an offence. 
• The Office of the Data Protection Ombudsman supervises the lawfulness of the processing of personal data and advises in matters related to data protection.
• The National Cyber Security Centre helps in matters related to data security. 

Your organisation must notify the Office of the Data Protection Ombudsman of a personal data breach if the violation may cause a risk for the persons subject to the violation. 

• Conduct an assessment of the risks before submitting the notification.
• A notification of personal data breach must be submitted within 72 hours from when your organisation detected the data security violation. 
• If necessary, you can submit the notification stage by stage: first submit a preliminary notification and supplement it later.

If your organisation is an NIS 2 actor according to the Cyber Security Act (124/2025) and the appendices to the Information Management Act (125/2025), your organisation must inform the supervisory authority in your sector of any significant information security incidents affecting communication networks and information systems.

Send the notification within 24 hours of noticing the incident.

Sectors with a notification obligation are  

• energy
• transport
• banking
• financial market infrastructures
• health
• drinking water
• waste water
• digital infrastructure
• ICT service management (business-to-business)
• public administration
• space
• post and courier services
• waste management
• manufacturing, production and distribution of chemicals
• food production, processing and distribution
• manufacturing
• digital service providers
• research activities.

Submit a notification under the NIS 2 Directive on the National Cyber Security Centre Finland’s website.Opens in a new window.

For example, if you have been subjected to fraud, a data breach or blackmail,

• report an offence to the police
• attach the evidence that you have collected on the incident to the report.

You should also report the matter to the police without delay if you find out that somebody has viewed personal data or confidential information kept in your systems without justified reasons.

Report the offence in the electronic service of the police. If the situation is urgent (e.g., money has been taken from the accounts of your organisation), report an offence straight away at your nearest police station.

Notify the National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom of a data security violation such as phishing, data breach or attempts of them. The notification is not obligatory, but your organisation will receive help from the National Cyber Security Centre for investigating the data security violation.