Finland AI Regulation

CoE Framework Convention signatory

Overview

• –The EU AI Act (Regulation 2024/1689) applies directly across all member states. Prohibitions on unacceptable-risk AI systems have been in force since 2 February 2025; GPAI model rules since 2 August 2025. High-risk AI obligations are due from 2 August 2026, subject to the Digital Omnibus proposal which may defer enforcement. For the full implementation timeline, governance structure, and current status, see the European Union overview.
• –The Ministry of Economic Affairs and Employment (TEM) leads coordination; Traficom has been designated for market surveillance. A public consultation on the national implementation plan was concluded in 2024.

This content is for informational and educational purposes only and does not constitute legal advice.

AI Regulation Timeline

1. 08/09/2025

   investigation

   Data Protection Ombudsman's Office issued a ruling with penalty of EUR 1.8 million against S-Banken over information security negligence in online banking

   On 8 September 2025, the Data Protection Ombudsman's Office imposed a penalty of EUR 1.8 million against S-Banken over information security negligence in online banking. The negligence stemmed from a programming error in the S-mobil login function, implemented in April 2022, which created a vulnerability allowing login with other customers' codes for over three months until August 2022. The investigation found that S-Banken did not use sufficient safeguards, failed to adequately test the new software before use, and did not react sufficiently to customer reports of login discrepancies. The Data Protection Ombudsman considered these operations a violation of the European Union's General Data Protection Regulation requirements for secure personal data processing.

   SourceDPA record