What is AI regulation in Finland?
AI regulation in Finland is mainly the EU AI Act, applied through Finnish supervisory and enforcement structures rather than a standalone Finnish AI code. Finland's first national implementation phase has been in force since 1 January 2026, assigning authorities, supervision powers and penalties. In practice, organisations in Finland need to follow the EU AI Act itself, sector-specific Finnish oversight, and, where personal data is involved, GDPR and Finnish data protection rules.
What this means
Finland does not regulate AI mainly through a separate domestic code. The main binding rules come from the EU AI Act. Finland adds the national machinery the Act needs, such as who supervises which systems, who can investigate, who can designate or act as a notified body in certain cases, and how administrative fines are imposed.
That means the practical question for most organisations is not whether Finland has "its own AI Act", but which combination of EU rules, sector supervision and data protection rules applies to a given system. A public chatbot, a hiring tool, a credit scoring model, a medical device and a police biometric system do not all follow the same supervisory route.
Finland also entered the AI Act era with a longer policy heritage than many countries. Its 2017 AI Programme and later public-service work such as AuroraAI helped shape a national emphasis on adoption, trust and skills. Those programmes matter as context, but they are policy architecture, not the main source of binding duties.
Why it matters
By June 2026, Finland has moved from policy discussion to named regulators, formal powers and a domestic sanction route. If you build, buy, import or deploy AI in Finland, you now need to know which authority sits across the table, what records you need, when transparency notices are required and when a sector regulator, not a general digital regulator, is the one that matters.
That is especially important for organisations working in employment, finance, health, education, biometrics, critical infrastructure and public administration. In those areas, AI law in Finland is rarely just an abstract EU compliance issue. It affects procurement, product design, data governance, incident handling, vendor allocation of responsibility and board-level risk decisions.
How it works
The legal model is EU first
Finland's AI regime starts with the EU AI Act, which is directly applicable EU law. Finland did not rewrite that regulation into a separate national code. Instead, it passed supplementary national legislation, most importantly the Act on the Supervision of Certain AI Systems, to assign competent authorities, market-surveillance powers, notifying roles, appeals and sanctions. The first phase of that Finnish framework came into force on 1 January 2026.
For organisations, that means the core duties still come from the EU AI Act itself. The Finnish layer tells you who supervises, how enforcement is organised and how the rules are administered inside Finland. It should also be distinguished from adjacent regimes, especially GDPR and other Finnish rules that can apply to automated decisions or sector-specific products.
Finland uses a multi-authority supervision model
Finland has not put all AI supervision into one new agency. The Data Protection Ombudsman supervises prohibited AI practices under Article 5 and is also the market-surveillance authority for many Annex III high-risk systems, including several biometric, education, employment, essential-service, law-enforcement, migration and justice use cases. Traficom supervises the AI Act's Article 50 transparency duties, except where those transparency duties concern providers or deployers of high-risk systems, in which case the competent sector authority takes over. Traficom is also Finland's single point of contact under the AI Act.
Other authorities take sector-specific roles. Finanssivalvonta covers relevant financial-sector high-risk uses. The Finnish Medicines Agency, Fimea, covers the medical-device side of product regulation. Tukes, Customs, the Energy Authority and the occupational safety and health authority also appear in the supervisory map for particular product and infrastructure categories. Separately, Finland has published its list of authorities protecting fundamental rights under Article 77, including the Data Protection Ombudsman, the Non-Discrimination Ombudsman, the Ombudsman for Equality, the National Discrimination and Equality Tribunal, the Chancellor of Justice, the Parliamentary Ombudsman, the occupational safety and health authorities and the Consumer Ombudsman.
Enforcement is organised through market surveillance and a penalty board
Finland's supplementary law plugs AI supervision into its wider market-surveillance system. Competent authorities use market-surveillance powers and, where relevant, sector legislation. Administrative fines are not set by each regulator alone. Instead, the Act created a separate AI supervision penalty board attached to Traficom. The competent market-surveillance authority proposes the fine and the board decides whether to impose it, change the amount or refuse it.
The fine ceilings track the EU AI Act structure: up to EUR 35 million or 7 percent of worldwide annual turnover for prohibited practices, up to EUR 15 million or 3 percent for many other breaches, and up to EUR 7.5 million or 1 percent for supplying incorrect or misleading information. For SMEs, the cap is the lower of the fixed amount or the percentage amount. A striking Finland-specific detail is that this administrative fine route is not used against state authorities, municipalities, wellbeing services counties and certain other public-law bodies, even though those bodies can still sit within the wider legal regime.
Data protection and transparency run in parallel
In Finland, AI compliance often starts with a simpler question: does the system process personal data, and does it directly interact with people or shape significant decisions about them? The Data Protection Ombudsman's guidance stresses that a lawful basis is needed from the development and training stage onward whenever personal data are used. It also stresses purpose limitation, data minimisation, clear notices to data subjects and, in many AI projects, a DPIA before processing starts.
This matters because many AI projects meet common high-risk indicators under data protection law, such as evaluation or scoring of people, automated decision-making with legal or similarly significant effects, extensive processing, combining datasets, or the use of special category data. At the same time, the AI Act imposes separate transparency duties. In practical terms, a Finnish organisation running a user-facing chatbot or publishing certain AI-generated media may need to give clear notices under Article 50 even if the system is not high-risk. GDPR and the AI Act therefore overlap, but they do not collapse into one checklist.
Conformity assessment follows sector routes
For some systems, the real operational issue is not only supervision after deployment but the conformity route before the system reaches the market or is put into service. Finland has assigned notifying authorities for notified bodies by sector: the Ministry of Economic Affairs and Employment, Traficom, the Finnish Medicines Agency and the Ministry of Social Affairs and Health. Accreditation is handled through Tukes' accreditation service.
Finland also made one notable special assignment. Where a law-enforcement, migration or asylum authority intends to use a high-risk AI system of the Annex III point 1 type, the Data Protection Ombudsman acts as the notified body. The detailed conformity path belongs on a separate page, but the headline point for Finland is simple: the supervisory route depends heavily on the system's sector and use, not just on the word "AI".
Strategy heritage matters, but phase two is still moving
Finland entered this regulatory phase with an unusually strong AI policy heritage. The national AI Programme launched in 2017 positioned Finland as an early adopter, and the later AuroraAI programme showed how Finnish public administration was trying to combine AI, service design and ethics. That heritage helps explain why Finland's current posture is not only restrictive. It also tries to support adoption, legal certainty and public trust.
But the national framework is not finished. As of 6 June 2026, Finland's second implementation phase is still being prepared. Official project material says that this phase is meant to create at least one national AI regulatory sandbox and a national register for certain high-risk AI tied to critical infrastructure safety components. At the same time, the same project material shows an updated legislative timetable reaching into week 35 of 2026, which means the domestic schedule is still not fully settled. The direction is clear, but some implementation details remain pending. Traficom has also already begun pilot preparation work for the sandbox, which shows operational preparation is moving ahead even while the full legal framework is still being finalised.
Examples
A Finnish company adds a customer-service chatbot to its website. Under the AI Act's transparency rules, users generally need to be told they are interacting with AI. In Finland, Traficom supervises those Article 50 duties, unless the same system sits inside the provider or deployer obligations for a high-risk system. If the chatbot logs conversations containing personal data, the company also needs a lawful basis, data subject information and, depending on risk, a DPIA.
A bank, insurer or pension institution in Finland deploys a high-risk AI system in a covered financial use case, such as relevant creditworthiness or risk-assessment functions. The supervisory route is not through a generic digital regulator. Under Finland's supplementing law, the financial-sector route sits with Finanssivalvonta. That changes who receives notices, who can investigate and who would propose an administrative fine.
A police, migration or asylum authority plans to bring into service a high-risk Annex III point 1 system. In Finland, the Data Protection Ombudsman has a dual importance here: it is both a market-surveillance authority for prohibited practices and many high-risk uses, and it also acts as the notified body for this particular pre-deployment conformity route. For organisations selling into this part of the public sector, that is a material procurement and assurance issue.
Common misunderstandings
"Finland has a standalone national AI Act that replaces the EU rules." No. The EU AI Act is the main rulebook, and Finland mainly adds authorities, procedures and sanctions.
"Traficom is the only AI regulator in Finland." No. Finland uses a distributed model involving Traficom, the Data Protection Ombudsman, Finanssivalvonta, Fimea, Tukes, the Energy Authority, Customs and other sector bodies.
"GDPR compliance means AI Act compliance." No. Data protection and AI Act duties overlap, but they cover different things.
"Only the developer needs to care." No. Providers, importers, distributors and deployers can all carry duties under the AI Act and Finland's enforcement structure.
"Finland's earlier AI programmes were binding law." No. They shaped policy direction and governance culture, but the binding regime comes from the EU AI Act and Finland's supplementing legislation.
Risks and boundaries
This page is about Finland's national layer. It does not try to restate the full EU AI Act, determine whether a system is high-risk in every case, or walk through every conformity assessment route. Those questions often require system-specific analysis.
The biggest practical boundary in Finland is regulatory overlap. One system can trigger AI Act duties, GDPR duties, non-discrimination concerns, consumer law, employment law, medical-device rules or sector-specific product legislation at the same time. Public bodies may also face separate administrative-law constraints when automated decision-making is involved.
The other boundary is timing. Finland's first implementation phase is in force, but the second phase, especially the sandbox and critical-infrastructure register, is still being finalised as of 6 June 2026. EU-level timing for later AI Act obligations has also been affected by the 2025-2026 simplification package, and official EU pages have not always been fully synchronised. So the institutional map is clear, but some later dates and practical arrangements can still move.
Because the framework is still new, there is less Finnish practice than many organisations would like in edge cases. You should expect more clarity from guidance, authority cooperation and later supervisory practice before every boundary question feels settled.
What to do next
First, build an inventory of AI uses and label each one by legal role (provider, deployer, importer or distributor) and by sector. In Finland, that mapping determines the likely regulator.
Second, identify whether any system touches employment, finance, health, biometrics, critical infrastructure, public administration or public-facing synthetic content. Those are the areas where Finland's authority map becomes most important.
Third, assemble the evidence pack before a regulator, customer or procurement team asks for it: system purpose, responsible owner, data map, training and testing records, human oversight design, user instructions, logging, incident escalation and vendor allocation of responsibilities.
Fourth, treat data protection and transparency as early build issues, not late legal notes. If personal data are used, test the lawful basis and DPIA question early. If people interact with the system or receive synthetic content, design the user notice early too.
Finally, watch Finland's phase II legislation and the remaining EU timetable adjustments. The compliance target in Finland is no longer abstract. It is an operational governance programme.
FAQs
Does Finland have its own AI Act?
Finland has supplementing national legislation, but the main binding rulebook is the EU AI Act.
Which Finnish authority will supervise my AI system?
It depends on the system's sector and use. Traficom, the Data Protection Ombudsman, Finanssivalvonta, Fimea, Tukes and other sector bodies all have roles.
Are chatbots and generative AI tools regulated in Finland?
Yes. If a system directly interacts with people or creates certain synthetic content, transparency duties can apply. If it also processes personal data, data protection rules apply as well.
Is GDPR enough if my system uses personal data?
No. GDPR and the AI Act overlap, but they ask different questions. You can satisfy one and still miss duties under the other.
Is Finland's AI regulatory sandbox already fully in place?
Not yet in full legal form. Finland's second implementation phase is still being prepared as of 6 June 2026, although Traficom has already started pilot preparation work.
Can a Finnish public authority be fined under the national AI penalty regime?
Finland's supplementing law excludes state authorities, municipalities, wellbeing services counties and certain other public-law bodies from that administrative fine route. That does not remove their wider legal duties.
Do I need a notified body in Finland?
Only some systems do. The answer depends on the conformity route, the sector and the use case. Product-regulated AI and certain public-sector biometrics routes are the clearest examples.
Are Finland's old AI strategy papers still legally binding?
No. They remain useful background for understanding Finland's policy direction, but the binding duties come from the EU AI Act and Finland's supplementing rules.
