Finland

6TOTAL

1OFFICIAL SOURCES

6TOPIC AREAS

Law / Act2

Policy / Guidance1

National Strategy1

Standard / Framework1

International Agreement1

CybersecurityData Privacy & ProtectionGenerative AINational StrategyOnline Safety & Child ProtectionSandbox

Law / Act

New powers for Finnish data watchdog as EU’s AI Act takes effect

The Finnish data watchdog has released a statement saying that its role expanded when the national laws implementing the AI Act into Finnish law entered into force on 1 January 2026. The oversight system was set up in a decentralized way involving 15 regulators. The Finnish office of the data protection ombudsman is among the authorities responsible for market surveillance for high-risk AI systems, supervising the fundamental rights and will act as a notified body for certain high-risk systems. Traficom — the Finnish Transport and Communications Agency — is the coordinator and national contact point, the regulator said.

7 January 2026Data Privacy & Protection

↗ Link availableSecondary source

National Strategy

Nordic Council of Ministers approve funding for a Nordic-Baltic AI Center

The Nordic Council of Ministers (Denmark, Finland, Iceland, Norway, Sweden) have approved 30 million DKK over three years for starting up and establishing a Nordic Baltic AI-center. Organisations from all Nordic countries (including AI Sweden, AI Finland, Digital Dogme, IKT Norge and Almannarómur) will participate in establishing the Center, which will be formally launched in the fall of 2025. The center will accelerate AI adoption and innovation across the region by acting as a cross-sectoral hub for governments, ecosystems, companies, and organizations. It will consolidate strategic leadership and expertise, oﬀering capabilities needed by national actors. The work will be coordinated by a secretariat located in Sweden. The ambition is to also have the Baltic countries join.

18 June 2025National Strategy

↗ Link available

Policy / Guidance

Finland DPO releases guidance on privacy and AI

The Finnish Office of the Data Protection Ombudsman (DPO) has issued new guidance detailing how organisations must ensure personal data used in AI systems complies with data protection laws, including the EU's General Data Protection Regulation (GDPR) and the EU AI Act. This guidance emphasises that organisations must assess data protection risks from the data subject's perspective before processing any personal data within an AI system, determining necessary security measures, and identifying when a Data Protection Impact Assessment (DPIA) is mandatory due to high-risk processing. Furthermore, the DPO clarifies that a legal basis is always required for processing personal data in AI development, use, or training, and provides instructions on adhering to GDPR principles like data minimisation and purpose limitation, as well as guidelines for informing individuals about data processing and exceptions to this obligation.

20 May 2025Data Privacy & ProtectionCybersecurity

↗ Link available

Law / Act✓ Official

Paris Charter on AI signed

Chile, Finland, France, Germany, India, Kenya, Morocco, Nigeria, Slovenia, and Switzerland have adopted the "Paris Charter on Artificial Intelligence (AI) in the Public Interest". The charter (1) aims to ensure AI development serves the public interest, focusing on equity, transparency, accountability, and sustainability; (2) encourages openness in AI and accountability through existing frameworks; (3) calls for safeguards against AI’s potential harms, alongside an affirmative vision to maximise its public benefits, including through open public goods, democratic participation, and sustainable solutions; and (4) stresses the importance of accessible high-quality data, privacy protection, and smaller, more localised AI models that have a reduced environmental impact.

11 February 2025Data Privacy & Protection

↗ Link availableFull text

International Agreement

Nordic data protection authorities issue declaration on children's data protection in gaming, AI, and administrative fines

The data protection authorities from Denmark, Finland, the Faroe Islands, Iceland, Norway, Sweden, and Åland issued a declaration on that they will commit to co-operate on (1) the protection of children's privacy in online games, and (2) the regulation of AI in relation to the GDPR. The declaration emphasised the importance of resource allocation for effective AI oversight and responsible data processing.

31 May 2024Data Privacy & ProtectionOnline Safety & Child Protection

↗ Link availableSecondary source

Standard / Framework

Data protection authorities adopted joint statement on building trustworthy data governance frameworks to encourage development of innovative and privacy-protecting AI

Twenty (20) data protection authorities, including from Australia, Belgium, Canada, France, Germany, Hong Kong, Ireland, Italy, Korea, Netherlands, New Zealand, Luxembourg, Spain, and UK adopted the joint statement on building trustworthy data governance frameworks to encourage development of innovative and privacy-protecting AI. The statement recognises the opportunities and risks of AI, including discrimination, misinformation, and hallucination from inappropriate data use, and stresses embedding privacy by design, strong governance, and transparency. The statement commits to clarifying lawful grounds for AI training data and exchanging information on proportionate safety measures. It also focuses on monitoring technical and societal impacts with contributions from non-governmental organisations, public authorities, academia, and businesses, and reducing legal uncertainties through regulatory sandboxes and best practice sharing.

17 September 2025Data Privacy & ProtectionSandboxGenerative AI

↗ Link availableSecondary source