Macroprudential strategy aligned with changed operating environment and regulation >

Banking supervision themes originate from Europe – also new domestic supervised entities >

New significant supervised entity Keva in the insurance sector and regulatory changes >

Capital markets supervision focused on real estate funds and sustainability issues >

Supervision of anti-money laundering emphasised compliance with sanctions >

Supervision of ICT and cyber security guided by DORA regulation >

In 2025, supervision was guided by the supervisory priorities published at the beginning of the year: the soundness of supervised entities’ corporate governance, responding to uncertainty in the operating environment, IT and cyber risks, and ESG risks. The FIN-FSA conducts inspections of several individual supervised entities each year and carries out thematic reviews focusing on a given group of supervised entities in accordance with the supervisory priorities, risk-based approach and the priorities of European supervisors.

Macroprudential strategy aligned with changed operating environment and regulation

The FIN-FSA updated its macroprudential strategy to correspond to the changed operating environment and regulation. The updated strategy supports decision-making by the Board and improves stakeholders’ possibilities to understand the background to decisions. The primary objective of macroprudential policy is to prevent financial crises and mitigate their adverse effects on the economy, thereby promoting sustainable economic growth. The reform placed greater emphasis on supervised entities’ risk resilience and clarified the objectives of macroprudential policy and the conditions for the use of the instruments. The Board assesses the strategy’s effectiveness annually and updates it as necessary. The FIN-FSA Board’s new macroprudential strategy emphasises the risk resilience of the financial system more strongly than before - 2025 - www.finanssivalvonta.fi/en

The FIN-FSA issued four macroprudential decisions in the review year. In all of them, the capital buffer requirement for banks and the maximum loan-to-collateral ratio (loan cap) for housing loans remained unchanged. The Board also decided to apply Norway’s systemic risk buffer requirement in full to Finnish credit institutions and approved the risk-weight floors for real estate-secured lending set by the Norwegian and Swedish macroprudential authorities for certain Finnish credit institutions’ exposures in those countries. Moreover, the FIN-FSA decided to keep the buffer requirements for credit institutions that are systemically important at the national level (O-SIIs) unchanged. Macroprudential decisions 2025 - Macroprudential decisions and appendices - www.finanssivalvonta.fi

In the review year, the FIN-FSA assessed how credit institutions had complied with the FIN-FSA recommendation given in 2022 on a maximum debt-servicing burden for housing loan applicants’ loans and charges for financial costs of housing company loans as well as the legislative restrictions on housing loans and housing company loans that entered into force in 2023. According to the survey, the volumes and proportions of higher-risk housing and housing company loans have generally declined since the recommendation and regulatory restrictions entered into force. Overall, credit institutions have complied well with the recommendation and restrictions. The publication based on the review is available at https: //publications.bof.fi/handle/10024/54235 (in Finnish).

Banking supervision themes originate from Europe – also new domestic supervised entities

The FIN-FSA supervises the most significant banks operating in Finland under the leadership of the European Central Bank (ECB). These are Nordea Bank Plc, OP Pohjola, Municipality Finance Plc and Danske Bank A/S Finland Branch. Other banks are under the FIN-FSA’s direct supervision.

The ECB’s banking supervision priorities for 2025 highlighted banks’ resilience to immediate macro-financial threats and severe geopolitical shocks (Priority 1). Banks were also urged to remediate material long-term shortcomings effectively and without delay (Priority 2) as well as to tackle challenges stemming from digital transformation and new technologies and manage associated risks carefully (Priority 3). The supervisory priorities are based on the previous year’s priorities. The FIN-FSA observed the ECB’s priorities, as applicable, also in the supervision of smaller credit institutions under its direct supervision.

Credit purchasers and credit servicers came under the FIN-FSA's supervision in 2025 following the entry into force of a new legal act. A total of eight authorisations were granted to new supervised entities.

In 2025, the FIN-FSA focused its thematic reviews of banks on credit risk and lending-related themes. Additionally, inspections focused on reliable corporate governance and the use of internal models.

Themes related to anti-money laundering and preventing terrorist financing as well as sanctions compliance were also inspected and assessed in banks and payment service providers.

Thematic reviews and surveys of credit institutions and payment service providers 

Thematic reviews and surveys of credit institutions and payment service providers in 2025 focused on banks’ corporate governance and risk management, including credit risks and sanctions screening, and on the availability of basic banking services, the effects of de-risking, and the security of online payments.

In 2025, the ECB conducted stress tests on the banks under its direct supervision, and the FIN-FSA conducted corresponding tests on the banks under its direct supervision.

European and domestic stress tests completed: banks’ resilience good also against changes in the operating environment resulting from geopolitical tensions

The European Banking Authority (EBA) published the results of the EU-wide stress tests, and the FIN-FSA published the results for the banks under its direct supervision. According to these, the Finnish banking sector would withstand a significant deterioration in the operating environment. The adverse scenario in the stress tests was particularly topical this time, as it also took into account the tightening of trade policy owing to tariffs imposed by the United States.

Thematic review of credit institutions’ resources in the second line of defence (in Finnish).

In the year preceding the review year (2024), the FIN-FSA examined, through a thematic review, the resources (number, competence and time spent on tasks) of the second line of defence¹ in six credit institutions. The results were published at the beginning of the review year 2025. Based on the review, recommendations were issued and good practices highlighted.

Thematic review of the identification of a significant increase in credit institutions’ credit risk and expert adjustments (in Finnish)

In spring 2025, the FIN-FSA examined how banks under its direct supervision apply the IFRS 9 Financial Instruments standard to significant increases in credit risk, impairment and expert adjustments. In the thematic review, the FIN-FSA identified shortcomings in some banks. The banks were sent individual supervision letters.

Deficiencies in banks’ loan origination and monitoring practices

The FIN-FSA examined the loan origination and monitoring practices of credit institutions under its direct supervision, with particular focus on compliance with the European Banking Authority’s (EBA) Guidelines (EBA/GL/2020/06). The purpose of the thematic review was to evaluate compliance with the EBA Guidelines on internal governance for credit granting and monitoring, on loan origination procedures and on the monitoring framework. Deficiencies were identified in, among other things, the diversification of credit risk and setting of limits, credit review, the valuation of commercial real estate collateral, the comprehensiveness of data of the monitoring framework, and lending for real estate development. The FIN-FSA will target supervisory actions on the basis of the findings and requires supervised entities to remediate the deficiencies identified in the reviews.

Room for improvement in information provided on basic banking services on several banks’ websites (in Finnish)

According to an assessment conducted by the FIN-FSA in summer 2025, there are significant differences between banks in the comprehensiveness of information on basic banking services on their websites. The FIN-FSA observed that several banks provide a relatively concise description of the basic payment account and its features on their websites and that the websites contain information conflicting with the FIN-FSA’s previous interpretations. Based on the assessment, new interpretations and recommendations were issued and banks were urged to update the information on their websites where necessary.

Follow-up assessment of online payment security

Fraud and scams related to account-based payments have become significantly more common, and the methods used by criminals are constantly evolving. Typical fraud methods include, for example, phishing for online banking credentials with fraudulent messages or fake websites, scam calls and credit transfers made using remote access software. The technical solutions for secure online payments and strong customer authentication must respond to changing security threats. Secure account-based payments require continuous vigilance from both service providers and customers.

Thematic review of the de-risking phenomenon

The FIN-FSA conducted a survey of the extent of de-risking among deposit banks operating in Finland. This is a phenomenon in which a financial institution, instead of managing risks, seeks to avoid customer-related risk by terminating or restricting business relationships with customers or even entire customer groups assessed to involve high risk.

The thematic review also examined how banks consider the perspectives of financial inclusion and the availability of banking services in their operating methods and decision-making when establishing customer relationships, restricting services and terminating customer relationships, particularly owing to obligations under anti-money laundering regulation.

According to the responses received in the thematic review, banks appear to be complying, for the most part, with the recommendations from the FIN-FSA’s previous thematic reviews. On the basis of the review, new recommendations were issued, for example on the recording of rejections and terminations of customer relationships and the grounds for them.

Effectiveness of sanctions screening by credit institutions and payment service providers

The FIN-FSA examined the effectiveness of sanctions monitoring in credit institutions and payment service providers. Supervised entities must organise sanctions monitoring in such a way that they are able to detect parties subject to sanctions regulation and national freezing orders, and, where necessary, refuse to provide a service or execute a transaction or to freeze these parties’ funds. The FIN-FSA required the correction of deficiencies identified in the thematic reviews during 2026.

The following summaries were published of inspections of credit institutions and payment service providers (in Finnish): 

• Nordea Bank Plc: Prevention of evasion of sanctions regulation (summary) H2/2025
• Oma Savings Bank Plc: Anti-money laundering and preventing terrorist financing (summary) H1/2025
• Oma Savings Bank Plc: Liquidity risk management and reporting (summary) H1/2025
• S-Bank Plc: Organisation of operations, implementation of internal control and reporting related to compliance with sanctions regulation and national freezing orders (summary) H1/2025
• OP Fund Management Company Ltd: Organisation of the valuation of assets of an open-ended real estate fund (summary) H1/2025
• Holvi Payment Services Ltd: Anti-money laundering, preventing terrorist financing, and payer information (summary) H2/2025

In addition, inspections were conducted in connection with applications concerning the use of internal models by banks.

Inspections targeting significant credit institutions (OP Pohjola, Nordea, Danske Bank and Municipality Finance) as part of ECB banking supervision are not published.

New significant supervised entity Keva in the insurance sector and regulatory changes

The insurance sector consists of several sub-sectors: pension insurance, non-life and life insurance, and unemployment insurance. Supervisory methods and priorities vary across the sub-sectors. As in previous years, supervision emphasised corporate governance, issues related to digitalisation, sustainable development and climate change. Supervision continued to focus on consistent targeting through quarterly supervisory themes while developing working methods. Quarterly themes included, for example, insurance companies’ governance systems and structural conflicts of interest in the boards of employee pension insurance companies.

Insurance groups’ governance systems in supervisory focus: mapping highlighted several areas for development (in Finnish)

Quarterly theme: Structural conflicts of interest in the boards of employee pension insurance companies (in Finnish)

From the beginning of 2025, Finland’s largest employee pension insurer, Keva, came under the FIN-FSA’s supervision in its entirety. Keva’s supervision was integrated into the uniform and consistent supervision of employee pension insurance companies. The FIN-FSA also participated in the preparation of significant legislative changes. These included, among others, the employee pension reform, the review of solvency regulation for non-life and life insurance companies, the transposition of the Recovery and Resolution Directive into national legislation and the reform of the Unemployment Funds Act concerning so-called combination insurance.

Thematic reviews, analyses and surveys in the insurance sector

As in previous years, insurance supervision emphasised the conduct of surveys and thematic reviews as a supervisory method to achieve the greatest possible coverage and impact. These provide an overall picture of the market and enable more effective targeting of future supervisory measures. Publication of the results of surveys and analyses also contributes to the strategy’s objective of predictability of operations and conveys the supervisor’s expectations to the market.

In the supervision of the pension sector, surveys covered investment management expenses, website marketing, possible structural conflicts of interest in boards, the steering of board committees, as well as the handling of company-specific expense loading components in marketing. In addition, there was a mapping of how employee pension insurance companies take into account risks related to key sales partners.

In the non-life and life insurance sectors, surveys covered, among other things, the treatment of deferred taxes in solvency calculation, internal control of the valuation of assets and liabilities, insurance groups’ governance systems, as well as how companies monitor the effects of reinsurance on risk mitigation. For life insurance companies, supplementary pension institutions and insurance brokers, surveys covered the disclosure of sustainability-related information on both their own investment activities and their products. In addition, the use of automated claims processes in statutory insurances (employee pension insurance, non-life insurance, unemployment insurance) was surveyed and potential changes in the risk level of investments were analysed.

Survey of marketing by employee pension insurance companies – compliance with legislation in website advertising (in Finnish)

The FIN-FSA identified deficiencies in the marketing of the discount for new entrepreneurs. In some cases the discount was marketed as a company-specific benefit even though the statutory discount is available from every employee pension insurance company. In the FIN-FSA’s view, no benefit, discount or service arising directly from law should be marketed as a company-specific benefit in a way that can create a misleading impression for the customer.

The review also examined YEL (pension insurance for the self-employed) calculators on employee pension insurance companies’ websites. There is no uniform practice regarding the content of YEL calculators, and some employee pension insurance companies provide scant information on the parameters underlying the estimate. In the FIN-FSA’s view, customers should, in accordance with good insurance practice, be given relevant information on the basis of the estimate of future pension provided by the YEL calculator. All information that may be relevant, for example, to understanding and assessing the outcome of the calculation must be provided to the customer. 

Thematic review: Room for improvement in the coverage of internal control of the valuation of assets and liabilities in non-life and life insurance companies (in Finnish)

In spring 2025, the FIN-FSA mapped the state of internal control of the valuation of assets and liabilities in non-life and life insurance companies. The objective of the thematic review was to examine how non-life and life insurance companies have organised internal control of the valuation of assets and liabilities and to review the effectiveness of the companies’ systems and controls and the coverage of the related documentation.

Based on the responses received, there are significant differences and deficiencies in the internal control of the valuation of assets and liabilities in the companies. Non-life and life insurance companies can, where necessary, assess their own company’s situation and possible development needs with the help of the good practices and development areas highlighted in the FIN-FSA’s supervision release. By doing so, companies can proactively improve their internal control.

Thematic review: Adjustment for the loss-absorbing effect of non-life and life insurance companies’ deferred taxes is calculated as a change in deferred taxes in a stress scenario (in Finnish)

During 2025, the FIN-FSA conducted a thematic review of the valuation of deferred taxes and the calculation of the loss-absorbing effect arising from them in non-life and life insurance companies. The thematic review identified considerable differences and simplifications of the regulatory requirements in the calculation methods used by the companies. Based on the findings of the thematic review, companies must pay attention to the valuation of deferred taxes and the realistic calculation of the loss-absorbing capacity of deferred taxes in a stress situation for the solvency capital requirement.

A summary of the risk assessment of money laundering and terrorist financing for the life insurance sector has been published

According to the FIN-FSA’s estimate, the overall risk of money laundering and terrorist financing concerning life insurance companies at the sector level is moderately significant, the second lowest on a four-step scale.

The FIN-FSA urges life insurance companies to ensure that they have sufficient and proportionate controls in place to mitigate and manage identified risks of money laundering and the financing of terrorism.

The use of automated claims processing in insurance activities (in Finnish)

The FIN-FSA has examined the use of automated decision-making processes in statutory insurance. In the employee pension sector, automated claims handling is well-established and the usage rate is high; in the non-life insurance sector, usage varies by company and insurance type; while in unemployment funds, usage remains low. 

A supervised entity event for each insurance sector

Three events for supervised entities were held during the year. The annual event for non-life and life insurance companies was attended by more than 180 people listening on topical themes such as the practical application of risk-based supervision, regulatory reforms and the EU-level supervisory priorities for 2026.

Traditional supervised entity event for non-life and life insurance companies summarised supervisory findings and topical issues (in Finnish)

The pension sector’s supervised entity event was attended by 120 participants. Subjects included new regulations and guidelines on the governance of employee pension insurance companies, the EU Artificial Intelligence Act and the survey of investment expenses. Unemployment funds’ supervised entity event was attended by 21 participants, and the subjects included the funds’ claims and financial situation and findings from inspections of corporate governance.

Changes in regulations and guidelines

Regulations and guidelines concerning the fitness and propriety of the management of employee pension insurance companies were amended in connection with legislative changes that entered into force on 1 January 2026. In addition, regulations and guidelines concerning governance and reporting were issued for Keva. The governance regulations and guidelines supplement the statutory provisions on Keva’s governance and thereby promote its proper organisation.

As a result of amendments to the Unemployment Fund Act, regulations and guidelines were amended with respect to good repute and professional competence, the tasks, independence and use of assets of an unemployment fund, and the recognition as expenses of employment-supporting services.

The following summaries were published of inspections of supervised entities in the insurance sector (in Finnish): 

• YTK Unemployment Fund: Corporate governance, general governance requirements, good repute and professional competence of the fund's management (summary) H2/2025
• OP Life Assurance Company Ltd: Management of reinsurance contract taken out for mass lapse risk (summary) H2/2025
• Open Unemployment Fund A-kassa: Corporate governance inspection (summary) H1/2025
• Kaleva Mutual Insurance Company: Inspection of Solvency II technical provisions, solvency requirement and in statutory accounting technical provisions (summary) H1/2025
• Unemployment Fund for Healthcare Sector: Corporate governance (summary) H1/2025
• Veritas Pension Insurance Company Ltd: Adequate risk management (summary) H1/2025
• Elo Mutual Pension Insurance Company: Adequate risk management (summary) H1/2025

Capital markets supervision focused on real estate funds and sustainability issues

Supervision of listed companies’ sustainability reporting began in 2025. The European Commission issued a regulatory amendment proposal on sustainability reporting (the so-called Omnibus package) at the beginning of the review year, which significantly affected the content and targeting of supervision.

In market abuse supervision, emphasis was placed on the supervision of obligations to prevent, detect and report market abuse, notification obligations for managers’ transactions, and quality issues in supervisory data, such as the correctness of decision-maker information in transaction reporting.

The FIN-FSA continued to target supervision at the development of liquidity and the execution of redemptions in open-ended real estate funds. Investors were particularly warned about investment scams and market manipulation during the supervisory year. Five new authorisations for crypto-asset service providers were granted.

New guidance for real estate funds and changes in the commenting of marketing material for listing prospectuses

The FIN-FSA changed its practice of commenting on marketing material related to listing prospectuses during the prospectus review period. The change emphasises issuers’ responsibility for the appropriateness of marketing material and the need to organise smooth information flow between the preparers of the prospectus and the marketing material during the prospectus process. In addition, the change enables the allocation of prospectus review resources to the actual prospectus review and other statutory tasks.

The FIN-FSA urged managers of open-ended real estate funds to pay particular attention to the valuation of real estate owned by the funds. If the value of real estate owned by the fund has not been determined appropriately, the equal treatment of unit-holders may be jeopardised. In the FIN-FSA’s view, managers of open-ended real estate funds must pay particular attention to the consistency, independence and verification of price estimates of properties. Approximately one-third of open-ended real estate funds have restricted, deferred or suspended the execution of redemptions since autumn 2023 owing to the challenging real estate market.

Towards the end of 2025, the FIN-FSA presented its view on the methods of managing fund liquidity related to the legislative amendment entering into force in spring 2026. The liquidity management methods must be defined in the funds’ rules, and the FIN-FSA must process rule amendments no later than the beginning of March 2026.

Administrative sanctions for breaches of notification obligations

In recent years, the FIN-FSA has imposed several administrative sanctions on managers and persons closely associated with them for breaches of transaction notification obligations and on issuers for breaches of listed company obligations related to transactions. The FIN-FSA reminded issuers of their role in ensuring compliance with managers’ transaction notification obligations.

Thematic reviews conducted in the capital markets sector

Thematic reviews conducted in the capital markets sector in 2025 focused on, among other things, the consideration and reporting of sustainability information, the supervision of algorithmic trading and the implementation of transaction reporting and IFRS financial statements.

Thematic assessment on pre-trade controls implemented by investment service providers engaging in algorithmic trading

The FIN-FSA carried out a thematic review as part of a Common Supervisory Action coordinated by the European Securities and Markets Authority (ESMA). According to the FIN-FSA's observations, respondents had generally implemented the pre-trade controls for algorithmic trading required by regulation. Differences were observed with respect to the practical implementation of the controls and the related procedures.

Thematic review of the organisation of depositary activities for UCITS and AIF funds and the consideration of sustainability information in the supervisory duties of depositaries

Every UCITS fund and AIF managed by an authorised Alternative Investment Fund Manager must have a depositary responsible for the safekeeping of the investment funds’ assets. The depositary markets in Finland are very concentrated, with five entities providing depositary services in Finland in 2024. The FIN-FSA found in the thematic review that depositaries continue to have low personnel resources. The oversight of subscriptions and redemptions for the investment funds was organised appropriately for the most part. Shortcomings and deficient processes were found in the verification of information concerning funds’ sustainability risks and sustainability disclosures.

Thematic review of investment service providers’ sustainability requirements in clients’ suitability assessments and product governance (in Finnish)

In the thematic review, the FIN-FSA took the view that banks and investment service providers must have clear guidelines and processes for obtaining and recording the information required for clients’ suitability assessments. Companies must, in particular, improve the recording of the grounds for suitability assessments and sustainability preferences. In addition, companies must have appropriate product governance arrangements in place to ensure that the products offered are also compatible with the target client group’s sustainability objectives. The thematic review was conducted as a joint supervisory action coordinated by ESMA.

Supervision of sustainability reporting by listed companies

The majority of the eight non-financial companies that were the subject of the thematic review were medium-sized companies. The thematic review took into account ESMA’s focus areas, with emphasis on reporting of the double materiality assessment process. Companies’ reporting of the double materiality process was largely compliant with regulation. There was variation across companies in the reporting of the process for identifying and assessing material sustainability-related impacts, risks and opportunities. There was also major dispersion across companies in the number of material sustainability topics reported.

Thematic review of reporting of investment decision-makers in transaction reporting (in Finnish)

The objective of the thematic review was to ensure that the information on decision-makers acting on behalf of a client or company is correct and that investment service providers’ transaction reporting to the FIN-FSA complies with regulation. The FIN-FSA observed that several companies have deficiencies in the reporting of decision-maker information. Typical errors were the omission of decision-maker information in representation situations (e.g. power-of-attorney trades), in full discretionary asset management and in the reporting of transmitted orders. In some cases, deficient or incorrectly reported information concerned a significant number of reported transactions.

IFRS enforcement 

The subject of IFRS enforcement comprised the IFRS financial statements of eight non-financial listed companies. The majority of these companies were at least medium-sized. In line with ESMA’s priorities, supervision covered matters related to liquidity as well as management judgement and estimates. Approximately one-third of the findings concerned financial instruments, and the remaining findings were distributed widely across different parts of the financial statements. The most significant findings related to impairment of assets and the classification of financial liabilities as a result of covenant breaches. In addition, the IFRS treatment of price hedges related to electricity procurement contracts was covered.

The following summaries were published of inspections of supervised entities in the capital market sector: 

• Ålandsbanken Funds Ltd: Organisation of the valuation of assets in an open-ended real estate fund (summary) H1/2025 (in Swedish)
• Titanium Fund Management Company Ltd: Organisation of the valuation of assets of an open-ended real estate fund (summary) H1/2025 (in Finnish)
• LocalBitcoins Ltd: Anti-money laundering, preventing terrorist financing, and payer information (summary) H1/2025 (in Finnish)
• S-Bank Fund Management Ltd: Organisation of risk management and valuation of funds (summary) H1/2025 (in Finnish)

Supervision of anti-money laundering emphasised compliance with sanctions

In the supervision of the anti-money laundering, the focus during the year was on customer due diligence, compliance with sanctions and supervision of the Transfer of Funds Regulation. During the year, the anti-money laundering and compliance with sanctions were also assessed in sixteen supervisory reviews across different sectors. Inspections concerning anti-money laundering were targeted at credit institutions and payment service providers. In particular, inspections of compliance with the Transfer of Funds Regulation provided new information on how the Financial Action Task Force’s (FATF) new recommendation on payment transparency addresses the need to clarify long payment chains. Regarding sanctions compliance, two inspections were conducted during the year in addition to a broad thematic review that also drew on the specialised expertise of a commercial operator. The results of the thematic review will be addressed as part of ongoing supervision with all the supervised entities covered by it.

In connection with authorisations and registrations, the Anti-Money Laundering Division continues to be responsible for the prevention of money laundering and terrorist financing as well as for sanctions compliance. In particular, authorisation applications by new crypto-asset service providers have significantly occupied the Division.

Towards the end of 2025, the restriction of Teboil’s money transfers due to sanctions against Lukoil became a topic for examination and also media attention. The FIN-FSA covered the topic on its website, publishing a supervision release FIN-FSA recommends that supervised entities exercise vigilance owing to the US sanctions decision of 22 October 2025 (in Finnish) as well as a status update Financial Supervisory Authority’s comment on Teboil entrepreneurs’ appeal (updated 22.12.2025).

Supervisory actions related to anti-money laundering and those targeted at a given sector of supervised entities in the review year are described in the respective sector-specific chapters.

Supervision of ICT and cyber security guided by DORA regulation

The Digital Operational Resilience Act (DORA) began to apply on 17 January 2025. DORA comprehensively regulates the management of ICT and cyber risks by entities supervised by the FIN-FSA. The FIN-FSA decided to require 11 supervised entities to carry out threat-led penetration testing to improve security. In spring 2025, information was collected for the first time on the registers of supervised entities containing the ICT third-party service providers used by them. The information was compiled at Union level and 19 critical ICT third-party service providers were designated for oversight under DORA at the end of the year. DORA also changed the requirements for incident reporting.

In the review year, the FIN-FSA incorporated into its own regulatory framework the joint guidelines of the European Supervisory Authorities on the estimation of aggregated annual costs and losses caused by major ICT-related incidents.

Cross-sectoral assessments and stress tests of cyber resilience and the use of artificial intelligence

Cyber resilience stress test (in Finnish)

The cyber resilience stress test targeted the banking, capital markets and insurance sectors. The stress test was implemented as a thematic review and involved a total of 12 significant supervised entities. The thematic review examined how supervised entities would act in a severe but plausible cyber incident scenario and recover from it. In the stress test scenario, all preventive measures of the supervised entities failed and the cyber attack caused serious disruptions to the databases of their most important systems. The stress test therefore did not assess the supervised entities’ ability to prevent cyber attacks in advance but their ability to react to a cyber attack and recover from it. The assessment was made based on questionnaire responses and documents provided by the supervised entities. The FIN-FSA has provided entity-specific feedback based on the results.

Thematic review of the use of AI in the financial sector

In spring 2025, the FIN-FSA conducted a thematic review of the use of artificial intelligence (AI) in the financial sector. The purpose of the thematic review was to examine the use of AI as well as related plans by entities operating in the financial sector in Finland. The information collected was also used in preparing for market supervision duties under the EU AI Act (Regulation No 2024/1689). Legislation supplementing the AI Act entered into force on 1 January 2026.

Supervisory actions related to ICT and cyber security and those targeted at a given sector of supervised entities in the review year are described in the respective sector-specific chapters.

¹ In the thematic review, the second line of defence was defined as 1) a risk supervisory function independent of business activities and 2) a function supervising compliance with regulations and internal policies as referred to in chapter 9, section 8 of the Act on Credit Institutions (610/2014).