It is reported that the “sovereignty requirements” under the certification framework for cloud service providers (SecNumCloud) disadvantage—and effectively preclude—foreign cloud firms from providing services to government agencies. The latest SecNumCloud guidance retains foreign ownership and board limits, which would effectively force foreign firms to set up a local joint venture to be certified under SecNumCloud as “trusted” and thus able to manage European data and digital services. These new provisions are in addition to their current use as a de facto discriminatory barrier, as France has not certified firms from other EU member states and from outside the EU.
Since 2016, only four companies, all French, have been certified (3DS Outscale (a subsidiary of Dassault Systemes), OVHcloud, Oodrive, and Worldline Cloud services). It is mandatory for public agencies to use SecNumCloud-certified services. Art. 19.6 of the SecNumCloud requires that cloud service providers be “immune to non-EU laws” established via corporate ownership structure limitations. Specifically, the law specifies that individual shareholders outside the EU cannot possess more than 25% of the company and collectively 39% of the value and voting rights of the company. They also cannot have veto rights, nor can they nominate a majority of members of boards. Together, all of these requirements essentially preclude the majority of foreign-owned and run cloud firms from SecNumCloud certification.

Under Section 19.6.a of the Certification framework for cloud service providers (SecNumCloud) requirements repository, the registered office, central administration or main establishment of the service provider must be established within a member state of the European Union. France's Policy on the Security of Information Systems of the State states that if certificates are available, certified products or services are to be preferred, effectively putting non-EU providers at a disadvantage.

Art. 85 of the Utilities Directive (2014/25/EU) contains provisions allowing contracting public entities to reject foreign goods not covered by any EU international commitments from its tender procedures. In these cases, a tender submitted for the award of a supply contract may be rejected where the proportion of the products originating in third countries exceeds 50% of the total value of the products constituting the tender (Art. 85.2). Additionally, in cases of equivalent offers, the provisions provide for a preference for European tenders and tenders covered by EU's international obligations. In practice, this possibility has rarely been used.
In France, the Directive has been transposed with the Public Order Code (CCP), which contains the provisions governing public order contracts, following a distinction between public contracts and concessions.

The Public Procurement Code, Chapter 3, Section 1, stipulates that French public authorities shall guarantee equivalent treatment to economic operators and works, supplies and services from States that are signatories to the WTO Government Procurement Act and economic operators from EU Member States. In other cases, authorities may introduce criteria or restrictions in the tender documents based on the origin of the goods or services.

It is reported that the lack of transparency is a challenge for public procurement procedures in France, especially for foreign bidders, including with respect to overly narrow definitions of tenders, and implicit biases in favor of local vendors and state-owned enterprises.

Finland has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures.

The EU Directive on Audiovisual Media Services (AVMS) covers traditional broadcasting services as well as audiovisual media services provided on-demand, including via the Internet. Art. 13.1 provides for Member States to secure a minimum 30% share of European works in the catalogues as well as "ensuring prominence" of those works. "Prominence" involves promoting European works by facilitating access to such works using any appropriate means to ensure their prominence. The Directive has been implemented by Member States in different ways, ranging from very extensive and detailed measures to a mere reference to the general obligation to promote European works.
In Finland, the EU Directive was transposed into domestic law through the amendment of the Act on Electronic Communication Services of December 2020 (Law No. 1207/2020 on Amending the Electronic Communications Services Act). According to Art. 209 of the Act, subscription programme service providers must reserve at least 30% of their programme list for European works and ensure the visibility of these works within the list. This obligation does not apply to subscription programme service providers with a small turnover or audience, or in cases where compliance would be practically impossible or unjustified. Furthermore, Finland has not implemented financial contribution obligations for VOD service providers.

The Act on Electronic Communications Services implements the EU toolbox on securing the security and protection of critical parts of the communications network. The Act gives the Finnish government powers to deem certain telecommunications components and equipment a threat to national security and exclude them from the Finnish network. While the Act does not explicitly name Huawei or ZTE, as other EU member states have, it is likely that components from these telecommunications providers will face heightened scrutiny or possible bans.

The Consumer Rights Directive 2011/83/EU provides an updated framework aimed at encouraging online sales. The Directive has been implemented by the Finnish Consumer Protection Act 2005.

Finland has not signed the United Nations (UN) Convention on the Use of Electronic Communications in International Contracts.

Finland has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce.

The Directive 2000/31/EC (E-Commerce Directive) is the legal basis governing the liability of Internet Services Providers (ISPs) in the EU Member States and includes a conditional safe harbour. Not all Member States have transposed the relevant articles consistently, leading to divergent national case law that could cause legal insecurity on an EU level.
In Finland, the Act 458/2002 on Information Society Services and Electronic Commerce implements the E-Commerce Directive almost verbatim, but at the same time, it has some important distinctions, such as not implementing Art. 15 on prohibition of monitoring obligations.

The Directive 2000/31/EC (E-Commerce Directive) is the legal basis governing the liability of Internet Services Providers (ISPs) in the EU Member States and includes a conditional safe harbour. Not all Member States have transposed the relevant articles consistently, leading to divergent national case law that could cause legal insecurity on an EU level.
In Finland, the Act 458/2002 on Information Society Services and Electronic Commerce implements the E-Commerce Directive almost verbatim, but at the same time, it has some important distinctions, such as not implementing Art. 15 on prohibition of monitoring obligations.

It is reported that the Finnish Transport and Communications Agency (FICORA), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

The Act on the Secondary Use of Health and Social Data facilitates the use of personal data in social and health activities for secondary purposes, establishing specific conditions regarding the environments in which such data may be analysed. While the Act itself does not impose restrictions on the transfer of personal data, the Social and Health Data Permit Authority has issued Regulation 1/2022, which, in Section 3.1.2 of Annex 1, stipulates that the environment must be physically located within the EU/EEA.