It is reported that SecNumCloud’s “sovereignty requirements” disadvantage—and effectively preclude—foreign cloud firms from providing services to government agencies. The latest SecNumCloud guidance retains foreign ownership and board limits, which would effectively force foreign firms to set up a local joint venture to be certified under SecNumCloud as “trusted” and thus able to manage European data and digital services. These new provisions are in addition to its current use as a de facto discriminatory barrier as France has not certified firms from other EU member states and from outside the EU. Since 2016, only four companies, all French, have been certified (3DS Outscale (a subsidiary of Dassault Systems), OVHcloud, Oodrive, and Worldline Cloud services). It is mandatory for public agencies to use SecNumCloud certified services. Art. 19.6 of the SecNumCloud’s requires that cloud service providers be “immune to non-EU laws,” established via corporate ownership structure limitations. Specifically, the law specifies that individual shareholders outside the EU cannot possess more than 25% of the company, and collectively 39% of the value and voting rights of the company. They also cannot have veto rights, nor can they nominate a majority of members of boards. Together, all of these requirements essentially preclude majority foreign owned and run cloud firms from SecNumCloud certification.

Finland has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures.

Finland has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce.

The Consumer Rights Directive 2011/83/EU provides an updated framework aimed at encouraging online sales. The Directive has been implemented by the Finnish Consumer Protection Act 2005.

Finland has not signed the United Nations (UN) Convention on the Use of Electronic Communications in International Contracts.

The Act on Electronic Communications Services implements the EU toolbox on securing the security and protection of critical parts of the communications network. The Act gives the Finnish government powers to deem certain telecommunications components and equipment a threat to national security and exclude them from the Finnish network. While the Act does not explicitly name Huawei or ZTE, as other EU member states have, it is likely that components from these telecommunications providers will face heightened scrutiny or possible bans.

The EU Directive on Audiovisual Media Services (AVMS) covers traditional broadcasting services as well as audiovisual media services provided on-demand, including via the Internet. Article 13(1) provides for Member States to secure a minimum 30% share of European works in the catalogues as well as "ensuring prominence" of those works. "Prominence" involves promoting European works through facilitating access to such works using any appropriate means to ensure prominence of European works. The Directive has been implemented by Member States in different ways, ranging from very extensive and detailed measures to a mere reference to the general obligation to promote European works.
In 2020, the Finnish parliament transposed the Directive by amending the 2014 Act on Electronic Communications Services. Section 209 of the amended Act states the 30% quota on European works. Finland has not imposed further local preference requirements on streaming services, unlike other EU member states that have set laws on streaming service investment requirements in local markets as well.

The Directive 2000/31/EC (E-Commerce Directive) is the legal basis governing the liability of Internet Services Providers (ISPs) in the EU Member States and includes a conditional safe harbor. Not all Member States have transposed the relevant articles consistently, leading to divergent national case law that could cause legal insecurity on an EU level.
In Finland, the Act 458/2002 on Information Society Services and Electronic Commerce implements the E-Commerce Directive almost verbatim, but at the same time it has some important distinctions such as not implementing Art. 15 on prohibition of monitoring obligations.

The Directive 2000/31/EC (E-Commerce Directive) is the legal basis governing the liability of Internet Services Providers (ISPs) in the EU Member States and includes a conditional safe harbor. Not all Member States have transposed the relevant articles consistently, leading to divergent national case law that could cause legal insecurity on an EU level.
In Finland, the Act 458/2002 on Information Society Services and Electronic Commerce implements the E-Commerce Directive almost verbatim, but at the same time it has some important distinctions such as not implementing Art. 15 on prohibition of monitoring obligations.

Chapter 19 of the Information Society Code allows the Ministry of the Interior to request retention obligations of telecommunications providers without a judicial warrant. These retention obligations require telecommunications providers to retain traffic and location data for certain individuals or between 6-12 months, depending on the type of data, for use by the authorities in solving certain criminal acts. While the contents of communications cannot be accessed by authorities, Chapter 19 gives the Finnish government the ability to amend certain retention obligations by Government Decree. Thus, Chapter 19 essentially allows Finnish authorities to access personal traffic and location data for individuals suspected of committing certain crimes without a warrant.

Under the Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union (ECJ) declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.
In Finland, data retention laws are still in force but as of 2021 are under review. Chapter 19 of the Information Society Code authorizes the Finnish Ministry of the Interior to request data retention obligations of telecommunications providers. The retention obligations require telecommunications providers to retain traffic and location data for individuals under investigation for certain crimes for a period of 6-12 months, depending on the type of data. It is also true that following the ECJ ruling invaliding the Data Retention Directive, the scope and the application of the Finnish Information Society Code is limited. For instance, it does not include website browsing. Moreover, small operators are not required to retain their data. The data retention period goes from six months to 12 months, according to the category of the data.

The Accounting Act (Chapter 2, Sections 7 and 9) requires that a copy of the accounting records be kept within Finland. Alternatively, the records can be stored in another EU country if a real-time connection to the data is guaranteed.

Finland has a telecommunications authority: the Finnish Transport and Communications Agency (FICORA). However, it is reported that the decision-making process of this entity is not fully independent from the government.

It is reported that there is no requirement for functional separation for operators with significant market power in the telecom market. However, accounting separation is required in certain cases.

It is reported that the State of Finland owns 17.59% of the shares of Elisa Corporation. Elisa Corporation is one of the leading telecommunications service providers in the country and offers a wide range of services, including mobile telephony, broadband services, cable television, data services and business solutions.