Finland 2026, What Boards and Executives Must Do Now to Manage Criminal Liability After the Criminal Code Reforms

Criminal liability in Finland has shifted materially in 2025–2026, and boards that have not yet responded face escalating prosecution and reputational risk. A convergent package of Criminal Code amendments, criminalising sanctions violations, tightening sector-specific offences, and updating weapons-related provisions, now sits alongside a draft government proposal for a standalone police criminal-intelligence regime that would grant broader information-gathering powers over corporate data. Together, these reforms lower the threshold at which routine business activity can trigger criminal exposure for legal entities and their senior officers. This article provides a consolidated, prioritised board playbook: the governance actions, compliance protocols and investigatory safeguards that general counsel, compliance officers and executives must implement now.

Executive Summary, Five Immediate Board Actions

Before reading the full analysis, every board and CEO should confirm the following five actions are either completed or in motion. Each addresses a specific risk created by the 2026 legislative package.

1. Convene an extraordinary board session. Agenda: criminal liability in Finland under the amended Criminal Code, status of sanctions screening, and approval of an emergency response protocol for police inquiries.
2. Engage or confirm external criminal-defence counsel. Retain a lawyer experienced in business-related criminal offences who can be reached within hours, not days. Board-approved retainer agreements should be in place before an investigation materialises.
3. Impose a sanctions compliance freeze. Instruct the CFO and compliance function to pause, review and re-clear all transactions touching EU-sanctioned jurisdictions, entities or goods categories until an updated gap assessment is complete.
4. Notify D&O insurers. Under most policies, “circumstances that may give rise to a claim” must be reported promptly. The reformed Criminal Code and the police criminal-intelligence draft constitute such circumstances for boards in exposed sectors.
5. Issue a company-wide legal hold and evidence-preservation notice. All electronic and physical documents potentially relevant to sanctions compliance, environmental reporting, occupational safety and police data requests must be preserved immediately. Destruction, even routine, creates obstruction risk.

The statutory context behind each action is set out in detail below. The Finnish Criminal Code (39/1889, as amended) is the primary statutory instrument; it defines criminal offences, sanctions and corporate criminal liability provisions applicable to legal entities. The Ministry of Justice frames criminal law as “the body of law that regulates questions related to criminal liability,” and Board members must now treat that regulation as a direct governance obligation.

Why Finland’s 2026 Criminal Code Amendments Matter to Boards and Executives

The criminal code amendments in Finland did not arrive as a single statute. Instead, several legislative instruments and regulatory actions converged between mid-2025 and spring 2026, each expanding the perimeter of criminal liability for businesses. Boards that tracked only one strand, such as sanctions, may have missed the cumulative effect.

The table below maps the key dates, the legislative or regulatory change, and the corresponding board-level action required.

The cumulative effect is a measurable shift in prosecution risk. Where previously businesses might face administrative fines or regulatory reprimands, the amended Criminal Code now channels certain conduct, particularly sanctions violations and environmental offences, directly into the criminal justice system. Corporate criminal liability in Finland applies where offences are committed in the activities of a corporation, and the offence can be attributed to a failure of oversight by management. This is not theoretical: the Finnish legal system has applied corporate fines since Chapter 9 of the Criminal Code entered force, and the 2025–2026 amendments broaden the catalogue of offences to which corporate liability attaches.

Sanctions Criminalisation, Scope, Corporate and Individual Exposure

Are companies and executives now criminally liable for EU sanctions breaches under Finland’s 2026 changes? The answer is unequivocally yes. The Finnish Criminal Code now contains distinct criminal offences specifically for violating EU sanctions, replacing the previous approach where sanctions violations in Finland were prosecuted under more generic provisions such as regulation offences. The amendments, which entered into force on 20 May 2025, implement the EU Sanctions Criminalisation Directive and introduce a three-tier offence structure.

• Sanctions offence (intentional). Deliberately violating or circumventing EU restrictive measures, including asset freezes, trade embargoes and travel bans, now constitutes a standalone criminal offence.
• Aggravated sanctions offence. Where the violation involves significant economic value, is committed in a particularly methodical manner, or causes serious harm to EU foreign or security policy objectives, higher penalties apply.
• Negligent sanctions offence. Even careless or inadvertent breaches, where the actor should have known the transaction was prohibited, carry criminal liability. This is the provision most likely to affect boards, because inadequate screening systems can be characterised as negligence.

Corporate criminal liability applies to all three offence tiers. A legal entity can face a corporate fine where the offence has been committed in the entity’s operations and management has failed to exercise required care and diligence. Individual executives face personal criminal liability where they participated in, directed or failed to prevent the violation despite having the authority and duty to do so.

The following sanctions risk matrix helps boards identify priority areas for immediate review.

Sanctions, Practical Remediation and Reporting Steps for Boards

Once the risk matrix has been reviewed against the company’s actual operations, the board should approve and minute the following remediation steps:

1. Commission an independent gap assessment. Engage external counsel or a specialist compliance firm to evaluate current sanctions screening, onboarding protocols and transaction-monitoring systems against the new Criminal Code offence definitions.
2. Freeze high-risk transactions pending review. Any transaction flagged by the gap assessment as potentially involving sanctioned entities, goods or jurisdictions should be paused until cleared by legal counsel.
3. Update third-party due diligence. Require all counterparties in affected supply chains to complete a sanctions compliance questionnaire and provide end-user certificates where applicable.
4. Establish a reporting protocol to authorities. Where a past violation is identified, the board must decide, with counsel, whether and how to report to the relevant Finnish authority. Early voluntary disclosure may mitigate penalties.
5. Engage forensic accounting. For complex transaction histories, forensic review of payment flows can identify retrospective exposure before authorities do.

A recommended board resolution format: “The Board resolves to (a) commission an independent sanctions-compliance gap assessment to be completed within 60 days, (b) authorise the CFO to freeze all transactions involving [listed jurisdictions/entities] pending legal clearance, and (c) instruct the General Counsel to prepare a voluntary disclosure assessment for the next board meeting.”

Police Criminal Intelligence in Finland, What the Proposal Means for Internal Investigations and Privilege

On 19 February 2026, the Ministry of the Interior sent for comments a draft government proposal for legislation on police criminal intelligence. If enacted, this proposal would create a standalone police criminal-intelligence regime in Finland, granting police broader powers to gather, process and share information in the pre-investigation phase, before a formal criminal investigation has been opened.

For boards and general counsel, the practical implications are significant. The proposal would expand the circumstances under which police can request corporate data, potentially including internal investigation materials, communications records, and operational databases. It would also widen information-disclosure powers between police units and, industry observers expect, increase cooperation requests between police and corporate compliance functions.

The likely practical effect will be that companies face earlier and broader requests for information, at a stage when the legal basis for those requests, and the company’s obligations, may be less clearly defined than during a formal pre-trial investigation. This creates three governance imperatives:

1. Map your data holdings now. General counsel should create a comprehensive inventory of all data categories that police might request: emails, financial records, HR files, internal investigation reports, compliance dashboards, and IT logs. Assign each category a sensitivity classification and a privilege assessment.
2. Establish a formal decision-making protocol for police requests. Designate a single point of contact (typically the General Counsel or a nominated deputy) authorised to receive, evaluate and respond to police information requests. No employee should produce documents to police without counsel’s approval.
3. Adopt a cross-border data management plan. For companies with operations in multiple jurisdictions, police data requests may conflict with GDPR obligations, foreign blocking statutes, or contractual confidentiality undertakings. Map these conflicts in advance and prepare template objection letters.

The police criminal-intelligence proposal remains in the consultation phase. However, boards should not wait for final enactment. The governance measures above are prudent regardless of the proposal’s final form and will serve the company well in any interaction with authorities under the existing police criminal-intelligence framework.

Privilege and Evidence Handling, Practical Counsel Checklist

Internal investigations privilege in Finland is more limited than in common-law jurisdictions. Finnish law does not recognise a broad attorney–client privilege equivalent to that available in England or the United States. However, careful structuring of internal investigations can increase the likelihood that counsel-led work product remains protected. The following protocol should be adopted by every company that may face a criminal inquiry:

• Counsel-led investigation structure. All internal investigations relating to potential criminal conduct should be initiated, directed and documented by external criminal-defence counsel, not by the company’s internal compliance or HR teams acting alone.
• Privilege logs. Maintain a contemporaneous log of every document created during the investigation, noting author, recipient, date, purpose (legal advice vs. business purpose), and counsel involvement. This log is essential if privilege is later challenged.
• Segregation of investigation teams. Individuals involved in the internal investigation should not simultaneously serve as the company’s liaison with police or regulators. This prevents inadvertent waiver of privilege.
• Counsel-only communication channels. Use dedicated, encrypted communication channels for investigation-related exchanges. Label all communications “Privileged and Confidential, Prepared at the Direction of Legal Counsel.”
• IT forensics chain of custody. If digital evidence is collected during the investigation, maintain a forensic chain of custody from collection through storage. Use independent forensic IT providers where possible.
• Written privileged-investigation policy. The board should approve a standing policy that sets out these protocols in advance. A policy adopted before an investigation arises is far more credible than one created retroactively.

Sector-Specific Criminal Offences, Environment, Safety and Weapons

The criminal code amendments in Finland have not been limited to sanctions. Environmental criminal offences in Finland have received increased statutory clarity, and the updated provisions tighten the link between corporate management failures and individual criminal liability for environmental damage. Occupational safety offences similarly carry heightened board-level exposure where management has failed to maintain adequate prevention systems.

Updated police guidance on weapons offences, effective since 1 January 2026, clarifies reporting thresholds and enforcement approaches. For companies in the defence, security or dual-use technology sectors, this guidance creates additional compliance touchpoints that must be integrated into existing regulatory frameworks.

Boards should treat these sector-specific changes as triggers for compliance-framework updates, not as abstract legislative developments. The key board oversight controls are:

• Compliance audit programme. Commission annual external audits of environmental, occupational safety and, where applicable, weapons-related compliance, with results reported directly to the board.
• KPI integration. Incorporate compliance KPIs (incident rates, near-miss reports, screening failure rates, regulatory correspondence volumes) into board reporting packs.
• Risk register updates. Add the specific Criminal Code offence categories, impairment of the environment, occupational safety offence, weapons offence, to the company’s enterprise risk register with named risk owners.

Environmental Offences, Board Checklist and Red Flags

For companies with environmental exposure, the following targeted actions address the highest-probability risks under the amended code:

• Supplier environmental audits. Require key suppliers to certify compliance with environmental permits and regulations; include audit-right clauses in contracts.
• Incident reporting escalation. Ensure any environmental incident, spill, emission exceedance, waste-handling failure, is reported to the board within 24 hours, with immediate notification to counsel.
• External remediation verification. Where environmental damage has occurred, engage independent environmental consultants to verify that remediation meets regulatory requirements before reporting completion to authorities.
• Regulatory notice timelines. Map all statutory deadlines for environmental notifications (permits, incident reports, remediation updates) and assign compliance-function ownership for each.

A sample board-reporting KPI set should include: number of environmental incidents per quarter, average time to regulatory notification, remediation completion rate, and supplier audit compliance percentage.

When the Police Request Information or Open an Investigation, Board and Executive Playbook

What should a board do when police request information or open a criminal investigation? The answer must be rehearsed before it is needed. Ad hoc responses, particularly document production without counsel review, are the single most common source of avoidable board liability in Finland.

The following step-by-step playbook should be adopted as a standing board protocol:

1. Impose an immediate legal hold. The moment a police request or investigation is known or reasonably anticipated, issue a company-wide legal-hold notice. All potentially relevant documents, electronic and physical, must be preserved. Routine destruction schedules must be suspended for affected categories.
2. Activate the internal response team. This should be a pre-designated group: General Counsel (lead), CEO, CFO, Head of Compliance, and communications director. The response team’s first task is to assess the scope of the police request and the company’s legal obligations.
3. Engage external criminal-defence counsel immediately. The retained counsel should review the police request, advise on the company’s legal obligation to comply or its right to challenge, and manage all subsequent communications with authorities.
4. Notify D&O insurers. Under most D&O policies, the duty to notify arises when circumstances come to the attention of the insured that may give rise to a claim. A police request or investigation meets this threshold. Late notification can prejudice coverage.
5. Coordinate internal and external communications. The board should approve all internal staff communications and any external press statements. Uncoordinated statements by employees or executives can create evidence that is later used against the company or individuals.

Communications and Disclosure Obligations for Public Companies

For companies listed on Nasdaq Helsinki or other regulated markets, a criminal investigation or police inquiry may trigger continuous disclosure obligations under the Market Abuse Regulation (MAR). The board must assess, with counsel, whether the investigation constitutes inside information that must be disclosed to the market.

The decision framework is:

• Is the information precise? A formal police investigation or a police request for specific company data is generally precise enough to qualify.
• Would it significantly affect the share price? A criminal investigation into the company’s core operations, senior management or significant transactions will almost certainly be price-sensitive.
• Can disclosure be delayed? MAR permits delayed disclosure if immediate disclosure would prejudice the company’s legitimate interests and delay is not likely to mislead the public. Coordinate this assessment with counsel and investor relations simultaneously.

A template holding statement: “[Company] confirms it has received an inquiry from Finnish authorities. The company is cooperating with authorities and has engaged external legal counsel. [Company] will provide further information as appropriate and in compliance with its disclosure obligations.”

Board Liability in Finland, D&O and Insurance Considerations

The 2026 criminal code amendments increase the practical importance of directors’ and officers’ liability insurance. Boards should conduct an immediate review of existing D&O coverage against the following checklist:

• Coverage scope. Confirm that the policy covers defence costs arising from criminal investigations and prosecutions, not only civil claims. Some policies exclude criminal matters or impose sub-limits.
• Notification triggers. Review the policy’s notification clause to determine when the duty to notify arises. Most policies require notification of “circumstances”, which means the board should notify now if the company operates in a sanctions-exposed or environmentally sensitive sector.
• Retrospective cover. If criminal exposure pre-dates the current policy period, confirm whether the policy provides cover for prior acts or whether a separate run-off policy is needed.
• Entity cover. Verify that the policy covers the corporate entity (not only individual directors), as the expanded corporate criminal liability provisions may trigger entity-level claims.
• Indemnification agreements. Review board indemnification provisions in the articles of association and any side agreements. Ensure they are enforceable under current Finnish law and align with the D&O policy terms.

Early indications suggest that Finnish insurers are already adjusting D&O premiums and terms in response to the expanded criminal liability landscape. Boards that delay renewal discussions or fail to disclose the amended risk profile may find themselves underinsured.

Implementation Roadmap, 90-Day Plan and 12-Month Governance Milestones

Compliance for executives in Finland now requires a structured implementation timeline, not a one-off review. The following roadmap assigns actions to responsible parties and sets deadlines.

90-Day Priority Actions (Immediate–August 2026):

• Board: Approve emergency response protocol, retain external criminal-defence counsel, approve sanctions compliance freeze.
• General Counsel: Complete corporate data mapping, adopt privilege protocol, issue legal-hold template, review D&O notification obligations.
• CEO/CFO: Commission independent sanctions gap assessment, suspend routine document-destruction schedules for affected categories, notify D&O insurers.
• Compliance function: Update sanctions screening tools, distribute revised compliance training materials, establish quarterly Finlex monitoring process.

12-Month Governance Milestones (May 2026–May 2027):

• Board: Quarterly criminal-liability review on board agenda; annual external audit of sanctions, environmental and safety compliance; board resolution confirming compliance attestation from management.
• General Counsel: Annual review and update of privilege protocol, investigation playbook and police-response procedure; training programme for senior management on criminal liability exposure.
• CEO/CFO: Integration of compliance KPIs into management reporting; annual D&O policy renewal with updated risk disclosure; establishment of an escalation schedule for suspected criminal conduct.
• Compliance function: Annual third-party supplier audit; update of enterprise risk register with new Criminal Code offence categories; post-incident review after any regulatory contact.

Conclusion, Criminal Liability in Finland Demands Board Action Now

The 2025–2026 reforms to criminal liability in Finland are not incremental adjustments. They represent a structural expansion of criminal exposure for legal entities and their senior officers, spanning sanctions, environmental offences, occupational safety and the police’s information-gathering powers. Boards that continue to treat criminal compliance as a legal-department function rather than a governance priority are exposed to prosecution, personal liability and reputational harm.

To recap, the five non-negotiable board actions are: convene an extraordinary board session on criminal liability, engage external criminal-defence counsel, impose a sanctions compliance freeze pending gap assessment, notify D&O insurers, and issue a company-wide legal-hold notice. These steps should be completed within days, not weeks.

For a confidential board briefing, a criminal-liability gap assessment, or to retain experienced Finnish criminal-defence counsel, contact Global Law Experts. The GLE lawyer directory connects boards directly with specialists in Finnish criminal law and corporate investigations.

Sources

1. Finlex, Criminal Code of Finland (39/1889)
2. Finlex, Latest Amendments in Updated Legislation
3. Valtioneuvosto, Government Proposal for Legislation on Police Criminal Intelligence (19 Feb 2026)
4. Poliisi, Young Offender Guidance
5. Ministry of Justice, Criminal Law Overview
6. Dittmar & Indrenius, Liability for Sanctions Violations Is Increasing in Finland
7. Global Law Experts, Criminal Liability for Sanctions Violations Finland 2026
8. UNODC, Criminal Code of Finland (Unofficial English Translation)
9. Chambers Practice Guides, HR Internal Investigations 2026: Finland
10. Nordia Law, Directors’ and Officers’ Liability Insurance (D&O)