Traficom Steps Into the Spotlight
When Finland's Transport and Communications Agency — better known as Traficom — was named the country's sole national competent authority for AI Act enforcement in mid-2025, the appointment raised eyebrows. A transport regulator overseeing artificial intelligence? But the choice was deliberate. Traficom already supervised Finland's digital infrastructure, telecommunications networks, and cybersecurity frameworks, giving it an institutional fluency in the kind of technical oversight that AI governance demands.
The agency has been quietly preparing for months. A dedicated AI supervision unit of roughly forty specialists was assembled through the second half of 2025, drawing talent from Finland's robust technology sector and academic institutions including Aalto University and the Finnish Center for Artificial Intelligence. The unit is organized into three divisions: risk classification, conformity assessment, and market surveillance — mirroring the tripartite structure of the AI Act itself.
What sets Finland's approach apart from the skeletal frameworks other member states have proposed is the degree of operational specificity. Traficom published its AI Act Supervision Guidelines in November 2025, a 140-page document that translates the regulation's often abstract provisions into concrete compliance checkpoints. The guidelines include decision trees for risk classification, standardized documentation templates, and a tiered inspection protocol that distinguishes between desk-based reviews and on-site technical audits. No other national authority has published anything remotely comparable.
Traficom's director of digital supervision, Maija Ylönen, has been characteristically direct about the agency's philosophy. In a December interview with Helsingin Sanomat, she noted that Finland's regulatory culture has always favored clarity over ambiguity: "Companies operating here should never have to guess what we expect of them. The AI Act is complex, but compliance shouldn't be a mystery." That sentiment — pragmatic, transparent, almost Nordic in its understatement — pervades the entire enforcement framework Helsinki has built.
Inside Finland's Enforcement Toolkit
Finland's national implementing legislation, which entered force on January 1, 2026, goes beyond what the AI Act strictly requires at this stage. While the regulation's full enforcement deadline isn't until August 2025 for the prohibitions on unacceptable-risk AI systems, with broader high-risk provisions phasing in through 2027, Helsinki chose to stand up its complete supervisory apparatus early — including the penalty framework that most member states are still debating.
The Finnish law establishes a graduated sanctions regime. Minor procedural violations — failure to maintain adequate technical documentation, for instance — carry administrative fines calibrated to company revenue, starting at one percent of annual global turnover. More serious breaches, such as deploying a prohibited AI system or knowingly marketing a high-risk system without the required conformity assessment, can trigger fines of up to three percent of global turnover, or thirty million euros, whichever is greater. These figures align with the AI Act's own caps, but Finland has added an intermediate tier for negligent non-compliance that the EU regulation leaves to national discretion.
— Maija Ylönen, Director of Digital Supervision, Traficom
Perhaps more consequential than the fines is the supervisory architecture. Traficom has the power to issue binding compliance orders, suspend the marketing of AI systems pending investigation, and — in extreme cases — order the withdrawal of a system from the EU market entirely. The agency can also conduct unannounced inspections of AI developers and deployers operating within Finnish jurisdiction, a provision that several industry groups lobbied against during the legislative process.
Finland has also established a regulatory sandbox, one of the first under the AI Act's Article 57 framework. The sandbox allows companies to test high-risk AI systems in a controlled environment under Traficom's direct supervision, with relaxed documentation requirements but mandatory incident reporting. The first cohort of twelve companies entered the sandbox in early January, including three healthcare AI startups and a Finnish defense contractor developing autonomous logistics systems.
How the Rest of Europe Compares
Finland's early activation has exposed an uncomfortable truth: most EU member states are nowhere near ready. A European Commission progress report leaked in late December revealed that only six of the twenty-seven member states had designated their national competent authorities by the end of 2025. Fewer still had begun drafting the implementing legislation needed to give those authorities actual enforcement power.
Germany has taken a characteristically federal approach, splitting AI Act responsibilities between the Federal Network Agency (BNetzA) for general-purpose AI and the Federal Office for Information Security (BSI) for high-risk systems in critical infrastructure. But the jurisdictional boundaries remain unclear, and industry representatives have complained about contradictory guidance from the two agencies. France has designated ARCEP, its telecommunications regulator, as the lead authority but has yet to publish implementing regulations. The Netherlands has proposed a new body entirely — the Dutch AI Authority — but parliamentary approval isn't expected before April.
The divergence creates a patchwork problem that the AI Act was specifically designed to prevent. AI companies operating across multiple member states face the prospect of different interpretation standards, different inspection regimes, and different penalty calculations depending on which national authority is supervising them. Finland's early, comprehensive approach actually deepens this asymmetry in the short term: a company fully compliant with Traficom's guidelines might still face unexpected requirements when France or Germany finally stand up their own frameworks.
Brussels is aware of the risk. The European AI Office, established in early 2024 to coordinate national implementation, has been holding monthly synchronization meetings with member state representatives. But coordination is not harmonization, and the AI Office has no power to compel national authorities to adopt uniform standards. The result is a regulatory landscape that will remain fragmented well into 2027, with Finland's model serving less as a template to be copied than as a reference point against which other approaches will inevitably be measured.
What This Means for AI Companies
For the roughly 350 companies that Traficom has identified as falling within the AI Act's scope in Finland alone, the transition from theoretical regulation to operational enforcement has been jarring. Compliance costs are the immediate concern. An industry survey conducted by Technology Industries of Finland in November found that mid-sized AI companies expect to spend between two hundred thousand and five hundred thousand euros on AI Act compliance in 2026, covering documentation, conformity assessments, and the technical modifications needed to meet transparency and human oversight requirements.
The burden falls disproportionately on smaller firms. Large technology companies — the Nokias and the Supercomputer Centers — have dedicated regulatory affairs teams and the resources to absorb compliance costs as overhead. But Finland's AI ecosystem is dominated by startups and scale-ups, many of which are building high-risk systems in healthcare, education, and employment without the institutional infrastructure to navigate a regulatory framework of this complexity. Several founders have told this publication, off the record, that they are considering relocating their AI operations to member states where enforcement remains dormant — a form of regulatory arbitrage that undermines the entire purpose of a harmonized European regulation.
Traficom is not blind to this dynamic. The agency's sandbox program is explicitly designed to reduce compliance friction for smaller companies, and Ylönen has signaled that the early months of enforcement will prioritize guidance over penalties. "We are not here to punish innovation," she said at a January industry roundtable in Espoo. "We are here to ensure that innovation happens within a framework that protects people." But the tension between fostering a competitive AI sector and enforcing a regulation that many in the industry view as premature and overly prescriptive will define Finnish — and eventually European — technology policy for years to come.
The broader strategic question is whether Finland's first-mover status will prove to be an advantage or a liability. Early movers in regulation, like early movers in markets, can set standards that others must follow. But they also bear the cost of experimentation, and any missteps — an overly aggressive enforcement action, a sandbox program that fails to produce viable compliance pathways — will be studied not as Finnish errors but as evidence for or against the AI Act itself. Helsinki has placed a significant bet that structured, transparent, and operational enforcement is better than the alternative of waiting. By August, when the rest of Europe is required to catch up, we will have the first real data on whether that bet was correct.