A new online tool helps operators assess whether the obligations of the NIS2 Directive apply to them

Fimea has launched a new online tool that allows operators to assess whether they fall within the scope of national cybersecurity legislation under the NIS2 Directive of the EU. The National Cybersecurity Act (124/2025), which implements the NIS2 Directive, entered into force on 8 April 2025. It aims to strengthen the level of cybersecurity across the EU, especially in areas critical to society. The tool is intended for operators in health and manufacturing sectors supervised by Fimea, such as manufacturers of medicines, medicinal substances and medical devices, pharmacies and blood service establishments.

With the tool, organisations can determine if they are either an essential or important entity, and the tool also provides instructions for registering in the NIS2 entity list maintained by the authority. Based on the assessment, operators can check the obligations laid down in the Cybersecurity Act (124/2025) concerning matters such as cybersecurity risk management and incident reporting. Please note that if an operator is essential in a sector supervised by Fimea, it must register in Fimea’s NIS2 entity list as an essential entity. 

The service is available in Finnish on the Fimea website.