Cybersecurity Act enters into force - new regulation for operators

The new Cybersecurity Act entered into force on 8 April 2025. The Cybersecurity Act implements the EU’s NIS2 Directive. The aim of the new legislation is to ensure that there is a common level of cybersecurity across the European Union.  

The Act introduces new obligations for several sectors, including operators supervised by the Finnish Medicines Agency (Fimea). The new obligations include:

• an obligation to register as an operator with Fimea within a month of the Act’s entry into force,
• cybersecurity risk management obligations and
• cybersecurity incident reporting obligations.

According to the Cybersecurity Act, the following key operators will be subject to Fimea’s control in Finland, among others: 

• manufacturers of medicinal substances and medicines,
• manufacturers of medical devices and in vitro medical devices for diagnostics,
• blood establishments,
• operators involved in the research and development of medicines,
• pharmacies and
• other potential medical device operators as specified in more detail in the Cybersecurity Act.

NB! If you are unsure whether the operator you represent should register in Fimea’s list of official operators or that of another supervising authority, email us prior to registration.  

Control measures relate in particular to large and medium-sized enterprises, more precise definitions of which can be found in the Cybersecurity Act. 

Fimea will launch an NIS2 operator registration e-service under the Cybersecurity Act on 22 April 2025. Representatives of operators established in Finland may, however, now apply to the Finnish Digital and Population Data Services Agency for NIS2 operator list e-service authorisation. Authorisation for reporting the details of an operator in connection with cybersecurity is shared with, for example,  the Finnish Energy Authority and Traficom, and it is used in the suomi.fi login for registration on Fimea’s NIS2 list of operators.

Further information concerning the details needed to register on the NIS2 list of operators are available on Fimea’s Cybersecurity webpage.

Please note that you should not give your operator details in an unencrypted email.  

Information about the new Cybersecurity Act and the obligations of operators

In December 2024 Fimea organised webinars on the introduction of obligations connected with cybersecurity. The webinars are on YouTube and the materials can be found in the Fimea media bank. More information on the webinars can be obtained if necessary at [email protected].

Fimea’s cybersecurity webinar 3.12.2024 (YouTube, in Finnish)

• Webinar 3.12.2024 materials in the Fimea media bank (in Finnish)

Fimea’s cybersecurity webinar 17.12.2024 (YouTube, in Finnish)

• Webinar 17.12.2024 materials in the Fimea media bank (in Finnish)

More information:

Cybersecurity Act 124/2025 (Finlex, in Finnish)

Fimea’s webpages on the supervision of cybersecurity

Traficom’s online news article 8.4.2025: ‘Cybersecurity Act passed by Parliament, obligations under the NIS 2 Directive enter into force 8 April 2025’

Notification of significant incidents in Traficom’s e-service