Assessment tool for the Cybersecurity Act
Fimea’s assessment tool for the Cybersecurity Act allows companies to assess whether they fall within the scope of the Cybersecurity Act (124/2025). The operator must identify themselves as falling within the scope of the Act and sign up for the list of operators on their own initiative. It should be noted that the result provided by the assessment tool is indicative.
Select the sector information describing the entity you represent. You can select multiple sectors.
All sectors within the scope of the Cybersecurity Act (the NIS2 Directive) and the authorities supervising them are included in the general information package published by the National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom.
Entities involved in manufacture of basic pharmaceutical products
Entities involved in manufacture of pharmaceutical preparations
Entities involved in research and development of medicinal products
Pharmacies
Blood establishments
Entities supplying and providing medicinal products and medical devices in accordance
with the EU Directive on the application of patients’ rights in cross-border healthcare (2011/24/EU)Entities manufacturing medical devices considered critical during a serious public health
threat
Manufacturer of medical devices and in vitro diagnostic medical devices
Please select the company’s size category. The size category is determined based on the business ID for companies registered in Finland. The operator only falls within the scope of the Act if its size is sufficiently large or its operations are otherwise considered critical.
NOTE: The assessment of the company’s size criteria must take into account belonging to a group and other ownership affiliations. The determination of the size of the company is based on Commission Recommendation 2003/361/EC.
A company is considered to be large if it has at least 250 employees or an annual turnover of more than EUR 50 million and a balance sheet of EUR 43 million.
A company is considered to be medium-sized if it has at least 50 employees or an annual turnover and balance sheet exceeding EUR 10 million.
NOTE: If a company exceeds the criteria for a large company, it is no longer considered to be medium-sized.
The company does not meet or exceed the criteria for a medium-sized enterprise.
Select the ones that apply to the entity you represent from the options below. The entity only falls within the scope of the Act if its size is sufficiently large or its operations are otherwise considered critical.
The entity has been designated as a critical entity under the Act on the Protection of Infrastructure Critical to Society and on the Improvement of Resilience (310/2025).
NOTE: For entities supervised by Fimea, critical entities will be designated by the Ministry of Social Affairs and Health at the latest by 17 July 2026.
The Cybersecurity Act also applies to an entity, regardless of its size, that engages in activities referred to in Annex I or II or is an entity referred to in those annexes, if:
it provides a service that is essential for maintaining critical societal or economic functions and that is not provided by other entities;
a disruption in the service it provides would significantly affect public order, public safety, or public health;
a disruption in the service it provides could cause a significant systemic risk, particularly in sectors where such a disruption could have cross-border effects; or
it is critical due to its particular importance at the national or regional level for the relevant sector or type of service, or for other interdependent sectors in a Member State of the European Union.
NOTE: In order to ensure uniformity of interpretation, it is recommended that operators whose inclusion in the scope of the Act would be based on the above-mentioned non-size-dependent criteria wait for the Government Decree to be specified. Once the Government Decree has been issued and the criteria for non-size-dependent entities have been specified, the entity that meets the criteria must report or update its information in Fimea’s NIS2 entity list.
Based on the responses, the entity does not fall within the scope of the Cybersecurity Act in the sector supervised by Fimea. The Cybersecurity Act applies to the entity only if it is sufficiently large in size or its operations are otherwise considered critical.
Please note that if the entity is part of a corporate group or has other ownership connections, the information of these affiliated entities must also be considered when assessing the size criteria. Refer to the definition of enterprise size in the European Commission Recommendation 2003/361/EC.
Based on the responses, the entity falls within the scope of the Cybersecurity Act and is considered an important entity in the sector supervised by Fimea.
Please refer to Fimea’s guidance on the obligations under the Cybersecurity Act and register in Fimea’s entity list.
If the entity engages in other activities covered by the Cybersecurity Act that are supervised by another NIS2 supervisory authority, it must register separately in each authority’s entity list. All sectors covered by the Cybersecurity Act and their respective supervisory authorities are compiled in the general information package provided by by the National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom.
Based on the responses, the entity falls within the scope of the Cybersecurity Act and is an essential entity in the sector supervised by Fimea.
Please refer to Fimea’s guidance on the obligations under the Cybersecurity Act and register in Fimea’s entity list.
If the entity engages in other activities subject to the Cybersecurity Act that are supervised by another authority, it must register separately in each supervisory authority’s entity list. All sectors covered by the Cybersecurity Act and their respective supervisory authorities are compiled in the general information package provided by the National Cyber Security Centre of the Finnish Transport and Communications Agency.
Based on the responses, the entity falls within the scope of the Cybersecurity Act and is an essential entity in the sector supervised by Fimea.
Please refer to Fimea’s guidance on the obligations under the Cybersecurity Act and register in Fimea’s entity list.
If the entity engages in other activities subject to the Cybersecurity Act that are supervised by another authority, it must register separately in each supervisory authority’s entity list. All sectors covered by the Cybersecurity Act and their respective supervisory authorities are compiled in the general information package provided by the National Cyber Security Centre of the Finnish Transport and Communications Agency.
Oops, no result. Check your choices!
{{ errorText }}
Creating PDF. This may take awhile.
Something went wrong. Try again!