Frequently asked questions

No, if it has a company-based operation in these sectors in Finland. Company registration as an NIS2 entity supervised by Fimea must be carried out with Fimea if the enterprise in question is medium-sized or large or operates in one of the sectors in Finland described in cybersecurity legislation.

10.4.2025 

No; no need. 

10.4.2025

The entity must be an operator registered in Finland. Manufacturers established elsewhere in the same way register in the country in which they are located.

10.4.2025

At this stage, holders of licences for pharmaceutical wholesalers as such are not covered under NIS2 legislation. It is possible, however, that a holder of a licence for pharmaceutical wholesalers, as a critical entity, will also become an essential NIS2 entity by virtue of the CER Directive. 

10.4.2025

Current information suggests that such is the case, i.e. the requirement is to practise the activity here in Finland. 

10.4.2025

If the enterprise operates in one of the sectors referred to in Article 1(2) of Directive 2001/83/EC on medicinal products for human use. 

10.4.2025

With regard to research and development services for medicinal products, this is restricted to the business of an entity within the meaning of Article 1(2) of Directive 2001/83/EC on medicinal products for human use. 

10.4.2025

If the size of the enterprise and the sector definition fit, then yes.

10.4.2025

Distributors and importers of medical devices are currently not required to register in the NIS2 operator list. However, this may change depending on the designation of CER entities under the CER Directive. We will provide updates when the matter becomes relevant. 

16.6.2025

Registration in Valvira’s NIS2 operator list is sufficient if the hospital pharmacy’s information systems are fully integrated into the wellbeing services county’s systems. 

16.6.2025

You register primarily as an essential entity if the entity is essential as developer / producer of medicines. The system allows you to choose more than one sector or entity type. 

10.4.2025

The person must have the authorisation of the enterprise to make a notification. It may be a different person, who previously provided Fimea with information. 

10.4.2025

The NIS2 Directive requires that an entity under supervision reports its participation in voluntary cybersecurity information-sharing arrangements as defined by the Directive. Under Section 23 of the Cybersecurity Act, voluntary sharing arrangements include, for example, cooperation with Traficom’s Cybersecurity Centre CSIRT unit in information exchange groups where cybersecurity information is shared.

Voluntary sharing arrangements also include being on an industry-specific mailing list maintained by Traficom’s Cybersecurity Centre CSIRT unit. These lists distribute security bulletins on current topics related to the sector. All entities covered by the Cybersecurity Act (124/2025) can join the list.

15.1.2026

The company is not a medium-sized enterprise as the limit values of more than 50 staff and turnover or the balance sheet total of more than EUR 10 million are not reached.   

10.4.2025

If the same entity is involved in several sectors as described in Annexes I and II to the Cybersecurity Act and its activities match the definition of partly essential and partly important, the enterprise is essential. 

10.4.2025

The Commission Recommendation states that a check should be made that the enterprise has not exceeded or fallen below the relevant ceilings over two consecutive accounting periods. (Commission Recommendation concerning the definition of micro, small and medium-sized enterprises [2003/361/EC]) 

10.4.2025

Everyone with access to the system is included in the number of staff employed. The same applies to the number of staff working for subcontractors operating on the premises, if they have access to systems. However, there may be exceptions, clarifications or revisions with regard to this interpretation when cooperating with the supervisory authorities. 

10.4.2025

No. The balance sheet is company-specific. 

10.4.2025

Regarding group-related questions, we recommend reviewing the EU Commission’s recommendation on the definition of micro, small, and medium-sized enterprises (eur-lex.europa.eu). Article 3, sections 2 and 3 explain affiliated and partner enterprises.

15.1.2026

According to section 11 of the Cybersecurity Act, a significant incident means one that has caused or may cause serious disruption to services or significant financial losses to the entity concerned, or one that has affected or may affect other natural or legal persons by causing significant material or non-material damage. This is not an absolutely unambiguous definition of what constitutes a significant incident. The Commission has adopted a separate Implementing Regulation on this for digital service providers (2024/2690). It specifies cases where an incident is regarded as significant, e.g. for cloud computing service providers. Although it may not concern the manufacture of medical devices directly, it is worth having a quick look at the Regulation, as you can get an idea about the thinking behind this for digital service providers. It is also worth debating a potential case with your supervisory authority. 

10.4.2025

Information about significant incidents sent to Traficom’s incident notification application goes to the supervisory authority, the CSIRT unit and a single point of contact, and in due course anonymised and aggregated data on the notification go to ENISA. 

10.4.2025

If a significant incident has been identified, a notification of it has to be made. It is safer to report a suspicion, and if the situation is such that nothing had needed to be done about it, it can then of course be evident from a follow-up notification and final report that there had been no significant incident after all. 

10.4.2025

The Cybersecurity Act applies to entities designated as critical under the Act on the Protection of Infrastructure Critical to Society and on the Improvement of Resilience (310/2025), regardless of their size. For entities supervised by Fimea, the critical entities will be designated by the Ministry of Social Affairs and Health no later than 17 July 2026. After that, the designation of critical entities will take place every four years.

10.4.2025, Updated 1.7.2025

Obligations and supervision do not start immediately. After the law enters into force, there is a transition period (12 months) during which the company must register and implement the requirements. Obligations become fully effective at the end of the transition period.

15.1.2026