Resilience of critical entities

The relevant supervisory authority shall monitor compliance with the regulatory obligations of the critical entity. 

Fimea acts as the supervisory authority for the following entities defined as critical: 

a) operatos engaged in research and development of medicinal products as referred to in Article 1 subparagraph 2 of Directive 2001/83/EC of the European Parliament and of the Council on the Community code relating to medicinal products for human use, hereinafter referred to as the Medicinal Products Directive;
b) manufacturers of basic pharmaceutical products and pharmaceutical preparations as referred to in Section C, Division 21 of NACE Rev.2 of Regulation (EC) No 1893/2006 of the European Parliament and of the Council establishing the statistical classification of economic activities NACE Rev. 2 and amending Council Regulation (EEC) No 3037/90 and certain Community Regulations in the various statistical domains, as last amended by Commission Delegated Regulation (EU) 2023/137;
c) manufacturers of medical devices considered critical during a public health emergency as referred to in Article 22 of Regulation (EU) 2022/123 of the European Parliament and of the Council on strengthening the role of the European Medicines Agency in crisis preparedness and management as for medicinal products and medical devices;
d) holders of wholesale distribution authorization as referred to in Article 79 of the Medicines Directive and pharmacies;
e) operators supplying and providing medicinal products and medical devices under the Patients Directive and blood establishments

Supervision is imposed on the critical entity in order to monitor compliance with the obligations laid down by law to the extent necessary. 

According to the CER Directive, EU member states must identify critical entities for the first time by 17 July 2026. For entities supervised by Fimea, the Ministry of Social Affairs and Health will name the critical entities. The decision shall be valid for a maximum of four years.

10§: A private or public corporation or its operational part may be identified as a critical entity if: 

1) the entity provides one or more services that are essential for the functional capacity of society;
2) the entity operates or the critical infrastructure owned, managed or used by it is located in Finland; and
3) the deviation would have significant disruptive effects as referred to in sections 11 and 12 on
 a) the provision of one or more essential services by the entity; or
 b) the provision of other essential services in sectors dependent on the service.

The identification of a critical entity takes into account the national resilience plan on critical entities and the national risk assessment on critical infrastructure and resilience of critical entities, as well as cross-border activities and European commensurateness.

More information on significant disruptive effects from The Act on the Protection of Infrastructure Critical to Society and on the Improvement of Resilience (310/2025) (Finlex, in Finnish).

The Act on the Protection of Infrastructure Critical to Society and on the Improvement of Resilience imposes obligations on critical entities regarding matters such as risk assessment, ensuring resilience, resilience plans and incident procedures.

Operators identified as critical entities on the basis of the Act on the Protection of Infrastructure Critical to Society and on the Improvement of Resilience are subject to the Cybersecurity Act regardless of their size, which also imposes obligations on critical entities under the Cyber Security Act. These obligations are

• Obligation to register in the supervising authority’s list of entities 
• Cybersecurity risk management obligations
• Cybersecurity incident reporting obligations

The Cybersecurity Act, including Sections 10–18 and 41, shall apply to a critical entity three months after the entity has been notified of the decision by which it has been identified as a critical entity. However, the provisions of Sections 7–9 of the Cybersecurity Act shall apply to a critical entity only nine months after the entity has been notified of the decision by which it has been identified as a critical entity.

More information on the obligations of a critical entity and their relationship with other legislation in The Act on the Protection of Infrastructure Critical to Society and on the Improvement of Resilience (310/2025) (Finlex, in Finnish).