Cybersecurity

The supervision applies to several sectors.  Fimea’s supervision covers operators in the following health and manufacturing sectors:  

• Manufacturers of basic pharmaceutical products and pharmaceutical preparations
• Entities involved in the research and development of medicinal products
• Pharmacies and health care professionals supplying and providing medicines and medical devices 
• Manufacturers of medical devices and in vitro medical devices for diagnostics

The Act applies to a legal person or a natural person (operator) who:  

1) carries out the activities referred to in Annex I or II or is an operator referred to in those Annexes; and

2) Meets or exceeds the conditions for medium-sized enterprises in accordance with Article 2 of the Annex to Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises and provides services or operates in a member state of the European Union. Comission Recommendation.

In addition, this act shall apply to operators of any size engaged in activities referred to in Annexes I or II or operators referred to in those Annexes if:

1) it provides a service that is essential for the maintenance of critical functions of society or the economy and that is not provided by other operators;

2) a disruption in the service it provides would have a significant impact on public order, public security or public health;

(3) a disruption in the service it provides could pose a significant systemic risk, in particular in sectors where such disruption could have cross-border effects; or

4) it is critical because it is of particular importance at national or regional level for the sector or type of service concerned or for other interdependent sectors in a member state of the European Union. 

The criteria may be specified by government decree. 

In addition, the Cyber Security Act applies to operators identified as critical under the CER Directive, regardless of their size.  

The operators are divided into essential and important entities, which is influenced not only by size but also by the sector. In addition, both size-independent entities and critical entities under the CER Directive are essential operators. The obligation to register in the list of entities and the risk management and reporting obligations apply to both essential and important entities.  

Note: The operator must identify themselves as falling within the scope of the Act and sign up for the list of entities on their own initiative. 

The following obligations are introduced by the Cyber Security Act

• Obligation to register in the supervising authority’s list of entities
• Cybersecurity risk management obligations
• Cybersecurity reporting obligations

Do I have to register with Fimea?  

A registration in Fimea’s NIS2 entity list must be submitted if the operator falls within the scope of the Act and is subject to Fimea’s supervision. 

How do I submit a notification for Fimea’s NIS2 entity list?  

Essential and important entities that are supervised by Fimea according to the Cyber Security Act 124/2025, can now make a registration in Fimea’s NIS2 entity list via PDF form.

PDF-ilmoituksen tekeminen:  
•    Fill in the information of the entity you represent to the PDF form
•    Send the PDF form by Fimea’s secure mail to: [email protected] 
•    Instructions to Fimea’s secure mail
•    You will receive a confirmation from the service mail when your message has been received

Operator details should not be sent in an unencrypted email.
Electronic services for registration will be opened later. Fimea will inform separately about the opening of electronic services

The notification collects the operator data referred to in section 41 of the Act, which includes: 

• Name of entity
• Their address, email address, telephone number and other up-to-date contact information;
• Their range of IP addresses;
• The relevant sector and part thereof as referred to in Annex I or II to NIS 2;
• Whether it is an essential entity;
• List of Member States of the European Union in which it provides services covered by the NIS 2 Directive; and
• Participation in the voluntary cybersecurity information sharing arrangement referred to in section 23 

In accordance with the Cyber Security Act, operators would be subject to risk management obligations, according to which, among other things, operators must identify, assess and manage risks related to the security of the communications networks and information systems used in their operations or service provision. The operator shall also implement risk management measures that are up-to-date, proportionate and adequate in relation to the risks posed to the communications networks and information systems used in their operations and the significance of the communications network or information system for the operator’s operations and service provision. More information on risk management in Cyber Security Act.  

The Finnish Transport and Communications Agency’s National Cyber Security Centre is producing a recommendation on cybersecurity risk management measures.

In accordance with section 11 of the Cyber Security Act, the operator must immediately notify the supervisory authority of a significant incident.

Notification of a significant incident is made through Traficom’s incident notification application.

Notification of a significant incident (Traficom)

A significant incident is an incident that 

• Has caused or may cause serious disruption of services or significant financial losses to the operator concerned, or
• incident that has or may have affected other natural or legal persons by causing significant material or non-material damage. 

The reporting obligation includes time limits regarding the submission of the initial report, further report and final report (sections 11, 12, 13)

• The first notification must be submitted within 24 hours of the detection of the incident and a follow-up notification must be submitted within 72 hours of the detection of the incident. 
• At the request of the supervising authority, the operator shall provide additional information on the status updates and progress of the processing of the significant incident. If the significant incident is long-term, the operator must submit an interim report no later than one month after submitting the follow-up notification.
• The operator shall submit to the supervisory authority a final report on the significant incident within one month of the submission of the follow-up notification or, in the case of a long-term incident, within one month of the end of its processing.

In addition, the operator must, if necessary, report the incident and cyber threat to parties other than the authorities, such as the recipients of their services (section 14).  

Fimea will soon introduce electronic services for reporting information on cyber security operators. Fimea will inform separately about the opening of electronic services.

The e-service for the NIS2 list of operators is intended for the following key and important operators within the scope of the Act: 

• Manufacturers of basic pharmaceutical products and pharmaceutical preparations
• Entities involved in the research and development of medicinal products
• Pharmacies and health care professional supplying and providing medicines and medical devices
• Manufacturers of medical devices and in vitro medical devices for diagnostics

Through the e-service, you can: 

• Report your operator information in accordance with section 41 of the Cyber Security Act
• Manage your reported information (submit change notifications)
• Operators shall submit any changes to the information referred to in this section without delay. A change to the information referred to in subsection 2 shall be notified to the supervisory authority within two weeks and a change to the information referred to in subsection 3 within three months of the date of the change. 
• Check your registered information.