Frequently asked questions

The company is not a medium-sized enterprise as the limit values of more than 50 staff and turnover or the balance sheet total of more than EUR 10 million are not reached.  

If the same entity is involved in several sectors as described in Annexes I and II to the Cybersecurity Act and its activities match the definition of partly essential and partly important, the enterprise is essential. 

The Commission Recommendation states that a check should be made that the enterprise has not exceeded or fallen below the relevant ceilings over two consecutive accounting periods. (Commission Recommendation concerning the definition of micro, small and medium-sized enterprises [2003/361/EC])

Entities covered by the Cybersecurity Act by virtue of the CER Directive are to be specified and designated later in separate legislation.  This is the subject of Government Bill 205/2024, presently under parliamentary review; it mentions the fact that critical entities, as far as those supervised by Fimea are concerned, would be specified by the Ministry of Social Affairs and Health by 17 July 2026.

Everyone with access to the system is included in the number of staff employed. The same applies to the number of staff working for subcontractors operating on the premises, if they have access to systems. However, there may be exceptions, clarifications or revisions with regard to this interpretation when cooperating with the supervisory authorities. 

No, if it has a company-based operation in these sectors in Finland. Company registration as an NIS2 entity supervised by Fimea must be carried out with Fimea if the enterprise in question is medium-sized or large or operates in one of the sectors in Finland described in cybersecurity legislation. 

According to section 11 of the Cybersecurity Act, a significant incident means one that has caused or may cause serious disruption to services or significant financial losses to the entity concerned, or one that has affected or may affect other natural or legal persons by causing significant material or non-material damage. This is not an absolutely unambiguous definition of what constitutes a significant incident. The Commission has adopted a separate Implementing Regulation on this for digital service providers (2024/2690). It specifies cases where an incident is regarded as significant, e.g. for cloud computing service providers. Although it may not concern the manufacture of medical devices directly, it is worth having a quick look at the Regulation, as you can get an idea about the thinking behind this for digital service providers. It is also worth debating a potential case with your supervisory authority.

You register primarily as an essential entity if the entity is essential as developer / producer of medicines. The system allows you to choose more than one sector or entity type.

No; no need.

The person must have the authorisation of the enterprise to make a notification. It may be a different person, who previously provided Fimea with information. 

 The entity must be an operator registered in Finland. Manufacturers established elsewhere in the same way register in the country in which they are located.

Information about significant incidents sent to Traficom’s incident notification application goes to the supervisory authority, the CSIRT unit and a single point of contact, and in due course anonymised and aggregated data on the notification go to ENISA.

If a significant incident has been identified, a notification of it has to be made. It is safer to report a suspicion, and if the situation is such that nothing had needed to be done about it, it can then of course be evident from a follow-up notification and final report that there had been no significant incident after all.

At this stage, holders of licences for pharmaceutical wholesalers as such are not covered under NIS2 legislation. It is possible, however, that a holder of a licence for pharmaceutical wholesalers, as a critical entity, will also become an essential NIS2 entity by virtue of the CER Directive.

Current information suggests that such is the case, i.e. the requirement is to practise the activity here in Finland.

If the enterprise operates in one of the sectors referred to in Article 1(2) of Directive 2001/83/EC on medicinal products for human use.

No. The balance sheet is company-specific.

With regard to research and development services for medicinal products, this is restricted to the business of an entity within the meaning of Article 1(2) of Directive 2001/83/EC on medicinal products for human use.

If the size of the enterprise and the sector definition fit, then yes.