Cybersecurity (NIS2)
A new Cybersecurity Act, based on the European Union’s NIS2 Directive, entered into force on 8 April. The Act introduces significant cybersecurity obligations for numerous operators across various sectors. Its aim is to strengthen cybersecurity and harmonise the level of security throughout the EU.
Traficom’s National Cyber Security Centre has put together an NIS2 directive information package on its website. Read about the content and obligations of the directive.
The Cybersecurity Act broadly applies to many different sectors. The obligations only apply to operators of sufficient size or operators whose activities are otherwise considered critical.
In the sectors supervised by Tukes, companies are subject to the obligations if they have at least 50 employees or if their annual net sales and balance sheet total exceed EUR 10 million.
Essential and important operators
Operators are divided on the basis of criticality into essential (more critical) and important (less critical) operators.
An energy sector company is defined as an essential operator (more critical) if it has at least 250 employees or if its annual net sales exceed EUR 50 million and its balance sheet total exceeds EUR 43 million. Chemical and manufacturing sector companies are seen as important (less critical) operators.
Essential operators are operators that are determined to be critical on the basis of the CER directive. The implementation of the CER directive is still under way, and the critical operators are yet to be determined. An operator may also be an essential operator irrespective of its size, provided that any of the following criteria are met:
- The operator provides a service which is essential for maintaining operations that are critical for society or the economy and which is not provided by any other operators.
- A disruption in the service provided by the operator would have a significant effect on public order, public safety or public health.
- A disruption in the service provided by the operator could result in a material systemic risk, especially in sectors where such a disruption could have cross-border impacts.
- The operator is critical due to its particular significance at the national or regional level with regard to the sector or service type in question or other interdependent sectors of EU member states.
These criteria may be specified by a Government decree.
For more detailed sector-specific definitions, see the appendix on the National Cyber Security Centre website (in Finnish). The Act does not apply to an operator if the activities specified in the appendix are occasional and minor. The occasional and minor nature of the activities must be assessed in relation to the duration of the activities, the main purpose of the activities, the scope of the activities and the number of persons or customers dependent on the activities. In other words, the company’s operations must be examined more extensively than based on the company's main activity or the classification declared as the company’s sector. See also the European Commission’s recommendation regarding the definition of small and medium-sized enterprises 2003/361/EC.
Tukes’ sector supervision responsibilities
Energy sector
Supervision is divided between Tukes and the Energy Authority such that Tukes supervises energy production and storage companies. The Energy Authority supervises distribution and transfer network owners and natural gas sellers.
Tukes supervises the following operators in the energy sector:
- Oil sector (oil refinery and distribution terminals)
- Hydrogen production and storage operators
- Operators in the gas sector, including
  - holders of methane production, storage, processing, reforming and liquefaction equipment and undertakings carrying out these activities, and
  - the operators responsible for the commercial, technical and maintenance tasks of the above operators.
Manufacture, production and distribution of chemicals
Under the Cybersecurity Act, key operators shall include chemical manufacturers, producers and distributors. The sector is defined through the EU REACH Regulation (EC No 1907/2006) and the Act on the Safe Handling and Storage of Dangerous Chemicals and Explosives (390/2005). The obligations laid down in the Cybersecurity Act shall apply to a company if a substance or object (not a blend) manufactured by the company must be registered under the REACH Regulation and the operations require a permit referred to in section 23 of the Act on the Safe Handling and Storage of Dangerous Chemicals and Explosives (390/2005) or a notification referred to in section 24. Distributors of chemicals bound by a permit or notification obligation are also included in the scope of application. More information about determining the sector is available in a separate interpretation guide (see PDF file). The European Chemicals Agency ECHA’s website provides further information on the definition of manufacturer and distributor.
Manufacturing
The NIS2 Directive defines the manufacturing sector on the basis of the classification of economic activities (NACE) used in the EU. The following sectors are included in the manufacturing sector and they are covered by Tukes’ enforcement:
- Companies engaging in the manufacture of computer, electronic and optical products referred to in Section C, Division 26 of the NACE Rev. 2 classification.
- Companies engaging in the manufacture of electrical equipment referred to in Section C, Division 27 of the NACE Rev. 2 classification.
- Companies engaging in the manufacture of machinery and equipment not elsewhere classified referred to in Section C, Division 28 of the NACE Rev. 2 classification.
For more information about the NACE/TOL sector classification, see the Customs website. It is essential to examine the 2-digit divisions (26, 27 and 28), i.e. whether the manufactured product is a device referred to in the division. The groups under these levels may make determining the class easier but they do not list all devices that the 2-digit level refers to.
The obligations apply equally to important and essential operators, but they are supervised in different ways by the authorities. Only essential operators are subject to advance supervision.
You can find a list of all of the supervisory authorities including their sectors of responsibility on the website of the National Cyber Security Centre of the Finnish Transport and Communications Agency (in Finnish).
Operators are obliged to:
- Register with Tukes’ list of operators by 8 May at the latest
- Meet the statutory cybersecurity risk management obligations
- Immediately report any significant deviations concerning the service.
The operators themselves must recognise that they are subject to the scope of the law and register for the list of operators on their own initiative. You can use Tukes’ assessment tool to assist you. The registration for the list of operators takes place via an electronic service available in Finnish and Swedish. The person submitting the notification must have the right to act on behalf of the company. This right may, for example, be based on a role registered in the Trade Register that entitles the person to represent the company alone. If such a right does not exist, the company may authorise the person via a Suomi.fi mandate. More information on acting on behalf of a company and granting mandates as a company is available in the Suomi.fi e-Authorizations instructions under the sections Acting on behalf of an organisation and Granting a mandate as an organisation.
The operators must have access to an up-to-date cybersecurity risk management operating model in order to protect communications networks and information systems. The risk management framework must be established no later than 8 July.
For more information on the requirements, see the National Cyber Security Centre website.
In Finland, an incident notification is submitted using the National Cyber Security Centre Finland’s NIS2 notification application. When using the NIS2 report application, the National Cyber Security Centre will be notified in addition to Tukes. The National Cyber Security Centre uses the information to compile a situational picture of cybersecurity and provide information on information security at large.
- Cybersecurity Act 125/2025 (in Finnish and Swedish)
- NIS2 directive
- CER directive
- European Commission’s recommendation regarding the definition of small and medium-sized enterprises 2003/361/EC
- National Cyber Security Centre Finland website
- NACE/TOL classification of economic activities
- Assessment tool for entities
More information and contacts
[email protected]
We will update the information on the sectors supervised by Tukes on this page.