Cybersecurity (NIS2)
A new Cybersecurity Act, based on the European Union’s NIS2 Directive, entered into force on 8 April. The Act introduces significant cybersecurity obligations for numerous operators across various sectors. Its aim is to strengthen cybersecurity and harmonise the level of security throughout the EU.
Traficom’s National Cyber Security Centre has put together an NIS2 directive information package on its website. Read about the content and obligations of the directive.
The Cybersecurity Act broadly applies to many different sectors. The obligations only apply to operators of sufficient size or operators whose activities are otherwise considered critical.
In the sectors supervised by Tukes, companies are subject to the obligations if they have at least 50 employees or if their annual net sales and balance sheet total exceed EUR 10 million.
Essential and important operators
Operators are divided on the basis of criticality in to essential (more critical) and important (less critical) operators.
An energy sector company is defined as an essential operator (more critical) if it has at least 250 employees or if its annual net sales exceed EUR 50 million and its balance sheet total exceeds EUR 43 million. Chemical and manufacturing sector companies are seen as important (less critical) operators.
Essential operators are operators that are determined to be critical on the basis of the CER directive. The implementation of the CER directive is still under way, and the critical operators are yet to be determined. An operator may also be an essential operator irrespective of its size, provided that any of the following criteria are met:
- The operator provides a service which is essential for maintaining operations that are critical for society or the economy and which is not provided by any other operators.
- A disruption in the service provided by the operator would have a significant effect on public order, public safety or public health.
- A disruption in the service provided by the operator could result in a material systemic risk, especially in sectors where such a disruption could have cross-border impacts.
- The operator is critical due to its particular significance at the national or regional level with regard to the sector or service type in question or other interdependent sectors of EU member states.
These criteria may be specified by a Government decree.
For more detailed sector-specific definitions, see the appendix on the National Cyber Security Centre website (in Finnish). The Act does not apply to an operator if the activities specified in the appendix are occasional and minor. The occasional and minor nature of the activities must be assessed in relation to the duration of the activities, the main purpose of the activities, the scope of the activities and the number of persons or customers dependent on the activities. In other words, the company’s operations must be examined more extensively than based on the company's main activity or the classification declared as the company’s sector. See also the European Commission’s recommendation regarding the definition of small and medium-sized enterprises 2003/361/EC.
Tukes’ sector supervision responsibilities
Energy sector
Supervision is divided between Tukes and the Energy Authority such that Tukes supervises energy production and storage companies. The Energy Authority supervises distribution and transfer network owners and natural gas sellers.
Tukes supervises the following operators in the energy sector:
- Oil sector (oil refinery and distribution terminals)
- Hydrogen production and storage operators
- Operators in the gas sector include
- holders of methane production, storage, processing, reforming and liquefaction equipment and undertakings carrying out these activities and
- the operators responsible for the commercial, technical and maintenance tasks of the above operators.
Manufacture, production and distribution of chemicals
Under the Cybersecurity Act, key operators shall include chemical manufacturers, producers and distributors. The sector is defined through the EU REACH Regulation (EC No 1907/2006) and the Act on the Safe Handling and Storage of Dangerous Chemicals and Explosives (390/2005). The obligations laid down in the Cybersecurity Act shall apply to a company if a substance or object (not a blend) manufactured by the company must be registered under the REACH Regulation and the operations require a permit referred to in section 23 of the Act on the Safe Handling and Storage of Dangerous Chemicals and Explosive (390/2005) or a notification referred to in section 24. Distributors of chemicals bound by a permit or notification obligation are also included in the scope of application. More information about determining the sector is available in a separate interpretation guide (see PDF file). The European Chemicals Agency ECHA’s website provides further information on the definition of manufacturer and distributor.
Manufacturing
The NIS2 Directive defines the manufacturing sector on the basis of the classification of economic activities (NACE) used in the EU. The following sectors are included in the manufacturing sector and they are covered by Tukes’ enforcement:
- Companies engaging in the manufacture of computer, electronic and optical products referred to in Section C, Division 26 of the NACE Rev. 2 classification.
- Companies engaging in the manufacture of electrical equipment referred to in Section C, Division 27 of the NACE Rev. 2 classification.
- Companies engaging in the manufacture of machinery and equipment not elsewhere classified referred to in Section C, Division 28 of the NACE Rev. 2 classification.
For more information about the NACE/TOL sector classification, see the Customs website. It is essential to examine the 2-digit divisions (26, 27 and 28), i.e. whether the manufactured product is a device referred to in the division. The groups under these levels may make determining the class easier but they do not list all devices that the 2-digit level refers to.
The obligations apply equally to important and essential operators, but they are supervised in different ways by the authorities. Only essential operators are subject to advance supervision.
You can find a list of all of the supervisory authorities including their sectors of responsibility on the website of the National Cyber Security Centre of the Finnish Transport and Communications Agency (in Finnish).
Operators are obliged to:
- Register with Tukes’ list of operators by 8 May at the latest
- Meet the statutory cybersecurity risk management obligations
- Immediately report any significant deviations concerning the service.
The operators must have access to an up-to-date cybersecurity risk management operating model in order to protect communications networks and information systems. The risk management framework must be established no later than 8 July.
For more information on the requirements, see the National Cyber Security Centre website.
The operators themselves must recognise that they are subject to the scope of the law and register for the list of operators on their own initiative. You can use Tukes’ assessment tool to assist you.
The registration for the list of operators takes place via an electronic service available in Finnish and Swedish.
With the form, the company can:
- register in Tukes’ operator list
- report changes to the information in the operator list
- notify that it no longer falls within the scope of the regulation.
The notification collects information about the operator and its activities in accordance with Section 41 of the Cybersecurity Act. Operators must inform the supervisory authority of any changes to the information within two weeks of the change being made.
Note: The person submitting the notification must have the right to act on behalf of the company. This right may, for example, be based on a role registered in the Trade Register that entitles the person to represent the company alone. If such a right does not exist, the company may authorise the person via a Suomi.fi mandate. In the authorization matter, there is a reference to the KEHA-keskus > Local government e-service, which pertains to Tukes' transactions in the electronic service system.
More information on acting on behalf of a company and granting mandates as a company is available in the Suomi.fi e-Authorizations instructions under the sections Acting on behalf of an organisation and Granting a mandate as an organisation.
The obligation to provide IP address information to the supervisory authority is laid down in the NIS2 Directive, the Cybersecurity Act, the Act on Information Management in Public Administration, and the Act on Electronic Communications Services (Articles 3 and 27 of the NIS2 Directive, Section 41 of the Cybersecurity Act, Section 18a of the Information Management Act, and Section 165 of the Act on Electronic Communications Services).
Providing IP address information enables the proactive identification of vulnerabilities, cyber threats, and insecurely configured communication networks and information systems in organisations subject to the NIS2 Directive. Any such findings will be reported to the organisation in question, improving its ability to protect itself against the exploitation of vulnerabilities and cyber threats.
In Finland, these measures are the responsibility of the so-called CSIRT unit of the Finnish Transport and Communications Agency (Traficom), which has the right to obtain information from the operator register via the supervisory authority (Cybersecurity Act, Section 41).
In accordance with the requirements of the NIS2 Directive, an operator subject to the regulation must report all public IP address ranges belonging to the operator to the supervisory authority. The purpose is not to report the IP address ranges of potential customer organisations. It is also not necessary to report so-called dynamic IP addresses that change at frequent intervals.
To ensure effective support measures, we encourage operators to provide additional details about IP address ranges in the form, where possible.
If the operator’s IP addresses are managed by a third party, such as a telecommunications operator or service provider, it is the responsibility of the regulated operator to obtain this IP address information and submit it to the supervisory authority.
IP address: A numerical identifier for a data processing or communications device or a network interface connected to the internet, for example: 198.51.100.34.
IP address range: A group of public IP addresses forming a range.
IP address ranges must be reported in the NIS2 operator register in one of the following formats:
- 198.51.100.0–198.51.100.255 or 93.190.96.0–93.190.103.255 (IP range) or
- 198.51.100.0/24 or 93.190.96.0/21 (CIDR format)
If a wider address range is not known, individual IP addresses may also be reported:
- e.g., 198.51.100.34 or
- IPv6 addresses: e.g., 2001:db8:3333:4444:5555:6666:7777:8888 or
2001:0db8:3333:4444:0000:0000:0000:0000/64 (CIDR format).
Note: The following networks are so-called private networks, i.e. internal address spaces, and must not be reported to the operator register:
- IPv4:
- 10.0.0.0–10.255.255.255 or 10.0.0.0/8
- 172.16.0.0–172.31.255.254 or 172.16.0.0/12
- 192.168.0.0–192.168.255.255 or 192.168.0.0/24
- IPv6:
- fc00::/7
- fec0::/10
To obtain the required information, we recommend that you contact your internal IT support or your service provider.
According to Section 11 of the Cybersecurity Act, the operator must immediately notify the supervisory authority of any significant incident.
In Finland, an incident notification is submitted using the National Cyber Security Centre Finland’s NIS2 notification application. When using the NIS2 report application, the National Cyber Security Centre will be notified in addition to Tukes.
A significant incident refers to an incident that:
- has caused or may cause a serious disruption to services or substantial financial losses to the operator concerned, and
- has affected or may affect other natural or legal persons by causing considerable material or immaterial damage.
An initial notification must be submitted within 24 hours of detecting the significant incident, and a follow-up notification must be submitted within 72 hours of detection.
The operator must provide the supervisory authority with a final report on the significant incident within one month of submitting the follow-up notification or, in the case of a long-lasting incident, within one month of the conclusion of its handling.
In addition, the operator must, where necessary, notify parties other than the authority — such as recipients of its services — of any significant incident or significant cyber threat.
The National Cyber Security Centre uses the information to compile a situational picture of cybersecurity and provide information on information security at large.
- Cybersecurity Act 125/2025 (in Finnish nd Swedish)
- NIS2 directive
- CER directive
- European Commission’s recommendation regarding the definition of small and medium-sized enterprises 2003/361/EC
- National Cyber Security Centre Finland website
- NACE/TOL classification of economic activities
- Assessment tool for entities
More information and contacts
[email protected]
We will update the information on the sectors supervised by Tukes on this page.