Protection of critical infrastructure and critical entities resilience (CER)

The Act on the Protection of Infrastructure Critical to Society and on the Improvement of Resilience (CER Act) entered into force on 1 July 2025. The act applies to 11 sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space, and the production, processing and distribution of food.

A public or private entity can be identified as a critical entity if it provides services that are essential for society, and the disruption of these services would have significant disruptive effects. The responsible ministries in each sector must identify and determine the critical entities in their sectors by 17 July 2026. The Cybersecurity Act also applies to critical entities regardless of the size of the company.

Tukes supervises companies under its responsibility, which comprise the critical entities in the energy sector subsectors oil, hydrogen and gas.

The key obligations of a critical entity are as follows:

Risk assessment of operational risks
Measures and plan to ensure resilience
Notification of the point of contact and contact details
Notification of significant incidents that may disrupt the provision of essential services.

The national legislation is based on the CER Directive (Critical Entities Resilience Directive), which entered into force in 2023.

Inquiries: Ministry of the Interior: Act on the Protection of Infrastructure Critical to Society and on the Improvement of Resilience

Protection of critical infrastructure and critical entities resilience (CER)

Finnish Safety and Chemicals Agency (Tukes)