Cybersecurity Act (NIS2)
The Cybersecurity Act provides for the management of cybersecurity risks. It implements the minimum obligations required in the NIS2 Directive for risk management and non-compliance reporting by healthcare operators and EU reference laboratories.
The Cybersecurity Act entered into force on 8 April 2025. Read more about the Act on the Traficom website.
NIS2 is the new Network and Information Security Directive, a cybersecurity directive replacing the current Network and Information Security Directive (NIS1). The aim of this legislation is to ensure a uniform level of cybersecurity across the European Union. At national level, Valvira supervises compliance with the obligations of the Cybersecurity Act in the healthcare sector.
List of operators
Healthcare operators covered by the Cybersecurity Act are obliged to register in Valvira's list of operators by 8 May 2025. The obligations apply to wellbeing services counties and to all healthcare organisations employing more than 50 people or with a turnover of more than EUR 10 million.
The Act also requires operators to comply with the cybersecurity risk management obligations under the Directive and to report significant cybersecurity incidents to Valvira. Operators must identify themselves as being covered by the law and register on their own initiative on the list of operators.
Sign up to the list of operators
A separate form is used to register for the list of operators. Changes to the organisation's details are also reported on the same form.
Notification procedure
Incident notifications under the Cybersecurity Act must be made using the new Traficom form application. The notification procedure is a three-step process with fixed time limits: the first notification must be made within 24 hours of the discovery of a significant incident. Organisations not subject to NIS2 obligations can submit voluntary incident notifications.
Frequently asked questions about the NIS2 Directive
The obligations of the Cybersecurity Act apply to both public and private healthcare organisations that employ more than 50 people or have a turnover of more than EUR 10 million. These obligations also apply to organisations that are registered in Soteri as a service provider and service unit for healthcare services.
For example, the Cybersecurity Act applies to the following operators:
- the wellbeing services counties, the City of Helsinki and the HUS Group
- private service providers of healthcare services registered in Soteri that employ more than 50 people or have a turnover of more than EUR 10 million. The Cybersecurity Act also applies to private service providers who provide healthcare and social welfare services as referred to in the Act on the Supervision of Social Welfare and Health Care
- nationally designated EU reference laboratories.
Although the scope of the Cybersecurity Act only covers healthcare service providers and EU reference laboratories in the healthcare sector, the Act and its obligations apply to all operations of the organisation. This means that the physical premises, operating environment, information networks and information systems must also comply with those obligations; they are not limited to the organisation’s activities in providing the actual healthcare or reference laboratory services.
By comparison, the Cybersecurity Act does not apply, for example, to the following:
- companies and individuals that manufacture patient and client information systems as referred to in the Act on the Processing of Client Data in Healthcare and Social Welfare, or information system service providers
- companies and individuals that manufacture user environments as referred to in the Act on the Secondary Use of Health and Social Data
- private service providers that only provide social welfare services
- healthcare service providers with 50 or fewer employees and with a turnover of no more than EUR 10 million.
In certain scenarios, however, the Cybersecurity Act may be applied to healthcare service providers falling under the minimum threshold. This may happen for example if an operator is providing a service which is essential for maintaining critical functions in society at large or in the economy and which is not offered by any other operator.
More information on derogations can be found on the Traficom website.
At national level, Valvira supervises compliance with the obligations of the Cybersecurity Act in the healthcare sector. Valvira conducts risk-based supervision of compliance with the obligations of the Cybersecurity Act. This may be ex ante or ex post supervision.
- Ex ante supervision focuses on key operators and may involve document inspections or physical inspection visits.
- Ex post supervision is usually triggered by a non-compliance notification submitted by an operator or by another report received by the agency.
Valvira may impose sanctions on operators, including:
- a warning
- a binding order (e.g. a restriction on management activities or a requirement to rectify shortcomings by a given deadline)
- reinforcing an order with a conditional fine
- a proposal for a penalty fee, to be decided by a penalty fee committee to be set up at Traficom
- an obligation for the operator to have a security audit focusing on cybersecurity risk management carried out.
Valvira also provides general guidance on the obligations in the Cybersecurity Act and how to comply with them.
Under the Cybersecurity Act, an operator has the obligation to:
- Identify and manage cybersecurity risks
- Establish and update a risk management policy
- Adopt the risk management policy and execute risk management actions
- Prevent and minimise the impact of incidents that threaten cybersecurity on the organisation’s functions, continuity of operations, recipients of services and other services
- Report significant incidents and report on how they are managed
- Sign up for the list of operators and send notifications of any changes in details.
An operator must identify, assess and manage cybersecurity risks to the communications networks and information systems used in its operations or services.
The purpose of risk management is to prevent or mitigate the impact of incidents on functions, continuity of operations, service recipients and other services. Incidents are occurrences such as cyber-attacks and other telecommunications and system failures.
The objective of risk identification is to ensure that the level of security of the communication networks and information systems used in operations or in the provision of services, and the level of the risk management measures, are adequate and proportionate to the risks and to the importance of the communication network or information system.
Any change in the number of personnel or the turnover of an organisation may have a bearing on its obligations under the Cybersecurity Act. Such changes must be entered in the list of operators when necessary. A change notification can be submitted using the same form as for signing up.
The Cybersecurity Act provides for cybersecurity risk management measures. The National Cyber Security Centre at Traficom has prepared a recommendation for cybersecurity risk management measures for the NIS supervisory authorities. Organisations may also use this recommendation as input for their risk management planning.
Operators are required to devise and keep updated a risk management policy for cybersecurity in their organisation. This policy must be in place by 8 July 2025.
An incident is considered significant if it:
- has caused or may cause a serious disruption to services
- causes financial losses to the operator concerned
- has affected or may affect other operators in such a way as to cause substantial material or non-material damage.
If the incident relates to the essential requirements of an individual information system, it must be reported as an incident under the Act on the Processing of Client Data in Healthcare and Social Welfare.
For more information on significant incidents as per the Cybersecurity Act, see the Traficom website.