Cybersecurity Directive (NIS2) in the food industry

Directive (EU) 2022/2555 of the European Parliament and of the Council (NIS2 Directive) lays down measures that aim to achieve a high common level of cybersecurity across the Union, with a view to improving the functioning of the internal market. 

The Finnish Food Authority acts as the supervisory authority for the NIS2 Directive and the national legislation on its implementation in the food industry. The Cybersecurity Act 124/2025 entered into force on 8 April 2025.

Scope of the NIS2 Directive

The NIS2 Directive applies to public and private entities of a type referred to in Annex I and II to the Directive which qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC, or exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article, and which provide their services or carry out their activities within the Union.

The operator fulfils or exceeds the conditions of Commission Recommendation 2003/361/EC for medium-sized enterprises:

  • Medium-sized companies are companies that employ at least 50 persons or whose annual turnover and balance sheet total exceed EUR 10 million, i.e. the company is a medium-sized operator.
  • The criteria for a medium-sized company are exceeded when the company employs at least 250 persons or has an annual turnover of more than EUR 50 million and a balance sheet total of more than EUR 43 million, i.e. the company is a large operator.

In other words, in the food industry, a company is subject to the obligations when it has at least 50 employees or its annual turnover and balance sheet total exceed EUR 10 million.

The NIS2 Directive also applies to operators of a type referred to in Annex I or II, regardless of their size, where:

  • the operator is the sole provider in a Member State of a service which is essential for the maintenance of critical societal or economic activities
  • disruption of the service provided by the operator could have a significant impact on public safety, public security or public health
  • disruption of the service provided by the operator could induce a significant systemic risk, in particular for sectors where such disruption could have a cross-border impact
  • the operator is critical because of its specific importance at national or regional level for the particular sector or type of service, or for other interdependent sectors in the Member State
  • the operator is identified as a critical operator under the CER Directive

Among the other critical sectors in Annex II is the production, processing and distribution of food; the type of entity listed for that sector is food businesses as defined in Article 3, point (2), of Regulation (EC) No 178/2002 of the European Parliament and of the Council which are engaged in wholesale distribution and industrial production and processing.

When a food business engages in wholesale distribution, industrial production or processing and meets or exceeds the size criteria of a medium-sized enterprise or meets the criteria of operators independent of size, the operator falls within the scope of the Directive and the Act.

According to the Directive and the Act, operators are either essential or important, depending on the industry, criticality and size. Food business operators are important operators in terms of size classification, but operators independent of size and critical operators under the CER Directive are essential operators. The table prepared by the National Cyber Security Centre Finland of Traficom (in Finnish) (pdf) outlines the organizations covered by the Directive.

  • An operator falling within the scope of the Directive and the Act recognizes that it falls within the scope of application and registers on its own initiative in the Finnish Food Authority's list of operators. The notification must be submitted no later than one month after the entry into force of the Act or when the operator's criteria are met.
  • The operator fulfils the risk management obligations under the Directive and the Act. The risk management operating model must be drawn up within three months of the entry into force of the Act or when the operator's criteria are met.
  • The operator shall notify the supervisory authority of a significant incident without delay.

The obligations of the Directive and the Act apply to both important and essential operators, but supervision is targeted at operators in different ways. The essential operators are subject to ex-ante supervision.

Check whether the operator's criteria are met (the company's industry and size).

  • The scope of application does not include, for example, primary production, feed production, retail trade, storage, transport, food contact material operations and food service operations. However, if an operator is subsequently identified as a critical operator under the CER Directive, the obligations of the Cybersecurity Act also apply to these operators.
  • The operator criteria apply to the entire company's business, not just the share of food operations.

Register for the Finnish Food Authority's list of operators by 8 May 2025 at the latest.

  • Register through the e-service Ilppa. Instructions and a link to the electronic registration service can be found at Ilppa: Operator's notifications (in Finnish or Swedish).
  • In e-services, you can:
    • Report your operator information in accordance with section 41 of the Cybersecurity Act.
    • Manage your reported data (make notifications of changes).
    • Review your registered data.
  • If electronic registration is not possible, you can also register using the form and secure email as follows:
    • Fill in the form (in Finnish or Swedish) and save it on your computer.
    • Send the completed form to the Finnish Food Authority by secure email.
    • The Finnish Food Authority will receive the form and send a confirmation message to the operator once the registration has been processed.

The notification collects information on the operator and its operations in accordance with section 41 of the Cybersecurity Act:

  • Name of the operator
  • Address information, email address, telephone number and other up-to-date contact details
  • IP address ranges
  • Relevant sector, subsector and type of entity referred to in Annex II to the NIS2 Directive
  • Information on whether the company is an essential operator
  • List of Member States of the European Union where the company provides services covered by the NIS2 Directive and
  • Participation in the voluntary sharing arrangement of cybersecurity information referred to in section 23 of the Cybersecurity Act.

Operators must notify the supervisory authority of any changes in the information within two weeks of the date of the change.

Provisions on the disclosure of IP addresses to the supervisory authority are laid down in the NIS2 Directive, the Cybersecurity Act, the Information Management Act and the Act on Electronic Communications Services (Articles 3 and 27 of the NIS2 Directive, Section 41 of the Cybersecurity Act, Section 18 a of the Information Management Act and Section 165 of the Act on Electronic Communications Services).

Reporting IP addresses enables the proactive detection of vulnerabilities, cyber threats, and insecurely configured communication networks and information systems in organizations subject to the NIS2 Directive. These findings are reported to the organization, which improves the ability of the relevant parties to protect themselves against the exploitation of vulnerabilities and cyber threats. In Finland, the measures are handled by the CSIRT unit of the Finnish Transport and Communications Agency, which has the right to receive information from the supervisory authority about the list of operators (Cybersecurity Act, Section 41).

Under the obligations of the NIS2 Directive, entities governed by the regulatory framework must submit to the supervisory authority information on all of the entity’s public IP ranges.

The IP addresses to be reported include the organization's own public IP address ranges. The intention is therefore not to report the IP address ranges of any potential customer organizations. It is also not appropriate to report dynamic IP addresses that change frequently.

To ensure that the support measures are as effective as possible, we encourage organizations to provide additional clarifying information about their IP address ranges in the form, if possible.

If the entity’s IP ranges are managed by another party, such as a telecommunications operator or some other service provider, the entity governed by the regulation must obtain the IP address information and submit it to the supervisory authority.

  • IP address: A numerical code identifying a data processor, data transmission equipment or a network connection connected to the internet, e.g. 198.51.100.34.
  • IP range: An IP range comprising a set of public network addresses (IP addresses).
  • IP ranges must be submitted for the list of NIS2 entities in the following format:
    • e.g. 198.51.100.0 to 198.51.100.255 or 93.190.96.0 to 93.190.103.255 (IP range) or
    • e.g. 198.51.100.0/24 or 93.190.96.0/21 (CIDR format)
  • If necessary, the information may also be provided as individual IP addresses if a wider range is unknown: e.g., 198.51.100.34
  • The information may also be submitted in IPv6 format: e.g. 2001:DB8:3333:4444:5555:6666:7777:8888 or 2001:0db8:3333:4444:0000:0000:0000:0000/64 (CIDR format)
  • PLEASE NOTE: The following networks are private networks, i.e. internal address ranges, and should not be submitted to the list of entities:
    • IPv4:
      • 10.0.0.0-10.255.255.255 or 10.0.0.0/8
      • 172.16.0.0-172.31.255.254 or 172.16.0.0/12
      • 192.168.0.0-192.168.255.255 or 192.168.0.0/24
    • IPv6:
      • fc00::/7
      • fec0::/10
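The following Python script is an added example, not part of the Finnish Food Authority's page or tooling: it parses IP range entries in the three accepted forms (first-last range, CIDR, single address), normalises them to CIDR blocks, and flags any entry that falls inside the private/internal ranges listed above (RFC 1918 IPv4 space, fc00::/7 and fec0::/10) or that is malformed, so the list can be checked before it is submitted. The `validate_submission` helper and the sample entries are constructed for illustration.

```python
import ipaddress
from typing import Dict, List

# Ranges that must NOT appear in the list of entities: RFC 1918 private IPv4
# space, IPv6 unique-local (fc00::/7) and deprecated site-local (fec0::/10).
EXCLUDED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fec0::/10")]


def parse_entry(text: str) -> list:
    """Parse one entry in any accepted form into a list of CIDR networks.

    Forms: first-last range ("198.51.100.0 to 198.51.100.255", also with "-"),
    CIDR ("93.190.96.0/21"), or a single address ("198.51.100.34").
    A first-last range is summarised into the fewest CIDR blocks covering it.
    """
    text = text.strip()
    for sep in (" to ", "-"):  # neither separator occurs inside an address
        if sep in text:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split(sep, 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid range: {text!r}")
            return list(ipaddress.summarize_address_range(lo, hi))
    # ip_network() accepts CIDR or a bare address (taken as /32 or /128). The
    # default strict=True rejects e.g. 198.51.100.34/24 (host bits set) instead
    # of silently widening it to 198.51.100.0/24, so typos surface here.
    return [ipaddress.ip_network(text)]


def check_entry(text: str) -> Dict[str, object]:
    """Validate one entry: the networks it denotes and any that must be excluded."""
    try:
        nets = parse_entry(text)
    except ValueError as exc:
        return {"ok": False, "networks": [], "excluded": [], "reason": str(exc)}
    # overlaps() rather than subnet_of() so that a range which merely straddles
    # a private block is also flagged for manual review.
    excluded = [str(n) for n in nets
                if any(n.overlaps(x) for x in EXCLUDED if x.version == n.version)]
    return {"ok": not excluded, "networks": [str(n) for n in nets],
            "excluded": excluded,
            "reason": "overlaps a private/internal range" if excluded else ""}


def validate_submission(entries: List[str]) -> Dict[str, List[str]]:
    """Split a prepared list of entries into those ready to submit and those to fix."""
    accepted, rejected = [], []
    for entry in entries:
        (accepted if check_entry(entry)["ok"] else rejected).append(entry)
    return {"accepted": accepted, "rejected": rejected}
```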

To gather the information required, we recommend that you contact your own IT administration or service provider.

Entities within the scope of the NIS2 Directive must notify any changes to the IP address information submitted to the supervisory authority without delay, and, in any event, within two weeks of the date of the change.

According to section 11 of the Cybersecurity Act, the operator must notify the supervisory authority of any significant incident without delay.

Notify a significant incident to Traficom's incident notification application.

A significant incident refers to an incident that:

  • has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned
  • has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

An early warning must be submitted within 24 hours of detecting a significant incident, and an incident notification must be submitted within 72 hours of detecting a significant incident.

An early warning must include:

  • the detection of a significant incident;
  • whether a significant incident is suspected to have been caused by a criminal offence or other unlawful or malicious act;
  • the possibility and likelihood of cross-border impacts, as well as information related to the anticipation of cross-border impacts.

The incident notification must include:

  • an assessment of the nature, severity and impact of the significant incident;
  • the indicators of technical compromise, where available;
  • possible updates to the information in the early warning.

The operator must submit a final report on the significant incident to the supervisory authority within one month of the submission of the incident notification or, in the case of a long-term incident, within one month of the end of its processing.

The final report must include:

  • a detailed description of the incident, including its severity and impact;
  • the type of threat or root cause that is likely to have triggered the incident;
  • applied and ongoing mitigation measures; and
  • a report on possible cross-border impacts.

In addition, the operator must, if necessary, report a significant incident and a significant cyber threat to parties other than the authorities, such as the recipients of its services.


More information

NIS2.kyberturvallisuus@ruokavirasto.fi


Page last updated 7/17/2025