Finland's New Cybersecurity Act: What Food Industry Leaders Must Know—and Do
by Ilpo Elfving / Econ CEO
Loading article content...
More Articles
AI Is a Supply Chain, Not a Magic Button: What NIS2 Means for AI Governance
Finland's Cybersecurity Act makes management personally accountable for AI risks. For food, trade, and health leaders, AI is not a tool—it is a digital supply chain that requires the same governance as any critical vendor.
When Top Talent Becomes Food Delivery Drivers: Why Finland Cannot Utilize the Skills It Educates
A graduated AI engineer delivers food for Wolt under threat of deportation while 50-70% of international students drop out from specialized fields. How the Integrator-PM model and internal AI can solve Finland's talent integration crisis.
Finland's Cybersecurity Act (124/2025) marks a historic turning point for the food industry. For the first time, legislation places personal and legal responsibility for cybersecurity directly on your company's management and obliges your leadership to self-identify their inclusion under the law. This is no longer an internal IT department matter—it is a strategic business obligation that demands direct involvement and demonstrable expertise from your board and CEO.
The law's entry into force on April 8, 2025, initiated a strict timeline, with the most critical deadline—the implementation of a risk management procedure—set for July 8, 2025. Time is short, and your operations must be documented, in use, and approved by your board. Non-compliance exposes your company not only to sanctions of up to €7 million but also to operational disruptions and reputational challenges.
In this article, I will outline the concrete measures you must take and demonstrate how this regulatory change can be transformed into a strategic competitive advantage and enhanced resilience.
Executive Decision-Making: Critical Actions and Immediate Deadlines
⚠️
CRITICAL DEADLINE APPROACHING
The deadline for establishing and documenting your cybersecurity risk
management procedure is July 8, 2025. If your company is not yet in full
implementation mode, now is the final moment to act. The registration deadline
with the Finnish Food Authority was May 8, 2025—if this has been missed,
complete it immediately. Authorities expect active efforts toward compliance.
8 May 2025
Registration deadline with the Finnish Food Authority
8 July 2025
Deadline for risk management procedure
€7M
Maximum fine or 1.4% of global turnover
24–72h
Incident reporting timeline
Food industry companies are typically classified as important entities under the NIS2 regulation, for which the maximum administrative fine is €7 million or 1.4% of global annual turnover (whichever is greater).
Management is directly responsible: According to Section 10 of the
Cybersecurity Act, your company's board of directors, supervisory board, and
CEO are legally responsible for ensuring sufficient expertise in cybersecurity
risk management and for approving cybersecurity risk management measures. The
law's mention of sufficient familiarity will likely require documented
training or orientation. This is no longer just a concern for the IT
department; it is a board-level responsibility.
Econ's InsightThe Reality of Compliance
Immediate Actions for Management
Determine if your company is covered by the Cybersecurity Act: Check if your company is classified as an important entity under NIS2 regulation. If so, find out what that means in practice.
Ensure you have registered with the Finnish Food Authority: If your company, which falls within the scope of the law, has not yet registered, do so immediately with the Finnish Food Authority via the Ilppa e-service.
Implement risk management: Establish a comprehensive cybersecurity risk management procedure—a kind of "cyber-HACCP"—that covers the 12 core areas required by the law. The deadline for documenting and implementing this is July 8, 2025.
Prepare for incident reporting: Develop robust internal processes for detecting and reporting significant cybersecurity incidents to the Finnish Food Authority within 24–72 hours.
Secure your DIGITAL supply chain: Actively assess and manage cybersecurity risks related to your direct suppliers and service providers, especially those offering critical ICT products or services for your operations. Note: This applies to digital systems and services, not the physical food supply chain, although they are interconnected.
Cybersecurity Act 124/2025: A New Reality for the Food Industry
The Cybersecurity Act 124/2025 is Finland's national implementation of the EU's NIS2 Directive (Directive (EU) 2022/2555). The Finnish Cybersecurity Act came into force on April 8, 2025, to strengthen the cyber resilience of critical sectors.
NIS2 Directive (EU) 2022/2555
EU Legal Basis
Cybersecurity Act 124/2025
Finnish Implementation
Traficom
National Coordinator
Finnish Food Authority
Food Sector Supervisor
Traficom (The Finnish Transport and Communications Agency) acts as the national single point of contact for NIS2 coordination, while the Finnish Food Authority (Ruokavirasto) serves as the supervisory authority for the food sector.
The law recognizes that cyber threats targeting key food industry sectors can be as devastating as physical disasters, affecting not only individual companies but also public safety, consumer confidence, and the integrity of the national supply chain.
Why Cybersecurity is Business-Critical in the Food Industry
Cyber threats may seem abstract compared to concrete food safety risks like contamination, but they can disrupt production, erode consumer trust, and even pose direct risks to public safety. The impacts vary across food industry actors:
Food Manufacturers and Processors
Production Line Disruptions: Ransomware attacks on Manufacturing Execution Systems (MES) or Supervisory Control and Data Acquisition (SCADA) systems can halt production lines for days or weeks.
Quality Control Compromise: Cyberattacks on the control systems for pasteurization, sterilization, or cooling can compromise food safety.
Theft of Recipes and Intellectual Property: Unauthorized access to proprietary recipes, process parameters, or customer data.
Loss of Supply Chain Visibility: Disruptions to Enterprise Resource Planning (ERP) systems affecting raw material procurement and production planning.
Operational Technology (OT) systems, such as production line control systems (PLC, SCADA), require special attention in the food industry. These are often older, not designed for network connectivity, and their disruption can directly impact production continuity and even food safety. The law's risk management obligations also cover these OT environments.
Food Wholesalers and Distributors
Logistics Network Disruptions: Cyberattacks on Warehouse Management Systems (WMS) or Transportation Management Systems (TMS) can paralyze distribution.
Cold Chain Monitoring Failure: Compromised temperature monitoring systems threatening product quality and safety.
Attacks on EDI/Peppol Systems: Disruptions to electronic data interchange systems affecting order processing, invoicing, and supplier communication.
Customer Data Breaches: Unauthorized access to customer information, purchasing processes, or pricing data.
Cross-Entity Digital Vulnerabilities
Compromise of Enterprise Resource Planning (ERP) Systems: Core business systems managing everything from procurement to customer relations.
Attacks on Financial Management Systems: Accounting systems, payment processing, and banking connections.
Breaches of Communication Platforms: Email systems, collaboration platforms, and supplier and customer portals.
Disruptions to Cloud Services: SaaS applications for CRM, inventory management, or quality assurance.
Cyberattacks are a continuous and growing threat to the food industry.
According to Dragos's Q1 2025 report, 708 industrial organizations globally
were targeted by ransomware attacks, a significant increase from the
previous quarter. Specifically, the manufacturing sector was targeted in
480 cases, with the food and beverage industry accounting for 75 of
these cases (16% of manufacturing attacks). These figures clearly show that
the food sector is an attractive target for cybercriminals.
The scope of the Cybersecurity Act in the food sector targets medium-sized and large entities engaged in the wholesale, industrial production, or processing of food that meet specific size criteria. It is crucial that companies themselves identify whether they fall within the scope of the law.
💡
Common Misconceptions About Size Criteria
Note: When assessing your company's size, you must consider the entire
company, not just the units engaged in food wholesale, industrial production,
or processing.
To fall within the scope of the law, a company must meet:
EITHER the employee count threshold (≥ 50 employees)
ORboth financial thresholds:
annual turnover >€10M
balance sheet total >€10M
Therefore, exceeding the employee count alone is sufficient, but exceeding the turnover threshold is not enough if the employee count is below 50 and the balance sheet threshold is not met.
Size Criteria (Company-Wide Assessment)
Meeting the employee count OR both financial criteria brings an entity within the scope of the law:
Employee Count
≥ 50 employees
Financial Criteria
Annual turnover AND balance sheet total > €10M
Scope by Food Sector Entity Type
IN SCOPE (if size criteria are met and engaged in industrial activity or wholesale):
Industrial Food Production and Processing:
Large-scale dairy processing, cheese making
Industrial processing of meat/fish/fruits/vegetables
Commercial bakeries, grain milling, starch production
Food wholesale distributors to retail or large-scale catering
Cash-and-carry wholesalers (if size criteria are met)
Specialized raw material suppliers to manufacturers
Food import/export companies
Food logistics companies engaged in significant food wholesale or distribution-related warehousing, whose own digital systems (such as WMS) are critical to this operation
GENERALLY OUT OF SCOPE (unless designated as critical under the CER Directive by mid-2026):
Primary production in agriculture/fishing (farms, fish farms)
Feed manufacturing
Retail stores and supermarkets (direct retail)
Restaurants, most catering services, and direct-to-consumer food services
Food packaging material manufacturers (unless they also provide critical digital services to the food sector)
Standard food warehousing and transport (unless providing critical digital services or designated under the CER Directive)
💡
Clarification for Multi-Sector Companies: Retail/Food Service with Centralized Production
The main focus of the Cybersecurity Act 124/2025 in the food sector is on industrial-scale production, processing, and wholesale. Pure retail or food service operations are generally outside the scope of the law.
The critical difference arises if a company meeting the size criteria, whose main business might be retail or food service, also operates significant wholesale operations or centralized food manufacturing or processing units on an industrial scale.
If your company engages in such activities, contact the Finnish Food Authority at NIS2.kyberturvallisuus@ruokavirasto.fi↗ to clarify whether you fall within the scope of the law.
Turning Regulation into a Competitive Advantage
Although Act 124/2025 introduces new obligations, a strategic approach to compliance can unlock significant business benefits:
Operational Resilience: Robust cybersecurity directly translates to better protection against disruptions, minimizing downtime and ensuring business continuity.
Supply Chain Trust: Demonstrating strong cybersecurity practices increases trust among suppliers and B2B customers, potentially becoming a competitive differentiator.
Modernization Opportunities: The regulatory review may highlight inefficient systems, leading to modernization opportunities such as automation, enhanced data exchange, or consolidation of systems and software licenses.
Cost Savings: Proactive risk management is almost always cheaper than dealing with the aftermath of an incident.
Improved Data Governance: Implementation enhances overall data management, quality control, traceability, and other regulatory requirements.
✅
Strategic Advantage
The Cybersecurity Act 124/2025 is not just a regulatory hurdle but a catalyst
to review and improve your digital operations, strengthen your resilience, and
potentially find significant operational and financial efficiencies.
Key Compliance Requirements: Three Main Points
If your food company falls within the scope, Act 124/2025 requires three main actions:
1. Registration with the Finnish Food Authority
Deadline: May 8, 2025 (If you have not registered, do so immediately!)
Entities within the scope were required to self-identify their inclusion and register with the Finnish Food Authority via the Ilppa e-service. This notified the authority that your company is a NIS2 entity in the food sector.
Information to be provided:
Organization name, business ID, address, and contact details (including a cybersecurity contact person)
Public IP address ranges used by the organization (in accordance with Traficom's detailed guidance, e.g., 198.51.100.0/24)
Confirmation of sector classification (food production, processing, or wholesale)
Information on any cross-border activities within the EU
⚠️
Missed the May 8, 2025 Deadline?
Register immediately via the Ilppa e-service (Report an
activity↗). While late registration is not
ideal, it demonstrates a willingness to comply. The authority's primary
goal is to help companies achieve compliance, not to immediately penalize
good-faith efforts.
2. Implementation of a Cybersecurity Risk Management Procedure and its Contents
Deadline: July 8, 2025 (This is a critical deadline—little time remains!)
This is the cornerstone of compliance and a continuous process, not a one-time task. According to Section 47 of the Cybersecurity Act, your company must establish, implement, and maintain—as well as regularly assess and update—a documented cybersecurity risk management procedure, which can also be seen as a form of "cyber-HACCP procedure".
If your company already has quality or risk management systems in place (such as HACCP, ISO 22000, ISO 27001), these existing processes and documentation should be leveraged and expanded to cover cybersecurity requirements.
The risk management measures must be proportionate to your company's size, the likelihood of incidents, and their potential impact. They must take into account available state-of-the-art solutions and the cost of implementation.
Section 9 of the Act defines 12 areas that the cybersecurity risk management procedure must cover:
12 Cybersecurity Risk Management Areas
🎯
1. Cybersecurity risk management policy and assessing the effectiveness of risk management measures
Define and document your cybersecurity governance framework. Create a top-management-approved policy. Integrate cyber risks into existing risk management (HACCP, quality, supply chain) and define roles.
🔒
2. Information security policy of networks and information systems
Document specific procedures for securing IT and Operational Technology (OT) systems. Separately consider office IT networks and production OT networks, which often have older equipment.
🛠️
3. Security in network and information systems acquisition, development and maintenance
Integrate cybersecurity requirements into the procurement processes for systems and equipment from the outset, especially for production equipment and control systems.
🔗
4. Product security, overall quality of suppliers’ services, resilience, and cybersecurity practices of supply chains
Assess and manage the risks of your DIGITAL supply chain: ICT product and service partners, such as software and cloud service providers. This does not directly apply to the physical raw material chain.
📋
5. Asset management and identification of important operations
Identify and maintain an inventory of all your digital assets (IT/OT). Identify and classify critical systems that directly impact food safety, quality, and production continuity.
3. Reporting Significant Incidents
Timeline: Early warning within 24 hours, more detailed notification within 72 hours, final report within one month.
You are legally obligated to report significant incidents to the Finnish Food Authority (via Traficom's national incident reporting portal). A significant incident is one that:
Has caused or is capable of causing severe operational disruption or considerable financial loss to your company
Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage
Examples from the food sector:
Ransomware attacks that halt production or affect food safety systems
Data breaches that expose customer data, supplier information, or proprietary recipes
Cyberattacks on quality management or traceability systems
Compromise of EDI/Peppol systems affecting supply chain communication
Any cyber incident requiring a production shutdown or product recall
Critical Deadlines and Current Status: Act Now!
Critical Deadlines for Implementing Act 124/2025
According to Section 47(3) of the Cybersecurity Act (124/2025), the risk management procedure referred to in Section 8 of the Act must be established within three months of the law's entry into force (April 8, 2025), making the absolute deadline July 8, 2025.
⚠️
The Reality
With the July 8, 2025, deadline just weeks away, companies should already be well into the
implementation phase of their risk management procedure, not just the initial planning.
Developing and implementing a comprehensive and compliant cybersecurity risk management procedure
typically requires at least 6–12 months, depending on the organization's size and starting point.
For companies just starting: Focus first on a documented risk assessment and baseline
security controls. Full implementation can be phased, but you must have justifiable
interim measures in place by July 8.
Quick Start: Baseline Cyber Hygiene for Food Companies
If formal cybersecurity is new and resources are limited, start with these key practices. While they alone do not meet all NIS2 requirements, they form a critical foundation and align with Traficom's recommendations for baseline information security practices (Act 124/2025, Section 9, paragraph 11).
Install and continuously update antivirus/antimalware software on all computers and servers. Enable automatic updates for operating systems and all software. Implement and configure a basic network firewall.
🔐
2. Secure Passwords and MFA
Enforce strong, unique passwords for all user and system accounts. Deploy a password manager for employees. Enable multi-factor authentication (MFA) wherever possible, especially for remote access and administrator accounts.
💾
3. Data Backup and Recovery Testing
Implement automatic daily backups of all critical business data and system configurations. Store backups securely and separately (e.g., offline or in a separate cloud environment). Regularly test your ability to restore from these backups.
🎓
4. Staff Awareness and Reporting
Provide basic training for all staff on identifying phishing emails, suspicious links, and social engineering tactics. Establish a simple, clear internal process for employees to report suspected security incidents immediately.
🌐
5. Basic Network Security
Secure your Wi-Fi network (use WPA3 encryption, strong passwords). Segment your network where possible (separate guest Wi-Fi from corporate systems; ideally separate office IT from production/OT networks). Change default administrator passwords on all network devices.
ℹ️
Start Small, Build Forward
These baseline practices counter many common threats and form the foundation for more comprehensive NIS2 compliance. Focus on consistent application and employee engagement.
Leverage existing frameworks: If you already have HACCP, ISO 22000, BRC, or IFS certifications, use their risk management and documentation structures as a basis. Many processes can be extended rather than rebuilt.
Self-Assessment: Compliance Readiness Check
Use this tiered approach, based on Traficom's verification categories, to assess your current cybersecurity posture against the requirements of Act (124/2025) and identify gaps.
Level 1 is mandatory documentation. Start with Level 1 and progress incrementally towards Level 2.
Level 2 provides good operational assurance.
Level 3 offers a higher level of assurance, recommended for larger/higher-risk food sector entities or those aiming to demonstrate mature cybersecurity.
ℹ️
Level 1: Documentation and Policy Review (Do you have the plans?)
Cybersecurity Policies:
Do you have written, management-approved cybersecurity policies covering the 12 key risk areas?
Do staff know where to find these policies, and do they understand their roles?
Are policies reviewed and updated regularly (at least annually or after significant changes/incidents)?
Risk Assessment Documents:
Have you documented your cybersecurity risk assessment process?
Do you maintain a list/register of identified cyber risks in your food operations?
Are critical digital assets (IT/OT) identified and their specific risks assessed?
Incident Response Plan:
Do you have a documented incident response plan, including roles, responsibilities, and communication procedures?
Does it cover the 24/72-hour reporting requirements to the Finnish Food Authority?
Have you practiced or simulated your response procedures?
Training and Awareness Records:
ℹ️
Level 2: Technical Evidence and Implementation Review (Are your plans working?)
System Configurations:
Review actual system settings (firewalls, access controls, security software) with IT/OT staff or external support. Verify that secure configurations are implemented and default credentials changed.
Access Control Audit:
Audit user accounts, access rights, and MFA implementation on key systems. Check for dormant accounts or excessive privileges. Ensure administrator access is restricted and monitored.
Patch and Vulnerability Management:
Review processes for identifying and applying software updates and security patches. Check for outdated or unsupported software/firmware.
Monitoring and Log Review:
Review security logs from key systems. Check if monitoring alerts are configured for suspicious activities. Verify backup success rates and system availability logs.
ℹ️
Level 3: Advanced Testing and Validation (How resilient are you really?)
Vulnerability Scanning:
Conduct regular network vulnerability scans (internal and external) to identify exploitable weaknesses. Test web applications for common vulnerabilities.
Penetration Testing:
Consider using qualified third-party professionals to conduct controlled penetration tests on your critical systems to simulate real-world attacks.
Recovery and Continuity Testing:
Perform actual recovery tests from backups to ensure data integrity and recovery times. Conduct business continuity exercises for major incident scenarios.
Compliance Validation:
Consider an independent third-party audit or gap analysis against the requirements of the Act (124/2025) or known frameworks like ISO 27001 or IEC 62443 for OT systems.
External Support
Cybersecurity Consultants: Independent experts can assist with gap analyses, policy development, risk management implementation, and compliance validation. Look for consultants with experience in the food industry and/or OT security.
Managed Security Service Providers (MSSPs): For companies lacking in-house security expertise, MSSPs can provide outsourced monitoring, threat detection, and incident response services.
Industry Associations: Food industry associations may offer cybersecurity resources, best practice sharing, and peer learning opportunities tailored to the sector.
ℹ️
Start with Official Finnish Sources
Begin with official Finnish sources, such as guidance from the Finnish Food
Authority and the NCSC-FI's Cybermeter, as well as Traficom's detailed
recommendation. As your program matures, adapt to relevant international
standards and consider professional help if your risk assessment indicates a
need.
Focus on Securing the DIGITAL Supply Chain
Act (124/2025) places significant emphasis on managing cybersecurity risks in your supply chains. A critical note for the food industry: This covers all direct suppliers whose digital products or services, if compromised, could impact the security of your operations, networks, and information systems.
The food industry is accustomed to managing the physical supply chain (raw materials, packaging, logistics). The NIS2 Act concerns the digital supply chain—IT vendors, software providers, cloud service providers, and other technology partners and stakeholders on whose information systems your operational activities depend.
Key Requirements for Food Companies
📋
Maintain a List of DIGITAL Suppliers
Create and maintain a comprehensive list of all direct suppliers and service providers, paying special attention to those providing critical ICT products and services for your operations.
🔍
Assess Supplier Security Practices
Evaluate the cybersecurity posture of your critical suppliers through questionnaires, review of certifications (e.g., ISO 27001), assessment of security policies, or audits for high-risk suppliers.
📄
Contractual Security Requirements
Include specific cybersecurity clauses in supplier contracts, including requirements for maintaining security standards, notifying of breaches, and cooperating in incident response.
🔧
Manage Product Vulnerabilities
Understand the typical vulnerabilities of procured products and services. Monitor vulnerability disclosures and apply patches/mitigations promptly. Consider requesting Software Bills of Materials (SBOMs) for critical software.
🚨
Plan for Supplier Incidents
Develop contingency plans for cyber incidents at critical suppliers. What if your cloud-based ordering system goes down? What if the remote maintenance connection for your production line PLCs is compromised?
High-Risk Digital Dependencies:
Manufacturing Execution Systems (MES) controlling production lines
Enterprise Resource Planning (ERP) systems managing core business processes
Supply Chain Management (SCM) systems coordinating procurement and logistics
Warehouse Management Systems (WMS) controlling distribution
Quality Management Systems (QMS) ensuring compliance
EDI/Peppol systems for B2B communication
SCADA/industrial automation systems managing production equipment
Examples of Digital Suppliers to Consider:
EDI/Peppol Security: Assess the end-to-end security of your electronic data interchange partners and Peppol access points.
Digital Connections of Raw Material and Packaging Suppliers: EDI, portals, APIs.
Third-Party Logistics Providers (3PLs): and their warehouse management systems.
Cloud Service Providers: for food traceability and quality systems.
Equipment Maintenance Providers: with remote access capabilities.
ℹ️
Analogy for Supplier Security
Just as you audit your raw material suppliers for food safety certifications
and practices, you must now scrutinize the cybersecurity measures of your key
digital suppliers. A compromised software update from a trusted vendor can be
as damaging as a contaminated batch of raw materials.
Management's Responsibility: This Is Not Just an IT Task
A key feature of Act (124/2025) is the direct legal responsibility placed on the company's management. According to Section 10 of the Act, management must ensure sufficient expertise in cybersecurity risk management and approve the cybersecurity risk management measures.
Competence Requirement
Management must maintain sufficient expertise in cybersecurity risk management
Approval Authority
Management must approve cybersecurity risk management measures
Training Obligation
Management must participate in appropriate cybersecurity training
Supervisory Responsibility
Management must oversee the implementation of security measures
What this means in practice for food industry leaders:
Integrate Cyber Risk into Governance: Cybersecurity risk must be a regular agenda item for the board, discussed alongside financial, operational, and food safety risks.
Resource Allocation: Management is responsible for ensuring an adequate budget, personnel, and resources for cybersecurity, proportionate to the identified risks.
Promote a Security Culture: Foster a company-wide culture of cybersecurity, just as you would a strong food safety culture.
Personal Development: Board members and executives should actively improve their understanding of cybersecurity risks and best practices.
The law is clear: cybersecurity expertise and approval cannot be solely
delegated to the IT department. Management must be actively involved and
aware. This requires a proactive approach starting from the top of your food
company.
Econ's Insight:The Law and Operational Reality
Supervision: Sanctions and Consequences
The Finnish Food Authority has significant supervisory powers to ensure compliance with Act (124/2025).
Penalty Fee
€7M or 1.4% of global turnover, whichever is higher
Type of Supervision
Risk-based, ex-post
Supervisory Philosophy and Context of Sanctions
While the maximum administrative sanctions are substantial (€7 million or 1.4% of global turnover), the Finnish Food Authority's supervisory approach emphasizes:
Proportionality: Sanctions are proportionate to the size of the company and the severity of the violation.
Consideration of Good Faith: The authority considers the company's proactive measures to correct deficiencies and its willingness to cooperate.
Gradual Supervision: Warnings and requests to improve operations generally precede financial penalties.
Industry Understanding: Recognition of the food industry's operational constraints and legacy systems.
However, this cooperative approach only applies to companies actively seeking compliance. Intentional negligence or failure to respond to the authority's communications will trigger supervisory actions.
Violations that may lead to sanctions:
Failure to implement adequate cybersecurity risk management measures across all 12 core areas.
Failure to report significant incidents to the Finnish Food Authority within the deadlines.
Failure to register with the Finnish Food Authority or to provide updated information.
Intentional or grossly negligent failure to comply with binding orders from the supervisory authority.
Food industry companies are generally classified as important entities in the directive. They are primarily subject to ex-post supervision, for example, in connection with the reporting or failure to report a significant incident, rather than continuous proactive auditing like essential entities.
However, if, in the course of other supervision by the Finnish Food Authority, there is reason to believe that the obligations of the Cybersecurity Act have been neglected, this may trigger supervisory actions.
While the fines are substantial, for food companies, the operational
disruptions, loss of production, product spoilage, supply chain interruptions,
and reputational damage resulting from a successful cyberattack (due to
inadequate security) can often be far more costly than any regulatory
sanction. Compliance is fundamentally about business resilience.
Econ's Perspective:Holistic Business Impact
Available Tools and Resources
Official Resources
Finnish Food Authority - As the supervisory authority for the food sector, it provides specific guidance on implementing NIS2:
Detailed Recommendation (160 pages): "Finnish Transport and Communications Agency Traficom recommendation on cybersecurity risk management measures for NIS supervisory authorities" - This document is an essential tool and provides concrete examples and verification methods for the practical implementation of all 12 risk management areas.
Cybermeter: A free self-assessment tool for evaluating baseline cybersecurity and receiving improvement recommendations.
Incident Reporting Portal: A centralized portal for NIS2 incident notifications.
Threat Intelligence: Regular alerts and advisories - subscribe for updates.
Cross-reference table: Traficom provides a cross-reference table that maps NIS2 requirements to internationally recognized standards like ISO 27001, NIST CSF, and IEC 62443 - understand how existing frameworks align with NIS2.
International Standards and Frameworks
ISO/IEC 27001 & 27002: Internationally recognized standards for Information Security Management Systems (ISMS) and security controls. Provides a comprehensive framework that aligns well with NIS2 requirements.
NIST Cybersecurity Framework (CSF): A risk-based framework developed by the U.S. National Institute of Standards and Technology. Widely used globally and referenced in Traficom's guidance.
IEC 62443 series: Standards for the security of industrial automation and control systems (IACS). Highly relevant for food manufacturers with automated production lines and OT networks.
CIS Controls: A prioritized set of actions to protect against the most common cyber-attacks. Offers practical, actionable guidance for baseline security.
Final Implementation Checklist
Phased Implementation Plan
Immediate Actions (next 7 days)
Confirm scope and appoint an internal lead for NIS2 compliance.
Register with the Finnish Food Authority via the Ilppa service.
Download and review Traficom's 160-page recommendation document.
Assess your current cybersecurity level using the NCSC-FI's Cybermeter tool.
Short-Term Actions (next 30 days)
Conduct a comprehensive risk assessment covering all 12 required areas.
Document existing security measures and identify gaps.
Develop the framework for your cybersecurity risk management procedure.
Successful compliance with Finland's Cybersecurity Act (124/2025) is more than
just a regulatory burden for the food industry. It is an investment in
business continuity, resilience, and trust in a digital operating environment.
The responsibility for leading and succeeding in this strategic shift
ultimately lies with your company's management.
Finland's New Cybersecurity Act: What Food Industry Leaders Must Know—and Do - Econ
👥
6. Personnel security and cybersecurity training
Implement cybersecurity awareness training programs for everyone, including management and production staff. Train to recognize cyber threats that affect food safety.
🔑
7. Access management and authentication procedures
Implement robust access control and use strong authentication methods, such as multi-factor authentication (MFA), especially for remote access and critical systems.
🔐
8. Policies and procedures regarding the use of cryptography and encryption
Define when and how you use encryption to protect sensitive data (e.g., recipes, customer data, product development) both at rest and in transit.
🚨
9. Incident detection and handling in order to maintain and recover security and reliability
Develop the capability to detect cyber incidents quickly. Integrate this into existing food safety incident response procedures and assess the impact of incidents on quality.
💾
10. Backup management, disaster recovery planning, and crisis management
Ensure you can maintain or quickly restore key operations after a significant cyber incident. Prioritize the recovery of food safety and quality systems.
🛡️
11. Baseline information security practices to ensure security of operations, hardware, and software
Maintain baseline cyber hygiene, such as system hardening, patch management, and malware protection, that are also compatible with industrial automation (OT) environments.
🏢
12. Measures to secure the physical environment and premises of networks and information systems
Secure the physical environment where your critical IT and OT systems are located, including production line control cabinets and server rooms.
👤
6. Access Control Review
Regularly review who has access to which systems and data. Remove access for former employees immediately upon their departure. Strictly limit administrator privileges to those who need them for their job functions.
📋
7. Basic Asset Inventory
Create and maintain a list of all your IT and OT devices (servers, workstations, PLCs, network equipment) and key software applications. Mark which systems are critical for your food operations.
📝
8. Simple Security Policies
Develop and communicate basic, understandable security rules for employees. Cover topics like acceptable use of company IT, personal device use (BYOD) if allowed, email security, and data handling.
Do you maintain records of cybersecurity training provided to staff (including management)?
Is cybersecurity awareness part of new employee onboarding?
Plan management cybersecurity training and an awareness program.
Critical Deadline Actions (by July 8, 2025)
Finalize and document the comprehensive cybersecurity risk management procedure.
Obtain board/CEO approval for cybersecurity measures.
Implement proportionate security controls based on the risk assessment.
Establish incident detection and reporting procedures.
Train staff on cybersecurity responsibilities and incident reporting.
Ongoing Compliance
Regular review and update of the risk management procedure.
Continuous monitoring and improvement of security measures.
Annual cybersecurity training for all staff, including management.
Regular testing of incident response and business continuity procedures.
