Finland's New Cybersecurity Act: What Food Industry Leaders Must Know—and Do

Finland's Cybersecurity Act (124/2025) marks a historic turning point for the food industry. For the first time, legislation places personal and legal responsibility for cybersecurity directly on your company's management and obliges your leadership to self-identify their inclusion under the law. This is no longer an internal IT department matter—it is a strategic business obligation that demands direct involvement and demonstrable expertise from your board and CEO.

The law's entry into force on April 8, 2025, initiated a strict timeline, with the most critical deadline—the implementation of a risk management procedure—set for July 8, 2025. Time is short, and your operations must be documented, in use, and approved by your board. Non-compliance exposes your company not only to sanctions of up to €7 million but also to operational disruptions and reputational challenges.

In this article, I will outline the concrete measures you must take and demonstrate how this regulatory change can be transformed into a strategic competitive advantage and enhanced resilience.

Food industry companies are typically classified as important entities under the NIS2 regulation, for which the maximum administrative fine is €7 million or 1.4% of global annual turnover (whichever is greater).

Immediate Actions for Management

• Determine if your company is covered by the Cybersecurity Act: Check if your company is classified as an important entity under NIS2 regulation. If so, find out what that means in practice.

• Ensure you have registered with the Finnish Food Authority: If your company, which falls within the scope of the law, has not yet registered, do so immediately with the Finnish Food Authority via the Ilppa e-service.

• Implement risk management: Establish a comprehensive cybersecurity risk management procedure—a kind of "cyber-HACCP"—that covers the 12 core areas required by the law. The deadline for documenting and implementing this is July 8, 2025.

• Prepare for incident reporting: Develop robust internal processes for detecting and reporting significant cybersecurity incidents to the Finnish Food Authority within 24–72 hours.

• Secure your DIGITAL supply chain: Actively assess and manage cybersecurity risks related to your direct suppliers and service providers, especially those offering critical ICT products or services for your operations. Note: This applies to digital systems and services, not the physical food supply chain, although they are interconnected.

The Cybersecurity Act 124/2025 is Finland's national implementation of the EU's NIS2 Directive (Directive (EU) 2022/2555). The Finnish Cybersecurity Act came into force on April 8, 2025, to strengthen the cyber resilience of critical sectors.

Traficom (The Finnish Transport and Communications Agency) acts as the national single point of contact for NIS2 coordination, while the Finnish Food Authority (Ruokavirasto) serves as the supervisory authority for the food sector.

The law recognizes that cyber threats targeting key food industry sectors can be as devastating as physical disasters, affecting not only individual companies but also public safety, consumer confidence, and the integrity of the national supply chain.

Cyber threats may seem abstract compared to concrete food safety risks like contamination, but they can disrupt production, erode consumer trust, and even pose direct risks to public safety. The impacts vary across food industry actors:

Food Manufacturers and Processors

• Production Line Disruptions: Ransomware attacks on Manufacturing Execution Systems (MES) or Supervisory Control and Data Acquisition (SCADA) systems can halt production lines for days or weeks.

• Quality Control Compromise: Cyberattacks on the control systems for pasteurization, sterilization, or cooling can compromise food safety.

• Theft of Recipes and Intellectual Property: Unauthorized access to proprietary recipes, process parameters, or customer data.

• Loss of Supply Chain Visibility: Disruptions to Enterprise Resource Planning (ERP) systems affecting raw material procurement and production planning.

Operational Technology (OT) systems, such as production line control systems (PLC, SCADA), require special attention in the food industry. These are often older, not designed for network connectivity, and their disruption can directly impact production continuity and even food safety. The law's risk management obligations also cover these OT environments.

Food Wholesalers and Distributors

• Logistics Network Disruptions: Cyberattacks on Warehouse Management Systems (WMS) or Transportation Management Systems (TMS) can paralyze distribution.

• Cold Chain Monitoring Failure: Compromised temperature monitoring systems threatening product quality and safety.

• Attacks on EDI/Peppol Systems: Disruptions to electronic data interchange systems affecting order processing, invoicing, and supplier communication.

• Customer Data Breaches: Unauthorized access to customer information, purchasing processes, or pricing data.

Cross-Entity Digital Vulnerabilities

• Compromise of Enterprise Resource Planning (ERP) Systems: Core business systems managing everything from procurement to customer relations.

• Attacks on Financial Management Systems: Accounting systems, payment processing, and banking connections.

• Breaches of Communication Platforms: Email systems, collaboration platforms, and supplier and customer portals.

• Disruptions to Cloud Services: SaaS applications for CRM, inventory management, or quality assurance.

The scope of the Cybersecurity Act in the food sector targets medium-sized and large entities engaged in the wholesale, industrial production, or processing of food that meet specific size criteria. It is crucial that companies themselves identify whether they fall within the scope of the law.

Size Criteria (Company-Wide Assessment)

Meeting the employee count OR both financial criteria brings an entity within the scope of the law:

Scope by Food Sector Entity Type

IN SCOPE (if size criteria are met and engaged in industrial activity or wholesale):

Industrial Food Production and Processing:

• Large-scale dairy processing, cheese making
• Industrial processing of meat/fish/fruits/vegetables
• Commercial bakeries, grain milling, starch production
• Beverage production (breweries, soft drinks)
• Frozen food manufacturing, ice cream; preservation
• Industrial oil/fat processing; sugar refineries
• Spice processing, flavor manufacturing

Food Wholesale and Distribution:

• Food wholesale distributors to retail or large-scale catering
• Cash-and-carry wholesalers (if size criteria are met)
• Specialized raw material suppliers to manufacturers
• Food import/export companies
• Food logistics companies engaged in significant food wholesale or distribution-related warehousing, whose own digital systems (such as WMS) are critical to this operation

GENERALLY OUT OF SCOPE (unless designated as critical under the CER Directive by mid-2026):

• Primary production in agriculture/fishing (farms, fish farms)
• Feed manufacturing
• Retail stores and supermarkets (direct retail)
• Restaurants, most catering services, and direct-to-consumer food services
• Food packaging material manufacturers (unless they also provide critical digital services to the food sector)
• Standard food warehousing and transport (unless providing critical digital services or designated under the CER Directive)

Although Act 124/2025 introduces new obligations, a strategic approach to compliance can unlock significant business benefits:

• Operational Resilience: Robust cybersecurity directly translates to better protection against disruptions, minimizing downtime and ensuring business continuity.

• Supply Chain Trust: Demonstrating strong cybersecurity practices increases trust among suppliers and B2B customers, potentially becoming a competitive differentiator.

• Modernization Opportunities: The regulatory review may highlight inefficient systems, leading to modernization opportunities such as automation, enhanced data exchange, or consolidation of systems and software licenses.

• Cost Savings: Proactive risk management is almost always cheaper than dealing with the aftermath of an incident.

• Improved Data Governance: Implementation enhances overall data management, quality control, traceability, and other regulatory requirements.

If your food company falls within the scope, Act 124/2025 requires three main actions:

1. Registration with the Finnish Food Authority

Deadline: May 8, 2025 (If you have not registered, do so immediately!)

Entities within the scope were required to self-identify their inclusion and register with the Finnish Food Authority via the Ilppa e-service. This notified the authority that your company is a NIS2 entity in the food sector.

Information to be provided:

• Organization name, business ID, address, and contact details (including a cybersecurity contact person)
• Public IP address ranges used by the organization (in accordance with Traficom's detailed guidance, e.g., 198.51.100.0/24)
• Confirmation of sector classification (food production, processing, or wholesale)
• Information on any cross-border activities within the EU

2. Implementation of a Cybersecurity Risk Management Procedure and its Contents

Deadline: July 8, 2025 (This is a critical deadline—little time remains!)

This is the cornerstone of compliance and a continuous process, not a one-time task. According to Section 47 of the Cybersecurity Act, your company must establish, implement, and maintain—as well as regularly assess and update—a documented cybersecurity risk management procedure, which can also be seen as a form of "cyber-HACCP procedure".

If your company already has quality or risk management systems in place (such as HACCP, ISO 22000, ISO 27001), these existing processes and documentation should be leveraged and expanded to cover cybersecurity requirements.

The risk management measures must be proportionate to your company's size, the likelihood of incidents, and their potential impact. They must take into account available state-of-the-art solutions and the cost of implementation.

Section 9 of the Act defines 12 areas that the cybersecurity risk management procedure must cover:

3. Reporting Significant Incidents

Timeline: Early warning within 24 hours, more detailed notification within 72 hours, final report within one month.

You are legally obligated to report significant incidents to the Finnish Food Authority (via Traficom's national incident reporting portal). A significant incident is one that:

• Has caused or is capable of causing severe operational disruption or considerable financial loss to your company
• Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage

Examples from the food sector:

• Ransomware attacks that halt production or affect food safety systems
• Data breaches that expose customer data, supplier information, or proprietary recipes
• Cyberattacks on quality management or traceability systems
• Compromise of EDI/Peppol systems affecting supply chain communication
• Any cyber incident requiring a production shutdown or product recall

According to Section 47(3) of the Cybersecurity Act (124/2025), the risk management procedure referred to in Section 8 of the Act must be established within three months of the law's entry into force (April 8, 2025), making the absolute deadline July 8, 2025.

If formal cybersecurity is new and resources are limited, start with these key practices. While they alone do not meet all NIS2 requirements, they form a critical foundation and align with Traficom's recommendations for baseline information security practices (Act 124/2025, Section 9, paragraph 11).

Use this tiered approach, based on Traficom's verification categories, to assess your current cybersecurity posture against the requirements of Act (124/2025) and identify gaps.

• Level 1 is mandatory documentation. Start with Level 1 and progress incrementally towards Level 2.
• Level 2 provides good operational assurance.
• Level 3 offers a higher level of assurance, recommended for larger/higher-risk food sector entities or those aiming to demonstrate mature cybersecurity.

External Support

• Cybersecurity Consultants: Independent experts can assist with gap analyses, policy development, risk management implementation, and compliance validation. Look for consultants with experience in the food industry and/or OT security.

• Managed Security Service Providers (MSSPs): For companies lacking in-house security expertise, MSSPs can provide outsourced monitoring, threat detection, and incident response services.

• Industry Associations: Food industry associations may offer cybersecurity resources, best practice sharing, and peer learning opportunities tailored to the sector.

Act (124/2025) places significant emphasis on managing cybersecurity risks in your supply chains. A critical note for the food industry: This covers all direct suppliers whose digital products or services, if compromised, could impact the security of your operations, networks, and information systems.

The food industry is accustomed to managing the physical supply chain (raw materials, packaging, logistics). The NIS2 Act concerns the digital supply chain—IT vendors, software providers, cloud service providers, and other technology partners and stakeholders on whose information systems your operational activities depend.

High-Risk Digital Dependencies:

• Manufacturing Execution Systems (MES) controlling production lines
• Enterprise Resource Planning (ERP) systems managing core business processes
• Supply Chain Management (SCM) systems coordinating procurement and logistics
• Warehouse Management Systems (WMS) controlling distribution
• Quality Management Systems (QMS) ensuring compliance
• EDI/Peppol systems for B2B communication
• SCADA/industrial automation systems managing production equipment

Examples of Digital Suppliers to Consider:

• EDI/Peppol Security: Assess the end-to-end security of your electronic data interchange partners and Peppol access points.
• Digital Connections of Raw Material and Packaging Suppliers: EDI, portals, APIs.
• Third-Party Logistics Providers (3PLs): and their warehouse management systems.
• Cloud Service Providers: for food traceability and quality systems.
• Equipment Maintenance Providers: with remote access capabilities.

A key feature of Act (124/2025) is the direct legal responsibility placed on the company's management. According to Section 10 of the Act, management must ensure sufficient expertise in cybersecurity risk management and approve the cybersecurity risk management measures.

What this means in practice for food industry leaders:

• Integrate Cyber Risk into Governance: Cybersecurity risk must be a regular agenda item for the board, discussed alongside financial, operational, and food safety risks.

• Resource Allocation: Management is responsible for ensuring an adequate budget, personnel, and resources for cybersecurity, proportionate to the identified risks.

• Promote a Security Culture: Foster a company-wide culture of cybersecurity, just as you would a strong food safety culture.

• Personal Development: Board members and executives should actively improve their understanding of cybersecurity risks and best practices.

The Finnish Food Authority has significant supervisory powers to ensure compliance with Act (124/2025).

Supervisory Philosophy and Context of Sanctions

While the maximum administrative sanctions are substantial (€7 million or 1.4% of global turnover), the Finnish Food Authority's supervisory approach emphasizes:

• Proportionality: Sanctions are proportionate to the size of the company and the severity of the violation.
• Consideration of Good Faith: The authority considers the company's proactive measures to correct deficiencies and its willingness to cooperate.
• Gradual Supervision: Warnings and requests to improve operations generally precede financial penalties.
• Industry Understanding: Recognition of the food industry's operational constraints and legacy systems.

However, this cooperative approach only applies to companies actively seeking compliance. Intentional negligence or failure to respond to the authority's communications will trigger supervisory actions.

Violations that may lead to sanctions:

• Failure to implement adequate cybersecurity risk management measures across all 12 core areas.
• Failure to report significant incidents to the Finnish Food Authority within the deadlines.
• Failure to register with the Finnish Food Authority or to provide updated information.
• Intentional or grossly negligent failure to comply with binding orders from the supervisory authority.

Food industry companies are generally classified as important entities in the directive. They are primarily subject to ex-post supervision, for example, in connection with the reporting or failure to report a significant incident, rather than continuous proactive auditing like essential entities.

However, if, in the course of other supervision by the Finnish Food Authority, there is reason to believe that the obligations of the Cybersecurity Act have been neglected, this may trigger supervisory actions.

Official Resources

Finnish Food Authority - As the supervisory authority for the food sector, it provides specific guidance on implementing NIS2:

• Finnish Food Authority's NIS2 guidance for the food sector: Cybersecurity Directive (NIS2) in the food industry (in Finnish)↗
• Contact: NIS2.kyberturvallisuus@ruokavirasto.fi↗
• Registration: https://ilppa.fi/ilmoitus-aloitus↗

Traficom / National Cyber Security Centre Finland (NCSC-FI) offers extensive resources:

• Website: https://www.kyberturvallisuuskeskus.fi/en↗

  • Detailed Recommendation (160 pages): "Finnish Transport and Communications Agency Traficom recommendation on cybersecurity risk management measures for NIS supervisory authorities" - This document is an essential tool and provides concrete examples and verification methods for the practical implementation of all 12 risk management areas.
  • Cybermeter: A free self-assessment tool for evaluating baseline cybersecurity and receiving improvement recommendations.
  • Incident Reporting Portal: A centralized portal for NIS2 incident notifications.
  • Threat Intelligence: Regular alerts and advisories - subscribe for updates.
  • Cross-reference table: Traficom provides a cross-reference table that maps NIS2 requirements to internationally recognized standards like ISO 27001, NIST CSF, and IEC 62443 - understand how existing frameworks align with NIS2.

International Standards and Frameworks

• ISO/IEC 27001 & 27002: Internationally recognized standards for Information Security Management Systems (ISMS) and security controls. Provides a comprehensive framework that aligns well with NIS2 requirements.

• NIST Cybersecurity Framework (CSF): A risk-based framework developed by the U.S. National Institute of Standards and Technology. Widely used globally and referenced in Traficom's guidance.

• IEC 62443 series: Standards for the security of industrial automation and control systems (IACS). Highly relevant for food manufacturers with automated production lines and OT networks.

• CIS Controls: A prioritized set of actions to protect against the most common cyber-attacks. Offers practical, actionable guidance for baseline security.

---

Sources:

• Finlex – Act 124/2025 (Cybersecurity Act, in Finnish↗)
• Directive (EU) 2022/2555 (NIS2 Directive↗)
• Finnish Food Authority – Guidance on the application of the NIS2 Directive in the food sector (in Finnish)↗
• Traficom / NCSC-FI – Recommendation for NIS supervisory authorities on cybersecurity risk management measures (in Finnish)↗
• Dragos – Dragos Industrial Ransomware Analysis Q1 2025↗