Better safe than sorry – cyber resilience is the foundation of business continuity

What happens in society if critical IT services stop working? Or if a threat affects many companies at the same time? Do you know what information is critical to your business and how it’s protected?

Tero Virtanen / February 11, 2026

Digital security is a pillar of national preparedness: every essential function in our society depends on digital systems and infrastructure.

The cutting edge of cyber resilience is found in heavily regulated industries, where supervisory authorities ensure robust tolerance to cyber disruptions. The financial sector is a prime example of this.

Yet cybersecurity is a prerequisite for business continuity across far less regulated sectors as well. In Finland, it is difficult to imagine an industry where a disruption in network connectivity, for example, would not bring business operations to a standstill.

“Many companies have accumulated technology debt due to the challenging economic situation. This debt creates clear risks and vulnerabilities for their businesses,” says Tero Virtanen, Head of Market Finland, Vivicta.

He underlines that risk management for critical IT services is an area where all companies could do better. Even organizations that think they’re doing 'just fine' need to step up, because 'just fine' simply doesn’t cut it anymore.

“We are used to always having electricity and well-functioning connections, whatever the situation,” Tero Virtanen remarks.

“We had business operations in Ukraine when Russia’s war of aggression began. The very concrete lessons we learned there about evacuating personnel and services have shaped our approach to preparedness. In Finland, organizational preparedness has largely been based on peacetime risks, even though we are exceptionally well prepared by European standards,” he says.

Glacial progress in cyber maturity

In 2024, Finland’s National Emergency Supply Agency, NESA, placed preparedness for military threats at the top of its strategy for the first time. In January 2026, NESA published the Cyber Survey of Finnish Sectors 2025 report. It revealed that cyber preparedness in Finland is moving at a glacial pace: there has only been minor development in the national cyber maturity level since 2022.

“At the same time, the geopolitical landscape and security threats have tightened dramatically. The pandemic, the war in Ukraine, cable disruptions – uncertainty has become the new normal,” Tero Virtanen notes.

“Risk management in critical companies is either fairly good or near nonexistent. There are very few companies in between,” explains Jari Pirhonen, Head of Security at Vivicta Finland, highlighting the report’s most worrying finding.

Pirhonen points out that the Cybersecurity Act, which came into force in April 2025, obligates many companies to ensure an adequate level of cybersecurity across their supply chains. In practice, this means contractual requirements, audits, and regular monitoring.

“Large, well-prepared companies have to steer their entire supply chain through their own risk management efforts. They have their work cut out for them. The cyber resilience gap is so significant,” Jari Pirhonen reflects.

The cyber maturity report also called attention to a point that will hardly surprise any IT professional: the single most crucial factor separating highly mature companies from less mature ones is the commitment of their leadership to developing cybersecurity.

“Cybersecurity must be on the agenda of top management. For the first time, even the Cybersecurity Act explicitly underlines that senior leadership is responsible for cyber risks,” Jari Pirhonen says.

“IT is not a support function. It’s a lifeline for business continuity in almost every company. In many organizations, information security reports to IT, and IT reports to the CFO. That’s too long a chain,” Tero Virtanen notes.

Tero Virtanen and Jari Pirhonen

Business operations must play a role in continuity planning

Virtanen and Pirhonen emphasize that IT alone can’t carry continuity planning; business operations must also play a role. As a minimum requirement, every executive team should know what information is critical to the business, where it’s located, who can access it, and how it’s protected.

They single out four essential elements that every business must have in order.

“First, security and preparedness practices must be strengthened. Processes, methods, and capabilities are only truly in place once they have been practiced together with the business,” Tero Virtanen says.

Second on the agenda is ensuring the ability to transfer critical services.

“If critical services are in the cloud, can they be moved to a data center if needed, or vice versa? Can they be relocated to Finland, or out of Finland, if necessary?” Jari Pirhonen describes.

Third, companies must secure their supply chains and reliable partnerships by determining what expertise must be available in-house – and what partners must be able to deliver locally from within Finland.

“Vivicta has an exceptional capacity to serve Finnish customers with extensive local services. We operate certified, audited, and security-classified environments and are responsible for a wide range of IT services that are critical to society. We have customers for whom we can, if necessary, manage almost all critical services from Finland – provided, of course, that they are prioritized. Few others can do what we do,” Tero Virtanen notes.

Fourth on the agenda are the cornerstones of business continuity: automation and continuous testing.

“Core processes must come from muscle memory, regardless of the situation. Processes should be automated to such an extent that, in a crisis, experts can focus solely on problem-solving and crisis management,” Tero Virtanen asserts.

Preparedness is like life insurance

Virtanen and Pirhonen note that preparedness is a lot like life insurance: calculating the return on investment is highly unappealing.

“The business case is weak, that’s clear. If you’re weighing whether to invest in cybersecurity or develop a business application, it’s easy to guess which is more tempting – especially now, when we need to prepare for threats that many people don’t even want to think about,” Tero Virtanen says.

Yet if threats materialize, preparedness pays for itself many times over. The best-prepared companies know this and actively test their cyber resilience. They rehearse for different threat scenarios both internally and with key partners. Preparation for major crises also includes participation in industry-specific and national exercises.

In March 2026, the TIETO26 preparedness exercise for the information society includes, for the first time, scenarios involving military threats.

“Collaboration between authorities and companies is outstanding in Finland. It’s the envy of the world for good reason. It’s great to see how many of our customers are participating in TIETO26, practicing alongside us,” says Jari Pirhonen.

Still, no company can afford to assume that its cybersecurity measures are enough. What if multiple companies face an emergency simultaneously and the authorities’ phone lines are jammed? It is essential to secure reliable partners and IT service provider support for all scenarios to ensure supply chain resilience.

“Vivicta is – and will remain – in Finland, come what may,” Tero Virtanen emphasizes.

“Every company operating in Finland should ensure that business-critical services have been identified, continuity plans have been updated together with the business, and preparedness for different scenarios has been established through exercises. Vivicta is happy to support its clients in this,” Tero Virtanen promises.

Tero Virtanen
Head of Market Finland
Jari Pirhonen
Head of Security, Finland, Vivicta
