What would happen if, for example, the packaging industry in Eastern Finland were interrupted by a military threat? Food supply would be cut off, shelves would be emptied and alternative production capacity would need to be found quickly – from Sweden, Estonia or both.
These kind of situations are simulated in Information Society preparedness exercise – TIETO26, which brings together authorities and companies to develop cooperation and information exchange in exceptional circumstances. This time exercise focuses in particular on securing food supply chains that are highly digitalised and international.
“Our goal is to involve up to 170 organisations from the food industry and its supply chain industries, such as logistics and water services. We are expecting a total of 850 participants, of which 500 would participate also in the intensive phase,” says Antti Nyqvist, Head of Preparedness at Digipooli1. Supply chains and organisations critical to security of supply will also be involved in the exercise, including the National Emergency Supply Agency, National Cyber Security Centre Finland, the Police of Finland and the Finnish Defence Forces.
International scenarios put to the test
The TIETO26 exercise is not limited to Finnish organizations, but the Swedish and Estonian authorities are also expected to participate, in addition to companies with international operations.
“Situations in which we could get support from operators in neighbouring countries will be scripted for the exercise. It is important to know in advance who is doing what and by which mandate,” says Nyqvist.
The exercise provides training on preparedness, especially for widespread disruptions that can cripple critical parts of the supply chain. Preparedness for military threats is also an important theme to get forward in Finnish business life.
Focus on information exchange and a shared situational picture
During crises, speed and information management are essential. TIETO26 develops common mechanisms that enable authorities and companies to maintain an up-to-date, shared situational picture – both nationally and internationally.
“Finland is dependent on global supply chains and technology solutions. That is why we need to make sure that security of supply can be secured even during cross-border disruptions,” says Nyqvist.
The exercise offers companies the opportunity to test their own crisis preparedness in genuine, realistic situations that require seamless cooperation and decision-making.
An inclusive approach that supports learning
The core theme of the TIETO26 exercise is smooth exchange of information and common operating models, which are crucial in crisis situations. Trust, planning and a shared situational picture require considerable effort. They need to be built, and that requires practice.
For companies, TIETO26 is above all an opportunity to test their own plans and gain practical experience of how the authorities and international partners operate during a crisis, even in exceptional circumstances. When realistic situations are introduced to the exercise, it leads to deeper cooperation and knowledge of the right course of action if a crisis were to strike.
Fintraffic Team in TIETO24 exercise
Registrations for the TIETO26 exercise are now open
TIETO26 is part of the Finnish tradition of preparedness, which has been cultivated since the 1970s. This year, food supply chains and their operating conditions will be tested with international partners in circumstances where Finland is subject to widespread influence and where there is a potential military threat.
“Security of supply requires substantial effort. We need to practise it – together and across borders,” says Nyqvist.
Digipooli is a trust-based network for cooperation between companies and public authorities that promotes the digital security of society. We strengthen companies’ ability to anticipate disruptions and recover from them, as a resilient digital society is built together. We help companies succeed responsibly and securely. ↩︎
In a project funded by the National Emergency Supply Agency (NESA) and carried out by the NESO (National emergency supply organization) Digipool, we provide concrete information and practical steps for organizations to prepare in advance for the cybersecurity impacts of quantum computing. Through this pilot project, we support banking and financial sector actors, as well as other critical organizations, in anticipating quantum-related risks. For these organizations, a controlled and proactive implementation of the PQC transition is critical for both business continuity and preparedness.
PQC – What it’s about
As quantum computing advances and current encryption algorithms will be broken. Post-quantum cryptography (PQC) is a timely and inevitable change in cybersecurity. In practice, this means updating existing encryption solutions and their management methods to address future threats across all systems and devices.
PQC is not a single technology or project, but a broad transition that affects nearly all digital data transmission and many IT systems. The change is driven by the development of quantum computing, which is expected to be able to break currently used encryption significantly faster in the future. Part of the risk already exists today, as encrypted data can be stored and later decrypted using more powerful methods.
Future-proof PQC algorithms provide a way to protect against these threats. In Finland, companies’ preparedness for the PQC transition is still in its early stages, which is why efforts are being made to promote and accelerate the shift in cooperation with industry.
KvanTiVaPi – practical continuation of the 2024 study
AI’s interpretation of the animal referenced in the project name – Kvantivapi
KvanTiVaPi is not a savannah animal, but a pilot project launched in December 2025 with the goal of bringing preparedness for the cybersecurity impacts of quantum computing to a practical level. Our motto is: “Quantum security does not require a quantum computer.”
This first pilot targeted at the financial sector will conclude in February 2026. As a result, organizations will have a clearer picture of the impacts of the PQC transition and an understanding of how to initiate the change project.
Why is preparedness important right now?
Why is preparedness important right now?
The PQC transition will be complex and extensive. It will affect nearly all systems, and initially, especially data transmission. For such a complicated technological change in systems that are critical for national security and heavily regulated, early planning is essential:
Before the risk level becomes intolerable
Before regulation forces rapid solutions
Before current technologies, such as TLS 1.3, are phased out
Planning for the transition can already begin. A significant yet cost-effective first step is a crypto BoM (bill of materials, similar to a software bill of materials, SBOM). This is an inventory of your own systems and devices where encryption is used, helping to identify areas that require prioritization and resources. It guides the progression of the change. The project provides guidance for this and for outlining the transition path. When implemented correctly, the change is not just an obligation—it also brings identifiable opportunities.
See the reasons for starting the PQC transition journey in the recording of the kick-off event below.
Stronger algorithms protect data both during transmission and at rest. Combined with enhanced key management, they increase confidence that data cannot be exploited without authorization—even with future computing technologies.
Critical financial sector actors for national emergency preparedness participating
Critical financial sector actors for national emergency preparedness participating
Several critical financial sector actors have signed up for the pilot project to advance the PQC security of their systems. Participants include banks, insurers, and other major players in the financial sector.
Quantum computing preparedness
Pilot project is carried out by
The Digipool of the National Emergency Supply Organization and CGI Finland, supported by CGI’s global quantum expertise center. CGI plays a significant role in financial sector systems and is part of the Finnish quantum ecosystem. In addition, CGI participates in international PQC initiatives, including high-security expert work in national quantum cybersecurity projects.
In spring 2025, the Iberian Peninsula suffered extensive and sudden power outages. Public transport came to a sudden halt, food supply chains were interrupted and network connectivity problems made it difficult for information to flow in Spain, Portugal, Andorra and parts of France.
What was initially suspected to be a cyberattack, eventually turned out to be a technical fault in the electricity network, but it still served as a reminder of how vulnerable modern society is. Disruptions do not stop at national borders.
“It is increasingly important to extend preparedness training beyond national borders, so that crises and disruptions can be overcome quickly and society remains functional,” says KatriLiekkilä, Head of International Relations at the National Emergency Supply Agency (NESA).
Katri Liekkilä, Head of International Relations at the NESA
The crown jewel of Finnish preparedness training is the TIETO exercise, which is organised every two years. It brings together the organizations critical to the security of supply of Finnish society, from businesses to authorities and the third sector.
More realism and cross-border cooperation in exercises
The most recent TIETO exercise was organised in 2024. Its intensive phase simulated hybrid attacks on the energy and logistics sectors. The exercise demonstrated the importance of cross-sectoral cooperation in crises.
According to the feedback collected from the participants in the exercise, trust and solidarity strengthened, but cooperation between sectors and countries left room for improvement in some areas. TIETO26 addresses this shortcoming.
Finland’s most important preparedness training partner is Sweden.
Concrete, cross-border situations are introduced to the scenarios of the TIETO26 exercise. This allows companies with operations in Finland and Sweden, for example, to test and develop their cooperation, contingency plans and crisis communications in realistic situations with authorities and different partners.
“For example, the energy industry has a long tradition of joint exercises in the Nordic countries. At the local level, the exercises organised by rescue departments and municipalities also bring together water services, energy companies, infrastructure actors and other organizations,” says Liekkilä.
Sweden develops its preparedness training
Preparedness training is also being developed in Sweden. The way trainings are organized nationally differs from the Finnish model in many ways. In Sweden, the responsibilities have been decentralised to authorities in different sectors. The Swedish Civil Contingencies Agency’s (MSB) main task is one of coordination and support.
In Finland, on the other hand, NESA has permanent cooperation structures covering the entire society. They bring the public and private sectors together around the same table.
Robert Grankvist (MPF) and Hanna Waerland-Fager (MSB) in TIETO24 Exercise
“In future, we will have even more clear responsibilities when it comes to managing both crisis preparedness and the civilian part of the total defence, as well as a national responsibility for coordinating security of supply in Sweden. This means new tools, but also new obligations in the development of training and cooperation,” says Hanna Waerland-Fager, Strategic Advisor at MSB, with placement at the Embassy of Sweden in Helsinki
The new responsibilities also mean a new name. At the beginning of 2026, MSB will change its name to the Swedish Agency for Civil Defence and Resilience.
International participants also participating in the exercises in Sweden
The Exercise Total Defence series, which will run for several years and continue until 2027, is currently being implemented in Sweden. The series will culminate in a new kind of comprehensive security exercise, to which international participants may also be invited.
“We want the authorities and the private sector to train together. This way, we will know what competence and resources are available at the time of a crisis,” says Waerland-Fager.
According to both Waerland-Fager and Liekkilä, the internationalisation of preparedness exercises is progressing gradually. At the start, foreign organizations will only be participating in the role of an observer.
“Joint planning from the outset is necessary so that the exercise scenarios are relevant for both and the questions of authority are clear. Planning also requires a common understanding of the goals of the training and which capabilities that need to be tested,” says Waerland-Fager.
Although Sweden is Finland’s most important partner, Liekkilä emphasises that joint exercises will also be developed with Estonia and other Baltic countries, for example. Immediate proximity to Russia creates common interests and training needs.
“The Nordic and Baltic networks regularly exchange information and monitor each others’ exercises. Disruptions in other countries, such as the extensive power outages in the Iberian Peninsula, often serve as inspiration for the scenarios,” says Liekkilä.
Preparedness at Nordic and EU level
Being a member of the EU and NATO also increases joint preparedness training. The EU’s CER and NIS2 directives introduce new requirements. The CER (Critical Entities Resilience) Directive is aimed at improving the resilience of society’s critical services. The NIS2 Cybersecurity Directive, on the other hand, aims to ensure a common level of cybersecurity in the EU.
All this adds pressure to develop cross-border exercises.
“EU exercises are often focused on decision-making and the flow of information between different countries. Finland specialises in how the business sector can be connected to the training. This type of cooperation does not exist anywhere else,” says Liekkilä.
According to Hanna Waerland-Fager, EU-level cooperation complements the NATO and Nordic exercises. It provides a comprehensive safety and preparedness framework, including civilpreparedness.
International crises also raise issues of jurisdiction: in cross-border situations, the legislation of different countries determines who can act and with what mandate. According to Liekkilä, this is emphasised at EU level.
“Joint decision-making, as seen in the joint procurement of pandemic vaccines, can significantly speed up response times. The implementation of the CER Directive in different countries also determines which organizations are considered critical and how their preparedness is managed and monitored.”
Added value for companies in risk management
In Finland, trust between the public and private sectors has been built over decades. This makes joint training particularly effective.
“International exercises offer companies the opportunity to test their operating models with the entire supply chain. This ensures business continuity even in the event of a crisis,” says Liekkilä.
“It is important that the units that operate in both countries participate in the exercises. This allows us to genuinely model cross-border situations,” says Waerland-Fager.
Looking to the future
The TIETO26 exercise focuses on food supply chains, including water supply. Cooperation with Sweden is not only seen as topical, but also necessary.
“With cross-border crises, cross-border exercises are required. TIETO26 is a step towards a permanent, international exercise culture and more robust crisis resilience in the region,” says Liekkilä.
Russia’s aggression against Ukraine has revealed how the food and water supply systems, which are critical for security of supply, are also interdependent. Ukrainian food production has suffered in many ways during the war, in everything from primary production to industry.
The agricultural sector is particularly vulnerable to cyberattacks due to, among other things, inadequate cyber security measures. Russia has systematically attacked Ukraine’s grain stores, ports and logistics centres.
Hacker groups have also targeted the water supply in Ukraine. For example, in 2018, the Security Service of Ukraine prevented an attack on a water treatment plant, which could have caused a serious environmental disaster. Russia has adopted a routine of combining physical attacks with cyber attacks – preventing ict systems functionality and destroying infrastructure.
Finland is prepared for threat situations, but extensive cyberattacks could, at their worst, cause serious disruptions to society’s operations and manifest as, for example, empty retail shelves and problems with the food and water supply. This would also increase chaos in society and the risk of anarchy.
In a digitalised world, disruptions develop rapidly and take many forms, which is why we need to strengthen our preparedness to respond to different threat scenarios, even potential war situations. This is also the aim of the renewed TIETO26 exercise, which focuses on food and water supply chains.
“The strategy of the National Emergency Supply Agency (NESA) highlights food and water as key areas of security of supply. Nothing works without them,” says JuhaIlkka, Chief Preparedness Specialist at the NESA.
The strategy of the NESA aims to ensure that society is prepared for the possibility of military conflict, wide-ranging influence and serious disruptions in the global economy.
“The planning of the TIETO26 exercise is already in progress. In the practice games, we may even go over such severe situations where we simulate military events and the invoking of the Emergency Powers Act,” says AnttiNyqvist, Head of Preparedness at Digipooli.
Antti Nyqvist hosting TIETO24 Press Conference
The exercises evolve with the changing world
Initially, dealing with disruptions and securing telecommunications was practised under the leadership of the Finnish Defence Forces. Gradually, the national TIETO exercises have been transferred to Digipooli of National Emergency Supply Organisation (NESO), and from forests to office and remote conditions. “The place where businesses and authorities normally operate,” Nyqvist says.
The entire security of supply organisation has been involved in previous TIETO exercises, and the coming exercise will focus on the food and water supply and their supply chains, which include both the energy and ICT sectors. In addition, feedback from participants in the TIETO24 exercise has guided us to focus more closely on a single supply chain. They hoped to be able to practice and test out situations which are as realistic as possible and related to their own industries in the intensive phase of the exercise.
Digipooli hopes that a broad range of Finnish food and water supply companies and supply chain operators who may also have operations in Sweden or Estonia will participate in the exercise.
“We are also trying to attract food industry authorities from neighbouring countries to participate in the exercise so that we can practice cooperation,” Nyqvist says.
Previous exercises have also shown that limiting priorities and industries improves the effectiveness of the exercise.
“Participants will receive more industry-specific preparation training before the intensive phase. We are mapping out the teams’ goals and increasing feedback on the completion of the training and practice. The teams will also receive an assessment of how well they performed in the game,” Nyqvist says.
“Thanks to company-specific detailed feedback, the lessons learned are more likely to be adopted as the organisations’ practices,” Juha Ilkka goes on to say.
The TIETO26 exercise will also focus on the development of communication between companies, industry supply chains and authorities. Timely, clear and targeted communication is essential for coping with a crisis.
“It is important to practice how, to whom and with what words to communicate. We also need to practice how AI can be used in crisis communications. This way, we will be prepared for potential real-life situations,” says Hanna Kivelä, Chairperson of Digipooli and Managing Director of Fujitsu in Finland.
Hanna Kivelä, CEO / Fujitsu Finland Oy
The entire company to exercise, including management
Companies benefit the most from training if senior management also participates in the exercises with their employees.
“Management must act as a role model for the entire company. This way, the entire organisation understands that preparing and training for crises is more than just a slide in PowerPoint,” says Hanna Kivelä.
At Fujitsu, preventing disruptions in telecommunications and cyberattacks is vital. The company therefore practices for many different disruption situations.
“We livestreamed the TIETO24 exercise internally for the entire personnel, even though there was only a smaller core group of management and responsible persons at the exercise itself. This allowed everyone to see and participate in the exercise in a smart way. I also recommend that other companies adopt a similar practice. It is important that all employees have a concrete idea of what acting in a crisis looks like in reality. In this way, training becomes a company-wide thing, and that’s exactly what preparation is,” Kivelä emphasises.
International with a Finnish twist
Although an international dimension to the TIETO exercises is desirable in a globally operating world, the aim is to keep the exercise Finnish going forward as well. The international cooperation of companies for any widely affecting incidents is in the focus in TIETO26 exercise. Exercises between states are their own matter.
Swedish and Estonian authorities and the NATO Cyber Defence Committee were involved in the TIETO24 exercise to monitor the training. In the TIETO26 exercise, internationality will mainly be seen in the international organisations and supply chains of Finnish companies and the authorities of neighbouring countries.
Text by Antti Nyqvist / Digipool and Leena Filpus / Kubo
This writing highlights 2024 cloud services usage survey findings – a view to into situational info on the usage of cloud services in NESO (National emergency supply organization) companies.
Cloudservices usage overall!
According to the survey cloud services are here to stay. 60 % of the organisations has adopted cloud services and 80 % plans on increasing the portion of cloud services within the following couple of years. The reason for growth in usage seem to be easiness, flexibility and cost efficiency. This is at least what most of the respondents of the survey say. Overall penetration of the cloud services is already over 65% of the application base and will be over 80% after couple of years. This means that the dependency of the services is growing and it increases the significance of functioning telecommunications.
Penetration of cloudservices overall in NESO
Some good and some challenges
There is lots of good in cloud services. But to be able to seize the advantages reguires knowhow – especially to be able to implement secure cloud services. Respondents reported that implementation of Information security required more work than initially planned for thus creating surprises in the overall costs.
Cloudservices in critical operations – some caution observed
Cloudservices in critical operations – some caution observed
When talking about the critical operations of any company (Business critical or critical emergency supply chain operations), many are utilizing cloud services cautiously. Only 40 % of the respondents have report operating critical operations in cloud environment. And 12 % are not using cloud services at all in the critical operations. Most common reasoning behind the decision making here is related to the connectivity. Which should not be an issue in Finland, where the connections to surrounding world have been ensured in many ways and telecom operators and officials are working in cooperation to keep the networks up and running.
Decision making related to cloud services – More than just the costs
When asking for the topics affecting the decision making, the price was not the only reason for usage. Easiness and the overall architecture are equally important. Modern architectures often are more easily implemented in cloud services thus supporting the usage. Fortunately many reported emergency supply criticality being one viewpoint in decision making, which it should be.
The future of cloud service usage?
The usage of cloud services will increase, and as the dependency to them increases so does the need for skills and especially information security capabilities will be underlined. Despite the fact that cloud services will bring flexibility and modern technologies, the preparedness and security of supply needs to be kept in mind.
Commonly asked questions related to cloudservice usage – FAQ
We aim to answer these questions through the knowledge of experts in our could services faction.
What functions of the company can be taken to clouds?
What limitations there are to the emergency supply critical operations (if any)?
What service prociders or geographical areas should be avoided?
Is there a national level instruction or plan for cloud based disasters?
How the user can make sure that the information is kept safe?
How easy it is to change between cloud services or service providers?
These were the survey findings from 2024 survey on cloud service usage. Make justifiable decisions which will lead to secure cloud service usage.
The report describes the current usage of cloud services in NESO companies. It gives some estimates on how the companies see the future of cloud services and it also raises topics in which the companies should pay attention to.
Lisätietoja
Benefits and development of quantum computing
Quantum computers have the potential to solve problems that are practically impossible or extremely difficult for traditional supercomputers. With quantum computers, we can tackle enormous challenges, which has gathered significant interest in their development, and indeed, this development is happening on a massive scale. For example, China is investing tens of billions of euros in quantum technology development.
One does not need to be a clairvoyant to see that, given the substantial investment, the realization of quantum computing is expected to occur within a relatively short timeframe. As we begin to reap the benefits, business dependencies on the applications solved by quantum computing will grow. This will likely lead to an increased need to ensure the availability of quantum computing capacity, making it critical infrastructure for national security and for any business. Quantum computing capacity can already be utilized as a cloud service, emphasizing the importance of connectivity. Consequently, we may see more entities developing their capabilities in this field.
Finland is currently a pioneer in quantum computer development, with several companies actively involved in this area. This can be seen as a result of university research activities, which is highly favorable. However, this progress is overshadowed by the fact that, as a small country, Finland produces very few experts in the field. As a result, domestic companies must rely on international labor, and as these companies grow, their ties to Finland may weaken. From this perspective, Finland must nationally invest broadly in the development of expertise to meet the needs of research and business activities, as well as in preparedness measures that need to be initiated now. With our current foundation, we have excellent opportunities to remain leaders in the field, provided that investments are made.
Estimates of the timeline for quantum computing development milestones vary, but the consensus seems to be that by around 2030, quantum computing capabilities will render traditional computing methods and solutions obsolete. Given that quantum computing is already available as a commercial service, it is evident that its business opportunities should be explored now, while also preparing for the cybersecurity threats that advancements in quantum computing may bring. Fortunately, quantum-resistant encryption algorithms have also progressed, and standardizations in this area are expected as early as this year.
The Impacts of quantum computing development
Today, data is encrypted using both symmetric (secret key) and public key methods. With the advancement of quantum computing, the threat arises that efficient computation could break solutions based on public key methods. The business development of criminals (or states) may already be targeting this, aiming to exploit new technology to generate value for their operations.
Public key methods are used, for instance, in electronic signatures, and many encryption methods used on the Internet, such as TLS (Transport Layer Security) and PGP (Pretty Good Privacy), are based on public key encryption. In other words, the immense computational power of quantum computers can be misused, thus posing a significant threat to current data and communication encryption solutions. There are also geopolitical threats to consider, as the economic power alone of a hostile state possessing a quantum computer could threaten the national security and supply security of other states.
The threat extends to various solutions and information that require encryption. Examining information that, according to domestic legislation, must be kept secret for years reveals threats that, by the estimated timeline of around 2030, data encrypted and stolen now could be decrypted, raising many concerning thoughts. This threat, combined with knowledge of how well (or rather, how poorly) companies have managed their encryption solutions or understand the value of the data they manage, suggests that NOW is indeed the time to start preparing and ensuring that business can continue even in this disruptive situation.
Recommendations for Preparing for the Development of Quantum Computing
How should one properly prepare? Preparatory measures can be divided into three main areas:
Conduct an Inventory.
Identify the encryption solutions used within the organization, covering both software and hardware.
Identify at least the key encrypted data, classify it according to the need for confidentiality, and prioritize the need for re-encryption.
Plan the Transition to Quantum-Safe Solutions.
Develop a detailed plan for updating encryption systems based on the criticality of the systems and the actual risks.
Implement the Transition According to the Plan, Starting with the Most Critical Areas Based on Risks.
Roadmap for preparedness on the effects of Quantum Computing development
Estimates for implementing this “transition project” vary, but in the worst case, it could take years and encompass a period during which both traditional and newer encryption algorithms must be used. This requires expertise in both, or at least an understanding sufficient to demand the right solutions. It is possible that the development of quantum computing will outpace the ability to complete this transition, but what is certain is that preparation must begin now! And it should start with an inventory, especially if one has not been done yet or is incomplete.
You can download the recommendation document produced in the project from the NESA website.
Download the guidelines with recommendations here!
The document provides an overview of the literature and sources underlying this writing and presents the findings of a survey on the preparedness of companies within the Security of Supply Organization. Finally, it offers recommendations for preparatory measures. Plan your own roadmap and start implementing it!
