Security compliance
Regulations and certifications are vital to security
Regulations and certifications are increasingly critical to security - for both our customers and Nokia
Regulations and certifications are vital because they ensure that Nokia’s products and services meet stringent security expectations from governments, customers, and industry bodies. These expectations are growing rapidly due to the increasing complexity of networks, the rise of AI/ML and quantum computing, and the critical role of telecom infrastructure in national security.
To address this, we have established a comprehensive regulatory compliance management framework that enables a structured, business-driven approach to analyzing and implementing regulations across jurisdictions. This framework enhances preparedness, reduces risk exposure, and supports proactive compliance.
Key regulations and standards directly impacting Nokia include (not an exhaustive list):
- EU Cyber Resilience Act (CRA): sets cybersecurity requirements for products with digital elements and makes manufacturers, importers, and distributors accountable for meeting them.
- Radio Equipment Directive (RED): enforces product safety, EMC, and spectrum efficiency.
- Network and Information Systems Directive (NIS 2): expands cybersecurity obligations across Nokia’s managed services and manufacturing.
- Product-related country-specific regulations are actively monitored and their requirements embedded in our DFSEC process.
- ISO/IEC 27001: provides a globally recognized standard for information security management.
- Nokia also plays a vital role in protecting U.S. critical infrastructure. Under a specialized agreement with the U.S. Government, we apply strict controls to ensure secure network access and product integrity. This commitment reflects our dedication to safeguarding national security and delivering trusted solutions for the future.
For Nokia, these are not just compliance checkboxes - they are strategic enablers that:
- Build trust with customers by demonstrating security assurance.
- Ensure market access in regulated regions.
- Protect Nokia’s reputation and business continuity.
- Support innovation by embedding security into product design and lifecycle management.
Nokia is fully aligned with the European Union's Cyber Resilience Act (CRA), a regulation designed to enhance product security and ensure accountability across the digital supply chain. In 2024, we launched a dedicated CRA compliance program to address the regulation's requirements proactively and be ready before its obligations apply.
This program guides our efforts across key domains:
- Product design: Embedding security principles from the outset to ensure resilient architecture.
- Testing: Implementing rigorous validation protocols to identify and mitigate vulnerabilities.
- Documentation: Maintaining comprehensive records to support transparency and regulatory adherence.
- Supply chain management: Enforcing security standards across all supplier engagements to safeguard end-to-end integrity.
Nokia is also active in the CRA standardization activities.
Through this structured approach, Nokia reinforces its commitment to secure innovation and regulatory excellence across global markets.
The Radio Equipment Directive (RED) 2014/53/EU is a European Union directive that sets mandatory requirements for placing radio equipment on the EU market. Its essential requirements cover health and safety, electromagnetic compatibility (EMC), and efficient use of the radio spectrum, and a delegated act extends them to cybersecurity.
For Nokia, RED compliance is essential for market access and product certification. It requires:
- CE marking on all applicable products
- Cybersecurity safeguards under the delegated act adopted in 2021 (Commission Delegated Regulation (EU) 2022/30), which activates the directive's requirements on network protection, personal data and privacy, and protection from fraud
- Conformance declarations for configurations of hardware, firmware, and software
- Risk mitigation and vulnerability management for devices with radio interfaces
The Network and Information Systems Directive (NIS 2), which EU member states were required to transpose into national law by October 2024, sets stringent cybersecurity and incident reporting requirements for companies operating in critical sectors. As a trusted provider of critical networks and services, Nokia is fully committed to meeting NIS 2 obligations, and we demonstrate this commitment to both regulators and customers.
As an ISO 27001:2022-certified organization, Nokia maintains a robust Information Security Management System (ISMS) to systematically implement and manage security and compliance requirements. With strong leadership support, Nokia leverages its certified ISMS framework and independent audits to verify and continuously monitor compliance with NIS 2 requirements.
Our NIS 2-compliant managed services also support our customers' compliance efforts, strengthening our reputation as a secure and reliable technology provider.
Nokia is fully committed to complying with the China Cybersecurity Law (CSL), which governs national security, personal data protection, and critical infrastructure within mainland China. As a recognized Network Operator, we ensure that all products and services deployed in China meet CSL’s rigorous standards.
- Data localization: Personal and critical data collected in China is stored locally. Overseas transfers are permitted only when strictly necessary and subject to formal security assessments.
- Security reviews: Network products and services undergo mandatory reviews by Chinese authorities to ensure national security is upheld.
- Tiered protection system: Nokia applies CSL’s five-level classification system to assess and mitigate risks based on potential impact to national security and public interest.
- Annual audits: As a Critical Information Infrastructure Operator (CIIO), Nokia conducts yearly cybersecurity audits and reports findings to relevant Chinese departments.
CSL compliance within Nokia is managed by a cross-functional team including legal, regulatory, and business group experts.
Additionally, Nokia’s security incident management process is aligned with CSL requirements. Any incident affecting Chinese customers, networks, or data is escalated to our Computer Emergency Response Team (CERT) and reported to authorities as required.
ISO/IEC 27001 is an internationally recognized standard for Information Security Management Systems (ISMS). This standard provides a comprehensive framework for managing risks, establishing robust security policies, ensuring compliance with legal and regulatory requirements, fostering a culture of security awareness, and driving continuous improvement in security practices.
Nokia achieved ISO/IEC 27001 certification for its ISMS in 2011 and has maintained the certification, and progressively expanded its scope, ever since. Following extensive independent security audits, Nokia's ISMS has been recertified against the updated ISO/IEC 27001:2022 standard. This recertification demonstrates Nokia's strong commitment to safeguarding customer data and delivering secure solutions and services globally.