Cybersecurity
Securing our digital landscape through a unified cybersecurity strategy
Nokia secures its digital landscape through a unified strategy that integrates cybersecurity, sustainability, and service continuity.
Awareness
Mandatory training for employees and partners builds vigilance against threats like phishing and shadow IT.
Lab and factory security
Automated controls and risk monitoring protect critical assets in high-risk environments.
Critical information protection
Intellectual assets are identified and safeguarded to ensure business continuity.
Application security
Vulnerability scans, threat modeling, and secure design practices are embedded in development workflows.
Incident management
Nokia’s CERT team operates 24/7 to detect, contain, and resolve security incidents swiftly.
Sustainability and continuity
Security programs are aligned with ISO and NIST standards, ensuring resilience and minimal disruption.
Introducing the 4 pillars of Nokia’s awareness program
Information security training
- Nokia provides yearly training, mandatory for all Nokia employees, to create awareness of and adherence to the Nokia Information Security Policy and practices.
- The training offers the most relevant topics, based on the feedback from several stakeholders.
- This training is also offered to all third parties that have access to Nokia’s network.
Phishing simulation program
- Nokia sends phishing simulations to all employees to help them respond correctly to phishing emails and follow best practices.
- Simulations mimic current industry threats, considering language, role and time zone.
- Employees are invited to report all phishing emails they receive for further analysis.
- Employees failing simulations repeatedly undergo additional training.
- Organization-wide phishing benchmark campaigns are also launched to compare Nokia’s results with industry performance.
Security and privacy accreditation
- Nokia maintains a Security & Privacy Accreditation program, which provides the basis for security & privacy awareness, knowledge and skills to all Nokia employees.
- The objective is to inspire learners to consider security & privacy as part of their daily work, and to enable them to act upon it.
- The program demonstrates commitment to security towards customers.
Cybersecurity awareness campaign
- The campaign aims to create awareness among Nokia users about actual threats to organizational data and how to avoid situations that might compromise it.
- It focuses on one topic to make employees aware of their important role in protecting Nokia’s data.
Securing Nokia's lab and factory environments
A dedicated security program mitigates the risks of intentional or unintentional attempts to compromise the confidentiality, integrity, and availability of assets within designated business environments.
This program helps Nokia build and maintain secure lab and factory environments, ensuring compliance with company security policies through cost-effective controls aligned with risk assessments.
We rely on a Cyber Asset Attack Surface Management (CAASM) solution to automate control deployment, data collection, and risk monitoring within these environments.
Protecting Nokia’s most valuable information
Nokia’s critical information represents our most valuable intellectual assets - the “crown jewels” of our business. These include proprietary technologies, strategic data, and other high-impact resources that drive innovation and competitive advantage, and their protection is paramount.
Compromise of this information could lead to severe financial, operational, and reputational consequences, threatening Nokia’s long-term growth and customer trust.
To prevent this, Nokia operates a dedicated program that proactively identifies, assesses, and mitigates risks to critical information. By applying rigorous protection measures, we ensure our most valuable resources remain secure and resilient against evolving threats. This approach helps reduce risk exposure, secure future revenue streams, and reinforce confidence among customers and stakeholders.
At Nokia, our Application Security Compliance Team plays a vital role in protecting business continuity by ensuring secure and resilient application usage across the organization. Our mission is built on three core pillars:
1. Data criticality assessment
We apply a structured data element inventory process to accurately evaluate the sensitivity and importance of data, ensuring that critical information is identified and protected.
2. Application resilience and continuity
Through our robust Service Continuity Management Process, we ensure that essential applications can be rapidly restored in the event of disruptions.
This includes:
- Conducting business impact analyses
- Developing IT business continuity strategies
- Ensuring disaster recovery plans are documented and rigorously tested
3. Security control alignment
We assess and align security controls within applications to mitigate risks and protect Nokia’s information assets. This involves:
- Assessing implemented protective measures to identify an application’s risk profile and plan mitigations
- Evaluating potential vulnerabilities
By focusing on these strategic areas, Nokia ensures the security, resilience, and continuity of its business operations - today and into the future.
At Nokia, incident management is a proactive, strategic pillar of our cybersecurity framework. Our approach is designed to protect the integrity of our digital ecosystem, ensure operational continuity, and reinforce customer trust in an increasingly complex threat landscape.
Nokia’s Security Incident Management (SIM) and Cyber Defense Center (CDC) teams operate around the clock to detect, assess, and respond to cyber threats. We are equipped to handle a wide range of incidents, from denial-of-service attacks and malware outbreaks to third-party breaches and social engineering attempts. Our lifecycle-based response model includes preparation, identification, containment, eradication, recovery, and post-incident learning.
We understand that our customers expect more than just technical defenses - they want assurance that Nokia embodies resilience, transparency, and accountability. To meet these expectations, we’ve embedded incident response into our broader cybersecurity governance, which includes:
- Zero Trust Architecture: Every connection to Nokia’s network is verified before access is granted.
- Third-Party Risk Management: We monitor and mitigate vulnerabilities across our supply chain, recognizing that external partners can be entry points for attackers.
- Regulatory Compliance: Nokia aligns with global standards such as NIS2, CRA, and NSA, ensuring timely reporting and adherence to legal obligations.
- Security Awareness: Our employees are trained to recognize and report suspicious activity, reinforcing a culture of vigilance.
Customers can be confident that Nokia’s incident management capabilities are not only robust but also continuously evolving. We leverage emerging technologies like AI to accelerate detection and response, while maintaining a strong ethical and operational foundation.
In the event of a cyber incident, Nokia’s teams are prepared - 24/7 - to act swiftly, minimize disruption, and restore services. This commitment ensures that our operations remain resilient, and our customers remain protected.
Nokia: Securing the future, together
At Nokia, we combine advanced cybersecurity with sustainable technology solutions to reduce environmental impact and mitigate cyber risks. Our robust governance framework ensures compliance and operational continuity across all operations.
Cybersecurity Risk Management Framework
Cybersecurity is embedded into Nokia’s enterprise risk management strategy through a comprehensive Security Program, which includes:
- Cybersecurity risk management
- Third party security risk management
- Security incident management
- Disaster recovery
Security training and awareness
We foster a strong internal security culture through:
- Annual mandatory training for all employees
- Quarterly awareness campaigns
- Monthly phishing simulations
Additionally, we implement advanced initiatives such as our Zero-Trust and Critical Information Protection Program and a dedicated Application Security Program to safeguard critical data.
Cyber resilience
Our proactive cyber resilience program is built on rigorous risk assessments and includes:
- Investment in our Cyber Defense Center and Computer Emergency Response Team
- Regular incident simulations and tabletop exercises
- Continuous penetration testing by trusted external assessors
Supply chain security
We strengthen security across our supply chain through enhanced supplier selection processes, embedding governance and compliance requirements into contracts and onboarding procedures.