Bidder readiness: certificates, qualifications, and compliance
A comprehensive guide to the certificates, qualifications, and compliance requirements for public procurement in Finland. Make sure your company is ready to bid.
KEY TAKEAWAYS
- The Luotettava Kumppani (Reliable Partner) service by Vastuu Group is practically essential — it automatically fulfills contractor liability law requirements
- The ESPD form replaces individual certificate submissions at the bidding stage, but the winner must present original documents
- ISO 9001 (quality), ISO 14001 (environmental), and ISO 27001 (information security) are the most commonly required certifications
- The 2026 procurement law reform will add environmental offences as a new mandatory exclusion ground and emphasize sustainability
- The NIS2 Cybersecurity Act (2025) expands cybersecurity requirements to approximately 5,500 organizations
1. Legally mandatory certificates
The Finnish Public Procurement Act defines mandatory exclusion grounds that result in automatic rejection. Criminal-based mandatory exclusion grounds include corruption, fraud, money laundering, terrorism financing, human trafficking, and child labor. Bidders declare these through the ESPD form, but the contracting authority can verify the information from criminal records.
A tax debt certificate (verovelkatodistus) from the Tax Administration proves the company has no unpaid taxes. A pension insurance payment certificate (from the pension insurance company) verifies that statutory pension contributions have been paid. A trade register extract (from the Finnish Patent and Registration Office, PRH) confirms the company's registration and basic information. These three certificates are required in virtually every public tender.
At the bidding stage, the ESPD form replaces submission of individual certificates — the bidder declares that no exclusion grounds exist and that eligibility requirements are met. Original certificates are only required from the winning bidder before the procurement decision is made. Certificates must be no older than three months.
Workers' compensation insurance is legally mandatory for all employers. Professional liability insurance is not required by law but is demanded in nearly every tender. Always carefully review the tender's requirements list — a missing certificate means automatic rejection, and the contracting authority has no discretion in the matter.
2. Luotettava Kumppani (Reliable Partner) — what it is and why you need it
Luotettava Kumppani is a subscription service (EUR 25/month) maintained by Vastuu Group (VAST) that continuously monitors and publishes your company's compliance data from multiple government registers. The service produces a Luottamusmerkki (trust badge) — a digital designation visible in Vastuu Group's Valvoja monitoring service and in your own materials.
The service verifies Contractor's Liability Act compliance (prepayment, employer, and VAT register status), financial data (revenue, EBITDA, liquidity, equity ratio over 3 years), real-time payment ability (via Intrum data), international sanctions list screening, and connections between company representatives and entities with payment defaults.
Public sector clients use Vastuu Group's Valvoja service to automatically monitor their subcontractors and suppliers. In practice, the Luotettava Kumppani badge has become the industry standard — its absence is not a legal barrier, but it raises the threshold: the client must manually verify Contractor's Liability Act data, which slows down the process.
Luotettava Kumppani is currently available only for Finnish entities. Foreign companies can access a limited version with power-of-attorney documentation. Registration takes a few days, and data updates automatically — there is no ongoing administrative burden for the company.
3. Contractor's Liability Act (tilaajavastuulaki)
The Contractor's Liability Act (1233/2006) requires every company to verify its subcontractors' and temporary workers' compliance with statutory obligations before entering into a contract. The law applies when the subcontract value exceeds EUR 9,000 or the temporary worker's assignment exceeds 10 working days.
Required verifications include: registration in the prepayment, employer, and VAT registers; trade register extract; tax payment status report; pension insurance payment certificate; applicable collective agreement or principal employment terms; occupational health care provision account; and workers' compensation insurance certificate. Documents must be no older than three months.
In public procurement, the Contractor's Liability Act is relevant in two ways. First, the contracting authority verifies the prime contractor's compliance as part of the tender process. Second, the prime contractor is itself obligated to verify its own subcontractors' data, and under JYSE 2025 the supplier is responsible for its subcontractor's work as if it were its own.
Violations can result in a negligence fee of EUR 2,000–65,000. The most efficient way to handle Contractor's Liability Act obligations is through the Luotettava Kumppani service: both your own company and subcontractors are covered by the service, with data updated and verifiable in real time.
4. Quality and environmental certifications
ISO 9001 (quality management system) is the most commonly required certification in public procurement. It is not legally mandatory but is practically either an eligibility requirement or a scored criterion in most service and IT tenders. Obtaining certification typically takes 6–12 months and requires building a documented quality management system.
ISO 14001 (environmental management system) is rapidly becoming more common. The upcoming procurement law reform's emphasis on ecological sustainability will further increase the significance of environmental certifications in tenders. Serious environmental offences are also proposed as a new mandatory exclusion ground.
ISO 45001 (occupational health and safety) is particularly relevant in construction and industrial procurement. In the construction sector, RALA certification (Rakentamisen Laatu ry) is the Finnish alternative, corresponding to ISO 9001, ISO 14001, and ISO 45001 but tailored to Finnish construction. RALA competence demonstrates technical expertise; RALA certification validates management systems.
Under the Procurement Act, a contracting authority cannot require a specific certification (e.g., exactly ISO 9001) as the only acceptable evidence. Equivalent proof must be accepted. In practice, this means a company can demonstrate quality management by other means — but a recognized certification makes proving it significantly easier.
5. Information security and cybersecurity
ISO 27001 (information security management system) is the de facto standard for IT, cloud, and data processing contracts. In public sector IT procurement, it is almost invariably either an eligibility requirement or a scored criterion. Certification requires a comprehensive risk assessment, documented security controls, and annual audits.
Katakri (national security auditing criteria) is the tool used by Finnish authorities to audit organizations handling classified information. It covers three areas: T (security management), F (physical security), and I (technical cybersecurity). A facility security clearance (FSC) granted through a Katakri audit is valid for both domestic and international projects.
PiTuKri (cloud services security assessment criteria) is published by Traficom's National Cyber Security Centre (NCSC-FI) and is required when government classified data is processed in cloud services. The criteria are being actively updated in 2025. In practice, PiTuKri compliance is mandatory for all public sector cloud service procurement involving confidential data.
The Cybersecurity Act (124/2025, implementing the NIS2 Directive) entered into force on April 8, 2025, expanding cybersecurity requirements from approximately 1,100 to 5,500 organizations. It covers telecommunications, healthcare, manufacturing, energy, finance, and public administration. Procurement contracts in these sectors increasingly include cybersecurity requirements that flow down to subcontractors as well.
6. Sector-specific requirements
In defense and security procurement, a Facility Security Clearance (FSC) is required, issued by Supo (Finnish Security Intelligence Service) or the Defence Command. The clearance assesses company reliability, data security level, and capability to handle classified information. It is valid for up to 5 years. NATO procurement additionally requires an NCAGE code and a Declaration of Eligibility (DoE).
For digital services, accessibility requirements under the Act on the Provision of Digital Services (digipalvelulaki 306/2019) mandate WCAG 2.1 Level AA compliance for all public sector digital services. From June 2025, requirements were expanded to private sector consumer services. In public IT tenders, the contracting authority must require EN 301 549 / WCAG 2.1 AA compatibility.
The EU AI Act introduces new requirements for public sector AI procurement: transparency, human oversight, and bias prevention. Finland has adopted a decentralized model with 10 market surveillance authorities. General-purpose AI obligations began on August 2, 2025. IT vendors should prepare for AI transparency requirements in tender specifications.
GDPR requirements are mandatory in all contracts involving personal data processing. While there is no single "GDPR certificate," contracting authorities routinely require a Data Processing Agreement (DPA), record of processing activities, Data Protection Impact Assessment (DPIA) where applicable, and evidence of technical and organizational safeguards.
7. Financial reliability and references
The D&B (Dun & Bradstreet) / Bisnode AAA credit rating is a widely used reliability indicator. The highest AAA rating requires over EUR 2 million in revenue, at least 10 years of operating history, and financial performance significantly above industry average. The credit rating is not legally mandatory, but contracting authorities frequently use it in assessing financial suitability.
Audited financial statements (typically the last 2–3 fiscal years) are a standard requirement for demonstrating financial stability. The contracting authority may set minimum requirements for revenue, equity ratio, or EBITDA. Under the Procurement Act, the revenue threshold may be at most twice the estimated annual contract value.
Professional liability insurance is required in nearly all tenders. The coverage amount is typically proportioned to the contract value. Under JYSE 2025, the maximum liability amount is five times the contract value, so insurance adequacy must be verified on a contract-by-contract basis.
References are practically always required as an eligibility criterion or scored element. Typically 2–5 references from the last 3–5 years are requested, comparable in size and nature to the procurement. A well-maintained reference bank is essential — collect the contact person, contract value, description, and feedback from every significant project immediately upon completion.
8. Upcoming requirement changes 2025–2026
The procurement law reform is the most significant upcoming change. The government proposal was submitted to Parliament in autumn 2025, with the new law expected to enter into force on January 1, 2026. Key changes include emphasizing ecological, social, and economic sustainability as evaluation criteria, adding serious environmental offences as mandatory exclusion grounds, and requiring re-tendering in single-bid situations.
The EU Net-Zero Industry Act (2024/1735) introduces mandatory minimum environmental sustainability requirements for certain public procurements. In practice, this means environmental performance measurement and reporting will become part of an increasing number of tenders. Companies should prepare for carbon footprint calculations and lifecycle assessments.
Trade Register Act changes take effect January 1, 2026: mandatory electronic filing and penalty fees for failing to update register information. This affects all companies but is especially relevant for public procurement participants, whose trade register data must be current.
The impacts of the Cybersecurity Act (NIS2) and the EU AI Act are increasingly flowing into procurement contracts: cybersecurity and AI requirements are becoming part of standard tender conditions. Companies that proactively obtain ISO 27001 certification and document their AI practices will gain a competitive advantage in future tenders.
9. Practical checklist — is your company ready?
Basic readiness (all tenders): Luotettava Kumppani registration, automated tax debt certificate ordering, pension insurance payments current, trade register information updated, workers' compensation insurance active, professional liability insurance with adequate coverage, audited financial statements available, and a systematically maintained reference bank.
Service and IT procurement: ISO 9001 certification (or equivalent quality management evidence), ISO 27001 (especially for data-handling contracts), GDPR documentation (data processing agreement template, records of processing, impact assessment), accessibility expertise (WCAG 2.1 AA), and PiTuKri readiness for cloud services.
Construction: RALA competence and/or certification, ISO 45001 or equivalent occupational health and safety system, YSE 1998 expertise, secured bonding capacity (10% during construction, 2% during warranty period), and automated Contractor's Liability Act monitoring for subcontractors.
Defense and security: Facility Security Clearance (FSC) from Supo, Personnel Security Clearances (PSC) for key staff, NCAGE code and Declaration of Eligibility for NATO procurement, Katakri criteria familiarity, and ISO 27001. Allow ample time — security clearance processes can take months.