Finland has adopted national legislation to complement Regulation (EU) 2024/2847, the Cyber Resilience Act (“CRA”). The CRA adds a product-safety dimension to the regulatory framework for cybersecurity and applies to manufacturers, importers and distributors of products with digital elements. The new national complementing act (laki eräiden tuotteiden kyberkestävyydestä sekä kyberturvallisuussertifioinnista, 439/2026; Act on the Cyber Resilience of Certain Products and on Cybersecurity Certification) entered into force on 1 June 2026.

Background

The CRA lays down a uniform legal framework of essential cybersecurity requirements that apply when products with digital elements are placed on the EU market and throughout their lifecycle. The CRA sets out horizontal requirements for hardware and software products that can be connected, directly or indirectly, to the internet or to another device – i.e., products with digital elements. As a directly applicable EU regulation, the CRA does not require transposition into national law. However, market surveillance and enforcement are carried out by national market surveillance authorities, which Member States must designate. The new act designates the surveillance authorities in Finland and sets out their supervisory powers.

The CRA’s core obligations for manufacturers will become applicable on 11 December 2027, with certain provisions – in particular those relating to reporting obligations – applying from 11 September 2026.

Key aspects

The act covers the following central elements:

  • Designation of a market surveillance and cybersecurity certification authority. The Finnish Transport and Communications Agency (Traficom) is responsible for supervising and enforcing compliance with the CRA in Finland. However, for high-risk AI systems within the CRA’s scope, the competent market surveillance authority is the supervisory authority designated under the Act on Supervision of Certain AI Systems (1377/2025). Traficom also acts as the cybersecurity certification authority and the notifying authority for conformity assessment bodies. In addition, Traficom is empowered to establish a cybersecurity regulatory sandbox under the CRA, providing a controlled testing environment for economic operators.
  • Penalties and procedural rules. The act introduces national administrative penalty provisions to give effect to the CRA’s enforcement regime. The maximum administrative fine for manufacturers violating core CRA obligations (the essential requirements and the manufacturer obligations under Articles 13 and 14 of the CRA) is EUR 15 million or 2.5 % of global annual turnover, whichever is higher. For other obligations under the CRA, the ceiling is EUR 10 million or 2 %, and for providing incorrect, incomplete or misleading information to a notified body or market surveillance authority, EUR 5 million or 1 %. A separate, lower ceiling of EUR 100,000 applies to violations related to cybersecurity certification. The act also establishes procedural rules applicable to market surveillance activities, including the exercise of investigative and corrective powers by the national authority, such as the right to inspect business premises and to take software for examination without compensation to the economic operator.
  • Coordination and other notable provisions. The act addresses coordination between the CRA market surveillance authority and other competent authorities, notably those responsible for NIS2 supervision. It also introduces specific provisions on the supervision of open-source software stewards, who may be guided and required to remedy deficiencies but are explicitly exempt from administrative fines. Information voluntarily reported to the CSIRT unit under Article 15 of the CRA may not be used in criminal investigations or administrative proceedings against the reporter without their consent. In addition, contracting authorities in public procurement must take into account CRA compliance and the manufacturer’s ability to handle vulnerabilities effectively when procuring products with digital elements.

Implementation timeline and transitional arrangements

The CRA’s core obligations for manufacturers become applicable on 11 December 2027, with certain provisions, in particular those relating to reporting obligations, applying from 11 September 2026. The provisions on notified bodies and the related penalties apply from 11 June 2026. The Finnish national legislation therefore enters into force ahead of the CRA’s full date of application, ensuring that the national enforcement infrastructure is in place when the obligations become applicable.

It is worth noting that products placed on the market before 11 December 2027 become subject to the CRA requirements only if, from that date onwards, they undergo a substantial modification. However, the reporting obligations apply to all products with digital elements covered by the CRA, including those already on the market before 11 December 2027.

Main implications for businesses

Manufacturers of products with digital elements – from consumer IoT devices and industrial controllers to standalone software – should begin assessing their product portfolios now at the latest. Importers and distributors of products with digital elements should also familiarise themselves with the regulation and prepare to comply with the obligations falling under their responsibility.

Key actions include:

  • mapping which products fall within the CRA’s scope
  • determining whether any of the products qualify as important or critical
  • preparing gap analyses towards the new cybersecurity requirements
  • conducting cybersecurity risk assessments
  • reviewing supply chain, third-party components and procurement arrangements
  • planning and testing reporting procedures.

The Commission has published Draft Commission Guidance to support businesses and Member States in the application of the CRA. The draft guidance addresses scope, conformity assessment, support periods and the treatment of free and open-source software.

In the implementing work, a crucial factor for success lies in cooperation between cybersecurity experts and legal advisors. Our Data Protection & Cyber Security team is available to assist with CRA readiness assessments and advice on the legislative developments.
