New Cyber Security Requirements for Connected Products

D&I Alert

The new EU regulation complementing the cyber security regulatory framework − the Cyber Resilience Act (EU) 2024/2847 (“CRA”) − has been adopted and published in the Official Journal of the EU. The CRA aims to improve the cyber security of connected products on the EU market. It will have significant implications for manufacturers, importers and distributors of products with digital elements across the EU.

The CRA applies widely to software and hardware products with digital elements that are connected either directly or indirectly to another device or network. It encompasses a wide range of products, such as IoT devices and software products used in industrial systems. Certain products such as medical devices are excluded from the scope.

The new cyber security requirements are imposed on (i) manufacturers that design and produce products within the scope of the CRA, (ii) importers who bring such products into the EU market, and (iii) distributors involved in their distribution.

The CRA will come into force on 10 December 2024 and, as a general rule, it will apply after a transitional period from 11 December 2027.

Key cyber security requirements

Several critical requirements are imposed under the CRA to ensure that the products with digital elements meet the cyber security standards:

  • Cyber security requirements relating to the properties of products: The manufacturer of the product shall ensure that the product has been designed, developed and produced in accordance with the essential cyber security requirements set out by the CRA. Cyber security must be integrated into the design and development process of the products. This involves conducting thorough risk assessments and implementing appropriate security measures to mitigate identified risks. In addition, detailed documentation obligations must be complied with.
  • Conformity requirements: Before placing the product on the market, the manufacturer must carry out a conformity assessment procedure and affix the CE marking to the product.
  • Vulnerability handling requirements: Products must continue to adhere to the cyber security standards after being placed on the market. Mechanisms must be established to identify and address product vulnerabilities throughout the product’s lifecycle, including the provision of timely updates and patches to mitigate post-market cyber security threats.
  • Reporting obligations: The manufacturer must report actively exploited vulnerabilities contained in the product as well as serious cyber security incidents to the national CSIRT unit and the EU Cybersecurity Agency (ENISA). Such reporting must comply with the strict deadlines set out by the CRA. An early warning must be made within 24 hours and a vulnerability or incident notification within 72 hours. A final report shall be given no later than 14 days after taking corrective measures to the vulnerability or within one month after the submission of the incident notification.

Strengthening transparency

The CRA aims to create conditions allowing users of products with digital elements to take cyber security into account when selecting and using them. It empowers consumer and business users by providing them with transparent information about the cyber security properties of products, enabling them to make informed choices. Users will have access to detailed product information, including information on cyber security features, user guidelines and vulnerability handling.

Enforcement with severe penalties

Compliance with the regulation is reinforced by severe sanctions. Non-compliance shall be subject to administrative fines of up to EUR 15 million or up to 2.5 % of the total worldwide annual turnover of the entity. The maximum level of the fine depends on the nature of the infringement. The sanctions shall be imposed by the national market surveillance authorities.

According to the press release of the Finnish Ministry of Transport and Communications, the aim is to submit a draft proposal for the national complementary legislation for consultation in winter 2025 and to the Finnish Parliament in the autumn of 2025.

Going forward

The CRA complements the EU cyber security regulatory framework with product safety rules for connected products, with the aim of improving the level of cyber security of products on the market. The expected positive impact of the CRA on the general level of cyber security is to be welcomed, but at the same time, the broad impact on market players must be recognised.

There is a substantial transitional period before the CRA becomes applicable on 11 December 2027 (with a few exceptions), but it will have a major impact, particularly on manufacturers of products with digital elements. Entities falling within the scope must review the cyber security measures currently associated with their products and ensure compliance with the CRA to avoid potential legal and financial repercussions. This entails updates to processes, product properties, product information and documentation. It is necessary to recognise these obligations across the supply chain and, where necessary, address them contractually.

We are happy to discuss the implications of the new requirements and keep you updated. For further information and advice, please contact the Head of our Data Protection & Cyber Security practice group, Jukka Lång.
