Finland proposes rules for EU Cyber Resilience Act
Traficom will oversee the Cyber Resilience Act market surveillance and notified bodies, while AI Act authorities supervise high-risk AI systems.
The Finnish Government has proposed the approval of national provisions supplementing the EU Cyber Resilience Act, which sets cybersecurity requirements for products with digital elements.
The legislation will enter into force on 1 June 2026, with phased application aligned with the Cyber Resilience Act’s transitional periods during 2026 and 2027. The aim is to improve the cybersecurity of connected devices and software placed on the EU market.
The Cyber Resilience Act will be supplemented in Finland by a new national act on the cyber resilience of certain products and cybersecurity certification. The act covers supervision of product-related obligations, notification of conformity assessment bodies under the Cyber Resilience Act, administrative sanctions, and national provisions linked to the EU cybersecurity certification.
Market surveillance under the Cyber Resilience Act, along with the designation and supervision of notified bodies, will be assigned to the Finnish Transport and Communications Agency, Traficom. Market surveillance of high-risk AI systems will be carried out by the authorities responsible for supervising compliance with the AI Act, depending on the sector.
Conformity assessment bodies will be able to apply to Traficom from 11 June 2026 to be notified for assessment tasks under the Cyber Resilience Act. Bodies notified by Finland will be able to carry out conformity assessments across the EU member states within their area of competence.
Finland will also add a new chapter to the Act on Electronic Communications Services concerning the collection and disclosure of domain name registration data under the NIS2 Directive. The obligations will extend beyond .fi and .ax domains where the registrar or top-level domain registry is located in Finland, after a three-month transitional period.
The Government said the domain name provisions will complement Finland’s national implementation of NIS2 and improve the availability of registration data, making it easier to tackle illegal activity online.
Why does it matter?
Finland’s legislation shows how EU cybersecurity rules are being translated into national enforcement structures. The Cyber Resilience Act sets product security obligations at the EU level, but member states still need national provisions for supervision, notified bodies, sanctions, and certification. The added NIS2 domain registration rules also show how cybersecurity implementation is expanding beyond products into online infrastructure and data availability for enforcement.
Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!