Finland implements national framework for EU Cyber Resilience Act

Products placed on the EU market must comply with the Cyber Resilience Act from 11 December 2027.

Finland's cyber resilience act enters into force, assigning Traficom duties under the EU CRA and setting vulnerability reporting rules

Finland’s national cyber resilience law entered into force on 1 June, establishing national procedures for implementing the European Union’s Cyber Resilience Act. The Cyber Resilience Act establishes cybersecurity requirements for software and hardware products placed on the EU market.

The law assigns responsibility for implementing key provisions of the Cyber Resilience Act to the National Cyber Security Centre Finland, which operates within the Finnish Transport and Communications Agency (Traficom). The act covers market surveillance, vulnerability reporting, notification of conformity assessment bodies, administrative sanctions, and provisions linked to EU cybersecurity certification.

From 11 September 2026, manufacturers will be required to notify the National Cyber Security Centre Finland of actively exploited vulnerabilities and serious security incidents affecting their products. Notifications must be submitted within 24 hours of the manufacturer becoming aware of the vulnerability or incident.

Products covered by the Cyber Resilience Act must comply with its requirements from 11 December 2027. The requirements apply to manufacturers, importers, distributors, and open-source software stewards, while high-risk AI systems in Finland will be supervised by the authorities responsible for the Artificial Intelligence Act in their respective sectors.

Finland has also amended its Act on Electronic Communications Services to support the implementation of domain name registration requirements under the NIS2 Directive. The new obligations will apply after a three-month transition period and will extend to domain name resellers and certain domain names other than .fi and .ax, where the entity’s main establishment or designated representative is located in Finland.

Why does it matter?

The Cyber Resilience Act represents one of the EU’s most significant efforts to improve cybersecurity across connected products and software. By introducing security-by-design requirements, vulnerability reporting obligations and market surveillance mechanisms, the regulation aims to reduce cybersecurity risks throughout the digital supply chain.

Finland’s implementation measures provide the national framework needed to enforce these requirements, while the related NIS2 amendments further strengthen oversight of critical digital infrastructure and domain name services.
