Cyber Resilience Act sets minimum requirements for connected products, national implementation project underway
The Cyber Resilience Act (CRA) was published in the Official Journal of the European Union on 20 November 2024. The CRA sets minimum cyber security requirements for products and software that can be connected to the internet or to other devices. A project preparing national legislation to complement the Act is underway at the Ministry of Transport and Communications.
Although the CRA is a regulation and therefore directly applicable, complementary national legislation is still needed, particularly on the organisation of market surveillance and the related official duties, on the approval of notified bodies, and on administrative sanctions. On 1 May 2024, the Ministry of Transport and Communications launched a project to prepare this national legislation.
CRA improves the security of society by setting minimum requirements for the information security of devices and software
The scope of the CRA is wide: with certain exceptions, its requirements apply to products and software that can be connected to the internet or to other devices, i.e. that contain a digital element as defined in the Act. Consumer examples include connected surveillance cameras, refrigerators, smartwatches, televisions, computers, telephones and toys. The Act also covers software as such, for example applications and games, and non-consumer products such as operating systems, remotely readable sensors and the remote control systems built into devices and machines.
The Act responds to cybersecurity developments in which hardware and software are increasingly subject to cyberattacks, potentially adding significant costs to consumers, businesses, communities and public authorities. With more secure products in use and on the market, the Act is expected to improve the overall security of society.
In future, meeting the security requirements laid down in the Act will be a prerequisite for placing a product on the EU market. Manufacturers will also have to notify the European Union Agency for Cybersecurity (ENISA) and the national computer security incident response team (CSIRT) of actively exploited vulnerabilities in their products and software.
For most products, conformity will be demonstrated through the manufacturer's self-assessment. For certain product categories, a stricter procedure, such as assessment by a third party, will be required. These categories include routers, firewalls, browsers, operating systems, certain microprocessors, and access and password management software. Manufacturers of other products may also opt for third-party assessment voluntarily to demonstrate conformity.
Third-party assessments will be carried out by notified bodies. The aim is that in Finland applications for designation as a notified body would be submitted no later than spring 2026.
What’s next?
A public consultation on national complementary regulation is expected to take place in winter 2025 and a proposal to Parliament is expected to be submitted during the autumn session 2025.
After a transition period, the Act will apply in full from 11 December 2027. Some obligations start earlier: the provisions on notified bodies apply from 11 June 2026, and the obligation to report actively exploited vulnerabilities applies from 11 September 2026.
Inquiries:
Veikko Vauhkonen, Senior Specialist, tel. +358 29 534 2168, [email protected]
Marko Priiki, Senior Specialist, tel. +358 29 534 2187, [email protected]
Gateway to Information on Government Projects: Government proposal for implementing the Cyber Resilience Act (LVM014:00/2024)
Press release 10 November 2022: Government endorses the Commission’s proposal for Cyber Resilience Act