Provisions supplementing the Cyber Resilience Act to enter into force: Improving cybersecurity of smart devices and software

On 28 May 2026, the Government proposed the approval of the national provisions supplementing the European Union’s Cyber Resilience Act (CRA). The legislation will enter into force on 1 June 2026, with transitional periods aligned with those of the CRA during 2026–2027. The aim of the CRA is to improve the cybersecurity of products.

The CRA will be supplemented by a new national act on the cyber resilience of certain products and on cybersecurity certification. It lays down provisions on the supervision of product‑related obligations, the notification of conformity assessment bodies under the CRA and administrative sanctions. Requirements concerning products will continue to be based on the applicable EU regulation. The act also supplements national provisions on EU cybersecurity certification.

Official duties related to market surveillance under the CRA, as well as the designation and supervision of notified bodies, will be centrally assigned to the Finnish Transport and Communications Agency Traficom. However, market surveillance of high‑risk AI systems will be carried out by the same authorities that supervise compliance with the AI Act. Depending on the sector, these are the Finnish Safety and Chemicals Agency, Traficom, Finnish Supervisory Agency, Finnish Medicines Agency, Energy Authority, Data Protection Ombudsman and Financial Supervisory Authority. Traficom will continue to act as Finland’s national cybersecurity certification authority.

Following the entry into force of the act, conformity assessment bodies may apply in Finland to be notified for assessment tasks under the CRA from 11 June 2026. Applications are submitted to Traficom. A body notified by Finland may carry out conformity assessments under the CRA in all EU Member States within its area of competence.

In addition, a new chapter will be added to the Act on Electronic Communications Services. It concerns the collection and disclosure of domain name registration data as required by the EU cybersecurity regulation known as the Network and Information Systems Directive (NIS 2 Directive). The obligations on collecting and disclosing domain name registration data will also be extended to domain names other than .fi and .ax where the domain name registrar or top‑level domain registry is located in Finland.

These provisions will complement the national implementation of the NIS 2 and improve the availability of domain name registration data, making it easier to tackle illegal activity online. The new obligations concerning domain name data will apply after a transitional period of three months.

Cyber Resilience Act applies to devices and software connected to the internet or other devices

The CRA sets minimum cybersecurity requirements in the EU single market for products and software that can be connected to the internet or to other devices. These include surveillance cameras, refrigerators, smart watches, televisions, computers, phones and toys. The CRA also applies to software such as applications and games,

as well as products intended for non-consumer use, including operating systems and software embedded in devices or machinery, remotely readable sensors and remote management systems. The CRA applies to products made available on the EU market.

The CRA requires manufacturers of devices and software to design and produce their products in line with essential cybersecurity requirements. Manufacturers are also required to report serious incidents affecting product information security, and vulnerabilities that are actively exploited. The CRA also introduces requirements for importers, distributors and open-source software stewards.

The CRA is expected to enhance overall societal security by ensuring that devices and software on the market and in use are more secure than before.

What’s next?

The President of the Republic is expected to approve the bills on 29 May 2026. The legislation will enter into force on 1 June 2026, with application phased in line with the transitional periods of the CRA. Phased application will begin in 2026–2027.

Inquiries:

Veikko Vauhkonen, Senior Specialist, tel. +358 295 342 168, [email protected]