Government proposes national legislation supplementing the Cyber Resilience Act

Ministry of Transport and Communications
Publication date 27.11.2025 13.36 | Published in English on 27.11.2025 at 15.36
Type: Press release
A woman is heading out for a walk with her dog and is looking at her smartwatch. (Image: Mika Pakarinen, Keksi/LVM)

The Government submitted a legislative proposal for the national implementation of the European Union’s new Cyber Resilience Act (CRA) to Parliament on 27 November 2025.

The proposal includes a new act on the cyber resilience of certain products and on cybersecurity certification. Amendments are also proposed to the Act on Electronic Communications Services and the Cybersecurity Act.

The proposal provides that the official duties related to market surveillance under the CRA, as well as the designation and supervision of notified bodies, would be centrally assigned to the Finnish Transport and Communications Agency Traficom. However, the market surveillance of high-risk artificial intelligence (AI) systems would remain the responsibility of the authorities supervising compliance with the EU AI Act (Finnish Safety and Chemicals Agency, Finnish Customs, Traficom, Finnish Supervisory Authority, Finnish Medicines Agency, Finnish Energy Authority, Data Protection Ombudsman or Financial Supervisory Authority).

The bodies assessing the conformity of products could apply to Traficom to be designated as notified bodies conducting assessments under the CRA. Traficom would also supervise compliance with the requirements of the CRA.

The proposal also seeks to supplement the EU Cybersecurity Act by defining the powers of the national cybersecurity certification authority more precisely. Traficom would continue to act as Finland’s national cybersecurity certification authority.

Furthermore, the proposal introduces new provisions to the Act on Electronic Communications Services concerning the collection and disclosure of domain name registration data, extending the existing provisions beyond the .fi and .ax domain names. These provisions supplement the national implementation of the NIS2 Directive regarding the application of the obligations concerning the collection and disclosure of domain-name-related data. The regulation would also improve the availability of domain name registration data, thereby enhancing the authorities’ ability to address illegal activities carried out online.

Cyber Resilience Act applies to devices and software connected to the internet or other devices

The EU Cyber Resilience Act is a new product regulation establishing minimum cybersecurity requirements for products and software that can be connected to the internet or to other devices. These include surveillance cameras, refrigerators, smart watches, televisions, computers, phones and toys.

The CRA also applies to software such as applications and games, as well as products intended for non-consumer use, including operating systems and software embedded in devices or machinery, remotely readable sensors and remote management systems. The obligations of the regulation apply to products that are made available on the EU market.

The core obligations concern manufacturers’ responsibility to design and manufacture products that comply with essential cybersecurity requirements. Manufacturers will also be required to report serious incidents affecting product information security, as well as vulnerabilities that are actively exploited. The CRA also introduces requirements for importers, distributors and open-source software stewards.

The CRA is expected to enhance overall societal security by ensuring that devices and software on the market and in use are more secure than before.

What’s next?

Parliament will first hold a referral debate on the government proposal in a plenary session. The proposal will then proceed to a committee reading. After the committee submits its report, the process will continue in a plenary session.

The Cyber Resilience Act will begin to apply after the transitional period on 11 December 2027. However, the obligation to report actively exploited vulnerabilities will apply from 11 September 2026, and the provisions concerning notified bodies will apply from 11 June 2026.

Inquiries:

Veikko Vauhkonen, Senior Officer for Legal Affairs, tel. +358 295 342 168, [email protected] 

Timo Kievari, Director of Unit, tel. +358 295 342 620, [email protected]