New national act on cyber resilience enters into force on 1 June – vulnerabilities must be reported to Traficom from autumn onwards | Traficom
Transport and Communications Agency

June 2, 2026 at 14:49

For the first time, the Cyber Resilience Act introduces product-level cybersecurity requirements for software and hardware placed on the EU market. A national act supplementing the EU regulation enters into force on 1 June 2026 and sets out the procedures to be followed in Finland. It also supplements provisions concerning domain names.

The aim of the new national act on cyber resilience and the EU Cyber Resilience Act (CRA) is to improve the cybersecurity of products available on the market. Under the legislation, manufacturers must report vulnerabilities to the National Cyber Security Centre Finland (NCSC-FI) at the Finnish Transport and Communications Agency Traficom from 11 September 2026 onwards. In addition, all products placed on the market must comply with the CRA from 11 December 2027 onwards.

The EU’s CRA lays down mandatory cybersecurity requirements for devices and software. The national provisions supplementing the CRA will enter into force on 1 June 2026.

CRA applies to devices and software that can connect to the internet or another device

The CRA lays down minimum cybersecurity requirements for products and software. Manufacturers must design and develop products to be secure, and they must report vulnerabilities and severe information security incidents. The requirements also apply to importers, distributors and open-source software stewards. The CRA is expected to improve comprehensive security in society by ensuring that more secure devices and software are available on the market and in use.

Traficom's responsibilities under the CRA

The official duties related to the CRA will be centrally assigned to the NCSC-FI at Traficom. The new national act on the cyber resilience of certain products and on cybersecurity certification contains provisions on, among other things, market surveillance, vulnerability reporting, the notification of conformity assessment bodies and administrative sanctions. 

In addition, the act supplements national provisions concerning EU cybersecurity certification. The requirements applicable to products continue to be based on EU regulation.

Vulnerability reporting

From 11 September 2026 onwards, manufacturers must notify the NCSC-FI at Traficom of any actively exploited vulnerabilities in their products and of any severe incidents having an impact on the security of their products. Notifications must be submitted within 24 hours of the manufacturer becoming aware of the vulnerability or incident.

Market surveillance

Official duties related to market surveillance under the CRA, as well as the designation and supervision of notified bodies, will be centralised within the NCSC-FI at Traficom. However, high-risk AI systems will be supervised by the same authorities that oversee compliance with the Artificial Intelligence Act (AI Act) within their respective sectors. These include, for example, the Finnish Safety and Chemicals Agency (Tukes), Traficom, the Finnish Supervisory Agency, the Finnish Medicines Agency (Fimea), the Energy Authority, the Data Protection Ombudsman and the Financial Supervisory Authority. The NCSC-FI at Traficom will continue to act as Finland’s national cybersecurity certification authority.

Conformity assessment bodies

Following the entry into force of the act, conformity assessment bodies may apply in Finland to be notified for assessment tasks under the CRA from 11 June 2026. Applications are submitted to the NCSC-FI at Traficom. A body notified by Finland may carry out conformity assessments under the CRA in all EU Member States within its area of competence.

Regulation concerning domain names supplemented

The Act on Electronic Communications Services has been amended and supplemented with a new chapter. The changes supplement domain name regulation in line with the NIS2 Directive. In future, the new obligations will also apply to, among others, domain name resellers and to domain names other than .fi and .ax where, for example, the entity’s main establishment or designated representative is located in Finland. The amendments will improve the availability of information and strengthen the authorities’ ability to intervene in unlawful activity online. The new obligations will apply after a transitional period of three months.

Cybersecurity requirements for radio equipment repealed

The European Commission has also adopted a delegated regulation repealing Delegated Regulation (EU) 2022/30 on cybersecurity requirements for radio equipment. The repeal will take effect from 11 December 2027, when the CRA will become fully applicable. Until then, the existing cybersecurity requirements under the Radio Equipment Directive (RED) will continue to apply as normal. In practice, the change will only affect radio equipment placed on the EU market from 11 December 2027 onwards. The aim is to avoid overlapping regulation.

EU Cyber Resilience Act (CRA) enters into force – information session on 3 June 2026

Traficom, the Ministry of Transport and Communications and the Finnish Information Security Cluster (FISC) will organise an information session on the CRA on 3 June 2026 from 9.00 to 11.30.