30 January 2026

New Product Reality — The EU Cyber Resilience Act

Hannes Snellman Attorneys Ltd



Cybersecurity is no longer optional — it is becoming a legal requirement for products. The EU Cyber Resilience Act (the "CRA") is a product security regulation that entered into force on 10 December 2024, and it sets a security baseline for products with digital elements, meaning software and hardware products that can be connected to the internet or to other devices. The CRA's broad scope means that nearly every connected product sold on the EU market is covered by this regulation. There is still a transition period, but only until December 2027.

Cybersecurity Is No Longer Optional — It Must Be Built-In

The goal of the CRA is simple: to make products more secure.

The CRA (Annex I) sets essential cybersecurity requirements for products, which must be built into every product and its design and development process, and maintained throughout the lifetime of the product. In practice, the CRA is an extension of the existing CE mark that already appears on many products. As of December 2027, products in the EU are required to bear the CE mark indicating that they meet the essential requirements of the CRA.

The CRA classifies products into three categories: default, important, and critical. Products are classified according to their risk profile, and the risk profile in turn determines which conformity assessment procedure applies to the product. Most products fall into the "default" category, where the manufacturer can self-assess whether the product meets the essential requirements of the CRA, whereas higher-risk products must comply with standards and undergo third-party assessments.

The most controversial topics under the CRA are legacy products that were developed years ago without security requirements, and the length of, and the requirements for, the support period after a product is placed on the market. Furthermore, the CRA extends cybersecurity requirements into supply chains. Manufacturers must ensure that suppliers adhere to stringent cybersecurity obligations and audit rights. Contracts play a key role here and should clearly set out supplier obligations that ensure compliance with the CRA.

The CRA in Finland

While the CRA is directly applicable in all EU Member States, each EU Member State must supplement the CRA by designating supervisory authorities with powers to enforce the CRA. The Finnish Government submitted a government proposal for the national implementation of the CRA to Parliament on 27 November 2025. In practice, a new Act on the Cyber Resilience of Certain Products and on Cybersecurity Certification is proposed.

It is proposed that the Finnish Transport and Communications Agency Traficom be the main supervisory authority under the CRA. The chosen approach was to be expected, as Traficom is also proposed to be the main supervisory authority for the Data Act in Finland and the single point of contact for coordination under the national implementation of the EU AI Act and under the national Cybersecurity Act (transposing the NIS2 Directive into Finnish law).

Similarly to the AI Act, the CRA also allows for the establishment of national regulatory sandboxes. The government proposal does not regulate the establishment of such an environment itself but only grants Traficom the authority to establish one at its own discretion. There would be no limit on the number of regulatory sandboxes, and multiple environments could be set up if needed — for example, for testing different types of products or circumstances.

Next Steps in Finland

The submission of the government proposal was announced in the plenary session on 27 November 2025, and its consideration will next proceed to the preliminary debate. The national law is set to enter into force on 1 June 2026, while taking into account the phased application timeline of the CRA.

The CRA will be fully applicable from 11 December 2027, whereas the requirements for manufacturers to notify authorities about actively exploited vulnerabilities and severe incidents will apply from 11 September 2026.

Originally published 15/12/2025

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
