The CRA countdown: a practical guide for Finnish companies on the 2026 cybersecurity deadlines

The EU Cyber Resilience Act (“CRA”) will reshape how products with digital elements are placed on the EU market, and the first compliance deadlines arrive in 2026. Although most of the Regulation applies from 11 December 2027, two earlier milestones, 11 June 2026 and 11 September 2026, mean that Finnish companies should already be preparing.

The CRA applies to a wide range of products with digital elements, defined as software or hardware products and their remote data processing solutions, including software or hardware components placed on the market separately. In practice, this covers many connected products outside the traditional cybersecurity sector, from smart home devices and industrial IoT sensors to enterprise software and network routers, including products manufactured, imported or distributed by companies in other industries.

The CRA does not apply to free and open-source software supplied outside the course of a commercial activity. However, where open-source software is integrated into a commercial product or used in connection with a commercial activity, the CRA obligations may apply. Companies relying on open-source components should assess whether their use falls within or outside this exemption.

Certain product categories fall outside the CRA’s scope entirely. These include, among others, medical devices, motor vehicles, aviation products, and products developed exclusively for national security or defence purposes, each of which is governed by separate EU or national legislation.

Why 11 June 2026 matters for conformity assessment

The first relevant milestone is 11 June 2026, when the CRA’s rules on the notification of conformity assessment bodies start to apply. From that date, conformity assessment bodies can be designated as notified bodies under the CRA. This date does not mean that all CRA product obligations apply immediately, but it is a useful planning point for companies manufacturing higher-risk products, because notified-body capacity will only begin to build up from then.

Important products with digital elements and critical products with digital elements may require third-party conformity assessment or certification routes, depending on their category and the standards or schemes available. Companies that leave conformity-assessment planning until 2027 may face capacity or timing constraints when seeking a notified body. In Finland, the Finnish Transport and Communications Agency (“Traficom”) serves as the notifying authority, managing the application process and the designation of notified bodies.

Why 11 September 2026 matters for vulnerability and incident reporting

For many manufacturers, a more immediate practical milestone is 11 September 2026, when mandatory reporting obligations come into effect. From this date, manufacturers must notify any actively exploited vulnerability in a product with digital elements, and any severe incident having an impact on the security of such a product, of which they become aware.

The reporting process is time-sensitive and follows a three-stage pattern: an early warning within 24 hours of becoming aware of the vulnerability or incident, a vulnerability or incident notification within 72 hours, and a final report. For actively exploited vulnerabilities, the final report is due no later than 14 days after a corrective or mitigating measure is available; for severe incidents, it is due within one month after the incident notification. Notifications are submitted via the single reporting platform established by ENISA, which routes them to the CSIRT designated as coordinator; in Finland, this is the Finnish CSIRT unit operating under Traficom. These reporting rules also apply to products already placed on the market before 11 December 2027, if they fall within the CRA’s scope, even though the remaining CRA obligations will generally not apply to such products unless they are substantially modified.

Meeting these deadlines is likely to require internal escalation processes that identify when a technical finding becomes a legal reporting issue: the trigger is the manufacturer becoming aware of active exploitation of a vulnerability, or of a severe incident affecting the product’s security, not the discovery of any vulnerability as such. Because the 24-hour clock starts at the moment of awareness, the escalation path must be defined in advance. In practice, this will often require coordination between product, security, legal, compliance, and communications teams.

What Finnish companies should do now

To prepare, companies should consider the following steps before the deadlines:

  • Map products: Check whether the company’s hardware, software, and integrated components qualify as products with digital elements.
  • Identify the company’s role: Assess whether the company acts as a manufacturer, importer, distributor, or other economic operator for each product.
  • Classify products: Check whether products are important products with digital elements, critical products with digital elements, or products not classified as either, to assess whether third-party conformity assessment or certification may be required.
  • Review cybersecurity risk assessment practices: Assess whether cybersecurity requirements are considered early enough in product planning and development.
  • Assess vulnerability handling: Establish a coordinated vulnerability disclosure policy if not already in place or update the existing policy to align with the CRA’s requirements.
  • Review incident escalation processes: Update internal runbooks in light of the 24-hour and 72-hour reporting obligations taking effect in September 2026.
  • Check supplier arrangements: Review due diligence over third-party and open-source components, including how software bill of materials (SBOM) information will be maintained where required.
  • Prepare technical documentation: Start compiling the evidence, test reports and internal responsibilities needed to support the EU declaration of conformity and CE marking.
  • Review customer-facing information: Verify that the expected product lifetime and the minimum support period during which the manufacturer will provide security updates are clearly communicated. Ensure that users can easily identify the relevant point of contact for reporting vulnerabilities.

The Finnish angle: Traficom and enforcement

Although the CRA is directly applicable as an EU regulation, Member States must designate the competent authorities and lay down penalties nationally. Finland has done so through the Act on the Cyber Resilience of Certain Products and on Cybersecurity Certification (439/2026). The Act entered into force on 1 June 2026, but its application follows the CRA’s phased timeline.

Traficom has several key roles under the new Act. It operates as the market surveillance authority, the notifying authority for notified bodies, and may provide expert support in relation to market surveillance and cybersecurity risk assessments. Traficom also has the authority to establish regulatory sandboxes, which may provide controlled testing environments to support innovation and assist micro and small enterprises before placing products on the market.

Non-compliance with the CRA may also lead to enforcement action. Traficom can impose administrative fines on companies that breach the requirements. For the most serious violations, namely breaches of the essential cybersecurity requirements or of the manufacturer’s vulnerability-handling and reporting obligations, penalties can reach up to EUR 15 million or 2.5% of total worldwide annual turnover, whichever is higher. Breaches of other CRA obligations carry a cap of EUR 10 million or 2%, and supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities carries a cap of EUR 5 million or 1%, in each case whichever is higher.

Conclusion

Companies that leave preparation until the 11 December 2027 application date may find that the difficult part is not identifying the relevant rules, but changing internal processes across product, legal, compliance, security, and procurement teams.

For that reason, 2026 should be used to test whether the organisation is ready for the June and September milestones: identifying relevant products, classifying its role, escalating vulnerabilities and incidents within the required timeframes, producing the necessary technical documentation, and coordinating with suppliers.

If you have questions about how the CRA applies to your products or organisation, please do not hesitate to contact our team at HPP. We are happy to assist with scoping assessments, compliance planning, and preparing for the upcoming deadlines.

This article was prepared by Lasse Riski (Partner), Jenna Tyynilahti (Senior Associate), Sara Laitila (Senior Associate) and Max Visser (Associate Trainee) of HPP’s Technology and Data team. The team regularly advises clients on technology and data related matters, including cybersecurity regulation and EU product compliance.
