Soon Your Smart Watch, Fridge and Toys Must Meet Cybersecurity Standards As Finland Moves Towards Cyber Resilience Act

Every internet-connected device sold in Finland, from children’s toys to home security cameras, will soon need to meet mandatory cybersecurity standards under new legislation submitted to Parliament on 27 November. The proposals implement the EU’s Cyber Resilience Act, giving manufacturers three years to ensure their products comply or face removal from the market.

Text by Martti Asikainen, 1.12.2025 | Photo Adobe Stock Photos

The sweeping legislation targets a cybersecurity gap that has left millions of consumers vulnerable. Smart fridges, baby monitors, fitness trackers and even connected dog collars will all fall under the new rules, which aim to stop insecure devices becoming gateways for hackers.

Traficom to Lead Implementation

Under the proposals, the Finnish Transport and Communications Agency (Traficom) will become the country’s cybersecurity watchdog, with powers to pull non-compliant products from shops and fine manufacturers up to €15 million or 2.5% of global turnover, whichever is greater.

The agency will also certify “notified bodies” — independent assessors who will test whether products meet security standards before they can carry the CE marking that allows them to be sold across the EU. However, Traficom won’t police everything: high-risk AI systems will remain under the watch of specialist authorities already supervising artificial intelligence compliance.

The new rules place the burden squarely on manufacturers. Companies will need to design security into products from the start, not bolt it on as an afterthought. That means conducting risk assessments, eliminating known vulnerabilities before launch, and providing free security updates for at least five years.

But the requirements go further. From September 2026, more than a year before full compliance kicks in, manufacturers must report actively exploited vulnerabilities within 24 hours of discovery. Serious security incidents will need reporting too, with follow-up details required within 72 hours.

The legislation also extends domain name registration requirements beyond Finland’s .fi and .ax domains, making it easier for authorities to track down criminals operating illegal websites.

Why This Matters Now

The timing isn’t coincidental. Cyberattacks cost the global economy an estimated €5.5 trillion annually, with insecure consumer devices increasingly exploited to launch attacks on critical infrastructure. A vulnerable smart camera or router in your home could become part of a botnet attacking hospitals or power grids.

For consumers, the changes should mean safer products and clearer information about security features before purchase. For businesses, it means significant compliance work ahead. Products already on sale before December 2027 can remain on shelves, but anything launched after that date must meet the new standards.

Parliament will debate the proposals before sending them to committee for detailed scrutiny. If approved, the main obligations will take effect on 11 December 2027, though the vulnerability reporting requirements kick in 15 months earlier.

The Cyber Resilience Act represents the EU’s most ambitious attempt yet to secure the Internet of Things, complementing existing cybersecurity rules including the NIS2 Directive, which Finland implemented earlier this year. With connected devices proliferating, from smart doorbells to industrial sensors, regulators are racing to close security loopholes before they can be exploited at scale.

For Finnish manufacturers and importers, the message is clear: secure by design is no longer optional. It’s the law.
