There is a lot happening in the EU to improve cyber security

This section presents three different EU-level regulations that affect cyber security in Finland. A fourth topic, GDPR, is covered in the next section.

The EU has taken the approach that regulation can be used to promote cyber security. One might even argue that the EU has overregulated, when overregulation is understood to mean more regulation than average. The EU has often been among the first to regulate cyber security, and this has then been reflected in legislation outside the EU as well. It is important to understand the key aspects of EU legislation because it affects the implementation and use of systems as well as people’s rights. Directives, such as NIS2, require national legislation to be adapted, whereas regulations, such as the CRA, the AI Act, and the GDPR, are directly applicable in Member States as such.

There is a substantial amount of regulatory material in this module. The material on this page does not appear in the summary questions. Therefore—and as practice—the questions for this page have been placed at the end.

Network security: NIS2

The EU Network and Information Security Directive 2, NIS2 (Network and information security directive 2) entered into force on 8 April 2025. The aim of the directive is to improve the overall level of cyber security and resilience in the EU by replacing the old NIS Directive, which dates from 2016. NIS2 sets security and reporting requirements for providers of essential services and digital service providers.

In Finland, NIS2 has been implemented through the Cybersecurity Act (currently only in Finnish and Swedish). The new legislation applies more broadly than before to sectors classified as critical for society. These sectors include:

• Energy, transport, finance, and space (and their infrastructure)
• Healthcare (providers, EU reference labs, pharmaceutical R&D, active-substance and critical medical-device manufacturers)
• Drinking water and wastewater systems
• Food production, waste management, postal and courier services
• Public administration and ICT operators (security/management services)
• Digital infrastructure and digital services (marketplaces, search engines)
• Manufacturing industry (including chemicals and medical-device production)

Cyber Resilience Act (CRA)

To improve the quality of products and software, the EU has introduced the (Cyber Resilience Act, CRA). It has already been adopted, but due to a transition period, it will only take effect in December 2027. In practice, organisations should already begin preparing for its requirements.

The CRA applies to devices, software, and software components that are connected or can be connected to a network (and placed on the EU market after the legislation enters into force). The legislation uses the term “products with digital elements”. There are some exceptions, such as software and hardware already covered by other legislation. Requirements for open-source software have also been significantly relaxed.

The CRA also defines requirement classes:

• Unclassified (no high risk)
• Class I, important products with digital elements
• Class II, critical products with digital elements

Key requirements for manufacturers include:

• Secure default settings
• Automatic security updates
• Prevention of unauthorised access
• No known vulnerabilities at the time of placing on the market
• Encryption of personal data according to the state of the art
• Confidential storage of data and data minimisation
• Obligation to actively report exploited vulnerabilities to authorities (ENISA and, in Finland, CERT-FI) as well as to users. Preliminary notification to authorities must be made without undue delay within 24 hours, and a follow-up notification including instructions must be made within 72 hours from the moment the manufacturer becomes aware of the vulnerability. If this is not possible, an exception report must be made.
  • Note! The reporting obligation is already in force from 11 September 2026 and also applies to products already on the market.
• Obligation to provide product support and fix identified vulnerabilities throughout the product lifecycle or for at least five years. The support period must be indicated on the product.
• CE marking requires compliance with the CRA.
• Preparation of a software bill of materials (SBOM), listing key external components, their details, and dependencies.
• Security testing and assessment

Obligations are also imposed on importers and distributors to ensure compliance. The regulation also defines conformity assessment bodies, their obligations, and the conditions for their use.

As with many other EU regulations, administrative fines are significant—up to €15 million or 2.5% of turnover.

Artificial Intelligence Act (AI Act)

The EU Artificial Intelligence Act entered into force on 1 August 2024. Its application is phased; more details are available here.

The AI Act regulates the placing on the market, deployment, and use of AI through four risk categories: prohibited, high-risk, limited-risk, and minimal risk.

The AI Act does not apply to AI systems developed for:

• purely scientific research and development
• exclusively military, defence, or national security purposes
• free and open-source AI systems, unless they are placed on the market or used as high-risk AI systems.

Further exceptions and clarifications can be found in the legal text.

Translated from a summary by Traficom, prohibited uses of AI include:

• manipulative or deceptive techniques
• techniques exploiting human vulnerabilities and causing significant harm
• social scoring in certain contexts
• predicting criminal behaviour based on profiling
• scraping data from the web or surveillance cameras to create facial recognition databases
• emotion recognition in workplaces or schools
• biometric categorisation to infer race, political opinions, trade union membership, religious or political beliefs, or sexual orientation.

High-risk systems may adversely affect health, safety, or fundamental rights. Annex III of the regulation lists examples, including:

• biometric identification (except identity verification for a specific individual)
• critical infrastructure
• education and vocational training (evaluation of individuals or performance, detection of prohibited behaviour)
• employment and HR (recruitment and evaluation)
• access to essential private and public services and benefits
• law enforcement
• migration, asylum, and border control
• administration of justice and democratic processes

A system is not considered high-risk if AI is used only for a limited procedural task (e.g. data structuring) and does not materially influence decisions.

High-risk AI systems must meet requirements including:

• documentation and retention for authorities
• risk management systems
• testing and auditing
• logging
• user instructions
• transparency obligations
• human oversight
• avoidance of bias
• protection against external interference and vulnerabilities
• registration
• CE marking
• training processes
• accessibility requirements
• quality management systems
• reporting of serious incidents
• preparation of a declaration of conformity

The regulation also covers general-purpose AI models capable of performing a wide range of tasks. Providers must:

• produce technical documentation including training and testing processes
• implement a copyright policy
• publish a public summary of training data

Such models are classified as posing a “systemic risk” if cumulative training computation exceeds 10^25, or if determined by the European Commission.

Systemic-risk models must:

• notify the Commission
• assess and mitigate risks
• report incidents
• implement cyber security protections

All AI systems must allow supervisory authorities access to source code under conditions specified in the regulation.

Question 1

Select the correct options:

General-purpose AI models are always systemic risk models.

High-risk systems must include, among other things, documentation, risk management, testing, auditing, CE marking, and human oversight.

Supervisory authorities are not allowed access to AI model source code.

The AI Act applies to open-source systems regardless of their purpose.

Question 1

Both NIS2 and the CRA require that someone must report issues they detect. This applies to

a user of an online service who notices that a website has been hacked.

a recipient of a phishing message.

a router manufacturer informed by customers that they are unable to change the device password.

a mobile phone technician who resets a device locked by ransomware.

Question 1

In what order did the three directives presented on this page enter (or will enter) into force?

NIS2 – AI Act – CRA

NIS2 – CRA – AI Act

CRA – AI Act – NIS2

AI Act – CRA – NIS2

AI Act – NIS2 – CRA

Question 2

The three directives presented on this page classify their targets according to security needs, with different numbers of categories. In what order do the numbers of categories fall?

NIS2 > AI Act > CRA

CRA > NIS2 > AI Act

CRA > AI Act > NIS2

AI Act > CRA > NIS2

AI Act > NIS2 > CRA

Question 1

NIS2 appears to cover many actors involved with infrastructure. Based on this short description, which of the following does it cover?

A manufacturer of ultrasound diagnostic devices.

A manufacturer of fibre optic cables.

An importer of sewer pipes

An electrical installation company.

Posting submission...