CRA Compliance in Finland
National competent authority, Article 14 CSIRT contacts, and enforcement guidance for Finland manufacturers.
Finland's Transport and Communications Agency Traficom, through its National Cyber Security Centre Finland (NCSC-FI), serves as the national competent authority and CSIRT for the CRA. Finland is a significant exporter of telecommunications equipment, industrial systems, and connected devices, making CRA compliance central to market access for many Finnish manufacturers. Finland's early and comprehensive NIS2 transposition provides a strong regulatory foundation on which CRA obligations are built.
National Competent Authority (CRA)
Traficom / NCSC-FI
Liikenne- ja viestintävirasto Traficom / Kyberturvallisuuskeskus
Traficom is Finland's transport and communications regulatory authority. Its National Cyber Security Centre (NCSC-FI / Kyberturvallisuuskeskus) serves as both the CRA national competent authority and national CSIRT, with responsibilities for cybersecurity certification and incident coordination.
https://www.traficom.fi →National CSIRT (Article 14 Reports)
NCSC-FI
National Cyber Security Centre Finland
https://www.traficom.fi/en/communications/cyber-security/report-information-security-incident
https://www.traficom.fi/en/communications/cyber-security →CRA Enforcement in Finland
Traficom's NCSC-FI is designated as Finland's national competent authority for the CRA, building on its existing mandate as the national authority for the NIS2 Directive and network equipment certification. Finnish Customs and Tukes (Finnish Safety and Chemicals Agency) coordinate on market surveillance for products entering the Finnish market. Finland has a significant technology manufacturing base, including Nokia and its supply chain, as well as industrial automation manufacturers — all within the CRA's product scope. NCSC-FI participates actively in ENISA's CRA technical working groups and publishes implementation guidance in Finnish and English.
Article 14 Incident Reporting for Finnish Manufacturers
Finnish manufacturers submit Article 14 notifications to NCSC-FI through Traficom's secure incident reporting portal. NCSC-FI maintains a 24/7 duty function for critical cybersecurity incidents. The CRA Article 14 obligation requires an early warning within 24 hours of discovering active exploitation and a full notification within 72 hours. Finland's existing NIS2 incident reporting infrastructure — one of the most developed in the Nordics — provides the operational backbone for CRA Article 14 notifications. NCSC-FI coordinates with ENISA and the EU CSIRTs network and publishes anonymised incident data in its annual reports.
Market Surveillance & Penalties
Traficom coordinates market surveillance with Tukes (chemicals and product safety) and Finnish Customs for imported products. For CRA violations, Finland will implement the full penalty regime: up to €15 million or 2.5% of global annual turnover for breaches of essential cybersecurity requirements. Finland's regulatory enforcement culture tends toward cooperative compliance, with formal penalties reserved for cases of wilful non-compliance or significant consumer harm. Manufacturers should maintain comprehensive technical documentation as Traficom may request this as a first step in any surveillance inquiry.
Support for Finnish Manufacturers
NCSC-FI publishes free cybersecurity guidance in Finnish and English, including sector-specific implementation guides for manufacturing industries. Traficom operates the Cyber Security Label scheme for consumer IoT products, providing a market-recognised certification that maps to CRA Annex I requirements. Business Finland supports R&D and cybersecurity capability development for manufacturers through innovation grants. The VTT Technical Research Centre of Finland provides accredited conformity assessment and testing services for CRA product evaluations. The Finnish Standards Association (SFS) publishes national adoptions of IEC and ETSI standards relevant to CRA compliance.
CVD Portal automates your Article 14 notification obligations.
Pre-built notification workflows for NCSC-FI, deadline tracking, CSAF advisory generation, and a public CVD submission portal. Free forever.
Start your free portalFrequently asked
How do I contact NCSC-FI as a manufacturer with a CRA compliance question?+
NCSC-FI (Kyberturvallisuuskeskus) can be contacted through the Traficom website at traficom.fi. For CRA compliance queries, the Traficom industry liaison team handles manufacturer enquiries. NCSC-FI publishes guidance documents and hosts annual cybersecurity events for industry. For Article 14 incident reporting, use the secure reporting portal linked from the NCSC-FI website.
Does Finland have national-level CRA implementing legislation?+
Finland has transposed NIS2 through the Kyberturvallisuuslaki (Cybersecurity Act), which provides the legislative basis for Traficom's supervisory powers. CRA implementing measures are expected through amendments to the Kyberturvallisuuslaki and product safety regulations under the Tuoteturvallisuuslaki. The Ministry of Transport and Communications is leading the CRA implementation process, with national measures expected ahead of December 2027.
How does the CRA interact with Finland's cybersecurity and product safety laws?+
Finnish manufacturers face overlapping obligations under the Kyberturvallisuuslaki (NIS2) and the CRA. Where manufacturer obligations under NIS2 and CRA Article 14 overlap, Traficom is expected to provide consolidated guidance allowing a single notification to satisfy both frameworks. Finnish manufacturers in the energy and telecoms sectors face additional obligations under sector-specific regulations administered by the Energy Authority and Traficom's telecom division respectively.
Need a CRA compliance checklist for your product?
Browse free niche-specific checklists covering classification, Annex I obligations, and CVD requirements.