Information security now!
This week, we cover the newly adopted EU Cyber Resilience Act and how to prepare for different types of disruptions.
EU Cyber Resilience Act adopted
The Cyber Resilience Act (CRA) (EU) 2024/2847 sets minimum cybersecurity requirements for products and software connected to the internet in the EU. The CRA improves the security of society by requiring manufacturers to disclose vulnerabilities and by setting essential cybersecurity requirements for products. The manufacturer should indicate a support period for the product during which any vulnerabilities in the product will be addressed.
Meeting the safety requirements of the Act will be a condition for market access in the EU. A CE mark on a product would indicate that these requirements have been met. The regulation covers IoT devices, security cameras, TVs and software such as games, word processors, operating systems and password management tools. The CRA does not apply to cloud services, medical devices or already regulated vehicles and aircraft.
Obligations to enter into force in stages
The obligations for notified bodies will apply from 11 June 2026. Notified bodies can then apply to become a notified body under the CRA.
The vulnerability reporting obligations will apply from 11 September 2026. The reporting obligation applies to all covered products on the EU market, not just those placed on the market for the first time.
The requirements for the security features of the product will apply from 11 December 2027. Products placed on the EU market must be designed, developed and produced in accordance with the essential cybersecurity requirements of the CRA.
The importance of preparedness has been highlighted in the past week
The past week has proven the importance of preparedness as Finland faced two very different anomalies in our digitally-enabled society. On Monday, there was news of the C-Lion1 submarine cable breaking and, on Wednesday, a strong storm hit Finland from the south. Overall, the resilience of Finnish society is at a good level. Despite this, disruptions can have relatively short-lived local effects. During Storm Jari, tens of thousands of households in Finland were without electricity, and long power cuts can cause problems with mobile connections, for example.
As well as preparing society, each of us should also prepare for the unexpected. How can you yourself cope with a prolonged period of disruption, for example when mobile phones have no local network coverage? Do you know how to contact your loved ones in the event of a disruption, or where to get up-to-date information from the authorities? On Monday, the Ministry of the Interior published a guide on preparedness for incidents and crisis situations, which brings together preparedness information and guidance from many actors in one place on the Suomi.fi website. Traficom has been involved in the production of the guide.
Backup connections ensure business continuity in case of disruption
On Tuesday 19 November, Traficom, together with other authorities and Cinia, organised a briefing on the status of the investigation into damage to a cable linking Finland and Germany. At the event, the authorities said that the break in the cable had had no visible impact on Finland's IT connections to the world and that the security of supply of society had not been compromised. Finland's connections to the world do not rely on a single cable. In addition, incidents such as a break in a cable have been prepared for and rehearsed. When a connection is lost, traffic is transferred to the backup connection and works normally.
The authorities pointed out that there are several links within Finland and from Finland to the world to ensure the functioning of telecommunications. Data traffic on domestic and international connections can be re-routed in the event of equipment or connection failures and maintenance, for example. All this is done in routine cooperation between operators. The key to preparedness is that the main systems are duplicated and route-protected.
At the briefing, the authorities pointed out that cables break from time to time as undersea cables, for example, are vulnerable to damage from weather and shipping. The key is to identify problems and take corrective action. This has been the case this week. The broken undersea cable is being investigated in broad cooperation between the authorities and Cinia. The National Bureau of Investigation has opened a preliminary investigation into the breakage of the cable.
Recently reported scams
In this summary, we provide information about scams reported to the NCSC-FI during the past week.
What to do if you get scammed
- Immediately contact your bank if you have made a payment based on a scam or a criminal has gained access to your online banking codes or got hold of your payment card information.
- File a police report. You can file a police report online. (External link)
- You can also report the incident to the NCSC-FI.
- Instructions for victims of data leaks (External link)
Learn how to detect and protect yourself against online scams
About the weekly review
This is the weekly review of the National Cyber Security Centre Finland (reporting period 15 November–21 November 2024). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cybersecurity specialists to regular citizens.