New Cybersecurity Regulations: FAQ Answered by Elisa and Huld
Written by Taavi Mattila, Elisa
Written by Mika Flinck, Elisa
Written by Iikka Taanila
New regulations like the RED and CRA directives are shaking up the smart device market. But how will these changes play out in practice? What does it take to ensure a smart device is both technically up to date and compliant with regulations from the start?
In the previous part of this blog series, we gave a concise overview of the future of network technologies. Now, Mika Flinck and Taavi Mattila from Elisa, along with Iikka Taanila from Huld, answer the most asked questions about cybersecurity regulations.
Read below for expert insights on how to prepare for what’s ahead – whether you’re launching a brand-new innovation or updating an existing product.
1. What do you think about the new cybersecurity regulations?
Mika & Taavi: When implemented well, regulation is necessary. It improves cybersecurity, prevents low-quality products, and protects consumers. However, excessive or rigid regulation can hinder innovation and create unnecessary costs, especially for small businesses.
The best approach is regulation that is flexible and evolves with technology, while still ensuring safe devices and fair competition.
Iikka: Regulation is extremely important. Non-compliant and dangerous products can pose life-threatening risks to users. They can also distort competition with companies that sell compliant products.
Cybersecurity regulations like RED and CRA enhance the safety of products and services. Hopefully, they will also increasingly help prevent threats like the DDoS attacks mentioned in the previous article.
2. Is achieving compliance burdensome or expensive for companies?
Mika & Taavi: RED and CRA regulations make products safer and improve user cybersecurity. They bring security into the design process from the very beginning. The goal is to ensure that only safe and compliant devices reach the market, supported by tools like mobile network device management and remote updates.
It’s crucial for companies to invest in cybersecurity during product development and maintain it throughout the product lifecycle. In the long run, regulation can also be a competitive advantage, as cybersecurity is becoming a key factor in customer purchasing decisions. That’s why companies should prepare early and proactively develop their security practices.
Iikka: If you already follow the “secure by design” principle, you’ll likely only need minor adjustments. But if cybersecurity hasn’t been a priority, you can expect more work and costs.
The new RED and CRA regulations require device-specific risk assessments, secure software development, regular security testing, vulnerability monitoring, and reporting. If you’re building the entire process from scratch, it could take up to a year – especially considering that the first CRA requirements become mandatory on September 11, 2026. Cybersecurity should be a core part of product development budgets.
3. The Radio Equipment Directive (RED/RED-DA) entered into force on August 1, 2025 – what changed in the market?
Mika & Taavi: The effects are not immediately visible, since the entire supply chain, including wholesalers and retailers, will first want to clear out older stock. Device manufacturers, however, have been preparing for this for some time, ensuring that redesigns and approvals also meet CRA requirements. This way, product development does not need to start over again in two years when the CRA becomes mandatory.
Not all IoT devices and network technologies have been designed to support the remote updates required by the CRA. This is an important consideration for both end customers and service providers to ensure that their choices are genuinely future proof.
IoT devices used in billing, such as electricity, district heating, and water meters, still require separate MID approval if modified, since they serve as the basis for consumption-based billing.
This may reduce the availability of certain devices, but at the same time it addresses significant challenges.
Iikka: Companies have generally responded well in their product development efforts. However, interpreting the regulations and standards remains difficult. There is still uncertainty about exactly which devices the new cybersecurity requirements apply to and how compliance should be achieved.
Many companies were also surprised to learn that the new requirements must be met regardless of when the product was originally designed or type approved. Most manufacturers have already updated their device software to meet the requirements, though some are still in the process.
On store shelves, the change is currently visible as a “two product types” situation – both “older generation” products manufactured before August 1, 2025, and compliant products manufactured after that date are available. From a consumer perspective, this may initially cause some confusion, but the situation will become clearer over the coming months. Eventually, only compliant products will remain on sale.
4. Where can companies get help preparing for these changes?
Mika & Taavi: Elisa offers cybersecurity consulting, expert support, and training to help companies understand the regulations and protect themselves effectively. We also provide automated security solutions, such as IoT and software updates without manual work.
Iikka: Our cybersecurity experts help secure your business comprehensively. They have strong experience in security management, risk assessment, and evaluation methods across industries. We offer services like compliance assessments, secure software and product development processes, and vulnerability identification and testing.
All: Also, follow the Finnish Transport and Communications Agency Traficom’s National Cybersecurity Centre for updates.
Read more
Elisa’s cybersecurity services
Huld’s security services
Meet Huld and Elisa:
Subcontracting Fair, 30.9 – 2.10.2025, Tampere Exhibition and Sports Centre
Teknologia 25, 4.11 – 6.11.2025, Helsinki Exhibition and Convention Centre