The Finnish Transport and Communications Agency (Traficom) has decided to stop issuing new Cybersecurity Labels. The decision is based in particular on future EU regulations, which will introduce new data security requirements for devices connected to a network.
In particular, the security requirements of the Radio Equipment Directive (RED) and the Cyber Resilience Act will set new requirements for connected devices and services. Starting from 1 August 2025, radio equipment placed on the EU market must meet the new information security requirements harmonised at EU level. The new requirements apply to some radio equipment and will be part of the CE marking requirements in the future.
The Finnish Transport and Communications Agency has estimated that when the EU regulation enter into force, the significance of the Cybersecurity Label will lessen considerably and might even go away completely. The Cybersecurity Labels issued by the Finnish Transport and Communications Agency will be valid as planned at least until the end of 2024.
Cybersecurity label at the forefront of the Finnish information security landscape
The Finnish Transport and Communications Agency’s Cybersecurity Label has been a pioneer in the Finnish information security field for years. The Cybersecurity Label was introduced in 2019, when Traficom wanted to increase consumers’ awareness of information security and the secure use of devices with the Label.
The Label is an important tool for consumers to demonstrate the information security of connected devices. The Cybersecurity Label has particularly emphasized the security of smart devices, such as home routers and smart TVs. The Label has been an important part of Traficom's efforts to improve the overall level of security and increase consumer awareness of safe device choices. In addition, it has provided consumers with a reliable indicator of the information security of a device or service.
For companies, the Cybersecurity Label has provided an opportunity to stand out from competitors by demonstrating their commitment to high information security requirements. At the same time, it has encouraged companies to improve their security practices and pay attention to the information security of products and services throughout their lifecycle. This has been particularly important at a time when cyber threats are constantly on the rise and consumer concerns about information security have increased significantly.
Mandatory information security requirements must be complied with from 1 August 2025
The new requirements concern wireless devices that are connected to the internet directly or via other equipment, children’s devices and wearable devices, such as smart watches. Information security requirements aim to improve user privacy and protect communication networks. The goal is also to reduce the risk of monetary fraud committed using internet-connected equipment. For consumers and companies, this change means they can rely on EU-regulated products to meet information security requirements without a separate Cybersecurity Label. This harmonises and simplifies compliance with security standards and improves the overall level of security. In the future, Traficom will be responsible for monitoring information security requirements as part of other market monitoring for the sale of radio equipment. In the future, the information security requirements will be part of the requirements coming from the Radio Equipment Directive RED 2014/53/EU.
The Cybersecurity Label has promoted international cooperation, setting an example for other countries in developing and implementing information security requirements. Although no new Cybersecurity Labels will be issued with future EU regulation, its legacy as a pioneer in information security still lives on and affects future standards. Traficom is committed to monitoring and supporting the EU's legislative efforts and ensuring that the transition to new regulation is smooth.
The Cybersecurity Labels issued by the Finnish Transport and Communications Agency will be valid as planned at least until the end of 2024. The Finnish Transport and Communications Agency will not extend the validity of the current Cybersecurity Labels when the Radio Equipment Directive enters into force on 1 August 2025.