Every connected device that ships without proper security testing is a door left open. Smart locks, hospital monitors, factory sensors, building management systems. Test of Things just raised EUR 1.2 million in pre-seed funding because someone finally decided that the current way of securing these devices, which involves expensive experts doing manual work for weeks, is completely unsustainable.

The round was led by Vendep Capital, with participation from angel investors including Aapo Oksman, Zach Shelby, and Neil Costigan, alongside public support from Business Finland. For a seven-person, pre-revenue startup operating out of Helsinki and Oulu, it's a bet on timing as much as technology.

That timing? The EU's Cyber Resilience Act. It's about to change everything for connected device manufacturers, and most of them aren't ready.

The EU Cyber Resilience Act (CRA) is the kind of regulation that sounds dry until you realize its implications. Starting in 2027, every connected product sold in the EU must meet mandatory cybersecurity requirements throughout its entire lifecycle. Not just at launch. Throughout its life. That means continuous testing, continuous compliance documentation, and the ability to prove at any point that your product meets the standard.

For large manufacturers with dedicated security teams, this is manageable. Expensive, but manageable. For the thousands of small and mid-sized device makers across Europe? It's potentially existential. They don't have the internal expertise. They can't afford to hire cybersecurity consultants for every product iteration. And the penalties for non-compliance won't be gentle.

"Cybersecurity of products is in everyone's interest," says Marko Kaasila, CEO and co-founder of Test of Things. "But the current way of assuring it, manual, not systematic, and expensive, is unsustainable."

Test of Things is building a platform that automates cybersecurity compliance testing end-to-end. Instead of a team of experts spending weeks combing through a device's firmware and communication protocols, the platform runs automated test sequences, identifies vulnerabilities, and generates the regulatory documentation that manufacturers need to prove compliance.

The pitch is straightforward. Connect your device to the platform. Let it run. Get your results and your compliance paperwork. Ship your product with confidence that it meets the CRA requirements. No six-figure consulting engagement required.

Whether it's actually that simple in practice is a question the company will need to answer as it moves from development to deployment. Connected devices are enormously diverse. A smart thermostat has different attack surfaces than an industrial robot. The challenge isn't automating one type of test. It's building a platform flexible enough to handle the full spectrum of IoT hardware while still being rigorous enough that regulators trust the results.

Finland doesn't get mentioned in the same breath as Israel or the US when people talk about cybersecurity hubs. But it probably should. The country has produced F-Secure (now WithSecure), SSH Communications Security, and a steady pipeline of security-focused startups. Helsinki and Oulu, where Test of Things operates, both have deep engineering talent pools rooted in Nokia's legacy and the university system that grew around it.

Test of Things fits this lineage perfectly. Its angel investors include names familiar to anyone in the Nordic security community. Aapo Oksman works in embedded security. Zach Shelby is a recognized figure in IoT standards. Neil Costigan has deep roots in cryptographic technology. These aren't random angels writing small checks. They're domain experts who understand the specific technical challenges this company faces.

The honest assessment: Test of Things is early. Seven people, no revenue, and a product that's still being built. At pre-seed stage, that's entirely normal. But it also means the company is making a bet that the CRA timeline will create urgent demand before its runway expires.

The regulation is set to take full effect in 2027. That gives manufacturers roughly a year to get compliant. Many haven't started. The gap between regulatory deadline and industry readiness is exactly the window Test of Things needs to fill.

If they can build a credible, automated testing platform before the compliance crunch hits, the market will come to them. If the platform takes longer than expected, or if manufacturers find alternative solutions, the window closes. That's the pre-seed gamble in a nutshell.

The capital goes toward expanding the engineering team and accelerating product development. Standard early-stage priorities. The more telling detail is the investor composition. Vendep Capital leading with domain-specific angels suggests this isn't a spray-and-pray investment. It's a targeted bet by people who know the cybersecurity testing market from the inside.

For the broader Nordic tech ecosystem, Test of Things represents a category that's likely to grow fast: regulation-driven enterprise software. The EU is generating compliance requirements faster than most companies can respond. Startups that build the tools to bridge that gap, turning regulatory complexity into automated workflows, have a structural tailwind that doesn't depend on economic cycles or AI hype. It depends on law. And laws, unlike market trends, don't change direction because sentiment shifts.