The Cyber Resilience Act (CRA) entered into force on 10 December 2024. This new regulation will apply directly across EU member states from 11 December 2027, without requiring transposition into national law.
The requirement for manufacturers to notify severe incidents and actively exploited vulnerabilities will apply earlier, from 11 September 2026.
The CRA establishes baseline cybersecurity requirements for products with digital elements (hardware and software) applicable from the design phase to the product’s expected use.
Products that do not comply with the requirements introduced by the regulation will be prohibited from accessing the EU market.
Cullen International published an infographic providing an overview of the main obligations introduced by the CRA.
Clients of our European Digital Economy service, can also access it directly on our client portal via the following link:
more news
11 June 25
Protection of minors: overview of initiatives on age-verification systems in European countries
Cullen International has just updated a benchmark on national age-verification systems to control or restrict minors' exposure to harmful content on social media platforms.
06 June 25
Update on digital services taxes in Europe
Our latest benchmark offers an overview of taxes adopted or proposed on digital services across Europe.
05 June 25
New ecodesign requirements for smartphones and tablets to apply this month
From 20 June 2025, all new smartphones and tablets must meet new EU ecodesign requirements covering reparability, software updates, durability and battery life. Our new Tracker provides a concise description of the EU ecodesign rules and puts them into context.