The Cyber Resilience Act (CRA) entered into force on 10 December 2024. This new regulation will apply directly across EU member states from 11 December 2027, without requiring transposition into national law.
The requirement for manufacturers to notify severe incidents and actively exploited vulnerabilities will apply earlier, from 11 September 2026.
The CRA establishes baseline cybersecurity requirements for products with digital elements (hardware and software) applicable from the design phase to the product’s expected use.
Products that do not comply with the requirements introduced by the regulation will be prohibited from accessing the EU market.
Cullen International published an infographic providing an overview of the main obligations introduced by the CRA.
Clients of our European Digital Economy service can also access it directly on our client portal via the following link: