The Cyber Resilience Act (CRA) entered into force on 10 December 2024. This new regulation will apply directly across EU member states from 11 December 2027, without requiring transposition into national law.
The requirement for manufacturers to notify severe incidents and actively exploited vulnerabilities will apply earlier, from 11 September 2026.
The CRA establishes baseline cybersecurity requirements for products with digital elements (hardware and software) applicable from the design phase to the product’s expected use.
Products that do not comply with the requirements introduced by the regulation will be prohibited from accessing the EU market.
Cullen International published an infographic providing an overview of the main obligations introduced by the CRA.
Clients of our European Digital Economy service, can also access it directly on our client portal via the following link:
more news
20 February 26
Revised Cybersecurity Act (CSA2) - Changes to the EU cybersecurity certification framework
Cullen International published an analysis of the proposed changes to the EU cybersecurity certification framework under the draft Cybersecurity Act 2 (CSA2) delivered by the European Commission on 20 January 2026.
19 February 26
Upper 6 GHz band: EU member states wait for EU-level decisions
Cullen International has been monitoring regulation of the upper 6 GHz band at the European level and now also benchmarks regulation at the national level in Europe.
18 February 26
The DNA explained: more EU guidance to protect end users against fraud
Cullen International is issuing a series of analyses on different aspects of the Digital Networks Act (DNA) proposal. This report covers end-user rights.