The Cyber Resilience Act (CRA) entered into force on 10 December 2024. This new regulation will apply directly across EU member states from 11 December 2027, without requiring transposition into national law.
The requirement for manufacturers to notify severe incidents and actively exploited vulnerabilities will apply earlier, from 11 September 2026.
The CRA establishes baseline cybersecurity requirements for products with digital elements (hardware and software) applicable from the design phase to the product’s expected use.
Products that do not comply with the requirements introduced by the regulation will be prohibited from accessing the EU market.
Cullen International published an infographic providing an overview of the main obligations introduced by the CRA.
Clients of our European Digital Economy service can also access it directly on our client portal via the following link: