The Cyber Resilience Act (CRA) entered into force on 10 December 2024. This new regulation will apply directly across EU member states from 11 December 2027, without requiring transposition into national law.
The requirement for manufacturers to notify severe incidents and actively exploited vulnerabilities will apply earlier, from 11 September 2026.
The CRA establishes baseline cybersecurity requirements for products with digital elements (hardware and software) applicable from the design phase to the product’s expected use.
Products that do not comply with the requirements introduced by the regulation will be prohibited from accessing the EU market.
Cullen International published an infographic providing an overview of the main obligations introduced by the CRA.
Clients of our European Digital Economy service, can also access it directly on our client portal via the following link:
more news
30 June 25
LTE and 5G in the 410–430 MHz and 450–470 MHz bands in Europe
Our latest European benchmark shows the countries where the 410–430 MHz or 450–470 MHz bands can be used for LTE or 5G.
27 June 25
Can European end users choose their own router or modem?
Our new benchmark research shows that national regulators clearly defined the network termination point in five of the 14 European countries studied.
26 June 25
Data Protection in the Americas
Recent research highlights contrasts in the enforcement of data protection laws across the Americas. While most countries have legal frameworks in place to penalise violations, the scale of fines—both in terms of maximum fine limits and actual enforcement—varies widely. The findings also reveal that fines imposed in Europe are often significantly higher than those recorded in the Americas.