The Cyber Resilience Act (CRA) entered into force on 10 December 2024. This new regulation will apply directly across EU member states from 11 December 2027, without requiring transposition into national law.
The requirement for manufacturers to notify severe incidents and actively exploited vulnerabilities will apply earlier, from 11 September 2026.
The CRA establishes baseline cybersecurity requirements for products with digital elements (hardware and software) applicable from the design phase to the product’s expected use.
Products that do not comply with the requirements introduced by the regulation will be prohibited from accessing the EU market.
Cullen International published an infographic providing an overview of the main obligations introduced by the CRA.
Clients of our European Digital Economy service, can also access it directly on our client portal via the following link:
more news
19 November 25
Latest update on telecoms regulation from the Middle East and North Africa
Our latest MENA Telecoms Update details the most significant regulatory developments taking place in the region between 12 August and 30 October 2025.
18 November 25
Cybersecurity strategies in the Americas focus on policy goals, with most not setting binding obligations
Our latest benchmark surveys main cybersecurity issues, including general policies and specific rules on critical infrastructure across the Americas.
14 November 25
Most European NRAs regulate wholesale access to fibre
Our latest pan-European benchmark provides an overview of the market definition of M1/2020 and the remedies imposed on fibre unbundling and VULA over fibre, the wholesale prices for fibre unbundling at the optical distribution frame and for VULA over fibre.