The Cyber Resilience Act (CRA) entered into force on 10 December 2024. This new regulation will apply directly across EU member states from 11 December 2027, without requiring transposition into national law.
The requirement for manufacturers to notify severe incidents and actively exploited vulnerabilities will apply earlier, from 11 September 2026.
The CRA establishes baseline cybersecurity requirements for products with digital elements (hardware and software) applicable from the design phase to the product’s expected use.
Products that do not comply with the requirements introduced by the regulation will be prohibited from accessing the EU market.
Cullen International published an infographic providing an overview of the main obligations introduced by the CRA.
Clients of our European Digital Economy service can also access it directly on our client portal via the following link: