The Cyber Resilience Act (CRA) entered into force on 10 December 2024. This new regulation will apply directly across EU member states from 11 December 2027, without requiring transposition into national law.
The requirement for manufacturers to notify severe incidents and actively exploited vulnerabilities will apply earlier, from 11 September 2026.
The CRA establishes baseline cybersecurity requirements for products with digital elements (hardware and software) applicable from the design phase to the product’s expected use.
Products that do not comply with the requirements introduced by the regulation will be prohibited from accessing the EU market.
Cullen International published an infographic providing an overview of the main obligations introduced by the CRA.
Clients of our European Digital Economy service, can also access it directly on our client portal via the following link:
more news
24 October 25
How are EU member states transposing NIS2?
Our benchmark tracks the transposition status of the directive on measures for a high common level of cybersecurity across the EU (NIS2) in the 27 member states. 15 countries adopted national legislation to transpose NIS2.
23 October 25
Update on 5G security measures across Europe
Our latest research provides a summary of key developments since June 2025 on national 5G security initiatives in the 27 EU member states, Norway, Switzerland, and the UK.
22 October 25
To Space and beyond – part II: Regulating and licensing the terrestrial part of satellite systems in the Americas
Our new satellite benchmark on requirements for fixed earth stations licensing in the Americas summarises the key regulatory procedures and identifies the relevant government authorities.