The Cyber Resilience Act (CRA) entered into force on 10 December 2024. This new regulation will apply directly across EU member states from 11 December 2027, without requiring transposition into national law.
The requirement for manufacturers to notify severe incidents and actively exploited vulnerabilities will apply earlier, from 11 September 2026.
The CRA establishes baseline cybersecurity requirements for products with digital elements (hardware and software) applicable from the design phase to the product’s expected use.
Products that do not comply with the requirements introduced by the regulation will be prohibited from accessing the EU market.
Cullen International published an infographic providing an overview of the main obligations introduced by the CRA.
Clients of our European Digital Economy service, can also access it directly on our client portal via the following link:
more news
20 April 26
Only a few national cloud schemes include sovereignty and data residency requirements
Ahead of the upcoming EU Cloud and AI Development Act, our new Benchmark explores cloud-specific certification or qualification schemes across 19 EU countries.
20 April 26
The rise of AI agents in China triggers new industrial and security policies
China’s booming market for artificial intelligence (AI) agents has drawn international attention due to the far-reaching economic, industrial and social impacts. This Global Trends report explains the context and significance of this new phenomenon. It also discusses how the Chinese government has been addressing both the opportunities and challenges brought by the fast adoption of AI agents in China.
15 April 26
VOD advertising to children: fragmented regulatory approaches across the Americas
Cullen International’s latest benchmark shows whether there are restrictions on advertising to protect public health or minors in selected countries in the Americas region.