The Cyber Resilience Act (CRA) entered into force on 10 December 2024. This new regulation will apply directly across EU member states from 11 December 2027, without requiring transposition into national law.
The requirement for manufacturers to notify severe incidents and actively exploited vulnerabilities will apply earlier, from 11 September 2026.
The CRA establishes baseline cybersecurity requirements for products with digital elements (hardware and software) applicable from the design phase to the product’s expected use.
Products that do not comply with the requirements introduced by the regulation will be prohibited from accessing the EU market.
Cullen International published an infographic providing an overview of the main obligations introduced by the CRA.
Clients of our European Digital Economy service, can also access it directly on our client portal via the following link:
more news
11 December 24
NIS2 transposition: tracking the entities in scope and the authorities that oversee compliance
Our new benchmark shows whether the scope of national transposition rules differs from that of the NIS2, and maps competent authorities for sectors such as digital infrastructure, digital providers and ICT service management.
09 December 24
Artificial intelligence in the EU media and creative sectors
Our latest report outlines existing EU rules on the transparency of AI-generated outputs, such as news and deepfakes, as well as the EU’s approach towards fighting AI-enhanced disinformation.
09 December 24
Regulation of targeted advertising and social media in the Americas
Cullen International’s latest survey of media regulation in the Americas takes a leap into the online economy with two new benchmarks, addressing regulation of targeted advertising and social media regulation, respectively.