The Cyber Resilience Act (CRA) entered into force on 10 December 2024. This new regulation will apply directly across EU member states from 11 December 2027, without requiring transposition into national law.
The requirement for manufacturers to notify severe incidents and actively exploited vulnerabilities will apply earlier, from 11 September 2026.
The CRA establishes baseline cybersecurity requirements for products with digital elements (hardware and software) applicable from the design phase to the product’s expected use.
Products that do not comply with the requirements introduced by the regulation will be prohibited from accessing the EU market.
Cullen International published an infographic providing an overview of the main obligations introduced by the CRA.
Clients of our European Digital Economy service, can also access it directly on our client portal via the following link:
more news
02 April 25
Common approaches to the protection of sensitive data and the personal data of minors across the Americas
Our new benchmark addresses how sensitive personal data is defined in eight countries in the Americas. It also lists what special protection measures apply to sensitive personal data and the personal data of minors.
31 March 25
APAC countries apply diverse regulatory rules to global IoT providers
Our new research compares the approach to regulation for IoT and M2M (machine-to-machine) connectivity in Australia, China, India, Japan, South Korea, New Zealand, and Singapore.
27 March 25
Many MENA countries taking steps to switch off 2G and 3G networks
Our latest benchmark on 2G and 3G networks switch-off shows the status in 13 MENA countries.