The Cyber Resilience Act (CRA) entered into force on 10 December 2024. This new regulation will apply directly across EU member states from 11 December 2027, without requiring transposition into national law.
The requirement for manufacturers to notify severe incidents and actively exploited vulnerabilities will apply earlier, from 11 September 2026.
The CRA establishes baseline cybersecurity requirements for products with digital elements (hardware and software) applicable from the design phase to the product’s expected use.
Products that do not comply with the requirements introduced by the regulation will be prohibited from accessing the EU market.
Cullen International published an infographic providing an overview of the main obligations introduced by the CRA.
Clients of our European Digital Economy service, can also access it directly on our client portal via the following link:
more news
15 January 25
Phasing out public payphones: regulatory conditions in the Americas
A new benchmark of Cullen International shows which countries of the Americas imposed an obligation to offer public payphones on telecoms operators and whether their removal is subject to any conditions imposed by regulation.
09 January 25
Postal regulators divided on whether and how to add new environmental powers
Our analysis of a draft report published on 11 December 2024 by the European Regulators Group for Postal Services (ERGP) entitled: Exploring the possibilities to support environmental sustainability within the postal regulatory framework.
07 January 25
Global Trends in social media regulation
Our latest Global Trends benchmark analyses different aspects of social media regulation across 13 jurisdictions around the world.