The Cyber Resilience Act (CRA) entered into force on 10 December 2024. This new regulation will apply directly across EU member states from 11 December 2027, without requiring transposition into national law.
The requirement for manufacturers to notify severe incidents and actively exploited vulnerabilities will apply earlier, from 11 September 2026.
The CRA establishes baseline cybersecurity requirements for products with digital elements (hardware and software) applicable from the design phase to the product’s expected use.
Products that do not comply with the requirements introduced by the regulation will be prohibited from accessing the EU market.
Cullen International published an infographic providing an overview of the main obligations introduced by the CRA.
Clients of our European Digital Economy service can also access it directly on our client portal via the following link: