Dr Henrik Hanssen
Henrik Hanssen is an expert for data, data privacy, AI, IT, cybersecurity, e-commerce and digital media law. He advises national and international companies on regulatory challenges in the digital sector and represents his clients in contract negotiations, proceedings with regulators and in court proceedings.
He brings extensive experience in the creation of practicable solutions to challenges under regulations such as the GDPR, the EU Data Act and EU AI Act, whether it is the evaluation of new products, coordinating regulatory compliance implementation projects, the drafting of policies, notices, agreements and other legal texts, in-house trainings or contentious matters.
Due to several secondments, including with a leading global cloud computing provider, Henrik has special expertise in the tech industry and the field of cloud computing, and is familiar with the work and view of an in-house counsel.
Prior to his career as attorney, Henrik studied law in Kiel with a focus on IP and antitrust law. While working as a research and teaching assistant at the University of Kiel and as paralegal a local law firm, he received a Ph.D. for his dissertation in the fields of IP and unfair competition law. During his legal clerkship he worked, inter alia, for the economic department of the German Embassy in Washington, D.C., and for an international law firm in Hamburg.
Practice Area
Panel
- Contributing Author
Qualified Year
- 2014
Education
- Second State Exam in Law, Higher Regional Court of Schleswig-Holstein (2014)
- Dr iur, Kiel University (2012)
- First State Exam in Law (2010)
3 Contributions by Henrik Hanssen
PRACTICE NOTES
EU Cyber Resilience Act (2024/2847): background, market access timelines and interaction with NLF product law, CE marking, sectoral regimes, product liability, GDPR/Data Act, NIS2/DORA and certification
This Practice Note sets out the essentials of Regulation (EU) 2024/2847, the EU Cyber Resilience Act (CRA): its background, timeline, aims, and how it aligns with other EU laws.
For details on the CRA’s scope or core duties for economic operators, see the following Practice Notes:
The EU Cyber Resilience Act—scope and classification of products
The EU Cyber Resilience Act—obligations, compliance and enforcement
Regulation (EU) 2024/2847, known as the CRA, is the first EU measure to set mandatory cybersecurity requirements for ‘products with digital elements’ across the EU. From December 2027, products that do not satisfy these requirements cannot be placed on the EU market. Accordingly, compliance will be crucial for market entry for both hardware and software. Manufacturers, importers and distributors will have extensive cybersecurity responsibilities and risk significant fines for non-compliance.
The CRA was published in the Official Journal of the EU on 20 November 2024, entered into force on 10 December 2024, and applies in full from 11 December 2027.
Background...
EU Law
PRACTICE NOTES
EU Cyber Resilience Act (Regulation (EU) 2024/2847): obligations across the supply chain, standards and CE marking, conformity assessment, vulnerability reporting, enforcement, penalties and practical steps for compliance
This Practice Note sets out the responsibilities of manufacturers, authorised representatives, importers and distributors under Regulation (EU) 2024/2847, the EU Cyber Resilience Act (CRA). It further considers enforcement and sanctioning under the CRA and explains what the new obligations mean for organisations in practical terms. For additional background and scope on the CRA, see the following Practice Notes:
The EU Cyber Resilience Act—overview and regulatory framework
The EU Cyber Resilience Act—scope and classification of products
The CRA is landmark EU legislation introducing mandatory cybersecurity requirements for ‘products with digital elements’ across the EU. Any product that fails to meet those requirements will be ineligible for placement on the EU market from December 2027. Accordingly, adherence to the CRA will be critical for securing access to the EU market for both hardware and software products. Manufacturers, importers and distributors of such products will shoulder extensive cybersecurity duties and risk substantial fines where they do not comply. The CRA was published in the Official Journal of the EU (OJEU) on 20 November 2024, entered into force on 10 December 2024, and will apply in full from 11 December 2027.
Manufacturer obligations
The CRA...
EU Law
PRACTICE NOTES
EU Cyber Resilience Act: material, personal and territorial scope; product classification; exemptions; and obligations of manufacturers, importers, distributors and open‑source stewards when placing products on the EU market
This Practice Note outlines the material, personal and territorial reach and application of Regulation (EU) 2024/2847, the EU Cyber Resilience Act (CRA). It further sets out how products are categorised under the CRA, including non‑critical, important and critical products. For further background on the CRA and the key obligations placed on economic operators, see the following Practice Notes:
The EU Cyber Resilience Act—overview and regulatory framework
The EU Cyber Resilience Act—obligations, compliance and enforcement
The CRA is the first EU measure of its kind, imposing mandatory cyber security standards for ‘products with digital elements’ across the Union. Items failing to satisfy these requirements will be barred from sale on the EU market from December 2027 onwards. Meeting the CRA will therefore be vital for market entry into the EU for both hardware and software. Manufacturers, importers and distributors of such products will shoulder extensive cyber security duties and may face significant financial penalties if they fail to comply. The CRA was published in the Official Journal of the EU (OJEU) on 20 November 2024, and subsequently took effect on 10 December 2024, and will apply in full from 11 December 2027 across the EU.
Material scope
The CRA’s material scope...
EU Law
If you expected to see yourself on this page, click here.
