CRA vs NIS2: Understanding the Difference
The CRA and NIS2 are both EU cybersecurity regulations, but they apply to different entities and impose different obligations. This post explains the distinction, where they overlap, and what dual-obligation organisations need to do.
Two Different Frameworks with Different Targets
The EU Cyber Resilience Act (CRA) and the NIS2 Directive are both major EU cybersecurity legislation, but they target fundamentally different entities:
- CRA targets manufacturers of products with digital elements — it regulates products placed on the market
- NIS2 targets operators of essential and important services — it regulates how critical infrastructure organisations manage cybersecurity risk
NIS2 in Brief
NIS2 (Directive (EU) 2022/2555) requires essential entities (energy, transport, health, water, digital infrastructure) and important entities (postal services, waste management, food, manufacturing of certain goods) to:
- Implement risk management measures (incident detection, supply chain security, access controls, encryption)
- Report significant security incidents to national authorities within 24 hours (early warning) and 72 hours (detailed report)
- Ensure senior management accountability for cybersecurity
NIS2 has applied since October 2024.
CRA in Brief
CRA requires manufacturers of products with digital elements to:
- Design and build products meeting Annex I security requirements
- Generate and maintain software bills of materials (SBOMs)
- Operate coordinated vulnerability disclosure (CVD) programmes
- Provide security updates for at least five years
- Report actively exploited vulnerabilities to ENISA within 24 hours
- Conduct conformity assessments and affix CE marking
CRA fully applies from December 2027.
Where They Overlap
Some large manufacturers are both CRA-subject (they make products) and NIS2-subject (they operate critical infrastructure). For these organisations:
- Incident reporting obligations overlap in timing (both 24h/72h) but go to different authorities: CRA reports go to ENISA, NIS2 reports go to national authorities
- Supply chain security requirements in NIS2 mean that NIS2 entities must only procure CRA-compliant products from December 2027
- Security-by-design principles in both frameworks align well
Key Practical Distinction
CRA obligations follow the product. If you make a router, the CRA applies to you as the manufacturer regardless of whether you are critical infrastructure.
NIS2 obligations follow the service. If you operate a power grid or a hospital network, NIS2 applies to you based on your sector and size, regardless of what products you make.
A manufacturer of industrial control systems sold to the energy sector is subject to the CRA as a manufacturer, and may also be subject to NIS2 as an operator, depending on its own operations.