
CRA vs NIS2: What's the Difference and Do You Need Both?

The CRA and NIS2 are both major EU cybersecurity laws, but they target different entities: one regulates products, the other regulates the organisations that run critical services. Here is the distinction, where they overlap, and what dual-obligation organisations must do.

CRAReady Team

Two Frameworks, Different Targets

The EU Cyber Resilience Act (CRA) and the NIS2 Directive address fundamentally different entities. The CRA targets manufacturers of products with digital elements -- it regulates hardware and software products placed on the EU market, wherever the manufacturer sits. NIS2 targets essential and important entities -- it regulates how organisations in critical sectors manage the cybersecurity risk of their own networks and information systems, regardless of what they buy or build.

NIS2 in Brief

NIS2 (Directive (EU) 2022/2555) applies to essential and important entities in sectors such as energy, transport, banking, health, drinking water, digital infrastructure and public administration. They must implement the risk management measures of Article 21 (including supply chain security), report significant incidents to their national CSIRT or competent authority (24-hour early warning, 72-hour incident notification, final report within one month), and have their management bodies approve and oversee those measures, with personal liability for failing to do so. As a directive, NIS2 is transposed into national law: member states had to apply their transposing measures from 18 October 2024, and the practical detail of scope, registration and reporting is set country by country.

CRA in Brief

The CRA (Regulation (EU) 2024/2847) requires manufacturers of products with digital elements to design, develop and produce them to meet the essential cybersecurity requirements of Annex I, to identify and document components including in a machine-readable SBOM, to operate a coordinated vulnerability disclosure (CVD) policy, to provide security updates for a support period of at least five years (or the product's expected lifetime, if shorter), to report actively exploited vulnerabilities and severe incidents affecting product security (24-hour early warning, 72-hour notification, then a final report), and to carry out a conformity assessment and affix the CE marking before placing the product on the market. As a regulation it applies directly without national transposition: the bulk of the obligations apply from 11 December 2027, while the Article 14 reporting obligations apply earlier, from 11 September 2026.

Where They Overlap

Some organisations are subject to both because they manufacture products (CRA) and are themselves essential or important entities (NIS2). For these dual-obligation organisations the two regimes interact in three places.

Incident reporting timelines look alike (24-hour early warning, 72-hour notification), but the triggers and the recipients differ. CRA reports concern actively exploited vulnerabilities or severe incidents in the manufacturer's own product and go through the single reporting platform to the CSIRT designated as coordinator and to ENISA; NIS2 reports concern significant incidents affecting the entity's own services and go to the national CSIRT or competent authority. A single event -- an exploited flaw in a product the organisation both sells and runs -- can trigger both, with separate reports to separate recipients, so the incident response playbook needs to identify which obligation each event engages and who files what.

Supply chain security under NIS2 (Article 21) does not literally require suppliers to be CRA-compliant, but it does require entities to take account of the quality and cybersecurity practices of their direct suppliers. Once the CRA applies in full from December 2027, a supplier's CE marking and CRA declaration of conformity become the readiest evidence for that assessment, and procurement requirements can be expected to move in that direction.

Security by design principles in both frameworks are broadly consistent: the secure development, vulnerability handling and update practices a manufacturer builds for CRA Annex I largely cover what NIS2 expects of an entity's own systems, so a shared secure-engineering baseline serves both.

The Key Practical Distinction

CRA obligations follow the product. If you manufacture a router and place it on the EU market, the CRA applies to you as the manufacturer regardless of whether you are critical infrastructure or a small startup.

NIS2 obligations follow the service. If you operate a power grid or hospital network, NIS2 applies based on your sector and size, regardless of whether you manufacture anything.

Do You Need Both?

A manufacturer of industrial control systems sold to the energy sector is subject to the CRA as a manufacturer. If it also operates energy infrastructure itself and meets NIS2's sector and size thresholds, it is additionally subject to NIS2. The two sets of obligations run in parallel -- there is no general exemption or substitution, and compliance with one is not evidence of compliance with the other.

For most pure software manufacturers and hardware product companies, only the CRA applies. For most critical infrastructure operators who buy rather than make products, only NIS2 applies -- with the caveat that an operator which substantially modifies a product it bought takes on manufacturer obligations under the CRA (Article 22), and one which imports products from outside the EU picks up the importer obligations of its own.
