CRA vs NIS2: Understanding the Key Differences
The Cyber Resilience Act and NIS2 are two major EU cybersecurity regulations with different scopes. Learn their differences, overlaps, and how to manage both simultaneously.
The Cyber Resilience Act (CRA) and the NIS2 Directive are two pillars of the European cybersecurity strategy. While complementary, they target different objectives and apply to distinct scopes. Understanding their differences is essential to avoid compliance gaps and duplication of effort.
The NIS2 Directive (Network and Information Security 2, Directive (EU) 2022/2555) entered into force in January 2023 and had to be transposed into national law by 17 October 2024. It aims to raise the common level of cybersecurity across the EU by imposing obligations on essential and important entities in critical sectors such as energy, transport, health, digital infrastructure, and public administration.
NIS2 requires covered organizations to implement risk-management measures, to report significant incidents in stages (an early warning within 24 hours of becoming aware of the incident, a fuller notification within 72 hours, and a final report within one month), and to submit to supervision by national authorities, including security audits.
The Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is a regulation, so it applies directly without national transposition. It imposes mandatory cybersecurity requirements on products with digital elements placed on the EU market and covers manufacturers, importers, and distributors of connected hardware, software, and components.
It entered into force on 10 December 2024. The reporting obligations for actively exploited vulnerabilities and severe incidents apply from 11 September 2026, and the remaining requirements apply from 11 December 2027.
Scope
NIS2: Applies to entities (organizations) in critical sectors. It is a directive and must be transposed into each member state's national law, so details vary by country.
CRA: Applies to products (hardware and software, including their remote data-processing components) placed on the market. It is a regulation directly applicable across the entire EU.
Obligations
NIS2: Risk management, incident notification, supply chain security, business continuity, training, and management accountability. Entities must implement organizational and technical measures proportionate to their risk.
CRA: Security by design and by default, an SBOM, vulnerability handling throughout the support period, staged reporting of actively exploited vulnerabilities and severe incidents (an early warning within 24 hours of becoming aware, a notification within 72 hours, and a final report within 14 days for vulnerabilities), and CE marking based on a conformity assessment. Products must be designed, tested, and documented to meet the essential requirements.
Penalties
NIS2: Fines up to 10M€ or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and up to 7M€ or 1.4% for important entities.
CRA: Fines up to 15M€ or 2.5% of total worldwide annual turnover (whichever is higher) for non-compliance with the essential cybersecurity requirements, lower tiers for other obligations, plus corrective measures by market surveillance authorities, including withdrawal or recall of non-compliant products.
The two regimes overlap in several areas, notably supply chain security, vulnerability handling, and incident reporting: an NIS2 entity's supply chain measures concern the very products the CRA regulates, and both regimes route reports to the national CSIRTs.
For organizations subject to both NIS2 and the CRA (for example, a digital infrastructure provider that also manufactures connected hardware; note that connected medical devices are a poor example here, since products covered by the Medical Devices Regulation are excluded from the CRA's scope), the two regulations should be managed as one programme rather than two. CRA conformity of the products an entity builds or procures is not a legal prerequisite for NIS2 compliance, but it directly supports the NIS2 supply chain and risk-management obligations, and a single vulnerability or incident may trigger notification duties under both. Treat them as complementary, not separate.