CRA vs NIS 2: How the Two EU Cybersecurity Regulations Differ
In boardrooms across the EU, two pieces of cybersecurity regulation now dominate the agenda: the NIS 2 Directive and the Cyber Resilience Act. They are often discussed as though they were versions of the same thing. They are not. They regulate different targets, create different obligations, and carry different penalties. Understanding where they differ — and where a single organisation may fall under both — is essential for any compliance programme.
NIS 2 Regulates Operators. The CRA Regulates Products.
This is the core distinction, and the rest of the comparison follows from it.
The NIS 2 Directive (Directive (EU) 2022/2555) regulates operators — organisations that run networks and information systems used to provide services. Its obligations fall on essential entities (energy, transport, banking, health, digital infrastructure and so on) and important entities (postal services, waste management, food, chemicals, research and so on). If you operate the service, NIS 2 tells you how to manage the cybersecurity of the systems you use to operate it.
The Cyber Resilience Act (Regulation (EU) 2024/2847) regulates products — specifically, products with digital elements (PDEs) placed on the EU market. Its obligations fall on manufacturers, importers, and distributors of hardware, software, and connected devices. If you make the product, the CRA tells you how to build, ship, and maintain it securely.
The NIS 2 operator and the CRA manufacturer can be different organisations, the same organisation wearing two hats, or a commercial chain: a NIS 2-regulated hospital buying CRA-regulated medical devices.
Different In-Scope Entities
NIS 2 is targeted at organisations above specific size thresholds (typically medium-sized or larger, measured by headcount or turnover) operating in 18 defined sectors. The European Commission estimated this brings roughly 160,000 organisations into scope across the EU, although member state implementation varies. Organisation size and sector together determine whether an entity is in scope.
The CRA has no size threshold in the same sense. Any manufacturer selling a covered product into the EU market is in scope, regardless of company size, geography of origin, or sector. The product determines scope, not the organisation. A two-person firmware startup selling an IoT device into the EU has the same essential obligations as a multinational consumer electronics manufacturer, even if the applicable flat-fee penalty ceilings are lower. Scope is defined more evenly, but this also means that many smaller organisations that escaped NIS 2 cannot escape the CRA.
Different Obligations
Both regulations require cybersecurity risk management. Both require incident reporting. But the substance of what is required differs considerably.
NIS 2 requires operators to implement technical, operational, and organisational cybersecurity risk management measures. Article 21 lists ten minimum measures including policies on risk analysis and information system security, incident handling, business continuity, supply chain security, vulnerability handling and disclosure, policies on the effectiveness of cybersecurity measures, basic cyber hygiene and training, cryptography, access control, and multi-factor authentication. These are operational measures applied by the organisation to its own systems.
The CRA requires manufacturers to meet essential cybersecurity requirements set out in Annex I. These are requirements about the product itself: secure by default, protected against unauthorised access, vulnerability management built in, SBOM provided, secure update mechanism, support period committed, and so on. These are product-engineering requirements applied at design and production.
Both require incident reporting, but the triggers are different. NIS 2 requires operators to report significant incidents affecting the services they provide, within 24 hours (early warning), 72 hours (incident notification), and 1 month (final report). The CRA requires manufacturers to report actively exploited vulnerabilities in their products and severe incidents affecting the security of products, within 24 hours (early warning), 72 hours (notification), and 14 days after a corrective measure is available (final report). A NIS 2 incident is about a service disruption or security compromise. A CRA incident is about a vulnerability or product-level security issue.
Another structural difference is that NIS 2 is a Directive, transposed into national law by each member state, which means 27 different flavours of implementation. The CRA is a Regulation, directly applicable across the EU without national transposition. For manufacturers operating across member states, the CRA is considerably easier to comply with because it is a single instrument.
Penalty Levels Differ Slightly
NIS 2 sets maximum fines of at least €10 million or 2 percent of total worldwide annual turnover for essential entities, and at least €7 million or 1.4 percent for important entities. These are minimum caps that member states must provide for; some have set higher limits. Personal liability for senior management is also enabled by NIS 2.
The CRA sets fines up to €15 million or 2.5 percent of total worldwide annual turnover for non-compliance with the essential cybersecurity requirements or vulnerability handling obligations. Lower tiers apply to procedural breaches (€10 million or 2 percent) and to provision of incorrect information (€5 million or 1 percent). The top CRA fine is somewhat higher than NIS 2 for the most serious breaches, reflecting the regulatory view that product-level failures can cascade into systemic harm.
A Single Organisation Under Both
A medical device manufacturer that also operates a hospital chain would be a good example of an entity under both regulations simultaneously. The hospital operations fall under NIS 2 as an essential entity in the health sector. The medical devices it manufactures fall under the CRA, likely as Class II important products given the risk profile of medical technology.
This kind of organisation faces two distinct compliance programmes: a NIS 2 programme covering how the hospital is run (access controls, incident response, risk management applied to hospital IT), and a CRA programme covering how the medical devices are designed and maintained (secure update mechanisms, vulnerability reporting, SBOM, conformity assessment by a notified body).
The two programmes can share infrastructure — risk assessment frameworks, incident response processes, training programmes — but the regulatory obligations are distinct and need separate documentation.
Automotive is another sector where both often apply. A car manufacturer operates NIS 2-regulated networks and information systems, and it produces CRA-regulated connected vehicle components. Supply chain management becomes particularly important: under NIS 2 Article 21, the manufacturer needs to manage the cybersecurity risk of its suppliers; under the CRA, those same suppliers (of software modules, network components, sensors) are themselves CRA-regulated manufacturers with their own conformity assessments.
Practical Overlap in Security Testing Programmes
For organisations under both, there is useful overlap on the testing side. A penetration test scoped to a specific product can produce evidence that supports both the CRA's product-level testing obligations and the NIS 2 operator's supply chain risk management obligations. The report needs to be framed carefully — mapped against the specific requirements of each regulation — but the underlying testing work is largely the same.
Where the overlap does not hold is in the organisational security testing that NIS 2 requires. Testing the hospital's own IT environment is a NIS 2 matter and largely disjoint from CRA product testing. Plan for both.
The Compliance Calendar
NIS 2 has been in application since October 2024, with national transpositions rolling out through 2024 and 2025. Germany's BSI Act came into force in December 2025, for instance. For most in-scope organisations, NIS 2 is already live.
The CRA's reporting obligations start on 11 September 2026 and the full regulation applies from 11 December 2027. Organisations under both have a phased sequence: NIS 2 compliance first, followed by the CRA's reporting build-out in 2026, followed by the full conformity assessment and documentation regime by late 2027.
Choosing the Right Provider
For NIS 2 compliance testing, look for providers with NIS 2, DORA, and national regulator experience — penetration testing scoped to operational environments with specific sector expertise.
For CRA compliance testing, look for providers with product security expertise — firmware analysis, hardware penetration testing, IoT and embedded device testing, and notified body engagement experience for Class II products. These skills are distinct from general operator-side penetration testing.
For organisations under both, a provider that can deliver both competencies is increasingly valuable. Our compliance pages at /compliance/nis-2 and /compliance/cyber-resilience-act list providers aligned to each, with overlap for the firms that genuinely cover both.