CRA vs NIS2: Two Sides of EU Cybersecurity
The CRA and NIS2 Directive are complementary but different. Organizations may be subject to both. Understanding where they overlap and where they diverge is essential.
Key Differences
| Aspect | CRA | NIS2 |
|---|---|---|
| Focus | Products with digital elements | Organizations and services |
| Who | Manufacturers, importers, distributors | Essential and important entities |
| What | Product security requirements | Organizational security measures |
| Enforcement | Market surveillance authorities | National cybersecurity authorities |
| Penalties | Up to €15M / 2.5% turnover | Up to €10M / 2% turnover |
| Timeline | Full enforcement Dec 2027 | Transposition Oct 2024 |
Where They Overlap
Incident Reporting
- CRA: Report exploited vulnerabilities to ENISA (24h)
- NIS2: Report significant incidents to CSIRT (24h)
- Both apply? Report to both if you're a manufacturer AND an essential entity
Supply Chain Security
- CRA: SBOM, vulnerability management for products
- NIS2: Supply chain risk management for the organization
- Both apply? Your SBOM fulfills part of your NIS2 supply chain obligations
Security by Design
- CRA: Mandatory for all products
- NIS2: Required as part of organizational measures
- Both apply? Security by design in your products helps meet NIS2 organizational requirements
Who Is Subject to Both?
Organizations that:
- Manufacture software products (CRA) AND
- Operate essential/important services (NIS2)
Examples:
- Cloud service providers who also sell software products
- Telecom operators who manufacture network equipment
- Healthcare technology companies (device manufacturer + service provider)
Compliance Synergies
If you're subject to both, many activities serve a dual purpose:
| CRA Requirement | NIS2 Benefit |
|---|---|
| SBOM generation | Supply chain risk assessment |
| Vulnerability handling | Incident management |
| Security by design | Risk management measures |
| Security testing | Security audit requirements |
| Technical documentation | Governance documentation |
Action Plan for Dual Compliance
- Single security team: don't create separate CRA and NIS2 teams
- Unified incident reporting: one process, two notification channels
- Shared risk assessment: product risks and organizational risks overlap
- Combined documentation: technical docs serve both regulatory requirements
- Integrated audit: one audit program covering both regulations
Subject to both CRA and NIS2? I help organizations build unified compliance programs. Get in touch.
