
CRA vs NIS2: Differences, Overlaps, and What Manufacturers Need to Know

The Cyber Resilience Act and NIS2 Directive are two EU cybersecurity regulations with different scopes. Learn how CRA and NIS2 differ and what obligations apply to manufacturers of digital products.

November 20, 2025
4 min read
Think Ahead Team

The EU has built a comprehensive cybersecurity regulatory framework in recent years. Two central pillars are the Cyber Resilience Act (CRA) and the NIS2 Directive. For manufacturers of digital products, understanding the difference between CRA and NIS2 is critical – both regulations can apply simultaneously, but they have entirely different requirements and addressees.

The Core Difference: Product vs Organization

The most important distinction between CRA and NIS2 can be summarized in one sentence: The CRA regulates products, NIS2 regulates organizations.

The Cyber Resilience Act addresses manufacturers, importers, and distributors of products with digital elements. It defines security requirements that the product itself must meet – regardless of who uses it. Every manufacturer selling a connected product on the EU market falls under the CRA.

The NIS2 Directive, by contrast, regulates operators of essential and important entities – organizations in specific sectors such as energy, healthcare, transport, finance, or digital infrastructure. NIS2 specifies which organizational cybersecurity measures these entities must implement to protect their services and networks.

Who Is Affected?

For the CRA, the target group is clear: every manufacturer of a product with digital elements placed on the EU market. This covers IoT devices, industrial controllers, software and SaaS products, smart home devices, and many other product categories. Company size is irrelevant – even a startup with a single product falls under the CRA.

NIS2 affects operators in 18 defined sectors, distinguishing between "essential" and "important" entities. Classification depends on the sector and company size. Generally, medium and large enterprises in the defined sectors are covered. Small companies are usually exempt unless they provide certain critical services.

For manufacturers of digital products, the two regimes can apply at once: a company that manufactures network infrastructure for energy providers falls under the CRA as a manufacturer and, if it is itself classified as an important entity, also falls under NIS2 for its own IT infrastructure.

Comparing Requirements

The specific obligations differ considerably. The CRA requires manufacturers to conduct a risk assessment for the product, implement security by design in product development, maintain a complete SBOM (Software Bill of Materials), establish processes for vulnerability management and coordinated disclosure, ensure secure default settings (no default passwords), provide security update capability throughout the support period, and prepare technical documentation with an EU declaration of conformity.

NIS2 requires operators to implement organizational cybersecurity measures, maintain risk management for network and information security, develop incident response plans and report security incidents, secure the supply chain, conduct regular security audits and penetration tests, and provide training for management and employees.

Different Timelines

The timelines of both regulations partially overlap but have different milestones.

For the CRA: From September 2026, actively exploited vulnerabilities must be reported. From December 2027, all new products must be fully CRA-compliant.

For NIS2: Transposition into national law was due by October 2024. In practice, many EU member states are behind schedule, so specific implementation and enforcement vary by country.

Penalties: What Are the Consequences?

Both regulations provide for significant penalties. Under the CRA, fines can reach up to 15 million euros or 2.5 percent of global annual revenue – whichever is higher. Market surveillance authorities can also order product recalls or market bans.

NIS2 provides for fines of up to 10 million euros or 2 percent of global annual revenue. Additionally, management bodies can be held personally liable if they fail to meet their supervisory obligations.

For manufacturers subject to both regulations, risks compound. Anyone distributing a non-compliant product while also neglecting organizational obligations risks sanctions under both frameworks.

Leveraging Synergies: Implementing CRA and NIS2 Together

Despite their different orientations, overlaps exist that manufacturers can exploit for efficient implementation. The risk assessment the CRA requires for products can be linked with NIS2 risk management for the organization. Vulnerability management processes built for the CRA simultaneously serve NIS2's supply chain security requirement. Incident response processes can be designed to cover reporting obligations under both regulations.

The most important synergy lies in documentation: those who thoroughly document their security processes from the start fulfill requirements from both frameworks and save effort in the long run.

Conclusion: Take Both Regulations Seriously

The penalties for non-compliance make the urgency clear. CRA and NIS2 complement each other to form a comprehensive EU cybersecurity framework: the CRA ensures products are secure, and NIS2 ensures organizations operate securely. Manufacturers of digital products should understand both regulations and assess early which requirements apply to them.

Our free CRA readiness assessment helps you evaluate your current CRA compliance status and identify concrete next steps. In just a few minutes, you will know where action is needed.
